Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19-09-2024 06:57
Static task: static1
Behavioral task: behavioral1
- Sample: 谷歌官网安装包.msi
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 谷歌官网安装包.msi
- Resource: win10v2004-20240802-en
General
- Target: 谷歌官网安装包.msi
- Size: 18.9MB
- MD5: 613f5baf5dc10b078583d76dc524638c
- SHA1: e418401b983ff628622f972e2b9c72f21e2e104b
- SHA256: 4f814cc796e43cb4214554dc9e3d7c8512f8f6e6fa6969b3f6e781c1476968d5
- SHA512: 822581b42b507bed664fc3f00db18a865011f23a547d6f73762a8d948b8f0e8791c624192dad3b6b00acb061d75d43208cdf09fbd90a5554638b10b56d1d8b5b
- SSDEEP: 393216:9vbbOv23u55DQRaGtTT6GoX1YOL7/0Nib+EFpvMVdoH:xn4nftUVoXp7/0EyAMVdoH
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\K: | msiexec.exe
- File opened (read-only) | \??\U: | msiexec.exe
- File opened (read-only) | \??\V: | msiexec.exe
- File opened (read-only) | \??\G: | msiexec.exe
- File opened (read-only) | \??\H: | msiexec.exe
- File opened (read-only) | \??\I: | msiexec.exe
- File opened (read-only) | \??\E: | msiexec.exe
- File opened (read-only) | \??\R: | msiexec.exe
- File opened (read-only) | \??\T: | msiexec.exe
- File opened (read-only) | \??\Z: | msiexec.exe
- File opened (read-only) | \??\E: | msiexec.exe
- File opened (read-only) | \??\J: | msiexec.exe
- File opened (read-only) | \??\Z: | msiexec.exe
- File opened (read-only) | \??\I: | msiexec.exe
- File opened (read-only) | \??\M: | msiexec.exe
- File opened (read-only) | \??\Y: | msiexec.exe
- File opened (read-only) | \??\K: | msiexec.exe
- File opened (read-only) | \??\R: | msiexec.exe
- File opened (read-only) | \??\U: | msiexec.exe
- File opened (read-only) | \??\W: | msiexec.exe
- File opened (read-only) | \??\L: | msiexec.exe
- File opened (read-only) | \??\H: | msiexec.exe
- File opened (read-only) | \??\W: | msiexec.exe
- File opened (read-only) | \??\J: | msiexec.exe
- File opened (read-only) | \??\L: | msiexec.exe
- File opened (read-only) | \??\N: | msiexec.exe
- File opened (read-only) | \??\S: | msiexec.exe
- File opened (read-only) | \??\Y: | msiexec.exe
- File opened (read-only) | \??\B: | msiexec.exe
- File opened (read-only) | \??\P: | msiexec.exe
- File opened (read-only) | \??\X: | msiexec.exe
- File opened (read-only) | \??\A: | msiexec.exe
- File opened (read-only) | \??\O: | msiexec.exe
- File opened (read-only) | \??\G: | msiexec.exe
- File opened (read-only) | \??\N: | msiexec.exe
- File opened (read-only) | \??\O: | msiexec.exe
- File opened (read-only) | \??\Q: | msiexec.exe
- File opened (read-only) | \??\S: | msiexec.exe
- File opened (read-only) | \??\M: | msiexec.exe
- File opened (read-only) | \??\T: | msiexec.exe
- File opened (read-only) | \??\X: | msiexec.exe
- File opened (read-only) | \??\A: | msiexec.exe
- File opened (read-only) | \??\B: | msiexec.exe
- File opened (read-only) | \??\P: | msiexec.exe
- File opened (read-only) | \??\Q: | msiexec.exe
- File opened (read-only) | \??\V: | msiexec.exe
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
- File created | C:\Program Files (x86)\谷歌\谷歌\ChromeSetup.exe | msiexec.exe
- File created | C:\Program Files (x86)\谷歌\谷歌\Eas安装7.exe | msiexec.exe
- File created | C:\Program Files (x86)\谷歌\谷歌\资源之家(无限宇宙壁纸) (63).jpg | msiexec.exe
Drops file in Windows directory (10 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\Installer\f771797.ipi | msiexec.exe
- File opened for modification | C:\Windows\Installer\f771796.msi | msiexec.exe
- File created | C:\Windows\Installer\f771797.ipi | msiexec.exe
- File opened for modification | C:\Windows\Installer\ | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI1843.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI198B.tmp | msiexec.exe
- File created | C:\Windows\Installer\f771799.msi | msiexec.exe
- File created | C:\Windows\SystemTemp\viewer.exe | MsiExec.exe
- File created | C:\Windows\Installer\f771796.msi | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI17C5.tmp | msiexec.exe
Executes dropped EXE (1 IoC)
pid | Process
- 324 | Eas安装7.exe
Loads dropped DLL (15 IoCs)
pid | Process
- 2524 | MsiExec.exe (13 entries)
- 2376 | MsiExec.exe (2 entries)
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
pid | Process
- 1688 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eas安装7.exe
Modifies data under HKEY_USERS (3 IoCs)
description | ioc | Process
- Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
- Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
Modifies registry class (23 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9\InstanceType = "0" | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AEAECD6040D6B38478A3FBF5A1028295\6C3A8987690088E4E8EF3D92653AEAA9 | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9\SourceList\Media\1 = ";" | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6C3A8987690088E4E8EF3D92653AEAA9 | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9\PackageCode = "7AAB85E818862414DBDD0E3E8F3FCA98" | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9\AdvertiseFlags = "388" | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9\DeploymentFlags = "3" | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AEAECD6040D6B38478A3FBF5A1028295 | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9\SourceList | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9\SourceList\PackageName = "谷歌官网安装包.msi" | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9\SourceList\Media | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9 | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9\Assignment = "1" | msiexec.exe
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9\Clients = 3a0000000000 | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9\Version = "16777216" | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9\AuthorizedLUAApp = "0" | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9\Language = "2052" | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9\SourceList\Net | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6C3A8987690088E4E8EF3D92653AEAA9\MainFeature | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C3A8987690088E4E8EF3D92653AEAA9\ProductName = "谷歌" | msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
- 2744 | msiexec.exe
- 2744 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
- Token: SeShutdownPrivilege | 1688 | msiexec.exe
- Token: SeIncreaseQuotaPrivilege | 1688 | msiexec.exe
- Token: SeRestorePrivilege | 2744 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 2744 | msiexec.exe
- Token: SeSecurityPrivilege | 2744 | msiexec.exe
- Token: SeCreateTokenPrivilege | 1688 | msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege | 1688 | msiexec.exe
- Token: SeLockMemoryPrivilege | 1688 | msiexec.exe
- Token: SeIncreaseQuotaPrivilege | 1688 | msiexec.exe
- Token: SeMachineAccountPrivilege | 1688 | msiexec.exe
- Token: SeTcbPrivilege | 1688 | msiexec.exe
- Token: SeSecurityPrivilege | 1688 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 1688 | msiexec.exe
- Token: SeLoadDriverPrivilege | 1688 | msiexec.exe
- Token: SeSystemProfilePrivilege | 1688 | msiexec.exe
- Token: SeSystemtimePrivilege | 1688 | msiexec.exe
- Token: SeProfSingleProcessPrivilege | 1688 | msiexec.exe
- Token: SeIncBasePriorityPrivilege | 1688 | msiexec.exe
- Token: SeCreatePagefilePrivilege | 1688 | msiexec.exe
- Token: SeCreatePermanentPrivilege | 1688 | msiexec.exe
- Token: SeBackupPrivilege | 1688 | msiexec.exe
- Token: SeRestorePrivilege | 1688 | msiexec.exe
- Token: SeShutdownPrivilege | 1688 | msiexec.exe
- Token: SeDebugPrivilege | 1688 | msiexec.exe
- Token: SeAuditPrivilege | 1688 | msiexec.exe
- Token: SeSystemEnvironmentPrivilege | 1688 | msiexec.exe
- Token: SeChangeNotifyPrivilege | 1688 | msiexec.exe
- Token: SeRemoteShutdownPrivilege | 1688 | msiexec.exe
- Token: SeUndockPrivilege | 1688 | msiexec.exe
- Token: SeSyncAgentPrivilege | 1688 | msiexec.exe
- Token: SeEnableDelegationPrivilege | 1688 | msiexec.exe
- Token: SeManageVolumePrivilege | 1688 | msiexec.exe
- Token: SeImpersonatePrivilege | 1688 | msiexec.exe
- Token: SeCreateGlobalPrivilege | 1688 | msiexec.exe
- Token: SeCreateTokenPrivilege | 1688 | msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege | 1688 | msiexec.exe
- Token: SeLockMemoryPrivilege | 1688 | msiexec.exe
- Token: SeIncreaseQuotaPrivilege | 1688 | msiexec.exe
- Token: SeMachineAccountPrivilege | 1688 | msiexec.exe
- Token: SeTcbPrivilege | 1688 | msiexec.exe
- Token: SeSecurityPrivilege | 1688 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 1688 | msiexec.exe
- Token: SeLoadDriverPrivilege | 1688 | msiexec.exe
- Token: SeSystemProfilePrivilege | 1688 | msiexec.exe
- Token: SeSystemtimePrivilege | 1688 | msiexec.exe
- Token: SeProfSingleProcessPrivilege | 1688 | msiexec.exe
- Token: SeIncBasePriorityPrivilege | 1688 | msiexec.exe
- Token: SeCreatePagefilePrivilege | 1688 | msiexec.exe
- Token: SeCreatePermanentPrivilege | 1688 | msiexec.exe
- Token: SeBackupPrivilege | 1688 | msiexec.exe
- Token: SeRestorePrivilege | 1688 | msiexec.exe
- Token: SeShutdownPrivilege | 1688 | msiexec.exe
- Token: SeDebugPrivilege | 1688 | msiexec.exe
- Token: SeAuditPrivilege | 1688 | msiexec.exe
- Token: SeSystemEnvironmentPrivilege | 1688 | msiexec.exe
- Token: SeChangeNotifyPrivilege | 1688 | msiexec.exe
- Token: SeRemoteShutdownPrivilege | 1688 | msiexec.exe
- Token: SeUndockPrivilege | 1688 | msiexec.exe
- Token: SeSyncAgentPrivilege | 1688 | msiexec.exe
- Token: SeEnableDelegationPrivilege | 1688 | msiexec.exe
- Token: SeManageVolumePrivilege | 1688 | msiexec.exe
- Token: SeImpersonatePrivilege | 1688 | msiexec.exe
- Token: SeCreateGlobalPrivilege | 1688 | msiexec.exe
- Token: SeCreateTokenPrivilege | 1688 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
- 1688 | msiexec.exe
- 1688 | msiexec.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
- PID 2744 wrote to memory of 2524 | 2744 | msiexec.exe | 31 (7 entries)
- PID 2744 wrote to memory of 2376 | 2744 | msiexec.exe | 32 (7 entries)
- PID 2524 wrote to memory of 324 | 2524 | MsiExec.exe | 34 (4 entries)
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\谷歌官网安装包.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1688
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2744
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 71A5433481811C0E810EB7F1ABF59FE9 C
    - Drops file in Windows directory
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2524
    - C:\Program Files (x86)\谷歌\谷歌\Eas安装7.exe
      Command line: "C:\Program Files (x86)\谷歌\谷歌\Eas安装7.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 324
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding D0AD12D471BB3BDFB154F43C204986DF
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2376
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: 42c3fb39e40d926ad0f48888c3d53e34
  SHA1: 8c2669200c0a1f9d9b27a2c5e8df85f6f8dd389e
  SHA256: 7d4ae5198d0277c97307b5c15f38c8b62f894681997db9a20356c2bdd9a65ba2
  SHA512: 3a74a1888ad94dbc274ff3c29fecab5933e0d13f8f1cbcc53f2b16179923a47f3d086140c0a82967cea64419d65cbcf291121ae3fb69459e60a76002104cecb4
- Filesize: 8.0MB
  MD5: 6146d80ddb9ab1d200feaef5c5782668
  SHA1: 0630776275c0186ed80796b502f93f49e5f4f07d
  SHA256: c50158d713846589ea9021e7dd7ee845f261576b5ab919bf39262bc62cf1aa49
  SHA512: eec3fe32ee0f223d52788464f33c146e38286c9a1d59f23dfb77bb9d7976fe89516da17fbe858c99f3811687a053eaf79a9e26df7cca29cd15696915cd3af44b
- Filesize: 12.0MB
  MD5: a36426519198480cfd977926587ca5ad
  SHA1: 47308f2d1c6d546edcbc1d1523e932afd40e8736
  SHA256: 8e9bc7263f880f504d8dce9e7cac6f144aa897f335975c154b60ffb07ae4962a
  SHA512: 1096a90a941c7725bfe4ba4273d3dad20bea7a31aeefda734e01142ad4664355f30f64dd94d5c03505bb416af99e2760778e2498763c0f483c7dbc93f251b583
- Filesize: 703KB
  MD5: 59f4b7e8b960987b68b311660c99957a
  SHA1: 3ba452e27d4bf53e72bf28cde68240290e72e46f
  SHA256: 3b43d469e1f3656f948eabbd9e1ed99570a7962118fcfc9ccaa309eb657502bf
  SHA512: 64bd1ddbc90dfae6a7b34b67eaa32a0fd03e5ccff7e25f997dfb488f56b7ab2c7fab867915d05ba40f215216f87942d035e740edd64db7cb6df049a589dde27b
- Filesize: 1.0MB
  MD5: 5566149fc623f29d55ca72018369c780
  SHA1: 8ae947ab0ae9182f1c09bd266ff360c0e8b88326
  SHA256: a8c8ff2a0e754059b1f44ef69df492ef3cd582f3750f8c374037c9621069c608
  SHA512: f9f49c930c3ead40f208482ab6f70a21a8495fd1c50b56a3f689eb53e8e7b8ca9a642bae2199fc80b6099bd3fdd3c4cfcd0d3a8cada47ebf23c7fcef87064cb5
- Filesize: 18.9MB
  MD5: 613f5baf5dc10b078583d76dc524638c
  SHA1: e418401b983ff628622f972e2b9c72f21e2e104b
  SHA256: 4f814cc796e43cb4214554dc9e3d7c8512f8f6e6fa6969b3f6e781c1476968d5
  SHA512: 822581b42b507bed664fc3f00db18a865011f23a547d6f73762a8d948b8f0e8791c624192dad3b6b00acb061d75d43208cdf09fbd90a5554638b10b56d1d8b5b
- Filesize: 557KB
  MD5: e1423fc5ddaedc0152a09f4796243e31
  SHA1: c92cec1fb6093d6922fe64719e583048fca12153
  SHA256: 3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de
  SHA512: fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39