89b79ce8504634e17a78723016e756a123aa5dc171a4fb0133c79c256213317d

Analysis

max time kernel
103s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ȸx86.msi
Size

7.1MB
MD5

fe4fa2e0f683686dcff7eda9c8f6dc43
SHA1

64825f0711796a3d62fb67bf1c6d7ac7bee35c98
SHA256

5a02f6700eb4cfc9c24f60068f92e71e9b465694657f297a9de03e02af244dcb
SHA512

dc799a506e2b5bca479494bd2da7b56c6a792fd1ad362c2b9474241a4a4a65d5ff85bd23b5368f3c56d726d1ff2cc780c96c0d6ea8d2fca8650616e97bca5b68
SSDEEP

98304:FN6wTl5/8PH85NfHTVEr4nowc/cn3bfl+oX3GdvLbfVjJQKI5LBEdVRM70h4Tq6M:L6Jq92c3goXqvfVJctmdVgVZ

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\viewer.exe	MsiExec.exe

Loads dropped DLL 10 IoCs

pid	Process
3172	MsiExec.exe
3172	MsiExec.exe
3172	MsiExec.exe
3172	MsiExec.exe
3172	MsiExec.exe
3172	MsiExec.exe
3172	MsiExec.exe
3172	MsiExec.exe
3172	MsiExec.exe
3172	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1936	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1936	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1936	msiexec.exe
Token: SeSecurityPrivilege	4028	msiexec.exe
Token: SeCreateTokenPrivilege	1936	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1936	msiexec.exe
Token: SeLockMemoryPrivilege	1936	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1936	msiexec.exe
Token: SeMachineAccountPrivilege	1936	msiexec.exe
Token: SeTcbPrivilege	1936	msiexec.exe
Token: SeSecurityPrivilege	1936	msiexec.exe
Token: SeTakeOwnershipPrivilege	1936	msiexec.exe
Token: SeLoadDriverPrivilege	1936	msiexec.exe
Token: SeSystemProfilePrivilege	1936	msiexec.exe
Token: SeSystemtimePrivilege	1936	msiexec.exe
Token: SeProfSingleProcessPrivilege	1936	msiexec.exe
Token: SeIncBasePriorityPrivilege	1936	msiexec.exe
Token: SeCreatePagefilePrivilege	1936	msiexec.exe
Token: SeCreatePermanentPrivilege	1936	msiexec.exe
Token: SeBackupPrivilege	1936	msiexec.exe
Token: SeRestorePrivilege	1936	msiexec.exe
Token: SeShutdownPrivilege	1936	msiexec.exe
Token: SeDebugPrivilege	1936	msiexec.exe
Token: SeAuditPrivilege	1936	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1936	msiexec.exe
Token: SeChangeNotifyPrivilege	1936	msiexec.exe
Token: SeRemoteShutdownPrivilege	1936	msiexec.exe
Token: SeUndockPrivilege	1936	msiexec.exe
Token: SeSyncAgentPrivilege	1936	msiexec.exe
Token: SeEnableDelegationPrivilege	1936	msiexec.exe
Token: SeManageVolumePrivilege	1936	msiexec.exe
Token: SeImpersonatePrivilege	1936	msiexec.exe
Token: SeCreateGlobalPrivilege	1936	msiexec.exe
Token: SeCreateTokenPrivilege	1936	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1936	msiexec.exe
Token: SeLockMemoryPrivilege	1936	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1936	msiexec.exe
Token: SeMachineAccountPrivilege	1936	msiexec.exe
Token: SeTcbPrivilege	1936	msiexec.exe
Token: SeSecurityPrivilege	1936	msiexec.exe
Token: SeTakeOwnershipPrivilege	1936	msiexec.exe
Token: SeLoadDriverPrivilege	1936	msiexec.exe
Token: SeSystemProfilePrivilege	1936	msiexec.exe
Token: SeSystemtimePrivilege	1936	msiexec.exe
Token: SeProfSingleProcessPrivilege	1936	msiexec.exe
Token: SeIncBasePriorityPrivilege	1936	msiexec.exe
Token: SeCreatePagefilePrivilege	1936	msiexec.exe
Token: SeCreatePermanentPrivilege	1936	msiexec.exe
Token: SeBackupPrivilege	1936	msiexec.exe
Token: SeRestorePrivilege	1936	msiexec.exe
Token: SeShutdownPrivilege	1936	msiexec.exe
Token: SeDebugPrivilege	1936	msiexec.exe
Token: SeAuditPrivilege	1936	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1936	msiexec.exe
Token: SeChangeNotifyPrivilege	1936	msiexec.exe
Token: SeRemoteShutdownPrivilege	1936	msiexec.exe
Token: SeUndockPrivilege	1936	msiexec.exe
Token: SeSyncAgentPrivilege	1936	msiexec.exe
Token: SeEnableDelegationPrivilege	1936	msiexec.exe
Token: SeManageVolumePrivilege	1936	msiexec.exe
Token: SeImpersonatePrivilege	1936	msiexec.exe
Token: SeCreateGlobalPrivilege	1936	msiexec.exe
Token: SeCreateTokenPrivilege	1936	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1936	msiexec.exe
Token: SeLockMemoryPrivilege	1936	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1936	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 3172	4028	msiexec.exe	86
PID 4028 wrote to memory of 3172	4028	msiexec.exe	86
PID 4028 wrote to memory of 3172	4028	msiexec.exe	86

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ȸx86.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1936

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2CFA700895101DE90BA07C595D8162C7 C
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIA5D5.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA8C8.tmp

Filesize
703KB

MD5
59f4b7e8b960987b68b311660c99957a

SHA1
3ba452e27d4bf53e72bf28cde68240290e72e46f

SHA256
3b43d469e1f3656f948eabbd9e1ed99570a7962118fcfc9ccaa309eb657502bf

SHA512
64bd1ddbc90dfae6a7b34b67eaa32a0fd03e5ccff7e25f997dfb488f56b7ab2c7fab867915d05ba40f215216f87942d035e740edd64db7cb6df049a589dde27b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA907.tmp

Filesize
1.0MB

MD5
5566149fc623f29d55ca72018369c780

SHA1
8ae947ab0ae9182f1c09bd266ff360c0e8b88326

SHA256
a8c8ff2a0e754059b1f44ef69df492ef3cd582f3750f8c374037c9621069c608

SHA512
f9f49c930c3ead40f208482ab6f70a21a8495fd1c50b56a3f689eb53e8e7b8ca9a642bae2199fc80b6099bd3fdd3c4cfcd0d3a8cada47ebf23c7fcef87064cb5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads