Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/08/2024, 08:09
Static task: static1
Behavioral task: behavioral1
- Sample: n-_f-.msi
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: n-_f-.msi
- Resource: win10v2004-20240802-en
General
- Target: n-_f-.msi
- Size: 18.3MB
- MD5: 32bb1aaee46bbd3c4f0f1a377f42219a
- SHA1: 59a265296ef44334bf6e0ae4ca5f7169e00a2f07
- SHA256: 6744a2143c101fdf686c601416c23040f07ad1d537a71186c63ca33a2bae6528
- SHA512: ba476ed26d7bbc8140c7da389154fc34e368107276c3a2856a401f45460c67283a95c4f8cd239e1f898214505e2ac6a59d55707b8dac0dd9283f8873508586fe
- SSDEEP: 393216:O/tTbXbRVYlqWSREziOTP2/SfGbEGyiUymAsnuoY9cwi4ssRit34LAZd:O/NXbRVQpzRPbGbEGyieuoWcwHiWL
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  Process: msiexec.exe
  ioc: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  (23 distinct drive letters, each opened twice by msiexec.exe, for 46 entries in total; C:, D: and F: do not appear in the list)
- Loads dropped DLL (7 IoCs)
  pid 5000 MsiExec.exe (7 entries)
- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid 2704 msiexec.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: MsiExec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 1440 msiexec.exe: SeSecurityPrivilege (1 entry)
  pid 2704 msiexec.exe: 63 entries covering 29 distinct privileges, the same set being requested repeatedly.
  Three entries each: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege.
  Two entries each: SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege.
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2704 msiexec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1440 msiexec.exe wrote to memory of PID 5000 (procid_target 86), 3 entries
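The signature list above is long mostly because the sandbox records the same event once per process (46 drive opens are 23 letters seen from two msiexec.exe instances) or the same privilege requested again (64 token entries collapse to 30 distinct privilege/PID pairs). Before comparing a report against a baseline of what the Windows Installer engine normally does, it helps to collapse the flat text into per-process sets. The Python below is an added triage helper written for this page; it is not sandbox output and not code from the sample. SAMPLE is a constructed excerpt that reuses the report's exact wording, the regexes assume that wording, and the PROCESS_TREE roles are read off the command lines in the Processes section (msiexec /I is the installing client, msiexec /V the service, MsiExec -Embedding the custom action server). The caveat a reader should keep in mind: every process and signature listed here belongs to the installer engine itself; what distinguishes this package is whatever the dropped DLLs loaded by PID 5000 do, and these signatures do not show that.

```python
"""Normalize the flattened signature IoC text of a sandbox report.

Added triage helper, not part of the report. It scans the "description ioc
Process" runs for drive enumeration, privilege adjustment, registry reads and
cross-process writes, de-duplicates them per process and returns counts a
triager can compare against a baseline. The regexes assume the exact wording
used in the report above; SAMPLE is a constructed excerpt in that wording.
"""
import re
import string
from collections import Counter, defaultdict

# Constructed excerpt: same phrasing as the report, a few entries of each kind.
SAMPLE = (
    r"File opened (read-only) \??\R: msiexec.exe "
    r"File opened (read-only) \??\X: msiexec.exe "
    r"File opened (read-only) \??\R: msiexec.exe "
    r"File opened (read-only) \??\B: msiexec.exe "
    r"Token: SeShutdownPrivilege 2704 msiexec.exe "
    r"Token: SeIncreaseQuotaPrivilege 2704 msiexec.exe "
    r"Token: SeSecurityPrivilege 1440 msiexec.exe "
    r"Token: SeShutdownPrivilege 2704 msiexec.exe "
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe "
    r"PID 1440 wrote to memory of 5000 1440 msiexec.exe 86 "
    r"PID 1440 wrote to memory of 5000 1440 msiexec.exe 86"
)

# One pattern per IoC kind, matching the report's "description ioc Process" layout.
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+\.exe)")
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+\.exe)")
KEY_RE = re.compile(r"Key opened (\\REGISTRY\\\S+) (\S+\.exe)")
# Source PID appears twice in each WriteProcessMemory entry; \1 enforces that.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+\.exe) (\d+)")

# PIDs as shown in the report's process tree; roles inferred from the command lines.
PROCESS_TREE = {
    2704: ("msiexec.exe", "client, msiexec /I <package>"),
    1440: ("msiexec.exe", "service, msiexec /V"),
    5000: ("MsiExec.exe", "custom action server, -Embedding"),
}


def summarize(text):
    """Return per-process, de-duplicated views of the four IoC kinds."""
    drives = defaultdict(Counter)   # image -> Counter of drive letters opened
    privs = defaultdict(set)        # pid -> distinct privileges adjusted
    keys = defaultdict(set)         # image -> registry keys opened
    writes = Counter()              # (source pid, target pid, source image) -> entries
    for m in DRIVE_RE.finditer(text):
        drives[m.group(2)][m.group(1)] += 1
    for m in TOKEN_RE.finditer(text):
        privs[int(m.group(2))].add(m.group(1))
    for m in KEY_RE.finditer(text):
        keys[m.group(2)].add(m.group(1))
    for m in WPM_RE.finditer(text):
        writes[(int(m.group(1)), int(m.group(2)), m.group(3))] += 1
    return {"drives": drives, "privs": privs, "keys": keys, "writes": writes}


def absent_drives(letter_counts):
    """Drive letters A-Z never opened; on the full report this is C, D and F."""
    return sorted(set(string.ascii_uppercase) - set(letter_counts))


def render(summary, tree):
    """Human-readable lines, one per image/PID, for a quick side-by-side with a baseline."""
    lines = []
    for image, counts in summary["drives"].items():
        lines.append(f"{image}: {len(counts)} distinct drive letters in "
                     f"{sum(counts.values())} entries; absent {absent_drives(counts)}")
    for pid, names in sorted(summary["privs"].items()):
        image, role = tree.get(pid, ("?", "unknown"))
        lines.append(f"pid {pid} {image} ({role}): {len(names)} distinct privileges")
    for (src, dst, image), n in summary["writes"].items():
        lines.append(f"{image} pid {src} -> pid {dst}: {n} WriteProcessMemory entries")
    return lines


if __name__ == "__main__":
    for line in render(summarize(SAMPLE), PROCESS_TREE):
        print(line)
```

To run it on the real report, paste the signature text into SAMPLE (or read it from a file); the counts then reproduce the 23-letter and 30-pair figures stated above, and any image or PID missing from PROCESS_TREE is reported with an "unknown" role rather than silently assumed to be the installer.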
Processes
- C:\Windows\system32\msiexec.exe (PID 2704)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\n-_f-.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 1440)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\syswow64\MsiExec.exe (PID 5000)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding B595324D24B2A6576D21987AE1C61791 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 904KB
  MD5: 421643ee7bb89e6df092bc4b18a40ff8
  SHA1: e801582a6dd358060a699c9c5cde31cd07ee49ab
  SHA256: d6b89fd5a95071e7b144d8bedcb09b694e9cd14bfbfafb782b17cf8413eac6da
  SHA512: d59c4ec7690e535da84f94bef2be7f94d6bfd0b2908fa9a67d0897abe8a2825fd52354c495ea1a7f133f727c2ee356869cc80bacf5557864d535a72d8c396023