b4c049ddf662ed9b5aceb5ab60b7962169ecd740408bd0a5d1274d6e6c6be448

Analysis

max time kernel
39s
max time network
49s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 01:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9cd58f52226fc376f837447d0c4ebed7b0473cc4166f9e8ad0265bbfd7ac4462.msi
Size

34.2MB
MD5

57a55d067c89c10d205abaa98a2e14dd
SHA1

9e83844b5f6f77660424db4df4c3554503855d23
SHA256

9cd58f52226fc376f837447d0c4ebed7b0473cc4166f9e8ad0265bbfd7ac4462
SHA512

c1eec66216b9ac436d4a323b8866c1c4d9ae1d4c57d6282fc490098e54a4146ae75af73aeaabd3ba26a48cd4ee7b81a3da08f392b5dbc349dd7b0435af34d6ff
SSDEEP

786432:Gt9VUyTDXySTjxA4Ztx2+G+N0WYQYBXPByttH+dktHEDv0yduCb9fJq:Gt9p7xVLYjsp+ikJdu6f

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2732	MsiExec.exe
7	2732	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f787caf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI802A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI90BE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f787caf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7DA8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F2F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9199.tmp	msiexec.exe
File created	C:\Windows\Installer\f787cb2.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA8D2.tmp	msiexec.exe
File created	C:\Windows\Installer\f787cb4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f787cb2.ipi	msiexec.exe

Loads dropped DLL 5 IoCs

pid	Process
2732	MsiExec.exe
2732	MsiExec.exe
2732	MsiExec.exe
2732	MsiExec.exe
2732	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2508	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2700	msiexec.exe
2700	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2508	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeSecurityPrivilege	2700	msiexec.exe
Token: SeCreateTokenPrivilege	2508	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2508	msiexec.exe
Token: SeLockMemoryPrivilege	2508	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2508	msiexec.exe
Token: SeMachineAccountPrivilege	2508	msiexec.exe
Token: SeTcbPrivilege	2508	msiexec.exe
Token: SeSecurityPrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeLoadDriverPrivilege	2508	msiexec.exe
Token: SeSystemProfilePrivilege	2508	msiexec.exe
Token: SeSystemtimePrivilege	2508	msiexec.exe
Token: SeProfSingleProcessPrivilege	2508	msiexec.exe
Token: SeIncBasePriorityPrivilege	2508	msiexec.exe
Token: SeCreatePagefilePrivilege	2508	msiexec.exe
Token: SeCreatePermanentPrivilege	2508	msiexec.exe
Token: SeBackupPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeShutdownPrivilege	2508	msiexec.exe
Token: SeDebugPrivilege	2508	msiexec.exe
Token: SeAuditPrivilege	2508	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2508	msiexec.exe
Token: SeChangeNotifyPrivilege	2508	msiexec.exe
Token: SeRemoteShutdownPrivilege	2508	msiexec.exe
Token: SeUndockPrivilege	2508	msiexec.exe
Token: SeSyncAgentPrivilege	2508	msiexec.exe
Token: SeEnableDelegationPrivilege	2508	msiexec.exe
Token: SeManageVolumePrivilege	2508	msiexec.exe
Token: SeImpersonatePrivilege	2508	msiexec.exe
Token: SeCreateGlobalPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2508	msiexec.exe
2508	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2732	2700	msiexec.exe	30
PID 2700 wrote to memory of 2732	2700	msiexec.exe	30
PID 2700 wrote to memory of 2732	2700	msiexec.exe	30
PID 2700 wrote to memory of 2732	2700	msiexec.exe	30
PID 2700 wrote to memory of 2732	2700	msiexec.exe	30
PID 2700 wrote to memory of 2732	2700	msiexec.exe	30
PID 2700 wrote to memory of 2732	2700	msiexec.exe	30

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9cd58f52226fc376f837447d0c4ebed7b0473cc4166f9e8ad0265bbfd7ac4462.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2508

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E924038517DDA8BA2986CF035C24CEBB
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f787cb3.rbs

Filesize
25KB

MD5
d1c38ee2ea0be69c3699be4e2a3879b6

SHA1
d51ef217b9e2e4facc5cf52a60b3fcd1fad227f9

SHA256
fbf60113dbf8dd5e020305ba4e02da3d02ac9f677c1766b679cfb5597ebff212

SHA512
28acdd6203eed78a26acbdc40e468ef43d03772756cdd43497f8c36bb8bca92ee4e50219078eb938d31330fb4298fa168111ab28ca8d582acf0669ac8300f908

Download Submit
C:\Windows\Installer\MSI7DA8.tmp

Filesize
738KB

MD5
b158d8d605571ea47a238df5ab43dfaa

SHA1
bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

SHA256
ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

SHA512
56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

Download Submit
C:\Windows\Installer\MSI9199.tmp

Filesize
364KB

MD5
54d74546c6afe67b3d118c3c477c159a

SHA1
957f08beb7e27e657cd83d8ee50388b887935fae

SHA256
f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611

SHA512
d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

Download Submit
C:\Windows\Installer\f787caf.msi

Filesize
34.2MB

MD5
57a55d067c89c10d205abaa98a2e14dd

SHA1
9e83844b5f6f77660424db4df4c3554503855d23

SHA256
9cd58f52226fc376f837447d0c4ebed7b0473cc4166f9e8ad0265bbfd7ac4462

SHA512
c1eec66216b9ac436d4a323b8866c1c4d9ae1d4c57d6282fc490098e54a4146ae75af73aeaabd3ba26a48cd4ee7b81a3da08f392b5dbc349dd7b0435af34d6ff

Download Submit