ead0577e228789bfd4f57dd1a277c1393d150f05977340fffdc682e300603453

Analysis

max time kernel
94s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NewRelicAgent_x64_8.24.244.0.msi
Size

4.9MB
MD5

0427777291730ea30290cca53df5dedb
SHA1

70e1cc66843a5c8a9631b20555d3cf2b5b9a9630
SHA256

ead0577e228789bfd4f57dd1a277c1393d150f05977340fffdc682e300603453
SHA512

9705055b3ab155e50b86c168e6c328fd0858446e26beb5d3a57098734768faaf36b253ad47e78cf72003e1ef63a6a0185828bfe7af93d99966e4771d7aa4901b
SSDEEP

98304:f711NIX5Cu4OTwN0yqhcIzin+d8ZNQr0x61qPd6:f71fYT4hyWeDdlrMd

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
4	3764	msiexec.exe
6	3764	msiexec.exe
8	3764	msiexec.exe
10	3764	msiexec.exe
12	3764	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Loads dropped DLL 4 IoCs

pid	Process
3176	MsiExec.exe
4632	rundll32.exe
4632	rundll32.exe
4632	rundll32.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3764	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3764	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3764	msiexec.exe
Token: SeSecurityPrivilege	4236	msiexec.exe
Token: SeCreateTokenPrivilege	3764	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3764	msiexec.exe
Token: SeLockMemoryPrivilege	3764	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3764	msiexec.exe
Token: SeMachineAccountPrivilege	3764	msiexec.exe
Token: SeTcbPrivilege	3764	msiexec.exe
Token: SeSecurityPrivilege	3764	msiexec.exe
Token: SeTakeOwnershipPrivilege	3764	msiexec.exe
Token: SeLoadDriverPrivilege	3764	msiexec.exe
Token: SeSystemProfilePrivilege	3764	msiexec.exe
Token: SeSystemtimePrivilege	3764	msiexec.exe
Token: SeProfSingleProcessPrivilege	3764	msiexec.exe
Token: SeIncBasePriorityPrivilege	3764	msiexec.exe
Token: SeCreatePagefilePrivilege	3764	msiexec.exe
Token: SeCreatePermanentPrivilege	3764	msiexec.exe
Token: SeBackupPrivilege	3764	msiexec.exe
Token: SeRestorePrivilege	3764	msiexec.exe
Token: SeShutdownPrivilege	3764	msiexec.exe
Token: SeDebugPrivilege	3764	msiexec.exe
Token: SeAuditPrivilege	3764	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3764	msiexec.exe
Token: SeChangeNotifyPrivilege	3764	msiexec.exe
Token: SeRemoteShutdownPrivilege	3764	msiexec.exe
Token: SeUndockPrivilege	3764	msiexec.exe
Token: SeSyncAgentPrivilege	3764	msiexec.exe
Token: SeEnableDelegationPrivilege	3764	msiexec.exe
Token: SeManageVolumePrivilege	3764	msiexec.exe
Token: SeImpersonatePrivilege	3764	msiexec.exe
Token: SeCreateGlobalPrivilege	3764	msiexec.exe
Token: SeCreateTokenPrivilege	3764	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3764	msiexec.exe
Token: SeLockMemoryPrivilege	3764	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3764	msiexec.exe
Token: SeMachineAccountPrivilege	3764	msiexec.exe
Token: SeTcbPrivilege	3764	msiexec.exe
Token: SeSecurityPrivilege	3764	msiexec.exe
Token: SeTakeOwnershipPrivilege	3764	msiexec.exe
Token: SeLoadDriverPrivilege	3764	msiexec.exe
Token: SeSystemProfilePrivilege	3764	msiexec.exe
Token: SeSystemtimePrivilege	3764	msiexec.exe
Token: SeProfSingleProcessPrivilege	3764	msiexec.exe
Token: SeIncBasePriorityPrivilege	3764	msiexec.exe
Token: SeCreatePagefilePrivilege	3764	msiexec.exe
Token: SeCreatePermanentPrivilege	3764	msiexec.exe
Token: SeBackupPrivilege	3764	msiexec.exe
Token: SeRestorePrivilege	3764	msiexec.exe
Token: SeShutdownPrivilege	3764	msiexec.exe
Token: SeDebugPrivilege	3764	msiexec.exe
Token: SeAuditPrivilege	3764	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3764	msiexec.exe
Token: SeChangeNotifyPrivilege	3764	msiexec.exe
Token: SeRemoteShutdownPrivilege	3764	msiexec.exe
Token: SeUndockPrivilege	3764	msiexec.exe
Token: SeSyncAgentPrivilege	3764	msiexec.exe
Token: SeEnableDelegationPrivilege	3764	msiexec.exe
Token: SeManageVolumePrivilege	3764	msiexec.exe
Token: SeImpersonatePrivilege	3764	msiexec.exe
Token: SeCreateGlobalPrivilege	3764	msiexec.exe
Token: SeCreateTokenPrivilege	3764	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3764	msiexec.exe
Token: SeLockMemoryPrivilege	3764	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3764	msiexec.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 3176	4236	msiexec.exe	94
PID 4236 wrote to memory of 3176	4236	msiexec.exe	94
PID 3176 wrote to memory of 4632	3176	MsiExec.exe	95
PID 3176 wrote to memory of 4632	3176	MsiExec.exe	95

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NewRelicAgent_x64_8.24.244.0.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3764

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding C7D4EA7190FEE8AB4D1EDD6D3A85EB8A C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIC89A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240699640 1 InstallerActions!InstallerActions.CustomActions.FindPreviousLicenseKey
    3⤵
    - Loads dropped DLL
    PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIC89A.tmp

Filesize
280KB

MD5
a7582a6ab33366a0490e1b1ef5c4437b

SHA1
d3dee52275b3395acdd3e6d270d31b602025909d

SHA256
eaf2fdb4eaca6029c83792bbe45b84ffcdaabe6edc5a6e53a27f0f3108ab570b

SHA512
cbe18fd099b543bc41bedb96d28f2e285ec5b1357a2bef5b63b63fbc9174dceebe2c66d51823b70a152b9928cd86d71aba3ddf5579dd56b9d85aca5e28e03684

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC89A.tmp-\InstallerActions.dll

Filesize
16KB

MD5
d683ce7331b020e979640ae55cd2d2aa

SHA1
28425e4b6b53cbe791d36793d417937e4155967a

SHA256
2d798e86641b83ba8845e5630fa500cb802b26ad66eed2c09bf216c2f785ed86

SHA512
122e9dd7854cf636ce357ce22854a788267993af0424c4a48effcb7ad6d7b8c4e4d20c4ff111390172db833908f703e2c25b517d1b2ae5f0282ffcf70e937f1f

Download Submit
memory/4632-31-0x0000025C86AE0000-0x0000025C86B0E000-memory.dmp

Filesize
184KB

Download
memory/4632-35-0x0000025C86A50000-0x0000025C86A58000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads