300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-08-2024 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Size

31.6MB
MD5

0483ff2b9382e11b33f97b35e62d8d41
SHA1

0a5b5081bdedd90b7a5183343dc4be720c01c80f
SHA256

300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45
SHA512

ed774140b89c712eccfdbcdaf06004382ff715c71f1a043897cdad48d8adeeac69e8dc3765029b432562a89644c109ff3993f60a6f53e7a3d9e8dc424508b9d5
SSDEEP

786432:W9lzMRum1Qz0eoDr9NdkIvhlr4cGtMVsjVKmWRZc+BsVEVk:W9lzMRum1QQRzkIvhjuAfzsVEK

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 12 IoCs

pid	Process
696	MsiExec.exe
696	MsiExec.exe
696	MsiExec.exe
696	MsiExec.exe
696	MsiExec.exe
696	MsiExec.exe
696	MsiExec.exe
696	MsiExec.exe
696	MsiExec.exe
696	MsiExec.exe
696	MsiExec.exe
696	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\X:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\S:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\Z:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\N:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\T:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\W:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\H:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\O:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\P:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\Y:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\G:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\K:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\U:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeSecurityPrivilege	1952	msiexec.exe
Token: SeCreateTokenPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeAssignPrimaryTokenPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeLockMemoryPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeIncreaseQuotaPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeMachineAccountPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeTcbPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeSecurityPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeTakeOwnershipPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeLoadDriverPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeSystemProfilePrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeSystemtimePrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeProfSingleProcessPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeIncBasePriorityPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeCreatePagefilePrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeCreatePermanentPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeBackupPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeRestorePrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeShutdownPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeDebugPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeAuditPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeSystemEnvironmentPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeChangeNotifyPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeRemoteShutdownPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeUndockPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeSyncAgentPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeEnableDelegationPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeManageVolumePrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeImpersonatePrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeCreateGlobalPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeCreateTokenPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeAssignPrimaryTokenPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeLockMemoryPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeIncreaseQuotaPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeMachineAccountPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeTcbPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeSecurityPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeTakeOwnershipPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeLoadDriverPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeSystemProfilePrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeSystemtimePrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeProfSingleProcessPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeIncBasePriorityPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeCreatePagefilePrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeCreatePermanentPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeBackupPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeRestorePrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeShutdownPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeDebugPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeAuditPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeSystemEnvironmentPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeChangeNotifyPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeRemoteShutdownPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeUndockPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeSyncAgentPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeEnableDelegationPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeManageVolumePrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeImpersonatePrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeCreateGlobalPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeCreateTokenPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeAssignPrimaryTokenPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
Token: SeLockMemoryPrivilege	1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1356	300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 696	1952	msiexec.exe	31
PID 1952 wrote to memory of 696	1952	msiexec.exe	31
PID 1952 wrote to memory of 696	1952	msiexec.exe	31
PID 1952 wrote to memory of 696	1952	msiexec.exe	31
PID 1952 wrote to memory of 696	1952	msiexec.exe	31
PID 1952 wrote to memory of 696	1952	msiexec.exe	31
PID 1952 wrote to memory of 696	1952	msiexec.exe	31

C:\Users\Admin\AppData\Local\Temp\300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe
"C:\Users\Admin\AppData\Local\Temp\300d87987d360bd4abc2927a791031f41450cdf547c830902107daceba263a45.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1356

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DCC0CF895EC4F45FFC911DD0D371964E C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1356\background

Filesize
27KB

MD5
24103f71a86c20089528c96c0dbe1445

SHA1
007d7a930dcae7684477347f4f2bd58d4ee5d184

SHA256
8542e195ef15dfd3ed9b246d3539295f266a19f3bde524c3f41b99adb6719c11

SHA512
94267aa20fb17e2db9ac31bb20b17e108f99c17f181c8f1612d9ecc9ac1375703b2ec7af3795b7c4ab379723c4c764a137025fb21df3e60859d0480ca546eb10

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1356\x256Transparent.png

Filesize
9KB

MD5
8b8f458692d5b36610ce0253ab6895b0

SHA1
24706349b0452acff47ef9fb4619f7ac308c1a49

SHA256
93c2d2add96a069af6d24ce5aa15a408dca618603d47711ab1f83c7293e741c1

SHA512
65ed822ebf559641a39e2b25f5bf5706a5117711f520db48452ec2afce734d052f358b04077255f858bb616c1cef0c1234fdd461aaa1fc1b4eb67935da63dbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAEA9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB9A1.tmp

Filesize
819KB

MD5
3604517a3e6e69ba339239cf82fc94a5

SHA1
c4757e31f9c8a90ee5de233792da71c8915050c5

SHA256
bdd1d14c9cb54b19f6a7f37adbc7537ce8fd2f6fa59a74a4a90b08c7979708d2

SHA512
c22ffc410886fae221dfee6ab469e44694f87cecce14d505a059f5fe01c1b4e1ad93c15b78c7623e821a37737491e89c627ddae5d03c407a877835ab6d611619

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBBD4.tmp

Filesize
1.1MB

MD5
cc048c7aadc4adf3a29d429f1f5eead0

SHA1
6b4d89df901427fe955be2d58ad91a6de30be9d6

SHA256
d23c6ac751423ff6961694437e67d7b608102bd351e3e0cd10d34d026a1a08ca

SHA512
0e67c0a4db70e19ead49f6c0fd41045f3fd9ee688d75a6da2916e347b70783843fa0e3d6cfc2b0bcd5e16a6045ba27707dff655556ebc725c126082e45cee2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBD1D.tmp

Filesize
877KB

MD5
899a6d5f1c9e00ec2f43e732c6b7548f

SHA1
a795646d8c878a21beb51120a8c709dc83b87960

SHA256
0ca4e5eb5a7bac56a3ee31df50110a4e89ab4781ecb1da43bb5cab66ff799491

SHA512
8467de1ede139dbf6f6d2225c58f379d140972101f2770e59ef50d98d6793bacfc62a4abe80644d7ab587ee20c8da02839efb95ae3f0689dfa837c4495c1a172

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC688.tmp

Filesize
319KB

MD5
132f0fac22e0b118569fd0fb0b2765b6

SHA1
4869ddb45822a873020d2cd91afd85e131809a21

SHA256
c76f966457883d3c0d6126787e3f1fab7219a96f1ecc7fe1a89773eecf744ca3

SHA512
3232a8107b91c0b9a3920a482188874d8d308f27c3aa07dbaf806adc821ef7708f0b023b22df8d6d7b39eb93bea39f8f0b6d0199080ba6f8d59f4f632bf460c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAEDA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Key Metric Software\SQL Backup Master 7.4.842.0\install\955D7DF\sbm-setup.x64.msi

Filesize
5.9MB

MD5
c4fea01c5092689bc9b37733181a3bee

SHA1
2a35b7b6968c129740bf5e6d18cfdc59124ab747

SHA256
09f35db13be70da8aa21150b3b9a7b917e80c7473ae6def60a21098862f5bea7

SHA512
0600427d5ae182953c22014aa5837a6eff0b44b7bc475bf6fb94baba233e9afd30ce6f602cee692ba438b58260489ffd3289eb5ec43ad690c102df804dc7c93b

Download Submit
memory/1356-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1356-257-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download