Analysis
max time kernel: 130s
max time network: 145s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18/10/2024, 01:04

Static task: static1
Behavioral task: behavioral1
  Sample: 0c77bb170825ac036e53c6196fbd9a3d58115cde9538536118e7694c77261080.msi
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0c77bb170825ac036e53c6196fbd9a3d58115cde9538536118e7694c77261080.msi
  Resource: win10v2004-20241007-en
General
Target: 0c77bb170825ac036e53c6196fbd9a3d58115cde9538536118e7694c77261080.msi
Size: 12.0MB
MD5: 13c0a51adb4003aa73e15f5cd68873c4
SHA1: 61adcc7372110a8a479009444de616f791a75f86
SHA256: 0c77bb170825ac036e53c6196fbd9a3d58115cde9538536118e7694c77261080
SHA512: ce8d8f4c890d72d932f8456fbf8b017192858233f2dd51e139cbcb3e8de7d5daddf453141d4db17940aab7f93ffad0a49bd054b91697e2a026fa7bf368f12817
SSDEEP: 196608:XTtisE6IMKTc8aWU84zCCDNyi5h5rh2nJAa1NmvoABk/cAZsCgCQfkDwLBVNI:XTtBEyMHa98IxDZhdh2naa7zgc+cDKzI
Malware Config
Signatures

Blocklisted process makes network request (9 IoCs)
flow  pid   Process
5     2076  MsiExec.exe
7     2076  MsiExec.exe
9     2076  MsiExec.exe
10    2076  MsiExec.exe
13    2076  MsiExec.exe
22    2076  MsiExec.exe
23    2076  MsiExec.exe
24    2076  MsiExec.exe
25    2076  MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process      count
File opened (read-only)  \??\A:  msiexec.exe  x2
File opened (read-only)  \??\B:  msiexec.exe  x2
File opened (read-only)  \??\E:  msiexec.exe  x2
File opened (read-only)  \??\G:  msiexec.exe  x2
File opened (read-only)  \??\H:  msiexec.exe  x2
File opened (read-only)  \??\I:  msiexec.exe  x2
File opened (read-only)  \??\J:  msiexec.exe  x2
File opened (read-only)  \??\K:  msiexec.exe  x2
File opened (read-only)  \??\L:  msiexec.exe  x2
File opened (read-only)  \??\M:  msiexec.exe  x2
File opened (read-only)  \??\N:  msiexec.exe  x2
File opened (read-only)  \??\O:  msiexec.exe  x2
File opened (read-only)  \??\P:  msiexec.exe  x2
File opened (read-only)  \??\Q:  msiexec.exe  x2
File opened (read-only)  \??\R:  msiexec.exe  x2
File opened (read-only)  \??\S:  msiexec.exe  x2
File opened (read-only)  \??\T:  msiexec.exe  x2
File opened (read-only)  \??\U:  msiexec.exe  x2
File opened (read-only)  \??\V:  msiexec.exe  x2
File opened (read-only)  \??\W:  msiexec.exe  x2
File opened (read-only)  \??\X:  msiexec.exe  x2
File opened (read-only)  \??\Y:  msiexec.exe  x2
File opened (read-only)  \??\Z:  msiexec.exe  x2
(every letter except C:, D: and F:, each opened twice; 46 entries in total)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4     ipinfo.io
5     ipinfo.io
Drops file in Windows directory (9 IoCs)
description                   ioc                                 Process
File opened for modification  C:\Windows\Installer\               msiexec.exe
File opened for modification  C:\Windows\Installer\MSIA1FE.tmp    msiexec.exe
File opened for modification  C:\Windows\Installer\f769e61.msi    msiexec.exe
File opened for modification  C:\Windows\Installer\MSI9EBF.tmp    msiexec.exe
File opened for modification  C:\Windows\Installer\MSIA018.tmp    msiexec.exe
File created                  C:\Windows\Installer\f769e64.ipi    msiexec.exe
File created                  C:\Windows\Installer\f769e61.msi    msiexec.exe
File opened for modification  C:\Windows\Installer\MSI9FBA.tmp    msiexec.exe
File opened for modification  C:\Windows\Installer\MSIA1DE.tmp    msiexec.exe
Loads dropped DLL (4 IoCs)
pid   Process      count
2076  MsiExec.exe  x4
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
pid  Process
552  msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                            Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    MsiExec.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid   Process      count
2504  msiexec.exe  x2
2076  MsiExec.exe  x1
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description                           pid   Process      count
Token: SeShutdownPrivilege            552   msiexec.exe  x2
Token: SeIncreaseQuotaPrivilege       552   msiexec.exe  x2
Token: SeCreateTokenPrivilege         552   msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  552   msiexec.exe
Token: SeLockMemoryPrivilege          552   msiexec.exe
Token: SeMachineAccountPrivilege      552   msiexec.exe
Token: SeTcbPrivilege                 552   msiexec.exe
Token: SeSecurityPrivilege            552   msiexec.exe
Token: SeTakeOwnershipPrivilege       552   msiexec.exe
Token: SeLoadDriverPrivilege          552   msiexec.exe
Token: SeSystemProfilePrivilege       552   msiexec.exe
Token: SeSystemtimePrivilege          552   msiexec.exe
Token: SeProfSingleProcessPrivilege   552   msiexec.exe
Token: SeIncBasePriorityPrivilege     552   msiexec.exe
Token: SeCreatePagefilePrivilege      552   msiexec.exe
Token: SeCreatePermanentPrivilege     552   msiexec.exe
Token: SeBackupPrivilege              552   msiexec.exe
Token: SeRestorePrivilege             552   msiexec.exe
Token: SeDebugPrivilege               552   msiexec.exe
Token: SeAuditPrivilege               552   msiexec.exe
Token: SeSystemEnvironmentPrivilege   552   msiexec.exe
Token: SeChangeNotifyPrivilege        552   msiexec.exe
Token: SeRemoteShutdownPrivilege      552   msiexec.exe
Token: SeUndockPrivilege              552   msiexec.exe
Token: SeSyncAgentPrivilege           552   msiexec.exe
Token: SeEnableDelegationPrivilege    552   msiexec.exe
Token: SeManageVolumePrivilege        552   msiexec.exe
Token: SeImpersonatePrivilege         552   msiexec.exe
Token: SeCreateGlobalPrivilege        552   msiexec.exe
Token: SeRestorePrivilege             2504  msiexec.exe  x7
Token: SeTakeOwnershipPrivilege       2504  msiexec.exe  x7
Token: SeSecurityPrivilege            2504  msiexec.exe
(31 entries for PID 552, 15 for PID 2504; the 2504 SeRestore/SeTakeOwnership pairs alternate in the original order)
Suspicious use of FindShellTrayWindow (1 IoCs)
pid  Process
552  msiexec.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description                      pid   Process      procid_target  count
PID 2504 wrote to memory of 2076  2504  msiexec.exe  31             x7
Processes
C:\Windows\system32\msiexec.exe  (PID 552)
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0c77bb170825ac036e53c6196fbd9a3d58115cde9538536118e7694c77261080.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  (PID 2504)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe  (PID 2076, child of 2504)
    C:\Windows\syswow64\MsiExec.exe -Embedding DCA886C4A420340574F8C763B6545622
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
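Reading the tree together with the "Looks up external IP address via web service" signature: the drive enumeration, the privilege adjustments on the /I client (PID 552) and the /V service (PID 2504), and the MSI*.tmp and cached .msi writes under C:\Windows\Installer are what Windows Installer does for any package, so on their own they do not distinguish this sample from a benign installer. What is specific to this package is its custom-action server, the 32-bit MsiExec.exe -Embedding process under syswow64 (PID 2076) that the service spawns to run the package author's own code, and which here makes nine flagged network requests, two of them to ipinfo.io. The detection below is an added example for this report, not part of the sandbox output or the sample: it correlates process-creation, image-load and network events so that an -Embedding server that connects out is reported, with the IP-lookup destination raised in priority. The event schema and field names are an assumed Sysmon-like abstraction, not a real Sysmon layout; the PIDs, command lines and the ipinfo.io destination in the sample events are taken from the report, while the parent PIDs, the loaded DLL path, the extra lookup hosts and the control connection from explorer.exe are constructed for the example.

```python
"""Correlate Windows Installer custom-action servers with network egress.

Added example for this sandbox report, not code from the report or the
sample. Events are a constructed Sysmon-like abstraction (process create,
network connect, image load); the field names are an assumption.
"""
import re

# Web services used to learn the victim's public IP. ipinfo.io is the one the
# report shows; the other entries are an assumption for illustration.
IP_LOOKUP_HOSTS = {"ipinfo.io", "api.ipify.org", "icanhazip.com", "ifconfig.me"}

# Windows Installer extracts binary custom actions to C:\Windows\Installer\
# MSI<hex>.tmp before the custom-action server loads them, and droppers
# commonly unpack into the per-user temp directory. Both count as "staged".
STAGED_DLL_RE = re.compile(
    r"^C:\\Windows\\Installer\\MSI[0-9A-F]+\.tmp$"
    r"|^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\",
    re.IGNORECASE,
)


def is_custom_action_server(proc):
    """msiexec.exe started with -Embedding <GUID> is the custom-action server
    the Installer service spawns; it runs the package author's DLL or EXE
    code, so its behaviour is the package's, not the installer's."""
    return (proc["image"].lower().endswith("\\msiexec.exe")
            and "-embedding" in proc["cmdline"].lower())


def detect(events):
    """Return one finding per custom-action server that connected out."""
    procs = {}   # pid -> ProcessCreate event
    facts = {}   # pid -> {"hosts": [...], "staged_dlls": [...]}
    for ev in events:
        if ev["event"] == "ProcessCreate":
            procs[ev["pid"]] = ev
            continue
        proc = procs.get(ev["pid"])
        if proc is None or not is_custom_action_server(proc):
            continue  # the /I client and /V service are out of scope here
        f = facts.setdefault(ev["pid"], {"hosts": [], "staged_dlls": []})
        if ev["event"] == "NetworkConnect":
            f["hosts"].append(ev["dest_host"].lower())
        elif ev["event"] == "ImageLoad" and STAGED_DLL_RE.match(ev["image_loaded"]):
            f["staged_dlls"].append(ev["image_loaded"])

    findings = []
    for pid, f in facts.items():
        if not f["hosts"]:
            continue  # a staged DLL alone is how every binary custom action runs
        findings.append({
            "pid": pid,
            "parent_pid": procs[pid]["ppid"],
            "cmdline": procs[pid]["cmdline"],
            "hosts": sorted(set(f["hosts"])),
            "ip_lookup": any(h in IP_LOOKUP_HOSTS for h in f["hosts"]),
            "staged_dlls": f["staged_dlls"],
        })
    return findings


# Constructed events modelled on the report's process tree. PIDs 552, 2504 and
# 2076, the command lines and ipinfo.io come from the report; the parent PIDs,
# explorer.exe, the DLL path and the control connection are assumptions.
SAMPLE_MSI = "0c77bb170825ac036e53c6196fbd9a3d58115cde9538536118e7694c77261080.msi"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 1000, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"event": "ProcessCreate", "pid": 552, "ppid": 1000,
     "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": "msiexec.exe /I " + TEMP_DIR + "\\" + SAMPLE_MSI},
    {"event": "ProcessCreate", "pid": 2504, "ppid": 456,
     "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"event": "ProcessCreate", "pid": 2076, "ppid": 2504,
     "image": r"C:\Windows\syswow64\MsiExec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding DCA886C4A420340574F8C763B6545622"},
    {"event": "ImageLoad", "pid": 2076,
     "image_loaded": r"C:\Windows\Installer\MSI9EBF.tmp"},
    {"event": "NetworkConnect", "pid": 2076, "dest_host": "ipinfo.io"},
    {"event": "NetworkConnect", "pid": 2076, "dest_host": "ipinfo.io"},
    {"event": "NetworkConnect", "pid": 1000, "dest_host": "update.example.net"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The same correlation works on real Sysmon data once the field names are mapped (Event ID 1 for the process table, 3 for connections, 7 for image loads); the point of keying on `-Embedding` rather than on msiexec.exe as a whole is that the service and client legitimately touch the network for Windows Installer's own purposes, whereas egress from the custom-action server is package code and can be reviewed per package.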
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 11.3MB
MD5: e8779b8369bd0026e0127a5231290274
SHA1: 37fb276b107b21f3e2c0ad97d53c2ffb619fba23
SHA256: 293a50b3dbe92ad518d6fc081f4f7c0932c0480695a26dce579f5a3416c2506d
SHA512: bc18f8c5556cf3ba8df9c37b4420acb9bb4e3a7f34c98d1fcbe8124b0a8c4176e5cde76e5d6ac020b1bb2441a9238202e99f793e6c510942652a61ae5c001531

Filesize: 376KB
MD5: e12c5bcc254c953b1a46d1434804f4d2
SHA1: 99f67acf34af1294f3c6e5eb521c862e1c772397
SHA256: 5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA512: 9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b