Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 13-01-2025 07:38
Static task: static1
Behavioral task: behavioral1
Sample: msit.exe
Resource: win7-20240729-en
General
Target: msit.exe
Size: 19.2MB
MD5: bb0ca87d28e7c1bfd53e3e592e75e684
SHA1: 23be4528fe7dd78243845a6a08a88ce68200d59a
SHA256: d34e7af4d266688eb65118de606ffbeb36d46d488c3be604a5cb240778550cea
SHA512: 217effd932ae2b5e21527bcc7a22c0f8a8ae0d89902ef00669ef9cc11463995c8c48d34d0b75b55dd50421c2abf19e8b72289abfbb7757339f825fe6ccdb59a7
SSDEEP: 393216:kxVUrUl7eOos7orHgF4n5tZkk5b4EMqbfhYwWMr220ItXVca6cjL6OcaAeEKQHeg:CVUrUl7eOuTg4VkDEMq1YpItB6YOO1Af
Malware Config
Signatures

Loads dropped DLL (10 IoCs)
pid   Process
2708  MsiExec.exe
2708  MsiExec.exe
2708  MsiExec.exe
2708  MsiExec.exe
2708  MsiExec.exe
2708  MsiExec.exe
2708  MsiExec.exe
1872  MsiExec.exe
1872  MsiExec.exe
1872  MsiExec.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\H:  msit.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\A:  msit.exe
File opened (read-only)  \??\S:  msit.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\K:  msit.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\N:  msit.exe
File opened (read-only)  \??\R:  msit.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\B:  msit.exe
File opened (read-only)  \??\E:  msit.exe
File opened (read-only)  \??\O:  msit.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\L:  msit.exe
File opened (read-only)  \??\M:  msit.exe
File opened (read-only)  \??\W:  msit.exe
File opened (read-only)  \??\Z:  msit.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\P:  msit.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\I:  msit.exe
File opened (read-only)  \??\J:  msit.exe
File opened (read-only)  \??\V:  msit.exe
File opened (read-only)  \??\X:  msit.exe
File opened (read-only)  \??\Y:  msit.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\G:  msit.exe
File opened (read-only)  \??\U:  msit.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Q:  msit.exe
File opened (read-only)  \??\T:  msit.exe
File opened (read-only)  \??\V:  msiexec.exe
Drops file in Windows directory (5 IoCs)
description                   ioc                               Process
File opened for modification  C:\Windows\Installer\MSI2C01.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI2D4A.tmp  msiexec.exe
File created                  C:\Windows\Installer\f772942.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\f772942.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI2B26.tmp  msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msit.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                           pid   Process
Token: SeRestorePrivilege             2740  msiexec.exe
Token: SeTakeOwnershipPrivilege       2740  msiexec.exe
Token: SeSecurityPrivilege            2740  msiexec.exe
Token: SeCreateTokenPrivilege         2132  msit.exe
Token: SeAssignPrimaryTokenPrivilege  2132  msit.exe
Token: SeLockMemoryPrivilege          2132  msit.exe
Token: SeIncreaseQuotaPrivilege       2132  msit.exe
Token: SeMachineAccountPrivilege      2132  msit.exe
Token: SeTcbPrivilege                 2132  msit.exe
Token: SeSecurityPrivilege            2132  msit.exe
Token: SeTakeOwnershipPrivilege       2132  msit.exe
Token: SeLoadDriverPrivilege          2132  msit.exe
Token: SeSystemProfilePrivilege       2132  msit.exe
Token: SeSystemtimePrivilege          2132  msit.exe
Token: SeProfSingleProcessPrivilege   2132  msit.exe
Token: SeIncBasePriorityPrivilege     2132  msit.exe
Token: SeCreatePagefilePrivilege      2132  msit.exe
Token: SeCreatePermanentPrivilege     2132  msit.exe
Token: SeBackupPrivilege              2132  msit.exe
Token: SeRestorePrivilege             2132  msit.exe
Token: SeShutdownPrivilege            2132  msit.exe
Token: SeDebugPrivilege               2132  msit.exe
Token: SeAuditPrivilege               2132  msit.exe
Token: SeSystemEnvironmentPrivilege   2132  msit.exe
Token: SeChangeNotifyPrivilege        2132  msit.exe
Token: SeRemoteShutdownPrivilege      2132  msit.exe
Token: SeUndockPrivilege              2132  msit.exe
Token: SeSyncAgentPrivilege           2132  msit.exe
Token: SeEnableDelegationPrivilege    2132  msit.exe
Token: SeManageVolumePrivilege        2132  msit.exe
Token: SeImpersonatePrivilege         2132  msit.exe
Token: SeCreateGlobalPrivilege        2132  msit.exe
Token: SeCreateTokenPrivilege         2132  msit.exe
Token: SeAssignPrimaryTokenPrivilege  2132  msit.exe
Token: SeLockMemoryPrivilege          2132  msit.exe
Token: SeIncreaseQuotaPrivilege       2132  msit.exe
Token: SeMachineAccountPrivilege      2132  msit.exe
Token: SeTcbPrivilege                 2132  msit.exe
Token: SeSecurityPrivilege            2132  msit.exe
Token: SeTakeOwnershipPrivilege       2132  msit.exe
Token: SeLoadDriverPrivilege          2132  msit.exe
Token: SeSystemProfilePrivilege       2132  msit.exe
Token: SeSystemtimePrivilege          2132  msit.exe
Token: SeProfSingleProcessPrivilege   2132  msit.exe
Token: SeIncBasePriorityPrivilege     2132  msit.exe
Token: SeCreatePagefilePrivilege      2132  msit.exe
Token: SeCreatePermanentPrivilege     2132  msit.exe
Token: SeBackupPrivilege              2132  msit.exe
Token: SeRestorePrivilege             2132  msit.exe
Token: SeShutdownPrivilege            2132  msit.exe
Token: SeDebugPrivilege               2132  msit.exe
Token: SeAuditPrivilege               2132  msit.exe
Token: SeSystemEnvironmentPrivilege   2132  msit.exe
Token: SeChangeNotifyPrivilege        2132  msit.exe
Token: SeRemoteShutdownPrivilege      2132  msit.exe
Token: SeUndockPrivilege              2132  msit.exe
Token: SeSyncAgentPrivilege           2132  msit.exe
Token: SeEnableDelegationPrivilege    2132  msit.exe
Token: SeManageVolumePrivilege        2132  msit.exe
Token: SeImpersonatePrivilege         2132  msit.exe
Token: SeCreateGlobalPrivilege        2132  msit.exe
Token: SeCreateTokenPrivilege         2132  msit.exe
Token: SeAssignPrimaryTokenPrivilege  2132  msit.exe
Token: SeLockMemoryPrivilege          2132  msit.exe
Suspicious use of WriteProcessMemory (21 IoCs)
description                        pid   Process      procid_target
PID 2740 wrote to memory of 2708   2740  msiexec.exe  31
PID 2740 wrote to memory of 2708   2740  msiexec.exe  31
PID 2740 wrote to memory of 2708   2740  msiexec.exe  31
PID 2740 wrote to memory of 2708   2740  msiexec.exe  31
PID 2740 wrote to memory of 2708   2740  msiexec.exe  31
PID 2740 wrote to memory of 2708   2740  msiexec.exe  31
PID 2740 wrote to memory of 2708   2740  msiexec.exe  31
PID 2132 wrote to memory of 1876   2132  msit.exe     32
PID 2132 wrote to memory of 1876   2132  msit.exe     32
PID 2132 wrote to memory of 1876   2132  msit.exe     32
PID 2132 wrote to memory of 1876   2132  msit.exe     32
PID 2132 wrote to memory of 1876   2132  msit.exe     32
PID 2132 wrote to memory of 1876   2132  msit.exe     32
PID 2132 wrote to memory of 1876   2132  msit.exe     32
PID 2740 wrote to memory of 1872   2740  msiexec.exe  33
PID 2740 wrote to memory of 1872   2740  msiexec.exe  33
PID 2740 wrote to memory of 1872   2740  msiexec.exe  33
PID 2740 wrote to memory of 1872   2740  msiexec.exe  33
PID 2740 wrote to memory of 1872   2740  msiexec.exe  33
PID 2740 wrote to memory of 1872   2740  msiexec.exe  33
PID 2740 wrote to memory of 1872   2740  msiexec.exe  33
Processes

C:\Users\Admin\AppData\Local\Temp\msit.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\msit.exe"
  PID: 2132
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe
      Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\msit\msit 1.0.1\install\C07CAF6\msit.msi" /qn /norestart AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\msit.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1736494430 "
      PID: 1876
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2740
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding ADA591208451741BA7E9815146D08CA4 C
      PID: 2708
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1CDB27AAB15789DFF8A16E7DC971BBC1
      PID: 1872
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads