Analysis
-
max time kernel
147s -
max time network
154s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
11/08/2024, 20:42
Static task
static1
Behavioral task
behavioral1
Sample
Wallet.msi
Resource
win7-20240704-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
Wallet.msi
Resource
win10-20240404-en
windows10-1703-x64
10 signatures
150 seconds
Behavioral task
behavioral3
Sample
Wallet.msi
Resource
win10v2004-20240802-en
windows10-2004-x64
10 signatures
150 seconds
Behavioral task
behavioral4
Sample
Wallet.msi
Resource
win11-20240802-en
windows11-21h2-x64
10 signatures
150 seconds
General
-
Target
Wallet.msi
-
Size
1.6MB
-
MD5
232855725fdfa00b59e7c0066942b7ff
-
SHA1
f08533026efd8080a83343efcd88521a4b5068fa
-
SHA256
db6132529852ea5707bfdd46195ac03e589eeb59ae12ac54e170b50a4ae0b3e6
-
SHA512
3cb4acc32627f46c89061e0ef7f530c1d780d29d8a4dd67ee6ad7dbfb0e58406da490c7700aafdde63d7af61ac536b5daca8af69dc736e1cff4226f03c48bc2d
-
SSDEEP
49152:pWJ3+JA3iD1Vwt0Cay8NwXKO15sUXOwz2oTw/B:pWJ8A3Ost0CfZXT1ZO2w/
Score
6/10
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\Installer\e579a9a.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI9AE8.tmp msiexec.exe File created C:\Windows\Installer\e579a9a.msi msiexec.exe -
Loads dropped DLL 2 IoCs
pid Process 4204 MsiExec.exe 4204 MsiExec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 3848 msiexec.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2040 4204 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3896 msiexec.exe 3896 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: SeShutdownPrivilege 3848 msiexec.exe Token: SeIncreaseQuotaPrivilege 3848 msiexec.exe Token: SeSecurityPrivilege 3896 msiexec.exe Token: SeCreateTokenPrivilege 3848 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3848 msiexec.exe Token: SeLockMemoryPrivilege 3848 msiexec.exe Token: SeIncreaseQuotaPrivilege 3848 msiexec.exe Token: SeMachineAccountPrivilege 3848 msiexec.exe Token: SeTcbPrivilege 3848 msiexec.exe Token: SeSecurityPrivilege 3848 msiexec.exe Token: SeTakeOwnershipPrivilege 3848 msiexec.exe Token: SeLoadDriverPrivilege 3848 msiexec.exe Token: SeSystemProfilePrivilege 3848 msiexec.exe Token: SeSystemtimePrivilege 3848 msiexec.exe Token: SeProfSingleProcessPrivilege 3848 msiexec.exe Token: SeIncBasePriorityPrivilege 3848 msiexec.exe Token: SeCreatePagefilePrivilege 3848 msiexec.exe Token: SeCreatePermanentPrivilege 3848 msiexec.exe Token: SeBackupPrivilege 3848 msiexec.exe Token: SeRestorePrivilege 3848 msiexec.exe Token: SeShutdownPrivilege 3848 msiexec.exe Token: SeDebugPrivilege 3848 msiexec.exe Token: SeAuditPrivilege 3848 msiexec.exe Token: SeSystemEnvironmentPrivilege 3848 msiexec.exe Token: SeChangeNotifyPrivilege 3848 msiexec.exe Token: SeRemoteShutdownPrivilege 3848 msiexec.exe Token: SeUndockPrivilege 3848 msiexec.exe Token: SeSyncAgentPrivilege 3848 msiexec.exe Token: SeEnableDelegationPrivilege 3848 msiexec.exe Token: SeManageVolumePrivilege 3848 msiexec.exe Token: SeImpersonatePrivilege 3848 msiexec.exe Token: SeCreateGlobalPrivilege 3848 msiexec.exe Token: SeRestorePrivilege 3896 msiexec.exe Token: SeTakeOwnershipPrivilege 3896 msiexec.exe Token: SeRestorePrivilege 3896 msiexec.exe Token: SeTakeOwnershipPrivilege 3896 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3848 msiexec.exe 3848 msiexec.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3896 wrote to memory of 4204 3896 msiexec.exe 84 PID 3896 wrote to memory of 4204 3896 msiexec.exe 84 PID 3896 wrote to memory of 4204 3896 msiexec.exe 84
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Wallet.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3848
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8CC1C15604B0AF9CE1EA169485262BF12⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4204 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 10403⤵
- Program crash
PID:2040
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4204 -ip 42041⤵PID:580
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD5e93fc74b28319ecb5ca6fd8756fcbe33
SHA1781b74da8a681a41b4e8a1a300f8f5dcf2088789
SHA256664a6383e229551f56429d648aa81791174579c6918ed373e206087a859e3951
SHA512899e7b81645778f6bf57c0195e4e06f74f62494287f1c5e7ee96b9317a7768d10e5c62dccaab426735d528d49ad6cf6d26993ae2aa5e4cd6bb5caba96c232e53