c806086192b9e3d2c9333805b2c5b374d664176ad47a2615792864a6550400e2

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c806086192b9e3d2c9333805b2c5b374d664176ad47a2615792864a6550400e2.msi
Size

34.2MB
MD5

b7c427b7a03f39652a2e09760b56e04a
SHA1

3fdb4661b9821e126bce1642e1bc8d95f5a947d0
SHA256

c806086192b9e3d2c9333805b2c5b374d664176ad47a2615792864a6550400e2
SHA512

956ee5c954bdf038ee6f615987f15bcb7e47db39a7f5cea0ee0760314fb78b9936c111034bccb35dbc4d31850849a3f5ee530d67f8ba39018adf548311868f6d
SSDEEP

786432:Ct9pUyTDXySTjxA4Ztx2+G+N0WYQYBXPByttH+dktHEDv0yvl0J7:Ct9d7xVLYjsp+ikJvG

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
29	4088	MsiExec.exe
31	4088	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{9F9B95BB-26E5-42D9-AD20-1438CD7E9DF6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E2D.tmp	msiexec.exe
File created	C:\Windows\Installer\e576eac.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e576ea8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI707E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI70FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI718A.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F06.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8959.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8999.tmp	msiexec.exe
File created	C:\Windows\Installer\e576ea8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI712C.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Loads dropped DLL 7 IoCs

pid	Process
4088	MsiExec.exe
4088	MsiExec.exe
4088	MsiExec.exe
4088	MsiExec.exe
4088	MsiExec.exe
4088	MsiExec.exe
4088	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4008	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4992	msiexec.exe
4992	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4008	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4008	msiexec.exe
Token: SeSecurityPrivilege	4992	msiexec.exe
Token: SeCreateTokenPrivilege	4008	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4008	msiexec.exe
Token: SeLockMemoryPrivilege	4008	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4008	msiexec.exe
Token: SeMachineAccountPrivilege	4008	msiexec.exe
Token: SeTcbPrivilege	4008	msiexec.exe
Token: SeSecurityPrivilege	4008	msiexec.exe
Token: SeTakeOwnershipPrivilege	4008	msiexec.exe
Token: SeLoadDriverPrivilege	4008	msiexec.exe
Token: SeSystemProfilePrivilege	4008	msiexec.exe
Token: SeSystemtimePrivilege	4008	msiexec.exe
Token: SeProfSingleProcessPrivilege	4008	msiexec.exe
Token: SeIncBasePriorityPrivilege	4008	msiexec.exe
Token: SeCreatePagefilePrivilege	4008	msiexec.exe
Token: SeCreatePermanentPrivilege	4008	msiexec.exe
Token: SeBackupPrivilege	4008	msiexec.exe
Token: SeRestorePrivilege	4008	msiexec.exe
Token: SeShutdownPrivilege	4008	msiexec.exe
Token: SeDebugPrivilege	4008	msiexec.exe
Token: SeAuditPrivilege	4008	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4008	msiexec.exe
Token: SeChangeNotifyPrivilege	4008	msiexec.exe
Token: SeRemoteShutdownPrivilege	4008	msiexec.exe
Token: SeUndockPrivilege	4008	msiexec.exe
Token: SeSyncAgentPrivilege	4008	msiexec.exe
Token: SeEnableDelegationPrivilege	4008	msiexec.exe
Token: SeManageVolumePrivilege	4008	msiexec.exe
Token: SeImpersonatePrivilege	4008	msiexec.exe
Token: SeCreateGlobalPrivilege	4008	msiexec.exe
Token: SeRestorePrivilege	4992	msiexec.exe
Token: SeTakeOwnershipPrivilege	4992	msiexec.exe
Token: SeRestorePrivilege	4992	msiexec.exe
Token: SeTakeOwnershipPrivilege	4992	msiexec.exe
Token: SeRestorePrivilege	4992	msiexec.exe
Token: SeTakeOwnershipPrivilege	4992	msiexec.exe
Token: SeRestorePrivilege	4992	msiexec.exe
Token: SeTakeOwnershipPrivilege	4992	msiexec.exe
Token: SeRestorePrivilege	4992	msiexec.exe
Token: SeTakeOwnershipPrivilege	4992	msiexec.exe
Token: SeRestorePrivilege	4992	msiexec.exe
Token: SeTakeOwnershipPrivilege	4992	msiexec.exe
Token: SeRestorePrivilege	4992	msiexec.exe
Token: SeTakeOwnershipPrivilege	4992	msiexec.exe
Token: SeRestorePrivilege	4992	msiexec.exe
Token: SeTakeOwnershipPrivilege	4992	msiexec.exe
Token: SeRestorePrivilege	4992	msiexec.exe
Token: SeTakeOwnershipPrivilege	4992	msiexec.exe
Token: SeRestorePrivilege	4992	msiexec.exe
Token: SeTakeOwnershipPrivilege	4992	msiexec.exe
Token: SeRestorePrivilege	4992	msiexec.exe
Token: SeTakeOwnershipPrivilege	4992	msiexec.exe
Token: SeRestorePrivilege	4992	msiexec.exe
Token: SeTakeOwnershipPrivilege	4992	msiexec.exe
Token: SeRestorePrivilege	4992	msiexec.exe
Token: SeTakeOwnershipPrivilege	4992	msiexec.exe
Token: SeRestorePrivilege	4992	msiexec.exe
Token: SeTakeOwnershipPrivilege	4992	msiexec.exe
Token: SeRestorePrivilege	4992	msiexec.exe
Token: SeTakeOwnershipPrivilege	4992	msiexec.exe
Token: SeRestorePrivilege	4992	msiexec.exe
Token: SeTakeOwnershipPrivilege	4992	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4008	msiexec.exe
4008	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 4088	4992	msiexec.exe	86
PID 4992 wrote to memory of 4088	4992	msiexec.exe	86
PID 4992 wrote to memory of 4088	4992	msiexec.exe	86

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c806086192b9e3d2c9333805b2c5b374d664176ad47a2615792864a6550400e2.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4008

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7FDE6F03D767E9B32D0F8BD4284432DE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e576eab.rbs

Filesize
25KB

MD5
50ed54eca30fca4d44347bfbc614ac13

SHA1
56f573d3a8c616a3deeec2062bd9185bd6b21257

SHA256
cd159c5084164682ad6c09b4651206b57a6ae5ba744161b93d959ebe3af917cc

SHA512
6160ccebeaf0e3fde69beacdb7d4dee298305c2e3e973631eeffd4a3b1e2db84612bd646b0d2f91dd6d349d4100d06f1ccdcb21f40a3d55dc6c052a323952a19

Download Submit
C:\Windows\Installer\MSI6F06.tmp

Filesize
738KB

MD5
b158d8d605571ea47a238df5ab43dfaa

SHA1
bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

SHA256
ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

SHA512
56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

Download Submit
C:\Windows\Installer\MSI8999.tmp

Filesize
364KB

MD5
54d74546c6afe67b3d118c3c477c159a

SHA1
957f08beb7e27e657cd83d8ee50388b887935fae

SHA256
f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611

SHA512
d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

Download Submit
C:\Windows\Installer\e576ea8.msi

Filesize
34.2MB

MD5
b7c427b7a03f39652a2e09760b56e04a

SHA1
3fdb4661b9821e126bce1642e1bc8d95f5a947d0

SHA256
c806086192b9e3d2c9333805b2c5b374d664176ad47a2615792864a6550400e2

SHA512
956ee5c954bdf038ee6f615987f15bcb7e47db39a7f5cea0ee0760314fb78b9936c111034bccb35dbc4d31850849a3f5ee530d67f8ba39018adf548311868f6d

Download Submit