102fa87868d13ae5527dc3f538641581bfb9e3203497ceccc119916df6e1d032

Analysis

max time kernel
92s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.msi
Size

64.5MB
MD5

58b4627725e80ca0b93d1d7277f445b3
SHA1

3574cb5de829731dc22ea9fe6545c66b9334db2c
SHA256

b0f9e7accdcce6c2042c21bdbdf0d3fbd5819ae058f20abf943352bf952b66bc
SHA512

ec64f0ded7b098c6d65d06c2371b851b23dd7f5cd122434baf3dd84398afc3da312f4551d2346c71a16daf2cd1a15831b354ab46554c46eaeafdd404d9af296e
SSDEEP

1572864:fiVmrjV7eIjiOTZqLnsZ50myGd6gDUihExPZw6lZ3+k:NqnsZ5YQTDvuhw6l

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
15	4200	MsiExec.exe
17	4200	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e579bd6.msi	msiexec.exe
File created	C:\Windows\Installer\e579bd2.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9EB2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0E7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBAAC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9CDC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F8E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA03A.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e579bd2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB626.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB685.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9431C6A7-C26A-456A-AFC6-3C7A04AD09BB}	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2700	steamerrorreporter64.exe

Loads dropped DLL 9 IoCs

pid	Process
4200	MsiExec.exe
4200	MsiExec.exe
4200	MsiExec.exe
4200	MsiExec.exe
4200	MsiExec.exe
4200	MsiExec.exe
4200	MsiExec.exe
2700	steamerrorreporter64.exe
2700	steamerrorreporter64.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4512	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3616	msiexec.exe
3616	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4512	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4512	msiexec.exe
Token: SeSecurityPrivilege	3616	msiexec.exe
Token: SeCreateTokenPrivilege	4512	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4512	msiexec.exe
Token: SeLockMemoryPrivilege	4512	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4512	msiexec.exe
Token: SeMachineAccountPrivilege	4512	msiexec.exe
Token: SeTcbPrivilege	4512	msiexec.exe
Token: SeSecurityPrivilege	4512	msiexec.exe
Token: SeTakeOwnershipPrivilege	4512	msiexec.exe
Token: SeLoadDriverPrivilege	4512	msiexec.exe
Token: SeSystemProfilePrivilege	4512	msiexec.exe
Token: SeSystemtimePrivilege	4512	msiexec.exe
Token: SeProfSingleProcessPrivilege	4512	msiexec.exe
Token: SeIncBasePriorityPrivilege	4512	msiexec.exe
Token: SeCreatePagefilePrivilege	4512	msiexec.exe
Token: SeCreatePermanentPrivilege	4512	msiexec.exe
Token: SeBackupPrivilege	4512	msiexec.exe
Token: SeRestorePrivilege	4512	msiexec.exe
Token: SeShutdownPrivilege	4512	msiexec.exe
Token: SeDebugPrivilege	4512	msiexec.exe
Token: SeAuditPrivilege	4512	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4512	msiexec.exe
Token: SeChangeNotifyPrivilege	4512	msiexec.exe
Token: SeRemoteShutdownPrivilege	4512	msiexec.exe
Token: SeUndockPrivilege	4512	msiexec.exe
Token: SeSyncAgentPrivilege	4512	msiexec.exe
Token: SeEnableDelegationPrivilege	4512	msiexec.exe
Token: SeManageVolumePrivilege	4512	msiexec.exe
Token: SeImpersonatePrivilege	4512	msiexec.exe
Token: SeCreateGlobalPrivilege	4512	msiexec.exe
Token: SeRestorePrivilege	3616	msiexec.exe
Token: SeTakeOwnershipPrivilege	3616	msiexec.exe
Token: SeRestorePrivilege	3616	msiexec.exe
Token: SeTakeOwnershipPrivilege	3616	msiexec.exe
Token: SeRestorePrivilege	3616	msiexec.exe
Token: SeTakeOwnershipPrivilege	3616	msiexec.exe
Token: SeRestorePrivilege	3616	msiexec.exe
Token: SeTakeOwnershipPrivilege	3616	msiexec.exe
Token: SeRestorePrivilege	3616	msiexec.exe
Token: SeTakeOwnershipPrivilege	3616	msiexec.exe
Token: SeRestorePrivilege	3616	msiexec.exe
Token: SeTakeOwnershipPrivilege	3616	msiexec.exe
Token: SeRestorePrivilege	3616	msiexec.exe
Token: SeTakeOwnershipPrivilege	3616	msiexec.exe
Token: SeRestorePrivilege	3616	msiexec.exe
Token: SeTakeOwnershipPrivilege	3616	msiexec.exe
Token: SeRestorePrivilege	3616	msiexec.exe
Token: SeTakeOwnershipPrivilege	3616	msiexec.exe
Token: SeRestorePrivilege	3616	msiexec.exe
Token: SeTakeOwnershipPrivilege	3616	msiexec.exe
Token: SeRestorePrivilege	3616	msiexec.exe
Token: SeTakeOwnershipPrivilege	3616	msiexec.exe
Token: SeRestorePrivilege	3616	msiexec.exe
Token: SeTakeOwnershipPrivilege	3616	msiexec.exe
Token: SeRestorePrivilege	3616	msiexec.exe
Token: SeTakeOwnershipPrivilege	3616	msiexec.exe
Token: SeRestorePrivilege	3616	msiexec.exe
Token: SeTakeOwnershipPrivilege	3616	msiexec.exe
Token: SeRestorePrivilege	3616	msiexec.exe
Token: SeTakeOwnershipPrivilege	3616	msiexec.exe
Token: SeRestorePrivilege	3616	msiexec.exe
Token: SeTakeOwnershipPrivilege	3616	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4512	msiexec.exe
4512	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 4200	3616	msiexec.exe	85
PID 3616 wrote to memory of 4200	3616	msiexec.exe	85
PID 3616 wrote to memory of 4200	3616	msiexec.exe	85
PID 3616 wrote to memory of 2700	3616	msiexec.exe	96
PID 3616 wrote to memory of 2700	3616	msiexec.exe	96

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4512

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 83F112C467B9DF62C0253896E4B4C5FA
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4200
- C:\Users\Admin\AppData\Roaming\Yuwei Qusi\Oovi Appc\steamerrorreporter64.exe
  "C:\Users\Admin\AppData\Roaming\Yuwei Qusi\Oovi Appc\steamerrorreporter64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579bd5.rbs

Filesize
23KB

MD5
2014f59478d10a13c7cf9fc5040ac352

SHA1
e74a8b5075946a569c4bd13e7c52435d1fe25474

SHA256
8ca3bbfecb1b6c9120372f29e521a7d16f9a904c705f74fd92aa739adc3699ca

SHA512
81c19ae6b7cd10698e779e33f799d6a32d520e7d9bc969f576f7a866bdfbfb7fbf720be54a3bcd67ea4646c877f83d42d5df2225583361d136fbfe0a81ccf030

Download Submit
C:\Users\Admin\AppData\Roaming\Yuwei Qusi\Oovi Appc\steamerrorreporter64.exe

Filesize
639KB

MD5
fd3ce044ac234fdab3df9d7f492c470a

SHA1
a74a287d5d82a8071ab36c72b2786342d83a8ef7

SHA256
0a0c09753b5103e86e32c2d8086dd1399f0d97a00e1525ec9c390067cdb242ba

SHA512
86d7e805fab0e5130003facbb1525ee261440846f342f53ae64c3f8d676d1208d5fd9bd91e3222c63cc30c443348eb5ddedab14c8847dae138fba7e9be69d08d

Download Submit
C:\Users\Admin\AppData\Roaming\Yuwei Qusi\Oovi Appc\tier0_s64.dll

Filesize
386KB

MD5
7e60404cfb232a1d3708a9892d020e84

SHA1
31328d887bee17641608252fb2f9cd6caf8ba522

SHA256
5a3e15cb90baf4b3ebe0621fa6f5f37b0fe99848387d6f2fd99ae770d1e6d766

SHA512
4d8abd59bd77bdb6e5b5e5f902d2a10fa5136437c51727783e79aed6a796f9ee1807faf14f1a72a1341b9f868f61de8c676b00a4b07a2a26cfb8a4db1b77eb3c

Download Submit
C:\Users\Admin\AppData\Roaming\Yuwei Qusi\Oovi Appc\vstdlib_s64.dll

Filesize
689KB

MD5
914ea18e05c253651da7b33385ad3947

SHA1
07b1fc5f308ada0aa4cd54777e2c935c768c8bf8

SHA256
e7c4ab8a5733b25864d699742183e83461926a18427a9e50df6c840e62133333

SHA512
8f86a23ea47f5686c79b11717fe6f7456e327e99a06744ea8e7788de86919b93ec3c7752417ca03a437a1b3918a6bd0eaf5f6aa4e94595c4a9b4e747935cdbcb

Download Submit
C:\Windows\Installer\MSI9CDC.tmp

Filesize
997KB

MD5
ee09d6a1bb908b42c05fd0beeb67dfd2

SHA1
1eb7c1304b7bca649c2a5902b18a1ea57ceaa532

SHA256
7bbf611f5e2a16439dc8cd11936f6364f6d5cc0044545c92775da5646afc7752

SHA512
2dd2e4e66d2f2277f031c5f3c829a31c3b29196ab27262c6a8f1896a2113a1be1687c9e8cd9667b89157f099dfb969ef14ae3ea602d4c772e960bc41d39c3d05

Download Submit
C:\Windows\Installer\MSIB685.tmp

Filesize
371KB

MD5
ffdaacb43c074a8cb9a608c612d7540b

SHA1
8f054a7f77853de365a7763d93933660e6e1a890

SHA256
7484797ea4480bc71509fa28b16e607f82323e05c44f59ffa65db3826ed1b388

SHA512
a9bd31377f7a6ecf75b1d90648847cb83d8bd65ad0b408c4f8de6eb50764eef1402e7acdff375b7c3b07ac9f94184bd399a10a22418db474908b5e7a1adfe263

Download Submit