Analysis
-
max time kernel
94s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21/09/2024, 16:57
Static task
static1
Behavioral task
behavioral1
Sample
Meteorite_0.3.0_x64_en-US.msi
Resource
win7-20240903-en
windows7-x64
23 signatures
150 seconds
Behavioral task
behavioral2
Sample
Meteorite_0.3.0_x64_en-US.msi
Resource
win10v2004-20240802-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
Meteorite_0.3.0_x64_en-US.msi
-
Size
5.6MB
-
MD5
196f000d6929e1ce6f79e581fec37e2c
-
SHA1
8e904fd9477ffa493acfe0631c249002944c0e88
-
SHA256
828d5c8ff19fb394f8444acfdb6dfd4030a0d3122cce2272452e34f5393f4972
-
SHA512
1b4b643a26f34e7cc48407f9fc9a07f1705e93d7c7f7a5a421f8861a8a3971c15931a7ee091e4aef37fb3a606b5656843d081b0e8fca8ae046d81f52abb5bd42
-
SSDEEP
98304:zllounibAOzWM+JczBnjAt2hxiS0gCMjiZJqrtqa4TAKlGyA08dysDdkSbTry:rodh1FnOSnOZJGtZ4kK6ZQidkSb
Score
6/10
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\G: msiexec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 876 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process Token: SeShutdownPrivilege 876 msiexec.exe Token: SeIncreaseQuotaPrivilege 876 msiexec.exe Token: SeSecurityPrivilege 772 msiexec.exe Token: SeCreateTokenPrivilege 876 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 876 msiexec.exe Token: SeLockMemoryPrivilege 876 msiexec.exe Token: SeIncreaseQuotaPrivilege 876 msiexec.exe Token: SeMachineAccountPrivilege 876 msiexec.exe Token: SeTcbPrivilege 876 msiexec.exe Token: SeSecurityPrivilege 876 msiexec.exe Token: SeTakeOwnershipPrivilege 876 msiexec.exe Token: SeLoadDriverPrivilege 876 msiexec.exe Token: SeSystemProfilePrivilege 876 msiexec.exe Token: SeSystemtimePrivilege 876 msiexec.exe Token: SeProfSingleProcessPrivilege 876 msiexec.exe Token: SeIncBasePriorityPrivilege 876 msiexec.exe Token: SeCreatePagefilePrivilege 876 msiexec.exe Token: SeCreatePermanentPrivilege 876 msiexec.exe Token: SeBackupPrivilege 876 msiexec.exe Token: SeRestorePrivilege 876 msiexec.exe Token: SeShutdownPrivilege 876 msiexec.exe Token: SeDebugPrivilege 876 msiexec.exe Token: SeAuditPrivilege 876 msiexec.exe Token: SeSystemEnvironmentPrivilege 876 msiexec.exe Token: SeChangeNotifyPrivilege 876 msiexec.exe Token: SeRemoteShutdownPrivilege 876 msiexec.exe Token: SeUndockPrivilege 876 msiexec.exe Token: SeSyncAgentPrivilege 876 msiexec.exe Token: SeEnableDelegationPrivilege 876 msiexec.exe Token: SeManageVolumePrivilege 876 msiexec.exe Token: SeImpersonatePrivilege 876 msiexec.exe Token: SeCreateGlobalPrivilege 876 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 876 msiexec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Meteorite_0.3.0_x64_en-US.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:876
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:772