Analysis
- max time kernel: 44s
- max time network: 46s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/08/2024, 12:54
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: b974015e21e86ca6c89545e86e69732d4dd6e41d588aeb31e4e112a6cd0e237f.msi
  Resource: win7-20240708-en
- Behavioral task: behavioral2
  Sample: b974015e21e86ca6c89545e86e69732d4dd6e41d588aeb31e4e112a6cd0e237f.msi
  Resource: win10v2004-20240802-en
General
- Target: b974015e21e86ca6c89545e86e69732d4dd6e41d588aeb31e4e112a6cd0e237f.msi
- Size: 34.2MB
- MD5: f89109ce397d50081ea28f31a8f61952
- SHA1: d78fdfe1ff56325d632cfb8c1b5547cdc42b63c4
- SHA256: b974015e21e86ca6c89545e86e69732d4dd6e41d588aeb31e4e112a6cd0e237f
- SHA512: 98db488ee275413aafdc3570e19863220c96710113d90144ac04fcace3017bd81bd16840e39cc83881b379957a9ecc527132adb25aa74626652a28c6f64d2bb9
- SSDEEP: 786432:Ct9/UyTDXySTjxA4Ztx2+G+N0WYQYBXPByttH+dktHEDv0y:Ct9P7xVLYjsp+ikJ
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
- flow 23, pid 4968, MsiExec.exe
- flow 25, pid 4968, MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory (15 IoCs)
- File opened for modification: C:\Windows\Installer\MSI8A8E.tmp (msiexec.exe)
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI8AFC.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIA34B.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIA8AB.tmp (msiexec.exe)
- File created: C:\Windows\Installer\e5788b8.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI8B1C.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI8B9A.tmp (msiexec.exe)
- File created: C:\Windows\Installer\SourceHash{857DDEA9-FBB9-47B3-82F3-23B3AB62CB40} (msiexec.exe)
- File created: C:\Windows\Installer\e5788bc.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\e5788b8.msi (msiexec.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI8935.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIA2EC.tmp (msiexec.exe)
Loads dropped DLL (7 IoCs)
- pid 4968, MsiExec.exe
- pid 4968, MsiExec.exe
- pid 4968, MsiExec.exe
- pid 4968, MsiExec.exe
- pid 4968, MsiExec.exe
- pid 4968, MsiExec.exe
- pid 4968, MsiExec.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
- pid 4996, msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid 5116, msiexec.exe
- pid 5116, msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
- pid 4996, msiexec.exe
- pid 4996, msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 5116 wrote to memory of 4968: pid 5116, msiexec.exe, procid_target 86
- PID 5116 wrote to memory of 4968: pid 5116, msiexec.exe, procid_target 86
- PID 5116 wrote to memory of 4968: pid 5116, msiexec.exe, procid_target 86
Processes
- C:\Windows\system32\msiexec.exe (PID 4996)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b974015e21e86ca6c89545e86e69732d4dd6e41d588aeb31e4e112a6cd0e237f.msi
  Signatures:
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 5116)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\syswow64\MsiExec.exe (PID 4968)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 4CC5655B2E4C122B3F03A2161BBC9002
    Signatures:
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\notepad.exe (PID 1244)
  Command line: "C:\Windows\system32\notepad.exe"
MITRE ATT&CK Enterprise v15
Downloads