1e5ee42dc85bc51fb13f1665e66a9a6950f98f8aba3e260627d5be99db95b1ee

Analysis

max time kernel
102s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e5ee42dc85bc51fb13f1665e66a9a6950f98f8aba3e260627d5be99db95b1eeN.msi
Size

3.0MB
MD5

76fa57efd571ccbf3b122223f1fcff90
SHA1

573fdcc3f2e7c6d96f585b95140a0036392c4454
SHA256

1e5ee42dc85bc51fb13f1665e66a9a6950f98f8aba3e260627d5be99db95b1ee
SHA512

1ca6622104d51c695ea9233ca31bba55ec1fd1ff2df3534f5851ac545383ce099753f8a119902ccf1194da5bde8d13c007a5a057b52a74da0ca019841de474eb
SSDEEP

49152:nB4yNYyAUd7ROHLtup6NQ3A+7d7v6I4HGJ/wxIa0x9B:lYyFd4HLA6O3T7bzJ/sIa0xf

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Loads dropped DLL 3 IoCs

pid	Process
2824	MsiExec.exe
2824	MsiExec.exe
2824	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1872	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1872	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1872	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1872	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeSecurityPrivilege	1680	msiexec.exe
Token: SeCreateTokenPrivilege	1872	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1872	msiexec.exe
Token: SeLockMemoryPrivilege	1872	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1872	msiexec.exe
Token: SeMachineAccountPrivilege	1872	msiexec.exe
Token: SeTcbPrivilege	1872	msiexec.exe
Token: SeSecurityPrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe
Token: SeLoadDriverPrivilege	1872	msiexec.exe
Token: SeSystemProfilePrivilege	1872	msiexec.exe
Token: SeSystemtimePrivilege	1872	msiexec.exe
Token: SeProfSingleProcessPrivilege	1872	msiexec.exe
Token: SeIncBasePriorityPrivilege	1872	msiexec.exe
Token: SeCreatePagefilePrivilege	1872	msiexec.exe
Token: SeCreatePermanentPrivilege	1872	msiexec.exe
Token: SeBackupPrivilege	1872	msiexec.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeShutdownPrivilege	1872	msiexec.exe
Token: SeDebugPrivilege	1872	msiexec.exe
Token: SeAuditPrivilege	1872	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1872	msiexec.exe
Token: SeChangeNotifyPrivilege	1872	msiexec.exe
Token: SeRemoteShutdownPrivilege	1872	msiexec.exe
Token: SeUndockPrivilege	1872	msiexec.exe
Token: SeSyncAgentPrivilege	1872	msiexec.exe
Token: SeEnableDelegationPrivilege	1872	msiexec.exe
Token: SeManageVolumePrivilege	1872	msiexec.exe
Token: SeImpersonatePrivilege	1872	msiexec.exe
Token: SeCreateGlobalPrivilege	1872	msiexec.exe
Token: SeCreateTokenPrivilege	1872	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1872	msiexec.exe
Token: SeLockMemoryPrivilege	1872	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1872	msiexec.exe
Token: SeMachineAccountPrivilege	1872	msiexec.exe
Token: SeTcbPrivilege	1872	msiexec.exe
Token: SeSecurityPrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe
Token: SeLoadDriverPrivilege	1872	msiexec.exe
Token: SeSystemProfilePrivilege	1872	msiexec.exe
Token: SeSystemtimePrivilege	1872	msiexec.exe
Token: SeProfSingleProcessPrivilege	1872	msiexec.exe
Token: SeIncBasePriorityPrivilege	1872	msiexec.exe
Token: SeCreatePagefilePrivilege	1872	msiexec.exe
Token: SeCreatePermanentPrivilege	1872	msiexec.exe
Token: SeBackupPrivilege	1872	msiexec.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeShutdownPrivilege	1872	msiexec.exe
Token: SeDebugPrivilege	1872	msiexec.exe
Token: SeAuditPrivilege	1872	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1872	msiexec.exe
Token: SeChangeNotifyPrivilege	1872	msiexec.exe
Token: SeRemoteShutdownPrivilege	1872	msiexec.exe
Token: SeUndockPrivilege	1872	msiexec.exe
Token: SeSyncAgentPrivilege	1872	msiexec.exe
Token: SeEnableDelegationPrivilege	1872	msiexec.exe
Token: SeManageVolumePrivilege	1872	msiexec.exe
Token: SeImpersonatePrivilege	1872	msiexec.exe
Token: SeCreateGlobalPrivilege	1872	msiexec.exe
Token: SeCreateTokenPrivilege	1872	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1872	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2824	1680	msiexec.exe	31
PID 1680 wrote to memory of 2824	1680	msiexec.exe	31
PID 1680 wrote to memory of 2824	1680	msiexec.exe	31
PID 1680 wrote to memory of 2824	1680	msiexec.exe	31
PID 1680 wrote to memory of 2824	1680	msiexec.exe	31
PID 1680 wrote to memory of 2824	1680	msiexec.exe	31
PID 1680 wrote to memory of 2824	1680	msiexec.exe	31

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1e5ee42dc85bc51fb13f1665e66a9a6950f98f8aba3e260627d5be99db95b1eeN.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1872

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DBB7C47DB1E9C3C156C9A02781204346 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSICD5D.tmp

Filesize
57KB

MD5
90ed4938fd712e3ac49dfdff0ff63cc0

SHA1
f3ae0ec59bd8fcb578310942bbf17c047d4895c9

SHA256
9d3eee64d97e0b082a2ab26f997b29fd6f16bb49a70b711fdc241fca079c788b

SHA512
c35ae7a402a01155a9aca294ee88a4029eeb2c560c25a33acb3e35d7060f8fa02d6bc0289b6cf44ed4e516cbd21a7c7b0843172d2686dc3a7270f40be08e0f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICE77.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
\Users\Admin\AppData\Local\Temp\MSICF14.tmp

Filesize
184KB

MD5
3404519eb0b2108a460e5da2be63d10a

SHA1
cbea0062bb579e77c19bfbbd3834a5c1a301e6ff

SHA256
2fd2ea60b1f47753ff4e0db6f21344cdbaea14ccbe46b20fa5504702d3aeaed6

SHA512
0c2d2db2c3e528ca2a735cb33a1c441a61d666b50a893c28dae6fb039e4ff3e0435a98af26c41f5fb978f9906b88eed846e276842c15caf6080ed8baaad562f0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads