7f7abbdbd82cc7e2142636e764b13547bd1e309221693a9e3d1ceab5299c0af6

Resubmissions

22-11-2024 05:12

241122-fv4mhs1kgp 10

19-11-2024 04:06

241119-epln3szmft 10

Analysis

max time kernel
122s
max time network
144s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

i4.msi
Size

414.8MB
MD5

5458ded6540ceaa02e7c1b74b38fa8ba
SHA1

77f63bfb0c37b76005b9105e3544a63dd2240f77
SHA256

7f7abbdbd82cc7e2142636e764b13547bd1e309221693a9e3d1ceab5299c0af6
SHA512

cac691c9c69e6db69e4e9d16a60aa9e01f2cf6f2fc7bafc15b9ba88d13dc0bcfb2f966e9e7b888aafa547cb49f2ca6df625fe555b6eb6d757e30aa601ea8feec
SSDEEP

12582912:kGJfvUrxERbTpxS6bJSPeXi2ffucxlgJIerR:kGq9Mp9bJSWXi2fpxOIerR

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 64 IoCs

flow	pid	Process
5	2284	MsiExec.exe
7	2284	MsiExec.exe
9	2284	MsiExec.exe
11	2284	MsiExec.exe
13	2284	MsiExec.exe
15	2284	MsiExec.exe
17	2284	MsiExec.exe
18	2284	MsiExec.exe
19	2284	MsiExec.exe
20	2284	MsiExec.exe
21	2284	MsiExec.exe
22	2284	MsiExec.exe
23	2284	MsiExec.exe
24	2284	MsiExec.exe
25	2284	MsiExec.exe
26	2284	MsiExec.exe
27	2284	MsiExec.exe
28	2284	MsiExec.exe
29	2284	MsiExec.exe
30	2284	MsiExec.exe
31	2284	MsiExec.exe
32	2284	MsiExec.exe
33	2284	MsiExec.exe
34	2284	MsiExec.exe
35	2284	MsiExec.exe
36	2284	MsiExec.exe
37	2284	MsiExec.exe
38	2284	MsiExec.exe
39	2284	MsiExec.exe
40	2284	MsiExec.exe
41	2284	MsiExec.exe
42	2284	MsiExec.exe
43	2284	MsiExec.exe
44	2284	MsiExec.exe
45	2284	MsiExec.exe
46	2284	MsiExec.exe
47	2284	MsiExec.exe
48	2284	MsiExec.exe
49	2284	MsiExec.exe
50	2284	MsiExec.exe
51	2284	MsiExec.exe
52	2284	MsiExec.exe
53	2284	MsiExec.exe
54	2284	MsiExec.exe
55	2284	MsiExec.exe
56	2284	MsiExec.exe
57	2284	MsiExec.exe
58	2284	MsiExec.exe
59	2284	MsiExec.exe
60	2284	MsiExec.exe
61	2284	MsiExec.exe
62	2284	MsiExec.exe
63	2284	MsiExec.exe
64	2284	MsiExec.exe
65	2284	MsiExec.exe
66	2284	MsiExec.exe
67	2284	MsiExec.exe
68	2284	MsiExec.exe
69	2284	MsiExec.exe
70	2284	MsiExec.exe
71	2284	MsiExec.exe
72	2284	MsiExec.exe
73	2284	MsiExec.exe
74	2284	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Loads dropped DLL 9 IoCs

pid	Process
2284	MsiExec.exe
2284	MsiExec.exe
2228	MsiExec.exe
2228	MsiExec.exe
2228	MsiExec.exe
2228	MsiExec.exe
2228	MsiExec.exe
2228	MsiExec.exe
2228	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2040	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2228	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	1900	msiexec.exe
Token: SeTakeOwnershipPrivilege	1900	msiexec.exe
Token: SeSecurityPrivilege	1900	msiexec.exe
Token: SeCreateTokenPrivilege	2040	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2040	msiexec.exe
Token: SeLockMemoryPrivilege	2040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2040	msiexec.exe
Token: SeMachineAccountPrivilege	2040	msiexec.exe
Token: SeTcbPrivilege	2040	msiexec.exe
Token: SeSecurityPrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeLoadDriverPrivilege	2040	msiexec.exe
Token: SeSystemProfilePrivilege	2040	msiexec.exe
Token: SeSystemtimePrivilege	2040	msiexec.exe
Token: SeProfSingleProcessPrivilege	2040	msiexec.exe
Token: SeIncBasePriorityPrivilege	2040	msiexec.exe
Token: SeCreatePagefilePrivilege	2040	msiexec.exe
Token: SeCreatePermanentPrivilege	2040	msiexec.exe
Token: SeBackupPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeShutdownPrivilege	2040	msiexec.exe
Token: SeDebugPrivilege	2040	msiexec.exe
Token: SeAuditPrivilege	2040	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2040	msiexec.exe
Token: SeChangeNotifyPrivilege	2040	msiexec.exe
Token: SeRemoteShutdownPrivilege	2040	msiexec.exe
Token: SeUndockPrivilege	2040	msiexec.exe
Token: SeSyncAgentPrivilege	2040	msiexec.exe
Token: SeEnableDelegationPrivilege	2040	msiexec.exe
Token: SeManageVolumePrivilege	2040	msiexec.exe
Token: SeImpersonatePrivilege	2040	msiexec.exe
Token: SeCreateGlobalPrivilege	2040	msiexec.exe
Token: SeCreateTokenPrivilege	2040	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2040	msiexec.exe
Token: SeLockMemoryPrivilege	2040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2040	msiexec.exe
Token: SeMachineAccountPrivilege	2040	msiexec.exe
Token: SeTcbPrivilege	2040	msiexec.exe
Token: SeSecurityPrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeLoadDriverPrivilege	2040	msiexec.exe
Token: SeSystemProfilePrivilege	2040	msiexec.exe
Token: SeSystemtimePrivilege	2040	msiexec.exe
Token: SeProfSingleProcessPrivilege	2040	msiexec.exe
Token: SeIncBasePriorityPrivilege	2040	msiexec.exe
Token: SeCreatePagefilePrivilege	2040	msiexec.exe
Token: SeCreatePermanentPrivilege	2040	msiexec.exe
Token: SeBackupPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeShutdownPrivilege	2040	msiexec.exe
Token: SeDebugPrivilege	2040	msiexec.exe
Token: SeAuditPrivilege	2040	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2040	msiexec.exe
Token: SeChangeNotifyPrivilege	2040	msiexec.exe
Token: SeRemoteShutdownPrivilege	2040	msiexec.exe
Token: SeUndockPrivilege	2040	msiexec.exe
Token: SeSyncAgentPrivilege	2040	msiexec.exe
Token: SeEnableDelegationPrivilege	2040	msiexec.exe
Token: SeManageVolumePrivilege	2040	msiexec.exe
Token: SeImpersonatePrivilege	2040	msiexec.exe
Token: SeCreateGlobalPrivilege	2040	msiexec.exe
Token: SeCreateTokenPrivilege	2040	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2040	msiexec.exe
2040	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2284	1900	msiexec.exe	32
PID 1900 wrote to memory of 2284	1900	msiexec.exe	32
PID 1900 wrote to memory of 2284	1900	msiexec.exe	32
PID 1900 wrote to memory of 2284	1900	msiexec.exe	32
PID 1900 wrote to memory of 2284	1900	msiexec.exe	32
PID 1900 wrote to memory of 2284	1900	msiexec.exe	32
PID 1900 wrote to memory of 2284	1900	msiexec.exe	32
PID 1900 wrote to memory of 2228	1900	msiexec.exe	33
PID 1900 wrote to memory of 2228	1900	msiexec.exe	33
PID 1900 wrote to memory of 2228	1900	msiexec.exe	33
PID 1900 wrote to memory of 2228	1900	msiexec.exe	33
PID 1900 wrote to memory of 2228	1900	msiexec.exe	33
PID 1900 wrote to memory of 2228	1900	msiexec.exe	33
PID 1900 wrote to memory of 2228	1900	msiexec.exe	33

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\i4.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADA5DEC938DB1551A485271CE629C44D U
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2284
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C1A7C0D015CF24D9BA8CFC5C2A7186B6 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dde46e2217f1b0bb19c070ab033aa01

SHA1
0170deaa43c37178715372e68eab4b1dbb035dcc

SHA256
120e8cb04a322ad6ad7337fecf71b9d1345e4f03e4cbafcef9c2229a428ea954

SHA512
e31e75f918afc93192e988c0ce76379532fabb29adbc67cc7f74f80029364b14a784538dbb27962a18d93dd4cd1e646f28754b554ae3813cbd730706131bab8c

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\tracking.ini

Filesize
84B

MD5
9eae3db1b68a671c37d05767c61541b0

SHA1
069533983193ce659e58e397951688c7b018da5f

SHA256
b4191f28c6dff17c8419efb8730b96ef30bb912c179d4690e73fff8fc6fb4982

SHA512
19c6e5a5860f63448291b5584ef6bb0be128dd451e8198a30a5815030e1ce6460cbde7d5341cbac5b1f271f7b3825b19d6f333a582e97656ae1029683be48e3e

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\tracking.ini

Filesize
84B

MD5
e7b1669a13b5a37a7fe9c0c0837693b3

SHA1
c1e19a48e49e89f5cc1cea57e7350af1df537ba3

SHA256
f8bc58f64d6d7467891f750fcd6b3eda3b7d0c72974a7c371e14781d73247685

SHA512
caaef631902e79cb964467cebc7370d9ddb3f8332de4908349be7eb66611de0bfe06b5e6124a3ae878906e646b6e5157237fa25d9de463418e12a2ed83f0132f

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{F3BF71FA-708A-4A6C-B5AB-B8317B068282}.session

Filesize
46KB

MD5
0d21901475a17d5a64c1a409fe101ebf

SHA1
1f038bd771d07a260ce97748dc38b90169b75980

SHA256
9a0a96f4aa48ab033333dd8b6cdddbea9b736f735d3684f210d70243364d86ae

SHA512
97d612e3fa810b8a90a02efa6ae1dda21fd94a696c65b2ecc5f30c59f38db51688f491a7e4aaf235e534987138bf577694e7b4a64c594b48165a354a3398340b

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{F3BF71FA-708A-4A6C-B5AB-B8317B068282}.session

Filesize
8KB

MD5
a4a202cbf1dea4b063414801a26b47b4

SHA1
b3dd59496028039392438ab32544202cb2459f95

SHA256
5f3eb0d0e630ced64d7006fcea373e8ed5fa33aedf6cf903d60f4977a7161681

SHA512
66be3a25bc2d4982a32d88ddd580756b2fdb56a2c2423019b868ecc2c8c9a62d0b2a4e39616480b372e3f6325ca4a12f2e80385faeb44f4fe9b991b7d4418cf7

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{F3BF71FA-708A-4A6C-B5AB-B8317B068282}.session

Filesize
9KB

MD5
c6d312c69afbe4a25ff1e1f22c464bb5

SHA1
13dafe1f25a7fcf43d4b1ddcea46d5892bcf0926

SHA256
1a23c5f6456859b40c23ee3a5e9fcb1c7e7d9a142e3044e0ccb7cacf6c9a0f2e

SHA512
39ed19b741ee4a22c0a07bf52683f3704374b3f71835f7a621b326c6fb80dbd107911413d626d8aa8ef8e37f44b809a00721d633507af6cff6a3b023870c14b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab714B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIACA.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDEA.tmp

Filesize
1.1MB

MD5
58c6476771f68f57661d0f6533cb70ef

SHA1
8080de39939f0a8f1e0c529cca30bf38b0e6abf2

SHA256
7eb240ef6e75de05b2a199bc55fdc8d13f467d5b4e58457011653312fffcc65f

SHA512
2b4b4e4466a7eea2d28631a80f257ced0a7263aa81c945105b793371534580dff1b66779bab36b9157b596c352c234a19c568e105faa1ba8681aa39feb5950c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar717D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\MSI27698\InstallerAnalytics.dll

Filesize
1.0MB

MD5
806e65956064190d6154d5de5cc96a5e

SHA1
f2fa1b10dec6f4166b79e710d81147c9028c4198

SHA256
17f79990c5455ac18abbca13fcd8f8584518881487f9fedcbd7cbbdbe003c6f8

SHA512
ae72ec2fe5895ca5e9e44b6c5e677356f9b7ba342d686a59be42b16027013d4b7c8c83ed0530705d792ac7b5881d10ec72dff546c2ee3c1452372d363501c62f

Download Submit
\Users\Admin\AppData\Local\Temp\MSI27698\embeddeduiproxy.dll

Filesize
23KB

MD5
6671824509f40eb0ddb8fad2a2c66886

SHA1
ab8e4380b5f0d104476793351334631e2fa6054f

SHA256
8ffa276ce0b7ceb444d1a1e898d80a46b87c5f506655f49c94b39f0a7581092f

SHA512
3b7570deeb144ead27165791c5a6eb3ab813fe19834ccb311c09aee04ab94a1fb08bae4236e5bacd02f62092689eac3292bef80a77933600cb0e3b70738b9258

Download Submit