97252260ffd31969f14876e388fcd38f0f057a51cdfa5c2748575d5bc627876e

Analysis

max time kernel
134s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BaZiShare.msi
Size

10.0MB
MD5

09f211aebd16341977709857bf4bbf8e
SHA1

0671f642a4de089568a1e0cf2af9db652fd6de35
SHA256

3e9c26b5cbad549d385bf61b1cb57e2e1982b59d676b4a6ea694e8b3a2e10cd0
SHA512

d73518cc5de006dcad04e95be4699c4aaabedbc5ed3bd0efa9055e1c3cd3e344906506482adb835dd4dda06b460574122e1e3e857cb3667fb765e525bfe27ca8
SSDEEP

196608:z/0BW30A29LpkxX4vMeSP2zbT748D4TARcnwQxqjPAGaX2hhDK32Lk9+5BBCu:zsBW3CKIf1b/JcnwQnGaGhdlDPCu

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
3992	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1380	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1380	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1380	msiexec.exe
Token: SeSecurityPrivilege	540	msiexec.exe
Token: SeCreateTokenPrivilege	1380	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1380	msiexec.exe
Token: SeLockMemoryPrivilege	1380	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1380	msiexec.exe
Token: SeMachineAccountPrivilege	1380	msiexec.exe
Token: SeTcbPrivilege	1380	msiexec.exe
Token: SeSecurityPrivilege	1380	msiexec.exe
Token: SeTakeOwnershipPrivilege	1380	msiexec.exe
Token: SeLoadDriverPrivilege	1380	msiexec.exe
Token: SeSystemProfilePrivilege	1380	msiexec.exe
Token: SeSystemtimePrivilege	1380	msiexec.exe
Token: SeProfSingleProcessPrivilege	1380	msiexec.exe
Token: SeIncBasePriorityPrivilege	1380	msiexec.exe
Token: SeCreatePagefilePrivilege	1380	msiexec.exe
Token: SeCreatePermanentPrivilege	1380	msiexec.exe
Token: SeBackupPrivilege	1380	msiexec.exe
Token: SeRestorePrivilege	1380	msiexec.exe
Token: SeShutdownPrivilege	1380	msiexec.exe
Token: SeDebugPrivilege	1380	msiexec.exe
Token: SeAuditPrivilege	1380	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1380	msiexec.exe
Token: SeChangeNotifyPrivilege	1380	msiexec.exe
Token: SeRemoteShutdownPrivilege	1380	msiexec.exe
Token: SeUndockPrivilege	1380	msiexec.exe
Token: SeSyncAgentPrivilege	1380	msiexec.exe
Token: SeEnableDelegationPrivilege	1380	msiexec.exe
Token: SeManageVolumePrivilege	1380	msiexec.exe
Token: SeImpersonatePrivilege	1380	msiexec.exe
Token: SeCreateGlobalPrivilege	1380	msiexec.exe
Token: SeCreateTokenPrivilege	1380	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1380	msiexec.exe
Token: SeLockMemoryPrivilege	1380	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1380	msiexec.exe
Token: SeMachineAccountPrivilege	1380	msiexec.exe
Token: SeTcbPrivilege	1380	msiexec.exe
Token: SeSecurityPrivilege	1380	msiexec.exe
Token: SeTakeOwnershipPrivilege	1380	msiexec.exe
Token: SeLoadDriverPrivilege	1380	msiexec.exe
Token: SeSystemProfilePrivilege	1380	msiexec.exe
Token: SeSystemtimePrivilege	1380	msiexec.exe
Token: SeProfSingleProcessPrivilege	1380	msiexec.exe
Token: SeIncBasePriorityPrivilege	1380	msiexec.exe
Token: SeCreatePagefilePrivilege	1380	msiexec.exe
Token: SeCreatePermanentPrivilege	1380	msiexec.exe
Token: SeBackupPrivilege	1380	msiexec.exe
Token: SeRestorePrivilege	1380	msiexec.exe
Token: SeShutdownPrivilege	1380	msiexec.exe
Token: SeDebugPrivilege	1380	msiexec.exe
Token: SeAuditPrivilege	1380	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1380	msiexec.exe
Token: SeChangeNotifyPrivilege	1380	msiexec.exe
Token: SeRemoteShutdownPrivilege	1380	msiexec.exe
Token: SeUndockPrivilege	1380	msiexec.exe
Token: SeSyncAgentPrivilege	1380	msiexec.exe
Token: SeEnableDelegationPrivilege	1380	msiexec.exe
Token: SeManageVolumePrivilege	1380	msiexec.exe
Token: SeImpersonatePrivilege	1380	msiexec.exe
Token: SeCreateGlobalPrivilege	1380	msiexec.exe
Token: SeCreateTokenPrivilege	1380	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1380	msiexec.exe
Token: SeLockMemoryPrivilege	1380	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1380	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 3992	540	msiexec.exe	87
PID 540 wrote to memory of 3992	540	msiexec.exe	87
PID 540 wrote to memory of 3992	540	msiexec.exe	87

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\BaZiShare.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1380

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1D8B43973C14C47E7DAB07E7B9FDCC03 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI9B27.tmp

Filesize
14KB

MD5
501bd70081bb1b9d52a3c5add8cf7dbc

SHA1
d1e4aec6344a9e59eb1dba19c86a0de5b89149b1

SHA256
981241a06e2633f07dde24bc3a8fa2eb4bc87b9261bbb4be2453e31a820868a0

SHA512
cf68e064acd3af314b0f50c45dfad92227550ab7c57e065ced68fa83c6937262cc9538c1cf6198ec960bb0fa800d0308a92acd41fe5642ba22e6ce560c1de891

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads