8b9147aeca757bc36f30e98c7481ec302d2be6de1b893a6f2ad80864f1106fb3

Resubmissions

03-08-2024 19:46

240803-yg8nestbqr 10

03-08-2024 19:44

240803-ygbcxsxhld 6

03-08-2024 19:41

240803-yd6pnaxgpa 6

Analysis

max time kernel
430s
max time network
434s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

win-airplay/Bonjour64.msi
Size

2.6MB
MD5

8dcf5c9eaacdaf4568220d103f393dea
SHA1

27f68596398b68ba048f95752b4eeb4aa013c23f
SHA256

53be81cc6e2dc95a1041e8f3d8f500fad4259ab20a1aac151b5fc7a64d354a93
SHA512

10f8ffb6fa5e7163f0a83190ddf211479f12e16635389b49ac041eceafd7f04c040d830065adc89b1003f38d8381851c09150a5bc8edced6ecae8ee5ae801088
SSDEEP

49152:aXMDiLYLW8Rv5GYCRL69MXeixEEgj8HyvftiZikCTcRi3/jP/N/v08Masv8Qo2/:wwPR8YCRLVm

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

2 1680 msiexec.exe
4 1680 msiexec.exe
9 1680 msiexec.exe

flow	pid	process
2	1680	msiexec.exe
4	1680	msiexec.exe
9	1680	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

1612 MsiExec.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

1680 msiexec.exe

pid	process
1612	MsiExec.exe

pid	process
1680	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1680	msiexec.exe
Token: SeSecurityPrivilege	2316	msiexec.exe
Token: SeCreateTokenPrivilege	1680	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1680	msiexec.exe
Token: SeLockMemoryPrivilege	1680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1680	msiexec.exe
Token: SeMachineAccountPrivilege	1680	msiexec.exe
Token: SeTcbPrivilege	1680	msiexec.exe
Token: SeSecurityPrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeLoadDriverPrivilege	1680	msiexec.exe
Token: SeSystemProfilePrivilege	1680	msiexec.exe
Token: SeSystemtimePrivilege	1680	msiexec.exe
Token: SeProfSingleProcessPrivilege	1680	msiexec.exe
Token: SeIncBasePriorityPrivilege	1680	msiexec.exe
Token: SeCreatePagefilePrivilege	1680	msiexec.exe
Token: SeCreatePermanentPrivilege	1680	msiexec.exe
Token: SeBackupPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeShutdownPrivilege	1680	msiexec.exe
Token: SeDebugPrivilege	1680	msiexec.exe
Token: SeAuditPrivilege	1680	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1680	msiexec.exe
Token: SeChangeNotifyPrivilege	1680	msiexec.exe
Token: SeRemoteShutdownPrivilege	1680	msiexec.exe
Token: SeUndockPrivilege	1680	msiexec.exe
Token: SeSyncAgentPrivilege	1680	msiexec.exe
Token: SeEnableDelegationPrivilege	1680	msiexec.exe
Token: SeManageVolumePrivilege	1680	msiexec.exe
Token: SeImpersonatePrivilege	1680	msiexec.exe
Token: SeCreateGlobalPrivilege	1680	msiexec.exe
Token: SeCreateTokenPrivilege	1680	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1680	msiexec.exe
Token: SeLockMemoryPrivilege	1680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1680	msiexec.exe
Token: SeMachineAccountPrivilege	1680	msiexec.exe
Token: SeTcbPrivilege	1680	msiexec.exe
Token: SeSecurityPrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeLoadDriverPrivilege	1680	msiexec.exe
Token: SeSystemProfilePrivilege	1680	msiexec.exe
Token: SeSystemtimePrivilege	1680	msiexec.exe
Token: SeProfSingleProcessPrivilege	1680	msiexec.exe
Token: SeIncBasePriorityPrivilege	1680	msiexec.exe
Token: SeCreatePagefilePrivilege	1680	msiexec.exe
Token: SeCreatePermanentPrivilege	1680	msiexec.exe
Token: SeBackupPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeShutdownPrivilege	1680	msiexec.exe
Token: SeDebugPrivilege	1680	msiexec.exe
Token: SeAuditPrivilege	1680	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1680	msiexec.exe
Token: SeChangeNotifyPrivilege	1680	msiexec.exe
Token: SeRemoteShutdownPrivilege	1680	msiexec.exe
Token: SeUndockPrivilege	1680	msiexec.exe
Token: SeSyncAgentPrivilege	1680	msiexec.exe
Token: SeEnableDelegationPrivilege	1680	msiexec.exe
Token: SeManageVolumePrivilege	1680	msiexec.exe
Token: SeImpersonatePrivilege	1680	msiexec.exe
Token: SeCreateGlobalPrivilege	1680	msiexec.exe
Token: SeCreateTokenPrivilege	1680	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1680	msiexec.exe
Token: SeLockMemoryPrivilege	1680	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1680 msiexec.exe

pid	process
1680	msiexec.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2316 wrote to memory of 1612	2316	msiexec.exe	MsiExec.exe
PID 2316 wrote to memory of 1612	2316	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\win-airplay\Bonjour64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1680

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 637BF1D6544F5C50C11A89A3DB8D9108 C
2⤵
- Loads dropped DLL
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIA99E.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit