Analysis

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/08/2024, 11:27

Static task: static1

Behavioral task: behavioral1
  Sample: d5cfd09fd7161493290e9e15a2bdbe15.msi
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: d5cfd09fd7161493290e9e15a2bdbe15.msi
  Resource: win10v2004-20240802-en
General

Target: d5cfd09fd7161493290e9e15a2bdbe15.msi
Size: 4.8MB
MD5: d5cfd09fd7161493290e9e15a2bdbe15
SHA1: d9494f1c796f4b301692f0d16b54248514258fd4
SHA256: e8a5b808ec57fa33d43f8ca7cc74a7c7e00166dc9307fe1e82fc1e099f0cf5e6
SHA512: 900aff0edc22a4f727909b54e8c6f85af9496e1957a8b9b5444c55b90dca15715e442b5958cecffa55a68f10d5e6b8cb56e220e005602569fd1cdbade3c75a02
SSDEEP: 98304:2kufFjyn453oxsC3gB02bIE2g32rYEc2ufqcn2:2kN4+WCL2yg3yuCZ
Malware Config
Signatures
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2D2E99F-4644-3F67-EC9C-1B2D2B44158B.lnk | MsiExec.exe
Blocklisted process makes network request 1 IoCs
flow | pid | Process
5 | 3248 | MsiExec.exe
Downloads MZ/PE file
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
43 | api.ipify.org
Drops file in Windows directory 13 IoCs
description | ioc | Process
File created | C:\Windows\Installer\SourceHash{D2C04E3D-EEB6-47B0-80D5-771D973B91FB} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7561.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI769C.tmp | msiexec.exe
File created | C:\Windows\Installer\e57738a.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI73D8.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI74E3.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI760F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\e57738e.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57738a.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7591.tmp | msiexec.exe
Executes dropped EXE 2 IoCs
pid | Process
2380 | Rar.exe
4952 | 4B418BC0-E4F6-890E-42CE-C5B4916165A1.exe
Loads dropped DLL 9 IoCs
pid | Process
3248 | MsiExec.exe
3248 | MsiExec.exe
3248 | MsiExec.exe
3248 | MsiExec.exe
3248 | MsiExec.exe
4952 | 4B418BC0-E4F6-890E-42CE-C5B4916165A1.exe
4952 | 4B418BC0-E4F6-890E-42CE-C5B4916165A1.exe
4952 | 4B418BC0-E4F6-890E-42CE-C5B4916165A1.exe
4952 | 4B418BC0-E4F6-890E-42CE-C5B4916165A1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
1256 | msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 5 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
932 | msiexec.exe
932 | msiexec.exe
932 | msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4952 | 4B418BC0-E4F6-890E-42CE-C5B4916165A1.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 1256 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1256 | msiexec.exe
Token: SeSecurityPrivilege | 932 | msiexec.exe
Token: SeCreateTokenPrivilege | 1256 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 1256 | msiexec.exe
Token: SeLockMemoryPrivilege | 1256 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1256 | msiexec.exe
Token: SeMachineAccountPrivilege | 1256 | msiexec.exe
Token: SeTcbPrivilege | 1256 | msiexec.exe
Token: SeSecurityPrivilege | 1256 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1256 | msiexec.exe
Token: SeLoadDriverPrivilege | 1256 | msiexec.exe
Token: SeSystemProfilePrivilege | 1256 | msiexec.exe
Token: SeSystemtimePrivilege | 1256 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 1256 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 1256 | msiexec.exe
Token: SeCreatePagefilePrivilege | 1256 | msiexec.exe
Token: SeCreatePermanentPrivilege | 1256 | msiexec.exe
Token: SeBackupPrivilege | 1256 | msiexec.exe
Token: SeRestorePrivilege | 1256 | msiexec.exe
Token: SeShutdownPrivilege | 1256 | msiexec.exe
Token: SeDebugPrivilege | 1256 | msiexec.exe
Token: SeAuditPrivilege | 1256 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 1256 | msiexec.exe
Token: SeChangeNotifyPrivilege | 1256 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 1256 | msiexec.exe
Token: SeUndockPrivilege | 1256 | msiexec.exe
Token: SeSyncAgentPrivilege | 1256 | msiexec.exe
Token: SeEnableDelegationPrivilege | 1256 | msiexec.exe
Token: SeManageVolumePrivilege | 1256 | msiexec.exe
Token: SeImpersonatePrivilege | 1256 | msiexec.exe
Token: SeCreateGlobalPrivilege | 1256 | msiexec.exe
Token: SeRestorePrivilege | 932 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 932 | msiexec.exe
Token: SeRestorePrivilege | 932 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 932 | msiexec.exe
Token: SeRestorePrivilege | 932 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 932 | msiexec.exe
Token: SeRestorePrivilege | 932 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 932 | msiexec.exe
Token: SeRestorePrivilege | 932 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 932 | msiexec.exe
Token: SeRestorePrivilege | 932 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 932 | msiexec.exe
Token: SeRestorePrivilege | 932 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 932 | msiexec.exe
Token: SeRestorePrivilege | 932 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 932 | msiexec.exe
Token: SeRestorePrivilege | 932 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 932 | msiexec.exe
Token: SeRestorePrivilege | 932 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 932 | msiexec.exe
Token: SeRestorePrivilege | 932 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 932 | msiexec.exe
Token: SeRestorePrivilege | 932 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 932 | msiexec.exe
Token: SeRestorePrivilege | 932 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 932 | msiexec.exe
Token: SeRestorePrivilege | 932 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 932 | msiexec.exe
Token: SeRestorePrivilege | 932 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 932 | msiexec.exe
Token: SeRestorePrivilege | 932 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 932 | msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1256 | msiexec.exe
1256 | msiexec.exe
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 932 wrote to memory of 3248 | 932 | msiexec.exe | 86
PID 932 wrote to memory of 3248 | 932 | msiexec.exe | 86
PID 932 wrote to memory of 3248 | 932 | msiexec.exe | 86
PID 3248 wrote to memory of 2380 | 3248 | MsiExec.exe | 95
PID 3248 wrote to memory of 2380 | 3248 | MsiExec.exe | 95
PID 3248 wrote to memory of 4952 | 3248 | MsiExec.exe | 97
PID 3248 wrote to memory of 4952 | 3248 | MsiExec.exe | 97
Processes

(depth 1) C:\Windows\system32\msiexec.exe
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d5cfd09fd7161493290e9e15a2bdbe15.msi
    PID: 1256
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

(depth 1) C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 932
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    (depth 2) C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 14210C27599036DCEB4A3361724BC220
        PID: 3248
        - Drops startup file
        - Blocklisted process makes network request
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        (depth 3) C:\Users\Public\Videos\Rar.exe
            Command line: "C:\Users\Public\Videos\Rar.exe" x -df -y "C:\Users\Public\Videos\B2C24C72-794E-B465-3157-D285AFB51A2F.rar" "C:\Users\Public\Videos\"
            PID: 2380
            - Executes dropped EXE

        (depth 3) C:\Users\Public\Videos\4B418BC0-E4F6-890E-42CE-C5B4916165A1.exe
            Command line: "C:\Users\Public\Videos\4B418BC0-E4F6-890E-42CE-C5B4916165A1.exe"
            PID: 4952
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 8KB
MD5: e8ab1cf8527012f8d24790be42db6ed7
SHA1: e37e0b1e5d5c924bc4da345ffadaeb38d8802a4e
SHA256: 72a7e50194cff324cc73c870b7d9409d1d403e4417ff9177397a88444b16a031
SHA512: d5716bc830bed96a8fc0e1828a62f7965bdcfdb4df33f33902faac559c087cf6b90edc79587519509edc9018a0daed1ddac57c0f4e8e99cc2f707af2966090e4

Filesize: 5.2MB
MD5: 37cbc8e2984692b482baf3c7a63caf0e
SHA1: 4f6b410e8236bde9680bf0d763de7da70582f2cd
SHA256: c087eeefacdfcce51e9d4218832a522eef4bf7058ebc3390e98298b04859412e
SHA512: 9211151d2acac76e7cd36ae3508fe9827153703af533bd16eb6652a5271e25f0bba83702cfec5efacd34e1d7882fb5f2450e1e332adfd652680fcd659e968799

Filesize: 639KB
MD5: c00caf990793d69120a0abc4bf0e3210
SHA1: f5556f65bdbc1dd62286d353312646215a14f079
SHA256: 04c777837d0d418e78fddbbb35587b205e1a424adda5a552363e2164cf2df686
SHA512: a93365fc0ecf746c074d08fd784c6af7556d06e2646b2b167b67d03554e8dcc37f67804562fcdb4a09a2e117db3f893e4cc192280145531354cea7605e834e14

Filesize: 744KB
MD5: 16659ae52ce03889ad19db1f5710c6aa
SHA1: 66b814fe3be64229e2cc19f0a4460e123ba74971
SHA256: 0b1866b627d8078d296e7d39583c9f856117be79c1d226b8c9378fe075369118
SHA512: f9dd360c3a230131c08c4d5f838457f690ed4094ec166acd9f141b7603f649cfa71a47ea80e9ff41b8296246bdc1c72a75288f9a836c18431e06c2e8e3fc8398

Filesize: 385KB
MD5: a986b3caa090d8c2cc75955c983f2da9
SHA1: 7108c3a44918bfb35bff01bd654eeb23df0b6abd
SHA256: 68380282f65cd2a772f6743b05761f9abd6c4dcf0f326af2e0873e5f0985f985
SHA512: 474aef5956f128466e0c28601e1b36da252bdcf442d9fa8fe82e70875d172a2dbafdb9135780782be83ea6b7e226043ac62ee7d2b4d1059fcdf08296754da4e9

Filesize: 6.1MB
MD5: eaa6283d8347efa2e55ca93521fcd401
SHA1: 4328270dba1cf7bb4f33e039697dbbf88743c665
SHA256: 69967f642ef23e5b53f7c010f6971872abf2f008218ffbbd964229f3e62d19bb
SHA512: 51b2e5916b04119db855a97149b717d1626da9574ddfb1d5735e9904ce943b52a93c935c417eb39faf6f6760575da7bc3e6d1c4a2d9ec61877319e958e5a702a

Filesize: 816KB
MD5: aa88d8f40a286b6d40de0f3abc836cfa
SHA1: c24eab9e4b10b159b589f4c3b64ef3db111ea1c8
SHA256: 8d633efeda1249356b11bf8f46583242356e4f903056b53bd25a99511d1790a1
SHA512: 6c2f2f6a2d66015f30158962d653e381136f0f30023380a0ce95bd0944d856113fbde65db52dbb3b5de1c0e2edf2cd53184e721c64b916834be4198c61224519