Analysis
max time kernel: 141s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/11/2024, 10:13
Static task: static1
Behavioral task: behavioral1
  Sample: ee18775e61321ded4fd87b6de47cea2ea417156fbf05adc7a6af90b504e0d1d0.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ee18775e61321ded4fd87b6de47cea2ea417156fbf05adc7a6af90b504e0d1d0.exe
  Resource: win10v2004-20241007-en
General
Target: ee18775e61321ded4fd87b6de47cea2ea417156fbf05adc7a6af90b504e0d1d0.exe
Size: 3.4MB
MD5: f4451d3793694ca0f1d4c7a9163bd5ac
SHA1: f10851c9903c836c5c66445741ac1fe5f576a433
SHA256: ee18775e61321ded4fd87b6de47cea2ea417156fbf05adc7a6af90b504e0d1d0
SHA512: d6b99dc40fa379201ae704330c14e8323dc7da510a073589079711bfb12ef4b6b77add11bd20685676883fe5ff509a6c33048f6b9e3d73d51174cb05c861b3aa
SSDEEP: 98304:jfwYwA0ECxTdjmguMoabIujhjJ9Qwb79:L4PmGTj/9
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ee18775e61321ded4fd87b6de47cea2ea417156fbf05adc7a6af90b504e0d1d0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe

Suspicious use of AdjustPrivilegeToken (34 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 332 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 332 | msiexec.exe
Token: SeRestorePrivilege | 2124 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2124 | msiexec.exe
Token: SeSecurityPrivilege | 2124 | msiexec.exe
Token: SeCreateTokenPrivilege | 332 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 332 | msiexec.exe
Token: SeLockMemoryPrivilege | 332 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 332 | msiexec.exe
Token: SeMachineAccountPrivilege | 332 | msiexec.exe
Token: SeTcbPrivilege | 332 | msiexec.exe
Token: SeSecurityPrivilege | 332 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 332 | msiexec.exe
Token: SeLoadDriverPrivilege | 332 | msiexec.exe
Token: SeSystemProfilePrivilege | 332 | msiexec.exe
Token: SeSystemtimePrivilege | 332 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 332 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 332 | msiexec.exe
Token: SeCreatePagefilePrivilege | 332 | msiexec.exe
Token: SeCreatePermanentPrivilege | 332 | msiexec.exe
Token: SeBackupPrivilege | 332 | msiexec.exe
Token: SeRestorePrivilege | 332 | msiexec.exe
Token: SeShutdownPrivilege | 332 | msiexec.exe
Token: SeDebugPrivilege | 332 | msiexec.exe
Token: SeAuditPrivilege | 332 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 332 | msiexec.exe
Token: SeChangeNotifyPrivilege | 332 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 332 | msiexec.exe
Token: SeUndockPrivilege | 332 | msiexec.exe
Token: SeSyncAgentPrivilege | 332 | msiexec.exe
Token: SeEnableDelegationPrivilege | 332 | msiexec.exe
Token: SeManageVolumePrivilege | 332 | msiexec.exe
Token: SeImpersonatePrivilege | 332 | msiexec.exe
Token: SeCreateGlobalPrivilege | 332 | msiexec.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
332 | msiexec.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2532 wrote to memory of 332 | 2532 | ee18775e61321ded4fd87b6de47cea2ea417156fbf05adc7a6af90b504e0d1d0.exe | 31
PID 2532 wrote to memory of 332 | 2532 | ee18775e61321ded4fd87b6de47cea2ea417156fbf05adc7a6af90b504e0d1d0.exe | 31
PID 2532 wrote to memory of 332 | 2532 | ee18775e61321ded4fd87b6de47cea2ea417156fbf05adc7a6af90b504e0d1d0.exe | 31
PID 2532 wrote to memory of 332 | 2532 | ee18775e61321ded4fd87b6de47cea2ea417156fbf05adc7a6af90b504e0d1d0.exe | 31
PID 2532 wrote to memory of 332 | 2532 | ee18775e61321ded4fd87b6de47cea2ea417156fbf05adc7a6af90b504e0d1d0.exe | 31
PID 2532 wrote to memory of 332 | 2532 | ee18775e61321ded4fd87b6de47cea2ea417156fbf05adc7a6af90b504e0d1d0.exe | 31
PID 2532 wrote to memory of 332 | 2532 | ee18775e61321ded4fd87b6de47cea2ea417156fbf05adc7a6af90b504e0d1d0.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\ee18775e61321ded4fd87b6de47cea2ea417156fbf05adc7a6af90b504e0d1d0.exe (PID 2532, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ee18775e61321ded4fd87b6de47cea2ea417156fbf05adc7a6af90b504e0d1d0.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\msiexec.exe (PID 332, level 2)
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\4F1E2F6D\msxml.msi"
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe (PID 2124, level 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.3MB
MD5: 14e34a6cbd8f060a9c965e39b745657a
SHA1: aa70c5c1a7a069af824947bcda1d9893a895318b
SHA256: 47c2ae679c37815da9267c81fc3777de900ad2551c11c19c2840938b346d70bb
SHA512: 1fad41de3f61737072cd105f79fd2b48552c6e6db10d2c54e5dc875e046d80bd4de6268eaa8cb7f2de27a19d683c0a05e4cfb7baeaa159df291b1f63f0a96cb2