2bf994daf30eb46bfbf9f43028717c14e4693a7afb4a5c2bb7b6d852daed2b86

Resubmissions

16-10-2024 08:03

241016-jxqefszhpg 10

16-10-2024 07:59

241016-jvwtfszgrg 10

Analysis

max time kernel
32s
max time network
36s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-10-2024 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Predict7.6.3/Launcher8.3.6.msi
Size

34.8MB
MD5

62a70b6a607c787a26ecd7aae7f5cfa7
SHA1

24be3506a7eb8bcddd63810813934138902a07d1
SHA256

975bcef0f45e9012fd3d1e06133d916eec9a77bfe40bf4d526711a40ff956dfb
SHA512

d18514bae872ce947a05551485d377a3d8de1f807aa9c486496cdef455f09f71b16967b62a24e95d5c62217d63c63939337f66023815b35a0fbd9e87b2c6a18a
SSDEEP

786432:Fx7ZJrqPhKmBwZDjzQrdj1CqeqaGK3Eafgtil2EJGw0SEx:7rqt6zKdj3auMgtTyGw0

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f76fed8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76fed8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFF36.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFFB4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFFF3.tmp	msiexec.exe

Loads dropped DLL 3 IoCs

pid	Process
2832	MsiExec.exe
2832	MsiExec.exe
2832	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2260	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2260	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2260	msiexec.exe
Token: SeRestorePrivilege	2812	msiexec.exe
Token: SeTakeOwnershipPrivilege	2812	msiexec.exe
Token: SeSecurityPrivilege	2812	msiexec.exe
Token: SeCreateTokenPrivilege	2260	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2260	msiexec.exe
Token: SeLockMemoryPrivilege	2260	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2260	msiexec.exe
Token: SeMachineAccountPrivilege	2260	msiexec.exe
Token: SeTcbPrivilege	2260	msiexec.exe
Token: SeSecurityPrivilege	2260	msiexec.exe
Token: SeTakeOwnershipPrivilege	2260	msiexec.exe
Token: SeLoadDriverPrivilege	2260	msiexec.exe
Token: SeSystemProfilePrivilege	2260	msiexec.exe
Token: SeSystemtimePrivilege	2260	msiexec.exe
Token: SeProfSingleProcessPrivilege	2260	msiexec.exe
Token: SeIncBasePriorityPrivilege	2260	msiexec.exe
Token: SeCreatePagefilePrivilege	2260	msiexec.exe
Token: SeCreatePermanentPrivilege	2260	msiexec.exe
Token: SeBackupPrivilege	2260	msiexec.exe
Token: SeRestorePrivilege	2260	msiexec.exe
Token: SeShutdownPrivilege	2260	msiexec.exe
Token: SeDebugPrivilege	2260	msiexec.exe
Token: SeAuditPrivilege	2260	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2260	msiexec.exe
Token: SeChangeNotifyPrivilege	2260	msiexec.exe
Token: SeRemoteShutdownPrivilege	2260	msiexec.exe
Token: SeUndockPrivilege	2260	msiexec.exe
Token: SeSyncAgentPrivilege	2260	msiexec.exe
Token: SeEnableDelegationPrivilege	2260	msiexec.exe
Token: SeManageVolumePrivilege	2260	msiexec.exe
Token: SeImpersonatePrivilege	2260	msiexec.exe
Token: SeCreateGlobalPrivilege	2260	msiexec.exe
Token: SeRestorePrivilege	2812	msiexec.exe
Token: SeTakeOwnershipPrivilege	2812	msiexec.exe
Token: SeRestorePrivilege	2812	msiexec.exe
Token: SeTakeOwnershipPrivilege	2812	msiexec.exe
Token: SeRestorePrivilege	2812	msiexec.exe
Token: SeTakeOwnershipPrivilege	2812	msiexec.exe
Token: SeRestorePrivilege	2812	msiexec.exe
Token: SeTakeOwnershipPrivilege	2812	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2260	msiexec.exe
2260	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2832	2812	msiexec.exe	31
PID 2812 wrote to memory of 2832	2812	msiexec.exe	31
PID 2812 wrote to memory of 2832	2812	msiexec.exe	31
PID 2812 wrote to memory of 2832	2812	msiexec.exe	31
PID 2812 wrote to memory of 2832	2812	msiexec.exe	31
PID 2812 wrote to memory of 2832	2812	msiexec.exe	31
PID 2812 wrote to memory of 2832	2812	msiexec.exe	31

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Predict7.6.3\Launcher8.3.6.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2260

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24DBB2A1855E59B6F8A4A032F90EAD22
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2832

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI6fe2d.LOG

Filesize
20KB

MD5
15cb4716aa554da8c49e28b117560a23

SHA1
7a81054839c0a8e73332eceb28ede718be0a2e5d

SHA256
c82181440e27c609e40a4e823dddc8bd4fe5be6c315b725b8d065b552c62d3cf

SHA512
820c5846c2cec631625c8fb9d2fdc630244b33d3b68d8fac05f5703425c21e7019443c0cf0b224d0756a7baf725b7197082ce1cfa18f3e67511272f6937ed2ab

Download Submit
C:\Windows\Installer\MSIFF36.tmp

Filesize
557KB

MD5
2c9c51ac508570303c6d46c0571ea3a1

SHA1
e3e0fe08fa11a43c8bca533f212bdf0704c726d5

SHA256
ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

SHA512
df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Download Submit
C:\Windows\Installer\MSIFFF3.tmp

Filesize
1.1MB

MD5
7768d9d4634bf3dc159cebb6f3ea4718

SHA1
a297e0e4dd61ee8f5e88916af1ee6596cd216f26

SHA256
745de246181eb58f48224e6433c810ffbaa67fba330c616f03a7361fb1edb121

SHA512
985bbf38667609f6a422a22af34d9382ae4112e7995f87b6053a683a0aaa647e17ba70a7a83b5e1309f201fc12a53db3c13ffd2b0fad44c1374fff6f07059cbf

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads