b4c049ddf662ed9b5aceb5ab60b7962169ecd740408bd0a5d1274d6e6c6be448

Analysis

max time kernel
134s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cd58f52226fc376f837447d0c4ebed7b0473cc4166f9e8ad0265bbfd7ac4462.msi
Size

34.2MB
MD5

57a55d067c89c10d205abaa98a2e14dd
SHA1

9e83844b5f6f77660424db4df4c3554503855d23
SHA256

9cd58f52226fc376f837447d0c4ebed7b0473cc4166f9e8ad0265bbfd7ac4462
SHA512

c1eec66216b9ac436d4a323b8866c1c4d9ae1d4c57d6282fc490098e54a4146ae75af73aeaabd3ba26a48cd4ee7b81a3da08f392b5dbc349dd7b0435af34d6ff
SSDEEP

786432:Gt9VUyTDXySTjxA4Ztx2+G+N0WYQYBXPByttH+dktHEDv0yduCb9fJq:Gt9p7xVLYjsp+ikJdu6f

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
22	1608	MsiExec.exe
25	1608	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{A3B57D56-6AA8-41AB-8597-54452901B5C6}	msiexec.exe
File created	C:\Windows\Installer\e57d9a7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d9a7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA14.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDBEC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFEBA.tmp	msiexec.exe
File created	C:\Windows\Installer\e57d9ab.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDC89.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF3AC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF3FB.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDB8C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDBDB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Loads dropped DLL 7 IoCs

pid	Process
1608	MsiExec.exe
1608	MsiExec.exe
1608	MsiExec.exe
1608	MsiExec.exe
1608	MsiExec.exe
1608	MsiExec.exe
1608	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4460	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2664	msiexec.exe
2664	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4460	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4460	msiexec.exe
Token: SeSecurityPrivilege	2664	msiexec.exe
Token: SeCreateTokenPrivilege	4460	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4460	msiexec.exe
Token: SeLockMemoryPrivilege	4460	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4460	msiexec.exe
Token: SeMachineAccountPrivilege	4460	msiexec.exe
Token: SeTcbPrivilege	4460	msiexec.exe
Token: SeSecurityPrivilege	4460	msiexec.exe
Token: SeTakeOwnershipPrivilege	4460	msiexec.exe
Token: SeLoadDriverPrivilege	4460	msiexec.exe
Token: SeSystemProfilePrivilege	4460	msiexec.exe
Token: SeSystemtimePrivilege	4460	msiexec.exe
Token: SeProfSingleProcessPrivilege	4460	msiexec.exe
Token: SeIncBasePriorityPrivilege	4460	msiexec.exe
Token: SeCreatePagefilePrivilege	4460	msiexec.exe
Token: SeCreatePermanentPrivilege	4460	msiexec.exe
Token: SeBackupPrivilege	4460	msiexec.exe
Token: SeRestorePrivilege	4460	msiexec.exe
Token: SeShutdownPrivilege	4460	msiexec.exe
Token: SeDebugPrivilege	4460	msiexec.exe
Token: SeAuditPrivilege	4460	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4460	msiexec.exe
Token: SeChangeNotifyPrivilege	4460	msiexec.exe
Token: SeRemoteShutdownPrivilege	4460	msiexec.exe
Token: SeUndockPrivilege	4460	msiexec.exe
Token: SeSyncAgentPrivilege	4460	msiexec.exe
Token: SeEnableDelegationPrivilege	4460	msiexec.exe
Token: SeManageVolumePrivilege	4460	msiexec.exe
Token: SeImpersonatePrivilege	4460	msiexec.exe
Token: SeCreateGlobalPrivilege	4460	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4460	msiexec.exe
4460	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 1608	2664	msiexec.exe	86
PID 2664 wrote to memory of 1608	2664	msiexec.exe	86
PID 2664 wrote to memory of 1608	2664	msiexec.exe	86

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9cd58f52226fc376f837447d0c4ebed7b0473cc4166f9e8ad0265bbfd7ac4462.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4460

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8E8E64725BEC0D58AAC4B41B1821E3F7
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57d9aa.rbs

Filesize
25KB

MD5
fee9abe924d41b54a3a76b2124b0d32a

SHA1
dd46c9aa3b82399dd1c75dbb18be6ab23df76b48

SHA256
d84c2d6c081b93ef07945be051febac210505c8d0ed2510bac45b417a031e30a

SHA512
a95cf162f9d8dca1bd07340ed36171befbbed8b0512b36d3395d46a352636a4d44b33896b92230346d6e1007aa0722a567ee427c01bc17b7efb24ea3008f4dd7

Download Submit
C:\Windows\Installer\MSIDA14.tmp

Filesize
738KB

MD5
b158d8d605571ea47a238df5ab43dfaa

SHA1
bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

SHA256
ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

SHA512
56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

Download Submit
C:\Windows\Installer\MSIF3FB.tmp

Filesize
364KB

MD5
54d74546c6afe67b3d118c3c477c159a

SHA1
957f08beb7e27e657cd83d8ee50388b887935fae

SHA256
f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611

SHA512
d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

Download Submit
C:\Windows\Installer\e57d9a7.msi

Filesize
34.2MB

MD5
57a55d067c89c10d205abaa98a2e14dd

SHA1
9e83844b5f6f77660424db4df4c3554503855d23

SHA256
9cd58f52226fc376f837447d0c4ebed7b0473cc4166f9e8ad0265bbfd7ac4462

SHA512
c1eec66216b9ac436d4a323b8866c1c4d9ae1d4c57d6282fc490098e54a4146ae75af73aeaabd3ba26a48cd4ee7b81a3da08f392b5dbc349dd7b0435af34d6ff

Download Submit