b5b7b3f8d02604894fea421f9f6b6d47150e958d822b6038df3d3ff599fea569

Analysis

max time kernel
31s
max time network
20s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
07-08-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

host6.3.msi
Size

7.3MB
MD5

9a854e28b0756b607d151ba315e67d3c
SHA1

a3ad57995fc1980680a8db2a05fbf77d39989f83
SHA256

b5b7b3f8d02604894fea421f9f6b6d47150e958d822b6038df3d3ff599fea569
SHA512

1f288e470b1af99d89e20b0d1a622df56c7c6e59f63ad8388fba3d5e1d3b1deb99077b1cd59541a46edfa55e001908e6a3fd69bea96e696eee6e455a7e8e59a8
SSDEEP

98304:uYyYaKeS0cyBZuhUd3S4mHXbReA7+GcsdfR4fTZIQtdawGEhWFG7OFV3mEQjGV+q:vmpFMUM4mNYGceflQdzG1Ek3NQjUPx

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	2376	msiexec.exe
4	2376	msiexec.exe
6	2376	msiexec.exe
8	2376	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
1224	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2376	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2376	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2376	msiexec.exe
Token: SeSecurityPrivilege	2196	msiexec.exe
Token: SeCreateTokenPrivilege	2376	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2376	msiexec.exe
Token: SeLockMemoryPrivilege	2376	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2376	msiexec.exe
Token: SeMachineAccountPrivilege	2376	msiexec.exe
Token: SeTcbPrivilege	2376	msiexec.exe
Token: SeSecurityPrivilege	2376	msiexec.exe
Token: SeTakeOwnershipPrivilege	2376	msiexec.exe
Token: SeLoadDriverPrivilege	2376	msiexec.exe
Token: SeSystemProfilePrivilege	2376	msiexec.exe
Token: SeSystemtimePrivilege	2376	msiexec.exe
Token: SeProfSingleProcessPrivilege	2376	msiexec.exe
Token: SeIncBasePriorityPrivilege	2376	msiexec.exe
Token: SeCreatePagefilePrivilege	2376	msiexec.exe
Token: SeCreatePermanentPrivilege	2376	msiexec.exe
Token: SeBackupPrivilege	2376	msiexec.exe
Token: SeRestorePrivilege	2376	msiexec.exe
Token: SeShutdownPrivilege	2376	msiexec.exe
Token: SeDebugPrivilege	2376	msiexec.exe
Token: SeAuditPrivilege	2376	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2376	msiexec.exe
Token: SeChangeNotifyPrivilege	2376	msiexec.exe
Token: SeRemoteShutdownPrivilege	2376	msiexec.exe
Token: SeUndockPrivilege	2376	msiexec.exe
Token: SeSyncAgentPrivilege	2376	msiexec.exe
Token: SeEnableDelegationPrivilege	2376	msiexec.exe
Token: SeManageVolumePrivilege	2376	msiexec.exe
Token: SeImpersonatePrivilege	2376	msiexec.exe
Token: SeCreateGlobalPrivilege	2376	msiexec.exe
Token: SeCreateTokenPrivilege	2376	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2376	msiexec.exe
Token: SeLockMemoryPrivilege	2376	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2376	msiexec.exe
Token: SeMachineAccountPrivilege	2376	msiexec.exe
Token: SeTcbPrivilege	2376	msiexec.exe
Token: SeSecurityPrivilege	2376	msiexec.exe
Token: SeTakeOwnershipPrivilege	2376	msiexec.exe
Token: SeLoadDriverPrivilege	2376	msiexec.exe
Token: SeSystemProfilePrivilege	2376	msiexec.exe
Token: SeSystemtimePrivilege	2376	msiexec.exe
Token: SeProfSingleProcessPrivilege	2376	msiexec.exe
Token: SeIncBasePriorityPrivilege	2376	msiexec.exe
Token: SeCreatePagefilePrivilege	2376	msiexec.exe
Token: SeCreatePermanentPrivilege	2376	msiexec.exe
Token: SeBackupPrivilege	2376	msiexec.exe
Token: SeRestorePrivilege	2376	msiexec.exe
Token: SeShutdownPrivilege	2376	msiexec.exe
Token: SeDebugPrivilege	2376	msiexec.exe
Token: SeAuditPrivilege	2376	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2376	msiexec.exe
Token: SeChangeNotifyPrivilege	2376	msiexec.exe
Token: SeRemoteShutdownPrivilege	2376	msiexec.exe
Token: SeUndockPrivilege	2376	msiexec.exe
Token: SeSyncAgentPrivilege	2376	msiexec.exe
Token: SeEnableDelegationPrivilege	2376	msiexec.exe
Token: SeManageVolumePrivilege	2376	msiexec.exe
Token: SeImpersonatePrivilege	2376	msiexec.exe
Token: SeCreateGlobalPrivilege	2376	msiexec.exe
Token: SeCreateTokenPrivilege	2376	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2376	msiexec.exe
Token: SeLockMemoryPrivilege	2376	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2376	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 1224	2196	msiexec.exe	73
PID 2196 wrote to memory of 1224	2196	msiexec.exe	73
PID 2196 wrote to memory of 1224	2196	msiexec.exe	73

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\host6.3.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2376

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6759C7EAB1C8A06085377480DC27BD5E C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIDAC0.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads