9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b

Resubmissions

19-12-2024 13:09

241219-qdzx4stlfy 10

18-12-2024 23:58

18-12-2024 23:03

18-12-2024 22:59

18-12-2024 22:44

18-12-2024 22:36

18-12-2024 22:31

Analysis

max time kernel
98s
max time network
149s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
18-12-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

node-v22.11.0-x64.msi
Size

28.9MB
MD5

fa9e1f3064a66913362e9bff7097cef5
SHA1

b34f1f9a9f6242c54486a4bc453a9336840b4425
SHA256

9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b
SHA512

ad3e9469326dccac6b49185b5b2814ba700b5d83b4b3ce17f85a9adc5f90bdebf54d79800b253ed5c371ab82d27304841f86ab1a8a3c7ffade8a2d78e55dc99f
SSDEEP

786432:EtShU+9S49htlhk3tKuiU9IsO9IP1/lBMS8k4:EAUK/U9IN961/l

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	3576	msiexec.exe
4	3576	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Loads dropped DLL 2 IoCs

pid	Process
2508	MsiExec.exe
2508	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3576	msiexec.exe

Runs regedit.exe 1 IoCs

pid	Process
2528	regedit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2528	regedit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3576	msiexec.exe
Token: SeSecurityPrivilege	3712	msiexec.exe
Token: SeCreateTokenPrivilege	3576	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3576	msiexec.exe
Token: SeLockMemoryPrivilege	3576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3576	msiexec.exe
Token: SeMachineAccountPrivilege	3576	msiexec.exe
Token: SeTcbPrivilege	3576	msiexec.exe
Token: SeSecurityPrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeLoadDriverPrivilege	3576	msiexec.exe
Token: SeSystemProfilePrivilege	3576	msiexec.exe
Token: SeSystemtimePrivilege	3576	msiexec.exe
Token: SeProfSingleProcessPrivilege	3576	msiexec.exe
Token: SeIncBasePriorityPrivilege	3576	msiexec.exe
Token: SeCreatePagefilePrivilege	3576	msiexec.exe
Token: SeCreatePermanentPrivilege	3576	msiexec.exe
Token: SeBackupPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeShutdownPrivilege	3576	msiexec.exe
Token: SeDebugPrivilege	3576	msiexec.exe
Token: SeAuditPrivilege	3576	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3576	msiexec.exe
Token: SeChangeNotifyPrivilege	3576	msiexec.exe
Token: SeRemoteShutdownPrivilege	3576	msiexec.exe
Token: SeUndockPrivilege	3576	msiexec.exe
Token: SeSyncAgentPrivilege	3576	msiexec.exe
Token: SeEnableDelegationPrivilege	3576	msiexec.exe
Token: SeManageVolumePrivilege	3576	msiexec.exe
Token: SeImpersonatePrivilege	3576	msiexec.exe
Token: SeCreateGlobalPrivilege	3576	msiexec.exe
Token: SeCreateTokenPrivilege	3576	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3576	msiexec.exe
Token: SeLockMemoryPrivilege	3576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3576	msiexec.exe
Token: SeMachineAccountPrivilege	3576	msiexec.exe
Token: SeTcbPrivilege	3576	msiexec.exe
Token: SeSecurityPrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeLoadDriverPrivilege	3576	msiexec.exe
Token: SeSystemProfilePrivilege	3576	msiexec.exe
Token: SeSystemtimePrivilege	3576	msiexec.exe
Token: SeProfSingleProcessPrivilege	3576	msiexec.exe
Token: SeIncBasePriorityPrivilege	3576	msiexec.exe
Token: SeCreatePagefilePrivilege	3576	msiexec.exe
Token: SeCreatePermanentPrivilege	3576	msiexec.exe
Token: SeBackupPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeShutdownPrivilege	3576	msiexec.exe
Token: SeDebugPrivilege	3576	msiexec.exe
Token: SeAuditPrivilege	3576	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3576	msiexec.exe
Token: SeChangeNotifyPrivilege	3576	msiexec.exe
Token: SeRemoteShutdownPrivilege	3576	msiexec.exe
Token: SeUndockPrivilege	3576	msiexec.exe
Token: SeSyncAgentPrivilege	3576	msiexec.exe
Token: SeEnableDelegationPrivilege	3576	msiexec.exe
Token: SeManageVolumePrivilege	3576	msiexec.exe
Token: SeImpersonatePrivilege	3576	msiexec.exe
Token: SeCreateGlobalPrivilege	3576	msiexec.exe
Token: SeCreateTokenPrivilege	3576	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3576	msiexec.exe
Token: SeLockMemoryPrivilege	3576	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3576	msiexec.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 2508	3712	msiexec.exe	84
PID 3712 wrote to memory of 2508	3712	msiexec.exe	84

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\node-v22.11.0-x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3576

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding E0EA333CDDF3D3DCB0F802ACD77CB732 C
  2⤵
  - Loads dropped DLL
  PID:2508

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIC0CF.tmp

Filesize
144KB

MD5
7fa9d662d634534d7c2240dd126bdeee

SHA1
bd01e22ed2da0d0d485824b372ac67da683863d2

SHA256
c0e8683b697b3c6e55deb4497d3434d6e2cc841eb8c9a1b7d3f8907cff7de206

SHA512
cbc737e3eb94151c9dacaa5ee780cb550176ca2be2e0c66925884b5bc6222b7bcde5ed66e881f2a76f3d26edf5331abf0e74c819ad4f5fd7d0819bc4c138bb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC17C.tmp

Filesize
390KB

MD5
80bebea11fbe87108b08762a1bbff2cd

SHA1
a7ec111a792fd9a870841be430d130a545613782

SHA256
facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1

SHA512
a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads