d8005c7b650d97849028f731c5b2067283052ddd619b8f97bf8b6872e4132a2e

Analysis

max time kernel
108s
max time network
110s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

30.4MB
MD5

0171c34bb463a2fe2e2e38c5c5923782
SHA1

f5a5a93ddd5b6dcc4b40a538d3d2b124c15c34b7
SHA256

21d3520cf9783cd7100ceee6197a27348618c0e56e1bd17f74a56eddece1a58a
SHA512

ebf35a41360860553c8bf0a682bb80b85811cccabd1bca27fcb6df71f3fb2eadd92b00ddfaceae8d8f37aaa13bb31ecafc56eee10d758799144c425cf67dd07d
SSDEEP

393216:qgfnYGyDF2DzOxiTXUmagqQZ5JqmYgK5QZXIucWv57Nd1evWCu8q2W7XBE10wIZx:MxoX8KrJww4ubBReLu8iE6y1BQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2468	msxml6-KB927977-enu-x86.exe

Loads dropped DLL 5 IoCs

pid	Process
1120	setup.exe
1120	setup.exe
2468	msxml6-KB927977-enu-x86.exe
2180	MsiExec.exe
2856	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2904	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	\??\c:\Windows\Installer\f78313e.msi	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\f78313e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3553.tmp	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msxml6-KB927977-enu-x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2904	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2828	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2828	msiexec.exe
Token: SeRestorePrivilege	2832	msiexec.exe
Token: SeTakeOwnershipPrivilege	2832	msiexec.exe
Token: SeSecurityPrivilege	2832	msiexec.exe
Token: SeCreateTokenPrivilege	2828	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2828	msiexec.exe
Token: SeLockMemoryPrivilege	2828	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2828	msiexec.exe
Token: SeMachineAccountPrivilege	2828	msiexec.exe
Token: SeTcbPrivilege	2828	msiexec.exe
Token: SeSecurityPrivilege	2828	msiexec.exe
Token: SeTakeOwnershipPrivilege	2828	msiexec.exe
Token: SeLoadDriverPrivilege	2828	msiexec.exe
Token: SeSystemProfilePrivilege	2828	msiexec.exe
Token: SeSystemtimePrivilege	2828	msiexec.exe
Token: SeProfSingleProcessPrivilege	2828	msiexec.exe
Token: SeIncBasePriorityPrivilege	2828	msiexec.exe
Token: SeCreatePagefilePrivilege	2828	msiexec.exe
Token: SeCreatePermanentPrivilege	2828	msiexec.exe
Token: SeBackupPrivilege	2828	msiexec.exe
Token: SeRestorePrivilege	2828	msiexec.exe
Token: SeShutdownPrivilege	2828	msiexec.exe
Token: SeDebugPrivilege	2828	msiexec.exe
Token: SeAuditPrivilege	2828	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2828	msiexec.exe
Token: SeChangeNotifyPrivilege	2828	msiexec.exe
Token: SeRemoteShutdownPrivilege	2828	msiexec.exe
Token: SeUndockPrivilege	2828	msiexec.exe
Token: SeSyncAgentPrivilege	2828	msiexec.exe
Token: SeEnableDelegationPrivilege	2828	msiexec.exe
Token: SeManageVolumePrivilege	2828	msiexec.exe
Token: SeImpersonatePrivilege	2828	msiexec.exe
Token: SeCreateGlobalPrivilege	2828	msiexec.exe
Token: SeRestorePrivilege	2832	msiexec.exe
Token: SeTakeOwnershipPrivilege	2832	msiexec.exe
Token: SeRestorePrivilege	2832	msiexec.exe
Token: SeTakeOwnershipPrivilege	2832	msiexec.exe
Token: SeShutdownPrivilege	2904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2904	msiexec.exe
Token: SeCreateTokenPrivilege	2904	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2904	msiexec.exe
Token: SeLockMemoryPrivilege	2904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2904	msiexec.exe
Token: SeMachineAccountPrivilege	2904	msiexec.exe
Token: SeTcbPrivilege	2904	msiexec.exe
Token: SeSecurityPrivilege	2904	msiexec.exe
Token: SeTakeOwnershipPrivilege	2904	msiexec.exe
Token: SeLoadDriverPrivilege	2904	msiexec.exe
Token: SeSystemProfilePrivilege	2904	msiexec.exe
Token: SeSystemtimePrivilege	2904	msiexec.exe
Token: SeProfSingleProcessPrivilege	2904	msiexec.exe
Token: SeIncBasePriorityPrivilege	2904	msiexec.exe
Token: SeCreatePagefilePrivilege	2904	msiexec.exe
Token: SeCreatePermanentPrivilege	2904	msiexec.exe
Token: SeBackupPrivilege	2904	msiexec.exe
Token: SeRestorePrivilege	2904	msiexec.exe
Token: SeShutdownPrivilege	2904	msiexec.exe
Token: SeDebugPrivilege	2904	msiexec.exe
Token: SeAuditPrivilege	2904	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2904	msiexec.exe
Token: SeChangeNotifyPrivilege	2904	msiexec.exe
Token: SeRemoteShutdownPrivilege	2904	msiexec.exe
Token: SeUndockPrivilege	2904	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2904	msiexec.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 2468	1120	setup.exe	29
PID 1120 wrote to memory of 2468	1120	setup.exe	29
PID 1120 wrote to memory of 2468	1120	setup.exe	29
PID 1120 wrote to memory of 2468	1120	setup.exe	29
PID 1120 wrote to memory of 2468	1120	setup.exe	29
PID 1120 wrote to memory of 2468	1120	setup.exe	29
PID 1120 wrote to memory of 2468	1120	setup.exe	29
PID 2468 wrote to memory of 2828	2468	msxml6-KB927977-enu-x86.exe	30
PID 2468 wrote to memory of 2828	2468	msxml6-KB927977-enu-x86.exe	30
PID 2468 wrote to memory of 2828	2468	msxml6-KB927977-enu-x86.exe	30
PID 2468 wrote to memory of 2828	2468	msxml6-KB927977-enu-x86.exe	30
PID 2468 wrote to memory of 2828	2468	msxml6-KB927977-enu-x86.exe	30
PID 2468 wrote to memory of 2828	2468	msxml6-KB927977-enu-x86.exe	30
PID 2468 wrote to memory of 2828	2468	msxml6-KB927977-enu-x86.exe	30
PID 2832 wrote to memory of 2180	2832	msiexec.exe	32
PID 2832 wrote to memory of 2180	2832	msiexec.exe	32
PID 2832 wrote to memory of 2180	2832	msiexec.exe	32
PID 2832 wrote to memory of 2180	2832	msiexec.exe	32
PID 2832 wrote to memory of 2180	2832	msiexec.exe	32
PID 2832 wrote to memory of 2180	2832	msiexec.exe	32
PID 2832 wrote to memory of 2180	2832	msiexec.exe	32
PID 1120 wrote to memory of 2904	1120	setup.exe	33
PID 1120 wrote to memory of 2904	1120	setup.exe	33
PID 1120 wrote to memory of 2904	1120	setup.exe	33
PID 1120 wrote to memory of 2904	1120	setup.exe	33
PID 1120 wrote to memory of 2904	1120	setup.exe	33
PID 1120 wrote to memory of 2904	1120	setup.exe	33
PID 1120 wrote to memory of 2904	1120	setup.exe	33
PID 2832 wrote to memory of 2856	2832	msiexec.exe	34
PID 2832 wrote to memory of 2856	2832	msiexec.exe	34
PID 2832 wrote to memory of 2856	2832	msiexec.exe	34
PID 2832 wrote to memory of 2856	2832	msiexec.exe	34
PID 2832 wrote to memory of 2856	2832	msiexec.exe	34
PID 2832 wrote to memory of 2856	2832	msiexec.exe	34
PID 2832 wrote to memory of 2856	2832	msiexec.exe	34

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\msxml6-KB927977-enu-x86.exe
  C:\Users\Admin\AppData\Local\Temp\msxml6-KB927977-enu-x86.exe /Q
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec /i c:\111fe06661f4b30435ea\msxml6.msi /Q
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\Virtual_PC_2007_Install.msi" /L*v "C:\Users\Admin\AppData\Local\Temp\VPCInstallLog.txt" MSIRESTARTMANAGERCONTROL=Disable
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2904

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
- \??\c:\Windows\syswow64\MsiExec.exe
  c:\Windows\syswow64\MsiExec.exe -Embedding 3117B62743DD912481AA4D5E2EC45338
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2180
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 71F0DEC0ED5C15AB598C524220243C85 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI459A.tmp

Filesize
93KB

MD5
22d4ad02684c3657e9e781bef8140d3a

SHA1
ae3c646a16ab12452011460b452cea10616e001c

SHA256
ec4b9529cb61486891a05e63fd47f21351cc88acb866944dc936bc49d10c7adf

SHA512
8cb6625033b8ea95f88af8d7a770f744e756e72fb508e8f2af53acc30c6f23e27cd52924b8f7e867692adf09844e5bfced72855ee0c78709c503d23a2a5bb0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virtual_PC_2007_Install.msi

Filesize
26.8MB

MD5
8fc182d2cc7d847eea10b34cc0511209

SHA1
cc74d0564a76ee3cb4f3ca2f353c22479ef0db5e

SHA256
83c119d4d842fbe968a79bff359ad30f9c5df1b71ca02d0bc4f4e7d5f2eb6ebf

SHA512
57ac665f8872d21fc56be0d5eff0fcfeaa6fa464abe613523404cfc04b89fd585ae5b3daf5dcdecbc61a5af5157a240305a4017d09874a89373304247168f08c

Download Submit
C:\Windows\Installer\MSI3553.tmp

Filesize
58KB

MD5
bbdf1dd9dfd723fb6329f810eb70c5eb

SHA1
51eafc325d1595e47342dc95fa152bf228665f99

SHA256
b1127d40552585985514eb58dc8536c61c62a726ae0222717cfbdfb38eb272c8

SHA512
542506585c44be0398a0fe2f4a019cb4170fe6a898e41713b48356c8657d788c32c007109e0c4fd9dfad10bed7a5f7043305d6c6514f73769f374ecb086b83c5

Download Submit
\??\c:\111fe06661f4b30435ea\msxml6.msi

Filesize
1.4MB

MD5
49c92309b2fee6f3cda727da41928788

SHA1
ef086408fbe2100e8177b73ad772fafd50eab8eb

SHA256
be445fb6905f07c903a40e70b6f284a21987c766c8e148b4c4aa0431994f22d0

SHA512
b6c82f426fdd5331a7e2f74a284528ede3f0c36f38e42ce4927b62a2dcc10622375035fbe9f11771c8fb8e915daebb73dbd68f39ec717496608510569886a2ea

Download Submit
\Users\Admin\AppData\Local\Temp\msxml6-KB927977-enu-x86.exe

Filesize
888KB

MD5
ecf7b649bc6a5794621c78bbce88159a

SHA1
9db9b1c3784a015ebe31bf3a84f92ac453aead5f

SHA256
dfb1a02d0794f738dd6678de48520d3a1df20cd0d6fd7ffe557b1da77583b362

SHA512
6d9f8898aca4f053daa6bf50ed757cb1c7974e126fc0eadb816afd5f30dfcb0d3a8a520b8712ffa6288566d83f396fcd51dbefe7b1cdb7b81fe767b6c102ddbb

Download Submit
memory/2180-18-0x00000000001C0000-0x00000000001D1000-memory.dmp

Filesize
68KB

Download