Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/08/2024, 06:58
Static task: static1
Behavioral task: behavioral1
  Sample: node-v20.16.0-x64.msi
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: node-v20.16.0-x64.msi
  Resource: win10v2004-20240802-en
General
Target: node-v20.16.0-x64.msi
Size: 25.3MB
MD5: cb4cdb7654c93b137b3776dc170aab28
SHA1: 98eabe3f677bb9d4f23e50686492eb720d8b5785
SHA256: 813306c94e6f5f061a5789f037d48f57d52240284a679e5ace4a0f73f8f2feeb
SHA512: 46521b4e3b1ee1a063c61ed4dbf0805a4df74f233e5dd19b78bebc64c40e262dc198441b35adaa88b09b553575e864aad9d6eca5c3b7c8b305eea24967024090
SSDEEP: 393216:nL2LqzzRMZ+XHQvm2TWTTgXpOkBsPRZZUaHHwP4D3CcmalESB1YDbQ/4h:nSYz/HYTWTTcsPeag4D7/l7BOPQQh
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
flow  pid  Process
5     412  msiexec.exe
7     412  msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
(46 entries in total; every drive letter below, A: through Z: except C:, D: and F:, is opened twice by msiexec.exe)
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
Loads dropped DLL (2 IoCs)
pid   Process
4572  MsiExec.exe
4572  MsiExec.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
pid  Process
412  msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description  pid  Process
Token: SeShutdownPrivilege  412  msiexec.exe
Token: SeIncreaseQuotaPrivilege  412  msiexec.exe
Token: SeSecurityPrivilege  768  msiexec.exe
Token: SeCreateTokenPrivilege  412  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  412  msiexec.exe
Token: SeLockMemoryPrivilege  412  msiexec.exe
Token: SeIncreaseQuotaPrivilege  412  msiexec.exe
Token: SeMachineAccountPrivilege  412  msiexec.exe
Token: SeTcbPrivilege  412  msiexec.exe
Token: SeSecurityPrivilege  412  msiexec.exe
Token: SeTakeOwnershipPrivilege  412  msiexec.exe
Token: SeLoadDriverPrivilege  412  msiexec.exe
Token: SeSystemProfilePrivilege  412  msiexec.exe
Token: SeSystemtimePrivilege  412  msiexec.exe
Token: SeProfSingleProcessPrivilege  412  msiexec.exe
Token: SeIncBasePriorityPrivilege  412  msiexec.exe
Token: SeCreatePagefilePrivilege  412  msiexec.exe
Token: SeCreatePermanentPrivilege  412  msiexec.exe
Token: SeBackupPrivilege  412  msiexec.exe
Token: SeRestorePrivilege  412  msiexec.exe
Token: SeShutdownPrivilege  412  msiexec.exe
Token: SeDebugPrivilege  412  msiexec.exe
Token: SeAuditPrivilege  412  msiexec.exe
Token: SeSystemEnvironmentPrivilege  412  msiexec.exe
Token: SeChangeNotifyPrivilege  412  msiexec.exe
Token: SeRemoteShutdownPrivilege  412  msiexec.exe
Token: SeUndockPrivilege  412  msiexec.exe
Token: SeSyncAgentPrivilege  412  msiexec.exe
Token: SeEnableDelegationPrivilege  412  msiexec.exe
Token: SeManageVolumePrivilege  412  msiexec.exe
Token: SeImpersonatePrivilege  412  msiexec.exe
Token: SeCreateGlobalPrivilege  412  msiexec.exe
Token: SeCreateTokenPrivilege  412  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  412  msiexec.exe
Token: SeLockMemoryPrivilege  412  msiexec.exe
Token: SeIncreaseQuotaPrivilege  412  msiexec.exe
Token: SeMachineAccountPrivilege  412  msiexec.exe
Token: SeTcbPrivilege  412  msiexec.exe
Token: SeSecurityPrivilege  412  msiexec.exe
Token: SeTakeOwnershipPrivilege  412  msiexec.exe
Token: SeLoadDriverPrivilege  412  msiexec.exe
Token: SeSystemProfilePrivilege  412  msiexec.exe
Token: SeSystemtimePrivilege  412  msiexec.exe
Token: SeProfSingleProcessPrivilege  412  msiexec.exe
Token: SeIncBasePriorityPrivilege  412  msiexec.exe
Token: SeCreatePagefilePrivilege  412  msiexec.exe
Token: SeCreatePermanentPrivilege  412  msiexec.exe
Token: SeBackupPrivilege  412  msiexec.exe
Token: SeRestorePrivilege  412  msiexec.exe
Token: SeShutdownPrivilege  412  msiexec.exe
Token: SeDebugPrivilege  412  msiexec.exe
Token: SeAuditPrivilege  412  msiexec.exe
Token: SeSystemEnvironmentPrivilege  412  msiexec.exe
Token: SeChangeNotifyPrivilege  412  msiexec.exe
Token: SeRemoteShutdownPrivilege  412  msiexec.exe
Token: SeUndockPrivilege  412  msiexec.exe
Token: SeSyncAgentPrivilege  412  msiexec.exe
Token: SeEnableDelegationPrivilege  412  msiexec.exe
Token: SeManageVolumePrivilege  412  msiexec.exe
Token: SeImpersonatePrivilege  412  msiexec.exe
Token: SeCreateGlobalPrivilege  412  msiexec.exe
Token: SeCreateTokenPrivilege  412  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  412  msiexec.exe
Token: SeLockMemoryPrivilege  412  msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoC)
pid  Process
412  msiexec.exe
Suspicious use of WriteProcessMemory (2 IoCs)
description  pid  Process  procid_target
PID 768 wrote to memory of 4572  768  msiexec.exe  88
PID 768 wrote to memory of 4572  768  msiexec.exe  88
Processes
C:\Windows\system32\msiexec.exe (PID 412)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\node-v20.16.0-x64.msi
  Signatures:
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 768)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\MsiExec.exe (PID 4572, child process)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding EEF3BC31FBAB7B6B8A6F9F391B2AEB21 C
    Signatures:
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 125KB
MD5: 1cac27140646e7b4f8a4ecc423936ba7
SHA1: 85d13f4dec21bd892faea0a5475e29c744697c0b
SHA256: 600df6a51522251cbb080e1fa5d8666044680d85c63a82459308cfa2f3890177
SHA512: 694f0a6da4d61fe6c741bb9a4423b1d1d7d497020f715e5656c4fcd60628ced4cffbf0b868b19ba3d3b5d3e7adba4b6d7a48a31f082e96d204add0f2c3a9bf57

Filesize: 390KB
MD5: 80bebea11fbe87108b08762a1bbff2cd
SHA1: a7ec111a792fd9a870841be430d130a545613782
SHA256: facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1
SHA512: a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6