aaf3877ba2de9b121375a3a9def1d7177a02701457f185583fc78417b5e0b118

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.msi
Size

2.9MB
MD5

64cd91662e9ba4747a85c6e750964af9
SHA1

0121dffc5f7058e6e312228eb2fcb2295997dd23
SHA256

aaf3877ba2de9b121375a3a9def1d7177a02701457f185583fc78417b5e0b118
SHA512

c77a49dedae7c549227374cbd26de3c493ce42f3f2bf6043b6fa63f4b13f50d47e9d17b28b96f22abe68a0210c290e59a6635b07427bfb4fb6f467cf7455d36e
SSDEEP

49152:JHrZzerSX55baiU0o8P5Ferq7I5RJK5k1Q/Y02gCQsG592CB6b0Wk:LirS/dxFeb02b

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Loads dropped DLL 5 IoCs

pid	Process
1636	MsiExec.exe
1636	MsiExec.exe
1636	MsiExec.exe
1636	MsiExec.exe
1636	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2392	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2392	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2392	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2392	msiexec.exe
Token: SeRestorePrivilege	2532	msiexec.exe
Token: SeTakeOwnershipPrivilege	2532	msiexec.exe
Token: SeSecurityPrivilege	2532	msiexec.exe
Token: SeCreateTokenPrivilege	2392	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2392	msiexec.exe
Token: SeLockMemoryPrivilege	2392	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2392	msiexec.exe
Token: SeMachineAccountPrivilege	2392	msiexec.exe
Token: SeTcbPrivilege	2392	msiexec.exe
Token: SeSecurityPrivilege	2392	msiexec.exe
Token: SeTakeOwnershipPrivilege	2392	msiexec.exe
Token: SeLoadDriverPrivilege	2392	msiexec.exe
Token: SeSystemProfilePrivilege	2392	msiexec.exe
Token: SeSystemtimePrivilege	2392	msiexec.exe
Token: SeProfSingleProcessPrivilege	2392	msiexec.exe
Token: SeIncBasePriorityPrivilege	2392	msiexec.exe
Token: SeCreatePagefilePrivilege	2392	msiexec.exe
Token: SeCreatePermanentPrivilege	2392	msiexec.exe
Token: SeBackupPrivilege	2392	msiexec.exe
Token: SeRestorePrivilege	2392	msiexec.exe
Token: SeShutdownPrivilege	2392	msiexec.exe
Token: SeDebugPrivilege	2392	msiexec.exe
Token: SeAuditPrivilege	2392	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2392	msiexec.exe
Token: SeChangeNotifyPrivilege	2392	msiexec.exe
Token: SeRemoteShutdownPrivilege	2392	msiexec.exe
Token: SeUndockPrivilege	2392	msiexec.exe
Token: SeSyncAgentPrivilege	2392	msiexec.exe
Token: SeEnableDelegationPrivilege	2392	msiexec.exe
Token: SeManageVolumePrivilege	2392	msiexec.exe
Token: SeImpersonatePrivilege	2392	msiexec.exe
Token: SeCreateGlobalPrivilege	2392	msiexec.exe
Token: SeCreateTokenPrivilege	2392	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2392	msiexec.exe
Token: SeLockMemoryPrivilege	2392	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2392	msiexec.exe
Token: SeMachineAccountPrivilege	2392	msiexec.exe
Token: SeTcbPrivilege	2392	msiexec.exe
Token: SeSecurityPrivilege	2392	msiexec.exe
Token: SeTakeOwnershipPrivilege	2392	msiexec.exe
Token: SeLoadDriverPrivilege	2392	msiexec.exe
Token: SeSystemProfilePrivilege	2392	msiexec.exe
Token: SeSystemtimePrivilege	2392	msiexec.exe
Token: SeProfSingleProcessPrivilege	2392	msiexec.exe
Token: SeIncBasePriorityPrivilege	2392	msiexec.exe
Token: SeCreatePagefilePrivilege	2392	msiexec.exe
Token: SeCreatePermanentPrivilege	2392	msiexec.exe
Token: SeBackupPrivilege	2392	msiexec.exe
Token: SeRestorePrivilege	2392	msiexec.exe
Token: SeShutdownPrivilege	2392	msiexec.exe
Token: SeDebugPrivilege	2392	msiexec.exe
Token: SeAuditPrivilege	2392	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2392	msiexec.exe
Token: SeChangeNotifyPrivilege	2392	msiexec.exe
Token: SeRemoteShutdownPrivilege	2392	msiexec.exe
Token: SeUndockPrivilege	2392	msiexec.exe
Token: SeSyncAgentPrivilege	2392	msiexec.exe
Token: SeEnableDelegationPrivilege	2392	msiexec.exe
Token: SeManageVolumePrivilege	2392	msiexec.exe
Token: SeImpersonatePrivilege	2392	msiexec.exe
Token: SeCreateGlobalPrivilege	2392	msiexec.exe
Token: SeCreateTokenPrivilege	2392	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2392	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1636	2532	msiexec.exe	31
PID 2532 wrote to memory of 1636	2532	msiexec.exe	31
PID 2532 wrote to memory of 1636	2532	msiexec.exe	31
PID 2532 wrote to memory of 1636	2532	msiexec.exe	31
PID 2532 wrote to memory of 1636	2532	msiexec.exe	31
PID 2532 wrote to memory of 1636	2532	msiexec.exe	31
PID 2532 wrote to memory of 1636	2532	msiexec.exe	31

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Installer.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2392

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C1297B63B2DC7D2746B6D4B2500E29DE C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIB56A.tmp

Filesize
904KB

MD5
421643ee7bb89e6df092bc4b18a40ff8

SHA1
e801582a6dd358060a699c9c5cde31cd07ee49ab

SHA256
d6b89fd5a95071e7b144d8bedcb09b694e9cd14bfbfafb782b17cf8413eac6da

SHA512
d59c4ec7690e535da84f94bef2be7f94d6bfd0b2908fa9a67d0897abe8a2825fd52354c495ea1a7f133f727c2ee356869cc80bacf5557864d535a72d8c396023

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads