392062387237180f947774e21e0b154d46155416a7a81e780f0c79664cb9b570

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scribe_4.10.5.msi
Size

81.8MB
MD5

010394b91ce56a6835ba9f69375d7f81
SHA1

56cbb6c0e22b69e9f4a14ee16106a090ec75b4b1
SHA256

392062387237180f947774e21e0b154d46155416a7a81e780f0c79664cb9b570
SHA512

35986e0afb5016ab48477c296c1136e13cfec8cf45eb8d35d56ee7df463f8e13e7888861ce7e5e27a3fdaf31e64e6da8d12ae9b8e421e7ab1fcda9f6aca7098f
SSDEEP

1572864:kd8rwbiwRUE9g4rc636T/zCRHZ/DYdqgMtsBkmGFjXeYPtUyqSO:kuwbitognS6Tmld1nC9G1XeYg

Score

6^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2728	msiexec.exe
5	2728	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Loads dropped DLL 8 IoCs

pid	Process
1700	MsiExec.exe
1700	MsiExec.exe
1700	MsiExec.exe
1700	MsiExec.exe
1700	MsiExec.exe
1700	MsiExec.exe
1700	MsiExec.exe
1700	MsiExec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2260	powershell.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2728	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2260	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2728	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2728	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeSecurityPrivilege	2180	msiexec.exe
Token: SeCreateTokenPrivilege	2728	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2728	msiexec.exe
Token: SeLockMemoryPrivilege	2728	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2728	msiexec.exe
Token: SeMachineAccountPrivilege	2728	msiexec.exe
Token: SeTcbPrivilege	2728	msiexec.exe
Token: SeSecurityPrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe
Token: SeLoadDriverPrivilege	2728	msiexec.exe
Token: SeSystemProfilePrivilege	2728	msiexec.exe
Token: SeSystemtimePrivilege	2728	msiexec.exe
Token: SeProfSingleProcessPrivilege	2728	msiexec.exe
Token: SeIncBasePriorityPrivilege	2728	msiexec.exe
Token: SeCreatePagefilePrivilege	2728	msiexec.exe
Token: SeCreatePermanentPrivilege	2728	msiexec.exe
Token: SeBackupPrivilege	2728	msiexec.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeShutdownPrivilege	2728	msiexec.exe
Token: SeDebugPrivilege	2728	msiexec.exe
Token: SeAuditPrivilege	2728	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2728	msiexec.exe
Token: SeChangeNotifyPrivilege	2728	msiexec.exe
Token: SeRemoteShutdownPrivilege	2728	msiexec.exe
Token: SeUndockPrivilege	2728	msiexec.exe
Token: SeSyncAgentPrivilege	2728	msiexec.exe
Token: SeEnableDelegationPrivilege	2728	msiexec.exe
Token: SeManageVolumePrivilege	2728	msiexec.exe
Token: SeImpersonatePrivilege	2728	msiexec.exe
Token: SeCreateGlobalPrivilege	2728	msiexec.exe
Token: SeCreateTokenPrivilege	2728	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2728	msiexec.exe
Token: SeLockMemoryPrivilege	2728	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2728	msiexec.exe
Token: SeMachineAccountPrivilege	2728	msiexec.exe
Token: SeTcbPrivilege	2728	msiexec.exe
Token: SeSecurityPrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe
Token: SeLoadDriverPrivilege	2728	msiexec.exe
Token: SeSystemProfilePrivilege	2728	msiexec.exe
Token: SeSystemtimePrivilege	2728	msiexec.exe
Token: SeProfSingleProcessPrivilege	2728	msiexec.exe
Token: SeIncBasePriorityPrivilege	2728	msiexec.exe
Token: SeCreatePagefilePrivilege	2728	msiexec.exe
Token: SeCreatePermanentPrivilege	2728	msiexec.exe
Token: SeBackupPrivilege	2728	msiexec.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeShutdownPrivilege	2728	msiexec.exe
Token: SeDebugPrivilege	2728	msiexec.exe
Token: SeAuditPrivilege	2728	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2728	msiexec.exe
Token: SeChangeNotifyPrivilege	2728	msiexec.exe
Token: SeRemoteShutdownPrivilege	2728	msiexec.exe
Token: SeUndockPrivilege	2728	msiexec.exe
Token: SeSyncAgentPrivilege	2728	msiexec.exe
Token: SeEnableDelegationPrivilege	2728	msiexec.exe
Token: SeManageVolumePrivilege	2728	msiexec.exe
Token: SeImpersonatePrivilege	2728	msiexec.exe
Token: SeCreateGlobalPrivilege	2728	msiexec.exe
Token: SeCreateTokenPrivilege	2728	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2728	msiexec.exe
2728	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1700	2180	msiexec.exe	31
PID 2180 wrote to memory of 1700	2180	msiexec.exe	31
PID 2180 wrote to memory of 1700	2180	msiexec.exe	31
PID 2180 wrote to memory of 1700	2180	msiexec.exe	31
PID 2180 wrote to memory of 1700	2180	msiexec.exe	31
PID 2180 wrote to memory of 1700	2180	msiexec.exe	31
PID 2180 wrote to memory of 1700	2180	msiexec.exe	31
PID 1700 wrote to memory of 2260	1700	MsiExec.exe	32
PID 1700 wrote to memory of 2260	1700	MsiExec.exe	32
PID 1700 wrote to memory of 2260	1700	MsiExec.exe	32
PID 1700 wrote to memory of 2260	1700	MsiExec.exe	32

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Scribe_4.10.5.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2728

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A58ED0CFB647DFCEA71F24F152BBC0DC C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss6E40.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi6E3D.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr6E3E.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr6E3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab6B14.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6DB3.tmp

Filesize
758KB

MD5
743c67416aa1d2568679f45ef36e0179

SHA1
dc7163deb7e0d0e493f0ced46fb2fd0b29e19910

SHA256
58800c0b1f916f5ac032ab6e9410d2e5d687eebc95c2955bded68ac97dacd639

SHA512
f35f5a19aa3fe6fc723b771e7199e35cff4de5ed26a5a0a86377288f9487875bbdb19231743f2a7a019642f59ab57ed7cc02e7b4b9a6ec3c11b595596aa6066c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI711E.tmp

Filesize
738KB

MD5
ee45c6dffaf86ed2a76d8f969c390c08

SHA1
ff5b2942ffa7d28ed3f72208e8e76391b2991b5a

SHA256
118a551eef23bf842ed470316aa1a50bf17b6d656652879802d4acc0184608ca

SHA512
a92bc7aff5da3dc33263ea3d43cf617d47a2a6c589118f7ee3c5f293d63171778a7a37815ec23cb426558546cf0a1e694c67c7cbc36cca92677de566d1d71664

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI72A8.tmp

Filesize
875KB

MD5
0100adb48a98b69b29b817fc65547aa8

SHA1
958c3a436211758373087efa732fa5e9fb16f5b3

SHA256
f754814bda0f682382da00f49f21eb66f47c02504e4fb9322bc8068f0f168b41

SHA512
00203279917359ba4838f7232d9cd8db479cf61506aa4dbbb08e6e53b0cfdc5c489928e97cd936df2b7d46d71073d78294085e3ad3e6974c07d242d8c0f9a6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI72E7.tmp

Filesize
1.1MB

MD5
e6d26b10972bc3b58ccd535e1278cc32

SHA1
10996e7f0b267e7f0c6843f9860bc7da89e5d2c2

SHA256
3dbb46ee1950b828c53f2c5dee3371559327f8c6932e549c3543eaf16846a5de

SHA512
530836aef2da9287a08cfebfcb195cfd986ee6a8265e84fe372fb17e58a7b37814e529f49ef22bf204c860a1e451be78213d51a60356f501cf44ff10c0482eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6BE2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss6E40.ps1

Filesize
6KB

MD5
30c30ef2cb47e35101d13402b5661179

SHA1
25696b2aab86a9233f19017539e2dd83b2f75d4e

SHA256
53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

SHA512
882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr6E3E.ps1

Filesize
1KB

MD5
d80b7b237ba8af313dd12bf9f6af372f

SHA1
3ec20cc5411e3b927047cf06552067203abd8862

SHA256
a2bc34970de61ced4f2978bd71c78a092c528458b681ede5e1f5c195d14eb1ab

SHA512
6352ea735dc56053003c6b895a3bdc565c0b588cb6af39596745f6a7da31442358c167f3c2d6e3b65502f437b6c4475e9a1b0ef31694f658425c3ecd9eb734cc

Download Submit