Analysis
-
max time kernel
138s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19/08/2024, 09:46
Static task
static1
Behavioral task
behavioral1
Sample
d5cfd09fd7161493290e9e15a2bdbe15.msi
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
d5cfd09fd7161493290e9e15a2bdbe15.msi
Resource
win10v2004-20240802-en
General
-
Target
d5cfd09fd7161493290e9e15a2bdbe15.msi
-
Size
4.8MB
-
MD5
d5cfd09fd7161493290e9e15a2bdbe15
-
SHA1
d9494f1c796f4b301692f0d16b54248514258fd4
-
SHA256
e8a5b808ec57fa33d43f8ca7cc74a7c7e00166dc9307fe1e82fc1e099f0cf5e6
-
SHA512
900aff0edc22a4f727909b54e8c6f85af9496e1957a8b9b5444c55b90dca15715e442b5958cecffa55a68f10d5e6b8cb56e220e005602569fd1cdbade3c75a02
-
SSDEEP
98304:2kufFjyn453oxsC3gB02bIE2g32rYEc2ufqcn2:2kN4+WCL2yg3yuCZ
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C1FE96FD-8E35-910A-5104-47BB4DCBD0F9.lnk MsiExec.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 13 1492 MsiExec.exe -
Downloads MZ/PE file
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\L: msiexec.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 45 api.ipify.org -
Drops file in Windows directory 13 IoCs
description ioc Process File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\e57aab7.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIAC1F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIACAE.tmp msiexec.exe File created C:\Windows\Installer\e57aab7.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIAC7E.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\SourceHash{D2C04E3D-EEB6-47B0-80D5-771D973B91FB} msiexec.exe File created C:\Windows\Installer\e57aabb.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIAE27.tmp msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIAB05.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIAD8A.tmp msiexec.exe -
Executes dropped EXE 2 IoCs
pid Process 2012 Rar.exe 3472 4A073466-D405-7164-BCBC-08428D72F4A4.exe -
Loads dropped DLL 9 IoCs
pid Process 1492 MsiExec.exe 1492 MsiExec.exe 1492 MsiExec.exe 1492 MsiExec.exe 1492 MsiExec.exe 3472 4A073466-D405-7164-BCBC-08428D72F4A4.exe 3472 4A073466-D405-7164-BCBC-08428D72F4A4.exe 3472 4A073466-D405-7164-BCBC-08428D72F4A4.exe 3472 4A073466-D405-7164-BCBC-08428D72F4A4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 3560 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 13 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3056 msiexec.exe 3056 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3472 4A073466-D405-7164-BCBC-08428D72F4A4.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3560 msiexec.exe Token: SeIncreaseQuotaPrivilege 3560 msiexec.exe Token: SeSecurityPrivilege 3056 msiexec.exe Token: SeCreateTokenPrivilege 3560 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3560 msiexec.exe Token: SeLockMemoryPrivilege 3560 msiexec.exe Token: SeIncreaseQuotaPrivilege 3560 msiexec.exe Token: SeMachineAccountPrivilege 3560 msiexec.exe Token: SeTcbPrivilege 3560 msiexec.exe Token: SeSecurityPrivilege 3560 msiexec.exe Token: SeTakeOwnershipPrivilege 3560 msiexec.exe Token: SeLoadDriverPrivilege 3560 msiexec.exe Token: SeSystemProfilePrivilege 3560 msiexec.exe Token: SeSystemtimePrivilege 3560 msiexec.exe Token: SeProfSingleProcessPrivilege 3560 msiexec.exe Token: SeIncBasePriorityPrivilege 3560 msiexec.exe Token: SeCreatePagefilePrivilege 3560 msiexec.exe Token: SeCreatePermanentPrivilege 3560 msiexec.exe Token: SeBackupPrivilege 3560 msiexec.exe Token: SeRestorePrivilege 3560 msiexec.exe Token: SeShutdownPrivilege 3560 msiexec.exe Token: SeDebugPrivilege 3560 msiexec.exe Token: SeAuditPrivilege 3560 msiexec.exe Token: SeSystemEnvironmentPrivilege 3560 msiexec.exe Token: SeChangeNotifyPrivilege 3560 msiexec.exe Token: SeRemoteShutdownPrivilege 3560 msiexec.exe Token: SeUndockPrivilege 3560 msiexec.exe Token: SeSyncAgentPrivilege 3560 msiexec.exe Token: SeEnableDelegationPrivilege 3560 msiexec.exe Token: SeManageVolumePrivilege 3560 msiexec.exe Token: SeImpersonatePrivilege 3560 msiexec.exe Token: SeCreateGlobalPrivilege 3560 msiexec.exe Token: SeRestorePrivilege 3056 msiexec.exe Token: SeTakeOwnershipPrivilege 3056 msiexec.exe Token: SeRestorePrivilege 3056 msiexec.exe Token: SeTakeOwnershipPrivilege 3056 msiexec.exe Token: SeRestorePrivilege 3056 msiexec.exe Token: SeTakeOwnershipPrivilege 3056 msiexec.exe Token: SeRestorePrivilege 3056 msiexec.exe Token: SeTakeOwnershipPrivilege 3056 msiexec.exe Token: SeRestorePrivilege 3056 msiexec.exe Token: SeTakeOwnershipPrivilege 3056 msiexec.exe Token: SeRestorePrivilege 3056 msiexec.exe Token: SeTakeOwnershipPrivilege 3056 msiexec.exe Token: SeRestorePrivilege 3056 msiexec.exe Token: SeTakeOwnershipPrivilege 3056 msiexec.exe Token: SeRestorePrivilege 3056 msiexec.exe Token: SeTakeOwnershipPrivilege 3056 msiexec.exe Token: SeRestorePrivilege 3056 msiexec.exe Token: SeTakeOwnershipPrivilege 3056 msiexec.exe Token: SeRestorePrivilege 3056 msiexec.exe Token: SeTakeOwnershipPrivilege 3056 msiexec.exe Token: SeRestorePrivilege 3056 msiexec.exe Token: SeTakeOwnershipPrivilege 3056 msiexec.exe Token: SeRestorePrivilege 3056 msiexec.exe Token: SeTakeOwnershipPrivilege 3056 msiexec.exe Token: SeRestorePrivilege 3056 msiexec.exe Token: SeTakeOwnershipPrivilege 3056 msiexec.exe Token: SeRestorePrivilege 3056 msiexec.exe Token: SeTakeOwnershipPrivilege 3056 msiexec.exe Token: SeRestorePrivilege 3056 msiexec.exe Token: SeTakeOwnershipPrivilege 3056 msiexec.exe Token: SeRestorePrivilege 3056 msiexec.exe Token: SeTakeOwnershipPrivilege 3056 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3560 msiexec.exe 3560 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 3056 wrote to memory of 1492 3056 msiexec.exe 87 PID 3056 wrote to memory of 1492 3056 msiexec.exe 87 PID 3056 wrote to memory of 1492 3056 msiexec.exe 87 PID 1492 wrote to memory of 2012 1492 MsiExec.exe 98 PID 1492 wrote to memory of 2012 1492 MsiExec.exe 98 PID 1492 wrote to memory of 3472 1492 MsiExec.exe 100 PID 1492 wrote to memory of 3472 1492 MsiExec.exe 100
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d5cfd09fd7161493290e9e15a2bdbe15.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3560
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1B660F234BB3C0348CAA3F5768D464A92⤵
- Drops startup file
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Users\Public\Videos\Rar.exe"C:\Users\Public\Videos\Rar.exe" x -df -y "C:\Users\Public\Videos\4264AEE2-12ED-D1A6-CC0E-592088C8E805.rar" "C:\Users\Public\Videos\"3⤵
- Executes dropped EXE
PID:2012
-
-
C:\Users\Public\Videos\4A073466-D405-7164-BCBC-08428D72F4A4.exe"C:\Users\Public\Videos\4A073466-D405-7164-BCBC-08428D72F4A4.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:3472
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD567bd1972ced82ade01ff4b3b1e174e20
SHA12b910185c9cc483e16be12d53030ade9187b1586
SHA256010a1459c9b6568aeeb019a073b2a614e0a0c7c8b6d8b746053207c826c008c8
SHA512996eb7c63fbaf8bf4e28e90e207c705ae5c1f664807bf87e12520f663f6db980081b1f79b9d0550829b65de0fcfab8e267165f597b05a57d3fcdf52ae4ff8261
-
Filesize
5.2MB
MD537cbc8e2984692b482baf3c7a63caf0e
SHA14f6b410e8236bde9680bf0d763de7da70582f2cd
SHA256c087eeefacdfcce51e9d4218832a522eef4bf7058ebc3390e98298b04859412e
SHA5129211151d2acac76e7cd36ae3508fe9827153703af533bd16eb6652a5271e25f0bba83702cfec5efacd34e1d7882fb5f2450e1e332adfd652680fcd659e968799
-
Filesize
639KB
MD5c00caf990793d69120a0abc4bf0e3210
SHA1f5556f65bdbc1dd62286d353312646215a14f079
SHA25604c777837d0d418e78fddbbb35587b205e1a424adda5a552363e2164cf2df686
SHA512a93365fc0ecf746c074d08fd784c6af7556d06e2646b2b167b67d03554e8dcc37f67804562fcdb4a09a2e117db3f893e4cc192280145531354cea7605e834e14
-
Filesize
744KB
MD516659ae52ce03889ad19db1f5710c6aa
SHA166b814fe3be64229e2cc19f0a4460e123ba74971
SHA2560b1866b627d8078d296e7d39583c9f856117be79c1d226b8c9378fe075369118
SHA512f9dd360c3a230131c08c4d5f838457f690ed4094ec166acd9f141b7603f649cfa71a47ea80e9ff41b8296246bdc1c72a75288f9a836c18431e06c2e8e3fc8398
-
Filesize
385KB
MD5a986b3caa090d8c2cc75955c983f2da9
SHA17108c3a44918bfb35bff01bd654eeb23df0b6abd
SHA25668380282f65cd2a772f6743b05761f9abd6c4dcf0f326af2e0873e5f0985f985
SHA512474aef5956f128466e0c28601e1b36da252bdcf442d9fa8fe82e70875d172a2dbafdb9135780782be83ea6b7e226043ac62ee7d2b4d1059fcdf08296754da4e9
-
Filesize
6.1MB
MD5eaa6283d8347efa2e55ca93521fcd401
SHA14328270dba1cf7bb4f33e039697dbbf88743c665
SHA25669967f642ef23e5b53f7c010f6971872abf2f008218ffbbd964229f3e62d19bb
SHA51251b2e5916b04119db855a97149b717d1626da9574ddfb1d5735e9904ce943b52a93c935c417eb39faf6f6760575da7bc3e6d1c4a2d9ec61877319e958e5a702a
-
Filesize
816KB
MD5aa88d8f40a286b6d40de0f3abc836cfa
SHA1c24eab9e4b10b159b589f4c3b64ef3db111ea1c8
SHA2568d633efeda1249356b11bf8f46583242356e4f903056b53bd25a99511d1790a1
SHA5126c2f2f6a2d66015f30158962d653e381136f0f30023380a0ce95bd0944d856113fbde65db52dbb3b5de1c0e2edf2cd53184e721c64b916834be4198c61224519