Analysis
  max time kernel: 309s
  max time network: 315s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23/08/2024, 13:04
Static task: static1
Behavioral task: behavioral1
  Sample: x64_x32_installer__v4.1.1.msi
  Resource: win10v2004-20240802-en
General
  Target: x64_x32_installer__v4.1.1.msi
  Size: 34.3MB
  MD5: d00dfa1254adae89e3d61f58ff09ba9b
  SHA1: 110b147dee11dc7fc5f9411f977e2f94f0259a91
  SHA256: 9b0bcf400badc55d3acc1db7b9e086135ee2a87dd8e1f9bab2f4dbd642a51dfd
  SHA512: 3c581c5437e33c61adfcd5dd0c41714ccbe8797556d4e8bc1941f5090a28120a6dee061e7f2acc6efe43d7ee43311ef13ee9215a99eb00d572f433669ee7499d
  SSDEEP: 786432:rt9sUyTDXySTjxA4Ztx2+G+N0WYQYBXPByttH+dktHEDv0y2beW:rt9M7xVLYjsp+ikJ2yW
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
  flow | pid  | Process
  32   | 3512 | MsiExec.exe
  35   | 3512 | MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description             | ioc   | Process
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
Drops file in Windows directory (15 IoCs)
  description                  | ioc                                                              | Process
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log         | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI902A.tmp                                 | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI9173.tmp                                 | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI91F2.tmp                                 | msiexec.exe
  File created                 | C:\Windows\Installer\e578f8e.msi                                 | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIA4D0.tmp                                 | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIA52F.tmp                                 | msiexec.exe
  File opened for modification | C:\Windows\Installer\                                            | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIA976.tmp                                 | msiexec.exe
  File created                 | C:\Windows\Installer\e578f92.msi                                 | msiexec.exe
  File opened for modification | C:\Windows\Installer\e578f8e.msi                                 | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI91D2.tmp                                 | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI9251.tmp                                 | msiexec.exe
  File created                 | C:\Windows\Installer\inprogressinstallinfo.ipi                   | msiexec.exe
  File created                 | C:\Windows\Installer\SourceHash{D5E2F1D5-A2D3-447F-89A9-FDA0603781CB} | msiexec.exe
Loads dropped DLL (7 IoCs)
  pid  | Process
  3512 | MsiExec.exe
  3512 | MsiExec.exe
  3512 | MsiExec.exe
  3512 | MsiExec.exe
  3512 | MsiExec.exe
  3512 | MsiExec.exe
  3512 | MsiExec.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
  pid  | Process
  3656 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                          | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | Process
  5012 | msiexec.exe
  5012 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                          | pid  | Process
  Token: SeShutdownPrivilege           | 3656 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege      | 3656 | msiexec.exe
  Token: SeSecurityPrivilege           | 5012 | msiexec.exe
  Token: SeCreateTokenPrivilege        | 3656 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 3656 | msiexec.exe
  Token: SeLockMemoryPrivilege         | 3656 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege      | 3656 | msiexec.exe
  Token: SeMachineAccountPrivilege     | 3656 | msiexec.exe
  Token: SeTcbPrivilege                | 3656 | msiexec.exe
  Token: SeSecurityPrivilege           | 3656 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 3656 | msiexec.exe
  Token: SeLoadDriverPrivilege         | 3656 | msiexec.exe
  Token: SeSystemProfilePrivilege      | 3656 | msiexec.exe
  Token: SeSystemtimePrivilege         | 3656 | msiexec.exe
  Token: SeProfSingleProcessPrivilege  | 3656 | msiexec.exe
  Token: SeIncBasePriorityPrivilege    | 3656 | msiexec.exe
  Token: SeCreatePagefilePrivilege     | 3656 | msiexec.exe
  Token: SeCreatePermanentPrivilege    | 3656 | msiexec.exe
  Token: SeBackupPrivilege             | 3656 | msiexec.exe
  Token: SeRestorePrivilege            | 3656 | msiexec.exe
  Token: SeShutdownPrivilege           | 3656 | msiexec.exe
  Token: SeDebugPrivilege              | 3656 | msiexec.exe
  Token: SeAuditPrivilege              | 3656 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege  | 3656 | msiexec.exe
  Token: SeChangeNotifyPrivilege       | 3656 | msiexec.exe
  Token: SeRemoteShutdownPrivilege     | 3656 | msiexec.exe
  Token: SeUndockPrivilege             | 3656 | msiexec.exe
  Token: SeSyncAgentPrivilege          | 3656 | msiexec.exe
  Token: SeEnableDelegationPrivilege   | 3656 | msiexec.exe
  Token: SeManageVolumePrivilege       | 3656 | msiexec.exe
  Token: SeImpersonatePrivilege        | 3656 | msiexec.exe
  Token: SeCreateGlobalPrivilege       | 3656 | msiexec.exe
  Token: SeRestorePrivilege            | 5012 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 5012 | msiexec.exe
  Token: SeRestorePrivilege            | 5012 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 5012 | msiexec.exe
  Token: SeRestorePrivilege            | 5012 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 5012 | msiexec.exe
  Token: SeRestorePrivilege            | 5012 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 5012 | msiexec.exe
  Token: SeRestorePrivilege            | 5012 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 5012 | msiexec.exe
  Token: SeRestorePrivilege            | 5012 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 5012 | msiexec.exe
  Token: SeRestorePrivilege            | 5012 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 5012 | msiexec.exe
  Token: SeRestorePrivilege            | 5012 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 5012 | msiexec.exe
  Token: SeRestorePrivilege            | 5012 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 5012 | msiexec.exe
  Token: SeRestorePrivilege            | 5012 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 5012 | msiexec.exe
  Token: SeRestorePrivilege            | 5012 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 5012 | msiexec.exe
  Token: SeRestorePrivilege            | 5012 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 5012 | msiexec.exe
  Token: SeRestorePrivilege            | 5012 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 5012 | msiexec.exe
  Token: SeRestorePrivilege            | 5012 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 5012 | msiexec.exe
  Token: SeRestorePrivilege            | 5012 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 5012 | msiexec.exe
  Token: SeRestorePrivilege            | 5012 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 5012 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid  | Process
  3656 | msiexec.exe
  3656 | msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       | pid  | Process     | procid_target
  PID 5012 wrote to memory of 3512  | 5012 | msiexec.exe | 88
  PID 5012 wrote to memory of 3512  | 5012 | msiexec.exe | 88
  PID 5012 wrote to memory of 3512  | 5012 | msiexec.exe | 88
Processes
  C:\Windows\system32\msiexec.exe
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\x64_x32_installer__v4.1.1.msi
    PID: 3656
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 5012
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\MsiExec.exe (child of PID 5012)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 630DA0E9BEF2EDF4E80554C33101F734
      PID: 3512
      - Blocklisted process makes network request
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 25KB
  MD5: 0444959c4f3bec2dad3bbee941b40f76
  SHA1: f5f8266ae0676dd397e0ce894d3cce5b06a17cfa
  SHA256: 2cff4281a8cc2656eb60abbe300d6ec837285b3a9dae3424916af4a5d6c4491e
  SHA512: 36cb210101f704e46c3ea24bac281fe89b61557287d34b267ab296c238740828f946e4667b2f9b291273798bfc073f99c55c0d9d15c79741199a6a72841e434c

  Filesize: 738KB
  MD5: b158d8d605571ea47a238df5ab43dfaa
  SHA1: bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
  SHA256: ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
  SHA512: 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

  Filesize: 364KB
  MD5: 54d74546c6afe67b3d118c3c477c159a
  SHA1: 957f08beb7e27e657cd83d8ee50388b887935fae
  SHA256: f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611
  SHA512: d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

  Filesize: 34.3MB
  MD5: d00dfa1254adae89e3d61f58ff09ba9b
  SHA1: 110b147dee11dc7fc5f9411f977e2f94f0259a91
  SHA256: 9b0bcf400badc55d3acc1db7b9e086135ee2a87dd8e1f9bab2f4dbd642a51dfd
  SHA512: 3c581c5437e33c61adfcd5dd0c41714ccbe8797556d4e8bc1941f5090a28120a6dee061e7f2acc6efe43d7ee43311ef13ee9215a99eb00d572f433669ee7499d