Analysis
max time kernel: 32s
max time network: 39s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30/09/2024, 22:52
Static task: static1
Behavioral task: behavioral1
Sample: TopazVideoAI.msi
Resource: win11-20240802-en
General
Target: TopazVideoAI.msi
Size: 2.5MB
MD5: c737f14930618830d30b3ec4ecdc80a8
SHA1: 783997c5e0552ff2fa8105ede8ce07078009637a
SHA256: 3fbee427cd1a6374da88d8652cf1783fbcf7c95e68a6f168916f4cae56a1be57
SHA512: 3e3c62ac8f2484a6cc739aff807b0c73b57258a668572d65e3c82da0b5080152ff65c1eddebdf602780effdcd63910167ca6d6a8fb71f1082b9919b798d41c65
SSDEEP: 24576:BfHWvZgkjVtyOTgStboymBwBFuoShl+P4cL96bborCBEFPxmm/AgX:dWvZgkjPyOTFmBoFuoHP9rJNx94
Malware Config

Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory (15 IoCs)
- File created: C:\Windows\Installer\e57dfd1.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIE03E.tmp (msiexec.exe)
- File created: C:\Windows\Installer\SourceHash{505DDA6B-7A05-4145-BC31-054214D18CA6} (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIE2D0.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIE3BC.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIE563.tmp (msiexec.exe)
- File created: C:\Windows\SystemTemp\~DF0B031E58953ACB8A.TMP (msiexec.exe)
- File opened for modification: C:\Windows\Installer\e57dfd1.msi (msiexec.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIE0BC.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File created: C:\Windows\SystemTemp\~DFB69F07714B2B04E9.TMP (msiexec.exe)
- File created: C:\Windows\SystemTemp\~DF13C63369BCA264E0.TMP (msiexec.exe)
- File created: C:\Windows\SystemTemp\~DF7517EB48111D2363.TMP (msiexec.exe)
Loads dropped DLL (6 IoCs)
- PID 2172 MsiExec.exe
- PID 3344 MsiExec.exe
- PID 1788 MsiExec.exe
- PID 1788 MsiExec.exe
- PID 3760 MsiExec.exe
- PID 3760 MsiExec.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
- PID 768 msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
Modifies data under HKEY_USERS (3 IoCs)
- Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 (msiexec.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 (msiexec.exe)
- Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E (msiexec.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 1680 msiexec.exe
- PID 1680 msiexec.exe
- PID 1680 msiexec.exe
- PID 1680 msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 768 msiexec.exe
- PID 768 msiexec.exe
Suspicious use of WriteProcessMemory (10 IoCs)
- PID 1680 (msiexec.exe) wrote to memory of PID 2172 (procid_target 81)
- PID 1680 (msiexec.exe) wrote to memory of PID 2172 (procid_target 81)
- PID 1680 (msiexec.exe) wrote to memory of PID 3344 (procid_target 82)
- PID 1680 (msiexec.exe) wrote to memory of PID 3344 (procid_target 82)
- PID 1680 (msiexec.exe) wrote to memory of PID 3344 (procid_target 82)
- PID 1680 (msiexec.exe) wrote to memory of PID 1788 (procid_target 83)
- PID 1680 (msiexec.exe) wrote to memory of PID 1788 (procid_target 83)
- PID 1680 (msiexec.exe) wrote to memory of PID 3760 (procid_target 84)
- PID 1680 (msiexec.exe) wrote to memory of PID 3760 (procid_target 84)
- PID 1680 (msiexec.exe) wrote to memory of PID 3760 (procid_target 84)
Processes
- C:\Windows\system32\msiexec.exe (PID 768)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TopazVideoAI.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 1680)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\MsiExec.exe (PID 2172)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 216AE48E261ACF04A03BD2D37AE8DA68 C
    - Loads dropped DLL
  - C:\Windows\syswow64\MsiExec.exe (PID 3344)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding ED0DE50D1A09F7B69CBA1367A4DE0BD2 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\System32\MsiExec.exe (PID 1788)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 9EB2641BC663AF81C8CB8330ED20AF92
    - Loads dropped DLL
  - C:\Windows\syswow64\MsiExec.exe (PID 3760)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A7CE757295A1B56D8522705C9CAE348F
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads