Overview

overview

6

Static

static

1

ȸx86.msi

windows7-x64

6

ȸx86.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    08/08/2024, 20:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ȸx86.msi

  • Size

    7.1MB

  • MD5

    fe4fa2e0f683686dcff7eda9c8f6dc43

  • SHA1

    64825f0711796a3d62fb67bf1c6d7ac7bee35c98

  • SHA256

    5a02f6700eb4cfc9c24f60068f92e71e9b465694657f297a9de03e02af244dcb

  • SHA512

    dc799a506e2b5bca479494bd2da7b56c6a792fd1ad362c2b9474241a4a4a65d5ff85bd23b5368f3c56d726d1ff2cc780c96c0d6ea8d2fca8650616e97bca5b68

  • SSDEEP

    98304:FN6wTl5/8PH85NfHTVEr4nowc/cn3bfl+oX3GdvLbfVjJQKI5LBEdVRM70h4Tq6M:L6Jq92c3goXqvfVJctmdVgVZ

Score
6/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ȸx86.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2140
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B6AD998E03B1490FD7DEC0D08532D9BA C
      2⤵
      • Drops file in Windows directory
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2664

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSI2DA5.tmp
    Filesize

    557KB

    MD5

    e1423fc5ddaedc0152a09f4796243e31

    SHA1

    c92cec1fb6093d6922fe64719e583048fca12153

    SHA256

    3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

    SHA512

    fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI2F7D.tmp
    Filesize

    703KB

    MD5

    59f4b7e8b960987b68b311660c99957a

    SHA1

    3ba452e27d4bf53e72bf28cde68240290e72e46f

    SHA256

    3b43d469e1f3656f948eabbd9e1ed99570a7962118fcfc9ccaa309eb657502bf

    SHA512

    64bd1ddbc90dfae6a7b34b67eaa32a0fd03e5ccff7e25f997dfb488f56b7ab2c7fab867915d05ba40f215216f87942d035e740edd64db7cb6df049a589dde27b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI2FFB.tmp
    Filesize

    1.0MB

    MD5

    5566149fc623f29d55ca72018369c780

    SHA1

    8ae947ab0ae9182f1c09bd266ff360c0e8b88326

    SHA256

    a8c8ff2a0e754059b1f44ef69df492ef3cd582f3750f8c374037c9621069c608

    SHA512

    f9f49c930c3ead40f208482ab6f70a21a8495fd1c50b56a3f689eb53e8e7b8ca9a642bae2199fc80b6099bd3fdd3c4cfcd0d3a8cada47ebf23c7fcef87064cb5

    Download Submit