5a49f64634ac29f37b3e53f5a1e37b90e8f3a385683f24083c68aee092408314

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xyxmml.msi
Size

1.7MB
MD5

51dd5767de678bb6359cbb175319f0ec
SHA1

76ae487dda6cf3651a9b2b30614c0fefd1f3149c
SHA256

5a49f64634ac29f37b3e53f5a1e37b90e8f3a385683f24083c68aee092408314
SHA512

ffb798290e2f6840eb8f0587dc675e8654589bfd070b1c54e49c7984272aa94da3a493cbd28b1dddef1f6a44b09ad9fd8a14ec0d77b90f948dc85089f91cc8a0
SSDEEP

49152:+EJnsHyjtk2MYC5GDChloJfWJ255hpB14Rd:1nsmtk2arhlTJ23h

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1824	msiexec.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1824	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1824	msiexec.exe
Token: SeRestorePrivilege	2872	msiexec.exe
Token: SeTakeOwnershipPrivilege	2872	msiexec.exe
Token: SeSecurityPrivilege	2872	msiexec.exe
Token: SeCreateTokenPrivilege	1824	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1824	msiexec.exe
Token: SeLockMemoryPrivilege	1824	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1824	msiexec.exe
Token: SeMachineAccountPrivilege	1824	msiexec.exe
Token: SeTcbPrivilege	1824	msiexec.exe
Token: SeSecurityPrivilege	1824	msiexec.exe
Token: SeTakeOwnershipPrivilege	1824	msiexec.exe
Token: SeLoadDriverPrivilege	1824	msiexec.exe
Token: SeSystemProfilePrivilege	1824	msiexec.exe
Token: SeSystemtimePrivilege	1824	msiexec.exe
Token: SeProfSingleProcessPrivilege	1824	msiexec.exe
Token: SeIncBasePriorityPrivilege	1824	msiexec.exe
Token: SeCreatePagefilePrivilege	1824	msiexec.exe
Token: SeCreatePermanentPrivilege	1824	msiexec.exe
Token: SeBackupPrivilege	1824	msiexec.exe
Token: SeRestorePrivilege	1824	msiexec.exe
Token: SeShutdownPrivilege	1824	msiexec.exe
Token: SeDebugPrivilege	1824	msiexec.exe
Token: SeAuditPrivilege	1824	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1824	msiexec.exe
Token: SeChangeNotifyPrivilege	1824	msiexec.exe
Token: SeRemoteShutdownPrivilege	1824	msiexec.exe
Token: SeUndockPrivilege	1824	msiexec.exe
Token: SeSyncAgentPrivilege	1824	msiexec.exe
Token: SeEnableDelegationPrivilege	1824	msiexec.exe
Token: SeManageVolumePrivilege	1824	msiexec.exe
Token: SeImpersonatePrivilege	1824	msiexec.exe
Token: SeCreateGlobalPrivilege	1824	msiexec.exe
Token: SeBackupPrivilege	2828	vssvc.exe
Token: SeRestorePrivilege	2828	vssvc.exe
Token: SeAuditPrivilege	2828	vssvc.exe
Token: SeBackupPrivilege	2872	msiexec.exe
Token: SeRestorePrivilege	2872	msiexec.exe
Token: SeRestorePrivilege	1256	msiexec.exe
Token: SeTakeOwnershipPrivilege	1256	msiexec.exe
Token: SeSecurityPrivilege	1256	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1824	msiexec.exe
1824	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2716	2872	msiexec.exe	33
PID 2872 wrote to memory of 2716	2872	msiexec.exe	33
PID 2872 wrote to memory of 2716	2872	msiexec.exe	33

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\xyxmml.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2872 -s 872
  2⤵
  PID:2716