Analysis
max time kernel: 12s
max time network: 15s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 14:21
Static task: static1
Behavioral task: behavioral1
  Sample: x64_x32_installer__v4.3.5.msi
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: x64_x32_installer__v4.3.5.msi
  Resource: win10v2004-20240802-en
General
Target: x64_x32_installer__v4.3.5.msi
Size: 34.2MB
MD5: c864f211a0c12446583e7b200b7d5d7d
SHA1: 0919ef1b3f8b3bcd981f4e9eb6607860e128e989
SHA256: 4fa81d2cf99c324146974fb8a3000c9e0df870fd7f97fbf8a2f2fcdbb339acc9
SHA512: e3506504b779605198bbe70473758b8ca04a24d47504da7ed24d8d048a2ab72b01f1011eaded3b70eeff371dae4f48382735c5cf80e18370f3a5e546062f4f3d
SSDEEP: 786432:it9KUyTDXySTjxA4Ztx2+G+N0WYQYBXPByttH+dktHEDv0y8YBf:it9m7xVLYjsp+ikJ8YB
Malware Config
Signatures
Blocklisted process makes network request 2 IoCs
flow  pid  Process
23    536  MsiExec.exe
25    536  MsiExec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)   Process: msiexec.exe   (same for all 46 rows)
ioc, in report order:
\??\U: \??\A: \??\J: \??\S: \??\X: \??\Z: \??\P: \??\T: \??\M: \??\P: \??\U: \??\V: \??\E: \??\K: \??\Q: \??\I: \??\K: \??\Y: \??\G: \??\N: \??\V: \??\X: \??\E:
\??\G: \??\L: \??\B: \??\W: \??\S: \??\Q: \??\T: \??\A: \??\M: \??\W: \??\Z: \??\N: \??\R: \??\I: \??\L: \??\Y: \??\H: \??\O: \??\B: \??\H: \??\J: \??\O: \??\R:
Each of the 23 letters A, B, E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z appears twice; C:, D: and F: do not appear.
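The signature above is defined by the report as root-path reads of drives other than C:. The following is an added example (not code from the report or from the sandbox vendor) that re-implements that check over file-open events and runs it on the report's own 46 rows, embedded below as constructed event lines. The PID column is omitted because these rows carry only the process name, and the `min_distinct` threshold is this example's assumption; the report states the matching row count, not the signature's cut-off. Seeing every drive letter probed once per msiexec.exe instance is common for a Windows Installer run, so the value of the check is in the count and the process, not in any single open.

```python
"""Re-implementation of the 'Enumerates connected drives' check over file-open events.

Added example, not part of the sandbox report or the sandbox vendor's code.
The event lines are constructed from the report's 46 'File opened (read-only)'
rows; the threshold in evaluate() is an assumption.
"""
import re
from collections import defaultdict

# Drive roots in the order the report lists them (46 rows, all msiexec.exe).
_REPORT_ROOTS = (
    "U A J S X Z P T M P U V E K Q I K Y G N V X E G L B W S Q T "
    "A M W Z N R I L Y H O B H J O R"
).split()

# Constructed event lines in "description<TAB>ioc<TAB>process" form.
EVENTS = [f"File opened (read-only)\t\\??\\{d}:\tmsiexec.exe" for d in _REPORT_ROOTS]
# Constructed negatives the check must ignore: an ordinary file open, the C:
# root itself, and a write-mode open by an unrelated process.
EVENTS += [
    "File opened (read-only)\tC:\\Windows\\System32\\kernel32.dll\tmsiexec.exe",
    "File opened (read-only)\t\\??\\C:\tmsiexec.exe",
    "File opened for modification\t\\??\\D:\tnotepad.exe",
]

# Matches exactly a volume root in NT object form (\??\X:), nothing deeper.
_ROOT_RE = re.compile(r"^\\\?\?\\([A-Z]):$")


def parse_event(line):
    """Split a tab-separated report row into (description, ioc, process)."""
    desc, ioc, proc = line.split("\t")
    return desc, ioc, proc


def drive_roots_opened(events):
    """Map process name -> list of non-C: drive roots it opened read-only.

    Mirrors the report's wording: root-path reads of drives other than C:.
    Duplicates are kept so the length matches the report's IoC count.
    """
    hits = defaultdict(list)
    for line in events:
        desc, ioc, proc = parse_event(line)
        if desc != "File opened (read-only)":
            continue
        m = _ROOT_RE.match(ioc)
        if m and m.group(1) != "C":
            hits[proc].append(m.group(1))
    return dict(hits)


def evaluate(events, min_distinct=3):
    """Return {process: {"iocs": n, "distinct": sorted letters, "triggered": bool}}.

    min_distinct is an assumed threshold (the report gives none).
    """
    out = {}
    for proc, letters in drive_roots_opened(events).items():
        distinct = sorted(set(letters))
        out[proc] = {
            "iocs": len(letters),
            "distinct": distinct,
            "triggered": len(distinct) >= min_distinct,
        }
    return out


if __name__ == "__main__":
    for proc, r in evaluate(EVENTS).items():
        missing = [c for c in "ABDEFGHIJKLMNOPQRSTUVWXYZ" if c not in r["distinct"]]
        print(f"{proc}: {r['iocs']} IoCs, {len(r['distinct'])} distinct roots, "
              f"triggered={r['triggered']}, never probed: {missing}")
```

Run as a script it reports 46 IoCs over 23 distinct roots for msiexec.exe, with D: and F: never probed, which matches the row count and drive letters in the report.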
Drops file in Windows directory 15 IoCs
description                   ioc                                                              Process
File opened for modification  C:\Windows\Installer\MSID49D.tmp                                 msiexec.exe
File opened for modification  C:\Windows\Installer\MSIB7B7.tmp                                 msiexec.exe
File opened for modification  C:\Windows\Installer\MSIB94E.tmp                                 msiexec.exe
File opened for modification  C:\Windows\Installer\MSIB9CC.tmp                                 msiexec.exe
File opened for modification  C:\Windows\Installer\                                            msiexec.exe
File created                  C:\Windows\Installer\SourceHash{1175C73A-1150-4A66-9253-2C567B24B8D7}  msiexec.exe
File opened for modification  C:\Windows\Installer\e57b73a.msi                                 msiexec.exe
File opened for modification  C:\Windows\Installer\MSIBAC8.tmp                                 msiexec.exe
File opened for modification  C:\Windows\Installer\MSICFC8.tmp                                 msiexec.exe
File opened for modification  C:\Windows\Installer\MSID017.tmp                                 msiexec.exe
File created                  C:\Windows\Installer\e57b73e.msi                                 msiexec.exe
File created                  C:\Windows\Installer\e57b73a.msi                                 msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log         msiexec.exe
File opened for modification  C:\Windows\Installer\MSIBA0C.tmp                                 msiexec.exe
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                   msiexec.exe
Loads dropped DLL 7 IoCs
pid  Process
536  MsiExec.exe   (this row appears 7 times)
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid   Process
1676  msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
3760  msiexec.exe
3760  msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                           pid   Process
Token: SeShutdownPrivilege            1676  msiexec.exe
Token: SeIncreaseQuotaPrivilege       1676  msiexec.exe
Token: SeSecurityPrivilege            3760  msiexec.exe
Token: SeCreateTokenPrivilege         1676  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  1676  msiexec.exe
Token: SeLockMemoryPrivilege          1676  msiexec.exe
Token: SeIncreaseQuotaPrivilege       1676  msiexec.exe
Token: SeMachineAccountPrivilege      1676  msiexec.exe
Token: SeTcbPrivilege                 1676  msiexec.exe
Token: SeSecurityPrivilege            1676  msiexec.exe
Token: SeTakeOwnershipPrivilege       1676  msiexec.exe
Token: SeLoadDriverPrivilege          1676  msiexec.exe
Token: SeSystemProfilePrivilege       1676  msiexec.exe
Token: SeSystemtimePrivilege          1676  msiexec.exe
Token: SeProfSingleProcessPrivilege   1676  msiexec.exe
Token: SeIncBasePriorityPrivilege     1676  msiexec.exe
Token: SeCreatePagefilePrivilege      1676  msiexec.exe
Token: SeCreatePermanentPrivilege     1676  msiexec.exe
Token: SeBackupPrivilege              1676  msiexec.exe
Token: SeRestorePrivilege             1676  msiexec.exe
Token: SeShutdownPrivilege            1676  msiexec.exe
Token: SeDebugPrivilege               1676  msiexec.exe
Token: SeAuditPrivilege               1676  msiexec.exe
Token: SeSystemEnvironmentPrivilege   1676  msiexec.exe
Token: SeChangeNotifyPrivilege        1676  msiexec.exe
Token: SeRemoteShutdownPrivilege      1676  msiexec.exe
Token: SeUndockPrivilege              1676  msiexec.exe
Token: SeSyncAgentPrivilege           1676  msiexec.exe
Token: SeEnableDelegationPrivilege    1676  msiexec.exe
Token: SeManageVolumePrivilege        1676  msiexec.exe
Token: SeImpersonatePrivilege         1676  msiexec.exe
Token: SeCreateGlobalPrivilege        1676  msiexec.exe
Token: SeRestorePrivilege             3760  msiexec.exe
Token: SeTakeOwnershipPrivilege       3760  msiexec.exe
Rows 33 to 64 are the last pair (SeRestorePrivilege, then SeTakeOwnershipPrivilege, both pid 3760 msiexec.exe) repeated 16 times in total.
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
1676  msiexec.exe
1676  msiexec.exe
Suspicious use of WriteProcessMemory 3 IoCs
description                      pid   Process      procid_target
PID 3760 wrote to memory of 536  3760  msiexec.exe  86
PID 3760 wrote to memory of 536  3760  msiexec.exe  86
PID 3760 wrote to memory of 536  3760  msiexec.exe  86
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\x64_x32_installer__v4.3.5.msi
  PID: 1676
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3760
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (child of PID 3760)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 256F5E76F61589FC68FD3547DF265AEA
    PID: 536
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
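The process tree and the WriteProcessMemory rows describe the same relationship from two sides: the installer service (`msiexec.exe /V`, PID 3760) writes into the 32-bit `MsiExec.exe -Embedding` instance (PID 536), and it is that child, not either msiexec parent, that loads the dropped DLL and makes the network requests. The script below is an added example (not code from the report or the sandbox vendor) that re-parses the report's own rows, reconstructs the writer-to-target edge, and attributes each signature to the process it belongs to. The one interpretation it adds is that an `MsiExec.exe -Embedding <guid>` child of the installer service is the Windows Installer custom action server, so signatures on it point at code carried inside the MSI; that reading, the `is_custom_action_server` and `is_wow64` helpers, and the inferred launcher are this example's assumptions, since the report has no parent-PID column.

```python
"""Cross-check of the report's process tree against its WriteProcessMemory rows.

Added example, not part of the sandbox report or the sandbox vendor's code.
All input below is copied from the report. The interpretation that an
'MsiExec.exe -Embedding <guid>' child of 'msiexec.exe /V' is the installer's
custom action server is this example's assumption.
"""
import re
from collections import defaultdict

# Process rows from the report: pid -> (image path, command line, signatures).
PROCESSES = {
    1676: (r"C:\Windows\system32\msiexec.exe",
           r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\x64_x32_installer__v4.3.5.msi",
           ["Enumerates connected drives",
            "Event Triggered Execution: Installer Packages",
            "Suspicious use of AdjustPrivilegeToken",
            "Suspicious use of FindShellTrayWindow"]),
    3760: (r"C:\Windows\system32\msiexec.exe",
           r"C:\Windows\system32\msiexec.exe /V",
           ["Enumerates connected drives",
            "Drops file in Windows directory",
            "Suspicious behavior: EnumeratesProcesses",
            "Suspicious use of AdjustPrivilegeToken",
            "Suspicious use of WriteProcessMemory"]),
    536:  (r"C:\Windows\syswow64\MsiExec.exe",
           r"C:\Windows\syswow64\MsiExec.exe -Embedding 256F5E76F61589FC68FD3547DF265AEA",
           ["Blocklisted process makes network request",
            "Loads dropped DLL",
            "System Location Discovery: System Language Discovery"]),
}

# The three 'Suspicious use of WriteProcessMemory' rows, flattened as on the page.
WPM_ROWS = ("PID 3760 wrote to memory of 536 3760 msiexec.exe 86 " * 3).strip()

# description, pid, Process, procid_target
_WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_wpm(text):
    """Return a list of (writer_pid, target_pid, writer_image, procid_target)."""
    return [(int(a), int(b), img, int(t)) for a, b, img, t in _WPM_RE.findall(text)]


def writer_edges(rows):
    """Collapse repeated rows into writer_pid -> set(target_pid)."""
    edges = defaultdict(set)
    for writer, target, _, _ in rows:
        edges[writer].add(target)
    return dict(edges)


def is_custom_action_server(pid):
    """True for an 'MsiExec.exe -Embedding <32 hex>' instance (assumed: custom action host)."""
    _, cmdline, _ = PROCESSES[pid]
    return re.search(r"MsiExec\.exe -Embedding [0-9A-F]{32}\b", cmdline, re.I) is not None


def is_wow64(pid):
    """True when the image is the 32-bit copy under syswow64 (assumed: 32-bit custom action)."""
    return "\\syswow64\\" in PROCESSES[pid][0].lower()


def attribute_signatures():
    """Map each custom-action-server PID to its inferred launcher and its signatures.

    The launcher is the process that wrote into the server's memory according to
    the WriteProcessMemory rows; the report itself gives no parent-PID column.
    """
    edges = writer_edges(parse_wpm(WPM_ROWS))
    result = {}
    for pid in PROCESSES:
        if not is_custom_action_server(pid):
            continue
        launchers = sorted(w for w, targets in edges.items() if pid in targets)
        result[pid] = {
            "launched_by": launchers,
            "wow64": is_wow64(pid),
            "signatures": list(PROCESSES[pid][2]),
        }
    return result


if __name__ == "__main__":
    for pid, info in attribute_signatures().items():
        print(f"PID {pid}: custom action server, written to by {info['launched_by']}, "
              f"32-bit={info['wow64']}")
        for sig in info["signatures"]:
            print("   ", sig)
```

For this report the script resolves PID 536 to a 32-bit custom action server written to by PID 3760, carrying the network-request, dropped-DLL and language-discovery signatures; the two msiexec.exe parents carry only installer-service behaviour. When triaging an MSI, that is the process whose loaded DLLs and network flows deserve the attention.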
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 25KB
  MD5: 50107a4d73f4e873babfbb93f36b4780
  SHA1: 0e147334544e99db137ea7c47e20731a6c178ac7
  SHA256: 814620b8e6421c39dc795cecda7caca55734b3841be24c7d0ddc3e9fd536f310
  SHA512: 705e0fb905cbca243bceb692cb456d88e89581686ce001865865eb8eae086b1d15054d860f2dafb4077b3a0c98ef8dd76223aca672f8daf464e131b2640dad0d
- Filesize: 738KB
  MD5: b158d8d605571ea47a238df5ab43dfaa
  SHA1: bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
  SHA256: ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
  SHA512: 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591
- Filesize: 364KB
  MD5: 54d74546c6afe67b3d118c3c477c159a
  SHA1: 957f08beb7e27e657cd83d8ee50388b887935fae
  SHA256: f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611
  SHA512: d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f
- Filesize: 34.2MB (same hashes as the submitted sample)
  MD5: c864f211a0c12446583e7b200b7d5d7d
  SHA1: 0919ef1b3f8b3bcd981f4e9eb6607860e128e989
  SHA256: 4fa81d2cf99c324146974fb8a3000c9e0df870fd7f97fbf8a2f2fcdbb339acc9
  SHA512: e3506504b779605198bbe70473758b8ca04a24d47504da7ed24d8d048a2ab72b01f1011eaded3b70eeff371dae4f48382735c5cf80e18370f3a5e546062f4f3d