Analysis
max time kernel: 239s
max time network: 240s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 12/08/2024, 12:40
Static task: static1
Behavioral task: behavioral1 (Sample: Token.msi, Resource: win10-20240611-en)
Behavioral task: behavioral2 (Sample: Token.msi, Resource: win7-20240729-en)
Behavioral task: behavioral3 (Sample: Token.msi, Resource: win10v2004-20240802-en)
Behavioral task: behavioral4 (Sample: Token.msi, Resource: win11-20240802-en)
General
Target: Token.msi
Size: 2.0MB
MD5: d5fa700a5b740ac0e6ac8bd62f3e129d
SHA1: 2a39f753237c93b77008a56c5089684a7394276f
SHA256: 32b1e239e53b40eedfc36a59816d20ceebd1ee44d8789ab951880fb86b01ce79
SHA512: 3e9fb1dfdc295b560e5096e07149ea2824bb7a7a93b4d5a4ee98bdc6db56de16b2169e068ece5bb356be8eb9973c25dc8202713b05b8b66ab35c89f4dacb7211
SSDEEP: 49152:oIuZDPa4VokfHr5fTsrDzsPEeZqvSqslrUfEJ0LY9c99d:oJo0rNsX+qUUfEeLEc99d
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description               ioc      Process
File opened (read-only)   \??\X:   msiexec.exe
File opened (read-only)   \??\I:   msiexec.exe
File opened (read-only)   \??\A:   msiexec.exe
File opened (read-only)   \??\W:   msiexec.exe
File opened (read-only)   \??\Q:   msiexec.exe
File opened (read-only)   \??\E:   msiexec.exe
File opened (read-only)   \??\G:   msiexec.exe
File opened (read-only)   \??\H:   msiexec.exe
File opened (read-only)   \??\L:   msiexec.exe
File opened (read-only)   \??\G:   msiexec.exe
File opened (read-only)   \??\L:   msiexec.exe
File opened (read-only)   \??\T:   msiexec.exe
File opened (read-only)   \??\P:   msiexec.exe
File opened (read-only)   \??\S:   msiexec.exe
File opened (read-only)   \??\W:   msiexec.exe
File opened (read-only)   \??\N:   msiexec.exe
File opened (read-only)   \??\P:   msiexec.exe
File opened (read-only)   \??\U:   msiexec.exe
File opened (read-only)   \??\Z:   msiexec.exe
File opened (read-only)   \??\O:   msiexec.exe
File opened (read-only)   \??\R:   msiexec.exe
File opened (read-only)   \??\Y:   msiexec.exe
File opened (read-only)   \??\B:   msiexec.exe
File opened (read-only)   \??\K:   msiexec.exe
File opened (read-only)   \??\M:   msiexec.exe
File opened (read-only)   \??\I:   msiexec.exe
File opened (read-only)   \??\M:   msiexec.exe
File opened (read-only)   \??\V:   msiexec.exe
File opened (read-only)   \??\J:   msiexec.exe
File opened (read-only)   \??\N:   msiexec.exe
File opened (read-only)   \??\O:   msiexec.exe
File opened (read-only)   \??\T:   msiexec.exe
File opened (read-only)   \??\Y:   msiexec.exe
File opened (read-only)   \??\B:   msiexec.exe
File opened (read-only)   \??\S:   msiexec.exe
File opened (read-only)   \??\K:   msiexec.exe
File opened (read-only)   \??\U:   msiexec.exe
File opened (read-only)   \??\V:   msiexec.exe
File opened (read-only)   \??\A:   msiexec.exe
File opened (read-only)   \??\R:   msiexec.exe
File opened (read-only)   \??\E:   msiexec.exe
File opened (read-only)   \??\H:   msiexec.exe
File opened (read-only)   \??\Q:   msiexec.exe
File opened (read-only)   \??\X:   msiexec.exe
File opened (read-only)   \??\J:   msiexec.exe
File opened (read-only)   \??\Z:   msiexec.exe
Drops file in Windows directory (3 IoCs)
description                    ioc                                   Process
File created                   C:\Windows\Installer\f77a6e9.msi      msiexec.exe
File opened for modification   C:\Windows\Installer\f77a6e9.msi      msiexec.exe
File opened for modification   C:\Windows\Installer\MSIA718.tmp      msiexec.exe
Loads dropped DLL (1 IoCs)
pid    Process
2844   MsiExec.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
pid    Process
1856   msiexec.exe
Program crash (1 IoCs)
pid    pid_target   Process        procid_target
2972   2844         WerFault.exe   31
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                              Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      MsiExec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid    Process
1992   msiexec.exe
1992   msiexec.exe
Suspicious use of AdjustPrivilegeToken (38 IoCs)
description                             pid    Process
Token: SeShutdownPrivilege              1856   msiexec.exe
Token: SeIncreaseQuotaPrivilege         1856   msiexec.exe
Token: SeRestorePrivilege               1992   msiexec.exe
Token: SeTakeOwnershipPrivilege         1992   msiexec.exe
Token: SeSecurityPrivilege              1992   msiexec.exe
Token: SeCreateTokenPrivilege           1856   msiexec.exe
Token: SeAssignPrimaryTokenPrivilege    1856   msiexec.exe
Token: SeLockMemoryPrivilege            1856   msiexec.exe
Token: SeIncreaseQuotaPrivilege         1856   msiexec.exe
Token: SeMachineAccountPrivilege        1856   msiexec.exe
Token: SeTcbPrivilege                   1856   msiexec.exe
Token: SeSecurityPrivilege              1856   msiexec.exe
Token: SeTakeOwnershipPrivilege         1856   msiexec.exe
Token: SeLoadDriverPrivilege            1856   msiexec.exe
Token: SeSystemProfilePrivilege         1856   msiexec.exe
Token: SeSystemtimePrivilege            1856   msiexec.exe
Token: SeProfSingleProcessPrivilege     1856   msiexec.exe
Token: SeIncBasePriorityPrivilege       1856   msiexec.exe
Token: SeCreatePagefilePrivilege        1856   msiexec.exe
Token: SeCreatePermanentPrivilege       1856   msiexec.exe
Token: SeBackupPrivilege                1856   msiexec.exe
Token: SeRestorePrivilege               1856   msiexec.exe
Token: SeShutdownPrivilege              1856   msiexec.exe
Token: SeDebugPrivilege                 1856   msiexec.exe
Token: SeAuditPrivilege                 1856   msiexec.exe
Token: SeSystemEnvironmentPrivilege     1856   msiexec.exe
Token: SeChangeNotifyPrivilege          1856   msiexec.exe
Token: SeRemoteShutdownPrivilege        1856   msiexec.exe
Token: SeUndockPrivilege                1856   msiexec.exe
Token: SeSyncAgentPrivilege             1856   msiexec.exe
Token: SeEnableDelegationPrivilege      1856   msiexec.exe
Token: SeManageVolumePrivilege          1856   msiexec.exe
Token: SeImpersonatePrivilege           1856   msiexec.exe
Token: SeCreateGlobalPrivilege          1856   msiexec.exe
Token: SeRestorePrivilege               1992   msiexec.exe
Token: SeTakeOwnershipPrivilege         1992   msiexec.exe
Token: SeRestorePrivilege               1992   msiexec.exe
Token: SeTakeOwnershipPrivilege         1992   msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid    Process
1856   msiexec.exe
Suspicious use of WriteProcessMemory (11 IoCs)
description                       pid    Process       procid_target
PID 1992 wrote to memory of 2844  1992   msiexec.exe   31
PID 1992 wrote to memory of 2844  1992   msiexec.exe   31
PID 1992 wrote to memory of 2844  1992   msiexec.exe   31
PID 1992 wrote to memory of 2844  1992   msiexec.exe   31
PID 1992 wrote to memory of 2844  1992   msiexec.exe   31
PID 1992 wrote to memory of 2844  1992   msiexec.exe   31
PID 1992 wrote to memory of 2844  1992   msiexec.exe   31
PID 2844 wrote to memory of 2972  2844   MsiExec.exe   32
PID 2844 wrote to memory of 2972  2844   MsiExec.exe   32
PID 2844 wrote to memory of 2972  2844   MsiExec.exe   32
PID 2844 wrote to memory of 2972  2844   MsiExec.exe   32
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Token.msi
  PID: 1856
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1992
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E929ADDC0312A486DEC418F5FC033400
    PID: 2844
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 604
      PID: 2972
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.0MB
MD5: e6970288df5ce47f2934253e5ed23946
SHA1: 8510efd3a9d2fa3c5066829677e93ac5cdefa9d5
SHA256: bc2de1e7c545dfa4eaf0ac3c3f53eef7baae2daf6c2df2b66293bd41ffb42514
SHA512: e0ce074e77dabe598d41c59b547b51d5bc1c4ea09e016f10cd95c642303eeabfef382969faa1c39cd6622f95e2ba03e73314bfb43bfa7faab8ac042225ad05ae