Analysis
max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 19/08/2024, 09:52

Static task: static1
Behavioral task: behavioral1
  Sample: e8a5b808ec57fa33d43f8ca7cc74a7c7e00166dc9307fe1e82fc1e099f0cf5e6.msi
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: e8a5b808ec57fa33d43f8ca7cc74a7c7e00166dc9307fe1e82fc1e099f0cf5e6.msi
  Resource: win10v2004-20240802-en

General
Target: e8a5b808ec57fa33d43f8ca7cc74a7c7e00166dc9307fe1e82fc1e099f0cf5e6.msi
Size: 4.8MB
MD5: d5cfd09fd7161493290e9e15a2bdbe15
SHA1: d9494f1c796f4b301692f0d16b54248514258fd4
SHA256: e8a5b808ec57fa33d43f8ca7cc74a7c7e00166dc9307fe1e82fc1e099f0cf5e6
SHA512: 900aff0edc22a4f727909b54e8c6f85af9496e1957a8b9b5444c55b90dca15715e442b5958cecffa55a68f10d5e6b8cb56e220e005602569fd1cdbade3c75a02
SSDEEP: 98304:2kufFjyn453oxsC3gB02bIE2g32rYEc2ufqcn2:2kN4+WCL2yg3yuCZ
Malware Config
Signatures
-
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\f774579.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f774579.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4634.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI48D4.tmp | msiexec.exe
Loads dropped DLL (2 IoCs)
pid | Process
2732 | MsiExec.exe
2732 | MsiExec.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
pid | Process
2596 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Suspicious use of AdjustPrivilegeToken (40 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2596 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2596 | msiexec.exe
Token: SeRestorePrivilege | 2760 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2760 | msiexec.exe
Token: SeSecurityPrivilege | 2760 | msiexec.exe
Token: SeCreateTokenPrivilege | 2596 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2596 | msiexec.exe
Token: SeLockMemoryPrivilege | 2596 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2596 | msiexec.exe
Token: SeMachineAccountPrivilege | 2596 | msiexec.exe
Token: SeTcbPrivilege | 2596 | msiexec.exe
Token: SeSecurityPrivilege | 2596 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2596 | msiexec.exe
Token: SeLoadDriverPrivilege | 2596 | msiexec.exe
Token: SeSystemProfilePrivilege | 2596 | msiexec.exe
Token: SeSystemtimePrivilege | 2596 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2596 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2596 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2596 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2596 | msiexec.exe
Token: SeBackupPrivilege | 2596 | msiexec.exe
Token: SeRestorePrivilege | 2596 | msiexec.exe
Token: SeShutdownPrivilege | 2596 | msiexec.exe
Token: SeDebugPrivilege | 2596 | msiexec.exe
Token: SeAuditPrivilege | 2596 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2596 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2596 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2596 | msiexec.exe
Token: SeUndockPrivilege | 2596 | msiexec.exe
Token: SeSyncAgentPrivilege | 2596 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2596 | msiexec.exe
Token: SeManageVolumePrivilege | 2596 | msiexec.exe
Token: SeImpersonatePrivilege | 2596 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2596 | msiexec.exe
Token: SeRestorePrivilege | 2760 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2760 | msiexec.exe
Token: SeRestorePrivilege | 2760 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2760 | msiexec.exe
Token: SeRestorePrivilege | 2760 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2760 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2596 | msiexec.exe
2596 | msiexec.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2760 wrote to memory of 2732 | 2760 | msiexec.exe | 31
PID 2760 wrote to memory of 2732 | 2760 | msiexec.exe | 31
PID 2760 wrote to memory of 2732 | 2760 | msiexec.exe | 31
PID 2760 wrote to memory of 2732 | 2760 | msiexec.exe | 31
PID 2760 wrote to memory of 2732 | 2760 | msiexec.exe | 31
PID 2760 wrote to memory of 2732 | 2760 | msiexec.exe | 31
PID 2760 wrote to memory of 2732 | 2760 | msiexec.exe | 31
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e8a5b808ec57fa33d43f8ca7cc74a7c7e00166dc9307fe1e82fc1e099f0cf5e6.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2596

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2760

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 99B6DFC15E00460785BB03A76351710E
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2732
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 816KB
MD5: aa88d8f40a286b6d40de0f3abc836cfa
SHA1: c24eab9e4b10b159b589f4c3b64ef3db111ea1c8
SHA256: 8d633efeda1249356b11bf8f46583242356e4f903056b53bd25a99511d1790a1
SHA512: 6c2f2f6a2d66015f30158962d653e381136f0f30023380a0ce95bd0944d856113fbde65db52dbb3b5de1c0e2edf2cd53184e721c64b916834be4198c61224519