ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000

Analysis

max time kernel
0s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000.msi
Size

1.7MB
MD5

7c26877fcd894cc1355f2a31a551243c
SHA1

80104216da4cd3449eabf0e0de2bb3a5b2de85ca
SHA256

ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000
SHA512

a57a961a3339b105f9d5653b69269ed7aab952a4e16600426edee80d628a9ac62a13b5ea642ffd9765fdada7b0db5c5a85a21bc88c125be122bf3c4e89d0cfb8
SSDEEP

49152:BpRhaYJ+2/8yJ5OA4COg9lyp31X01clj+u1GTsF:BpDJ+2pgA4+6p31is+u1G4

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

ICACLS.EXEICACLS.EXE

pid process

712 ICACLS.EXE
1312 ICACLS.EXE
Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

3 1700 msiexec.exe

pid	process
712	ICACLS.EXE
1312	ICACLS.EXE

flow	pid	process
3	1700	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

1700 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeShutdownPrivilege 1700 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1700 msiexec.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1700 msiexec.exe

pid	process
1700	msiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1700	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1700	msiexec.exe

pid	process
1700	msiexec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1700

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2740
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 57B2598E5338DCD0A3DB63B646A732D9
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-06e6476b-0632-42b7-bf13-3d5cf60addc0\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:1312
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    PID:1812
- - C:\Users\Admin\AppData\Local\Temp\MW-06e6476b-0632-42b7-bf13-3d5cf60addc0\files\task.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-06e6476b-0632-42b7-bf13-3d5cf60addc0\files\task.exe"
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-06e6476b-0632-42b7-bf13-3d5cf60addc0\files"
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-06e6476b-0632-42b7-bf13-3d5cf60addc0\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2744

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000590" "00000000000003DC"
1⤵
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

File and Directory Permissions Modification

T1222

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
719182e07998ae9226d45680aa1fe178

SHA1
8f8b03c110c129cb3a35841ed959de7a7266ffec

SHA256
8f1d64c2c4dbb6ca892083e4b4a8bdb4585597e1269c218340c6b12517bb3dbe

SHA512
2df474f0ac4d1ef93b14deda32c5476da130bc41f37c0a5cd0c271c990914613c3c788116a4b87d44876695f71e5a131847fdf96d609364c06cb2f5ed6ce76a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_6F243E053ACC5B86B13C52D626927FC5

Filesize
727B

MD5
28002d2c9820d1c41fd7bf3810cb8c85

SHA1
acc03c1d657705616dd654086fc54e9fcaef37b8

SHA256
84c9e00d5bdf6491a2320989d6c3b66814823d4b0905682b8386e33f7dae8974

SHA512
9765b7e3fc6c69cad64ffc49dd3b2f72e593c1be7f0f549b1e8b5ded5f73da0540216e44195c0b057cc1aecce552180d68c007b2abf72a28c695eb70512c46ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
4f2f44acff5c280ecd26b5e7144aff24

SHA1
d542052f27cf058cd2bd7d74e75deb8a009bb334

SHA256
c9725747ce7f281ac09f3a2287a236369b00e99f310eb837c45b2b4f66b82030

SHA512
33d4fcb341e625103b16af3f7b37f4fed5e8d56256980e341fff71356d1a1296192741b96be97de703d8f54af24e3438d0a514edb621ee6e42b1dc4d79089d45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
7b637007fb32826145cefc593c96d50f

SHA1
acfaff8779c8d8ec7e5507b47601070f27aef3dd

SHA256
cad243d0e1dd08dd70327be7871823e0acbf0131997555063fe748b621c88d23

SHA512
2e78e436f34bcd56c88f8aacadf51ba2fb37a070090ba5cf1ecd676e801f21fa4d546e0de3d8b43ea940a14fa08d5fb23890982657d71ee42ab5b22e8b4e397a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_6F243E053ACC5B86B13C52D626927FC5

Filesize
408B

MD5
ee407713a13648a613412bc171e6f6d9

SHA1
4e2bc2b8e5a9f51feccfaa2a1f312c829d667974

SHA256
cf6687226e3e3be32cb7479ef46594a4dfdea34bff290d0dc92181ebfb6cf239

SHA512
255613ddc863a6008086c36947eeb6cd456b8ebe8feef857d8c98221608d624458c57a32a4d352e5319a8919e0a35159149cd56ff5e0157e87a5e855313da8b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
71e8d0c32a6afb4c56556a589ac7a62b

SHA1
408ba9526d6c432b1911fe4aa236d27601c602cb

SHA256
2a26affd159fcd4f92248659cf1acb6eb680dcc3b2176bd459da592c2ed9009c

SHA512
d63911a462997c36b16654e74a2b3dc5bd1134ae9ed7c03cb16118f8390d60b386febfbaf8d75341dbd9f40033120af3db2af25dd12a7528506041372cac3e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9C03.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-06e6476b-0632-42b7-bf13-3d5cf60addc0\files.cab

Filesize
1.4MB

MD5
240f5d10d0fdc6e3a73b6793e0ea260f

SHA1
b6b7549b2c1a98fe88dea9f9fb462cb203647dbc

SHA256
5afa0071f63b662d93ab35e8a9a6a44b8ad439c62160388690e5e5793cb2b2d4

SHA512
faa0654a4359a90338905bcf627cb75d10d277ce8e2aafc07eca75ea887f54750b118042dd1e25e45c02706791ea5f5741202309928140789c319988e05f5029

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-06e6476b-0632-42b7-bf13-3d5cf60addc0\files\YOUR_P~1.DLL

Filesize
601KB

MD5
8522cf224cb875847762353c89d2dce2

SHA1
4947ef0a7b3da4972106a6a97fff8c03f9db6799

SHA256
3dc24e9a42d9230f4c0db64bf11b9df544066c80c49b2aa66ce9a01ddb8c4088

SHA512
8933f0add139fd10f452ad18bcc400ab288aebe5bf764da66eb332b9b97dc56f7aaab66fd396b0ca1bf3c29a1487255b562a97fdeffaacc142347a95cd503350

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-06e6476b-0632-42b7-bf13-3d5cf60addc0\files\data.bin

Filesize
741KB

MD5
8d9b3ca29d78cda545cf0a3131536f17

SHA1
d823975e67320244f3f02a59e5d29b53e16a828b

SHA256
97978ec89a58611cdeeffc623805c91966bf1d861395082804efe05302daf7cd

SHA512
287799d662bf3f113aab8009503afe7306f489b7fdad69ceffb190c9757412e00f6d3eedf5d5254d90319b27577d9567dc4b67860dc0148e249c042575f4dc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-06e6476b-0632-42b7-bf13-3d5cf60addc0\files\run.bat

Filesize
70B

MD5
f8abf91d350d39ff1a48934b88624291

SHA1
88ef29fd18441c628a43925a8b32535d39e07979

SHA256
5b4e3e3f739b1ae3cd907a0abe9d5aaf51455551f69f9da57e668f749584efd6

SHA512
3c572c7415fbc8ee5f976ac9b6cce43c901174777c859e9461451676bd5158e940e0bd173d83d980958295cb9daacc489f0d596d98e93f71cb81d2603f037876

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-06e6476b-0632-42b7-bf13-3d5cf60addc0\files\task22.msi

Filesize
1.2MB

MD5
6406cce810c8aaa887ca6b8e004776d2

SHA1
1698d3d12341f3824e14f4dae75300eea9670797

SHA256
fbfde6f43c30f454b07dbd2fdcd83685ae0016227f5489c13ccb510a0cff00a6

SHA512
3cd6f24c1892abd1b12a02dac5ab53e2afe1c68bc366d1ddb26df1e56312da7ff5caca255e78cb61e3fcbbed21cd03fb8909c61302af4dbcdda7ad37eac73ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-06e6476b-0632-42b7-bf13-3d5cf60addc0\msiwrapper.ini

Filesize
1KB

MD5
5f604a7e57574c8a46fe0f4451c5ee50

SHA1
376f2dd98a0f2475c9b8de198adbb4a6f21413e4

SHA256
faf1895efd034d42861dac317ecd757ac8bf895e6938bd36292984a68358df89

SHA512
4de7f2388b6efc020ebd29cd5f99a4aca5da29733ab83aa57a4625221d70819518a50707089a4c47da68cf1a86a90ac25250cd1a5563a63617403225177dcf60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9D6D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Installer\f76bde3.msi

Filesize
1.7MB

MD5
7c26877fcd894cc1355f2a31a551243c

SHA1
80104216da4cd3449eabf0e0de2bb3a5b2de85ca

SHA256
ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000

SHA512
a57a961a3339b105f9d5653b69269ed7aab952a4e16600426edee80d628a9ac62a13b5ea642ffd9765fdada7b0db5c5a85a21bc88c125be122bf3c4e89d0cfb8

Download Submit
\Users\Admin\AppData\Local\Temp\MW-06e6476b-0632-42b7-bf13-3d5cf60addc0\files\g2m.dll

Filesize
603KB

MD5
fc284eee599385a7ae9f098d123e983f

SHA1
acaa1c92d85afd92184d49592aed3aeab6ad2ded

SHA256
16414419a8248a4a55c05859c467d1fafc298694f3f71916261fe2e08ebf4abd

SHA512
c2538a98de60aeddb72cb14513ecce3493f04e94135182af658d3fc6425ad890560945efb02c956b11aa10606c95e7cb286e73c0d27e71f2b17d3494506e7123

Download Submit
\Users\Admin\AppData\Local\Temp\MW-06e6476b-0632-42b7-bf13-3d5cf60addc0\files\task.exe

Filesize
39KB

MD5
f1b14f71252de9ac763dbfbfbfc8c2dc

SHA1
dcc2dcb26c1649887f1d5ae557a000b5fe34bb98

SHA256
796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5

SHA512
636a32fb8a88a542783aa57fe047b6bca47b2bd23b41b3902671c4e9036c6dbb97576be27fd2395a988653e6b63714277873e077519b4a06cdc5f63d3c4224e0

Download Submit
\Windows\Installer\MSIBEEE.tmp

Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit