Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14-01-2025 02:58
Static task
static1
Behavioral task
behavioral1
Sample
msit.exe
Resource
win7-20240903-en
windows7-x64
General
-
Target
msit.exe
-
Size
19.2MB
-
MD5
bb0ca87d28e7c1bfd53e3e592e75e684
-
SHA1
23be4528fe7dd78243845a6a08a88ce68200d59a
-
SHA256
d34e7af4d266688eb65118de606ffbeb36d46d488c3be604a5cb240778550cea
-
SHA512
217effd932ae2b5e21527bcc7a22c0f8a8ae0d89902ef00669ef9cc11463995c8c48d34d0b75b55dd50421c2abf19e8b72289abfbb7757339f825fe6ccdb59a7
-
SSDEEP
393216:kxVUrUl7eOos7orHgF4n5tZkk5b4EMqbfhYwWMr220ItXVca6cjL6OcaAeEKQHeg:CVUrUl7eOuTg4VkDEMq1YpItB6YOO1Af
Malware Config
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
Signatures
-
Lumma family
-
Executes dropped EXE 1 IoCs
pid Process 2616 MSIEF06.tmp -
Loads dropped DLL 15 IoCs
pid Process 2692 MsiExec.exe 2692 MsiExec.exe 2692 MsiExec.exe 2692 MsiExec.exe 2692 MsiExec.exe 2692 MsiExec.exe 2692 MsiExec.exe 1944 MsiExec.exe 1944 MsiExec.exe 1944 MsiExec.exe 1944 MsiExec.exe 1944 MsiExec.exe 2728 msiexec.exe 2692 MsiExec.exe 2692 MsiExec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: msit.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msit.exe File opened (read-only) \??\E: msit.exe File opened (read-only) \??\H: msit.exe File opened (read-only) \??\I: msit.exe File opened (read-only) \??\N: msit.exe File opened (read-only) \??\R: msit.exe File opened (read-only) \??\V: msit.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\B: msit.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\S: msit.exe File opened (read-only) \??\X: msit.exe File opened (read-only) \??\Z: msit.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\U: msit.exe File opened (read-only) \??\J: msit.exe File opened (read-only) \??\Q: msit.exe File opened (read-only) \??\T: msit.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\G: msit.exe File opened (read-only) \??\P: msit.exe File opened (read-only) \??\Y: msit.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msit.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\M: msit.exe File opened (read-only) \??\W: msit.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\O: msit.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2616 set thread context of 1808 2616 MSIEF06.tmp 36 -
Drops file in Windows directory 12 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSIEBE6.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIECE0.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIEDBD.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIEEF6.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIEF06.tmp msiexec.exe File opened for modification C:\Windows\Installer\f76e7df.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIE9C3.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIED2F.tmp msiexec.exe File created C:\Windows\Installer\f76e7e2.ipi msiexec.exe File opened for modification C:\Windows\Installer\f76e7e2.ipi msiexec.exe File created C:\Windows\Installer\f76e7df.msi msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dxdiag.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2728 msiexec.exe 2728 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 2728 msiexec.exe Token: SeTakeOwnershipPrivilege 2728 msiexec.exe Token: SeSecurityPrivilege 2728 msiexec.exe Token: SeCreateTokenPrivilege 848 msit.exe Token: SeAssignPrimaryTokenPrivilege 848 msit.exe Token: SeLockMemoryPrivilege 848 msit.exe Token: SeIncreaseQuotaPrivilege 848 msit.exe Token: SeMachineAccountPrivilege 848 msit.exe Token: SeTcbPrivilege 848 msit.exe Token: SeSecurityPrivilege 848 msit.exe Token: SeTakeOwnershipPrivilege 848 msit.exe Token: SeLoadDriverPrivilege 848 msit.exe Token: SeSystemProfilePrivilege 848 msit.exe Token: SeSystemtimePrivilege 848 msit.exe Token: SeProfSingleProcessPrivilege 848 msit.exe Token: SeIncBasePriorityPrivilege 848 msit.exe Token: SeCreatePagefilePrivilege 848 msit.exe Token: SeCreatePermanentPrivilege 848 msit.exe Token: SeBackupPrivilege 848 msit.exe Token: SeRestorePrivilege 848 msit.exe Token: SeShutdownPrivilege 848 msit.exe Token: SeDebugPrivilege 848 msit.exe Token: SeAuditPrivilege 848 msit.exe Token: SeSystemEnvironmentPrivilege 848 msit.exe Token: SeChangeNotifyPrivilege 848 msit.exe Token: SeRemoteShutdownPrivilege 848 msit.exe Token: SeUndockPrivilege 848 msit.exe Token: SeSyncAgentPrivilege 848 msit.exe Token: SeEnableDelegationPrivilege 848 msit.exe Token: SeManageVolumePrivilege 848 msit.exe Token: SeImpersonatePrivilege 848 msit.exe Token: SeCreateGlobalPrivilege 848 msit.exe Token: SeCreateTokenPrivilege 848 msit.exe Token: SeAssignPrimaryTokenPrivilege 848 msit.exe Token: SeLockMemoryPrivilege 848 msit.exe Token: SeIncreaseQuotaPrivilege 848 msit.exe Token: SeMachineAccountPrivilege 848 msit.exe Token: SeTcbPrivilege 848 msit.exe Token: SeSecurityPrivilege 848 msit.exe Token: SeTakeOwnershipPrivilege 848 msit.exe Token: SeLoadDriverPrivilege 848 msit.exe Token: SeSystemProfilePrivilege 848 msit.exe Token: SeSystemtimePrivilege 848 msit.exe Token: SeProfSingleProcessPrivilege 848 msit.exe Token: SeIncBasePriorityPrivilege 848 msit.exe Token: SeCreatePagefilePrivilege 848 msit.exe Token: SeCreatePermanentPrivilege 848 msit.exe Token: SeBackupPrivilege 848 msit.exe Token: SeRestorePrivilege 848 msit.exe Token: SeShutdownPrivilege 848 msit.exe Token: SeDebugPrivilege 848 msit.exe Token: SeAuditPrivilege 848 msit.exe Token: SeSystemEnvironmentPrivilege 848 msit.exe Token: SeChangeNotifyPrivilege 848 msit.exe Token: SeRemoteShutdownPrivilege 848 msit.exe Token: SeUndockPrivilege 848 msit.exe Token: SeSyncAgentPrivilege 848 msit.exe Token: SeEnableDelegationPrivilege 848 msit.exe Token: SeManageVolumePrivilege 848 msit.exe Token: SeImpersonatePrivilege 848 msit.exe Token: SeCreateGlobalPrivilege 848 msit.exe Token: SeCreateTokenPrivilege 848 msit.exe Token: SeAssignPrimaryTokenPrivilege 848 msit.exe Token: SeLockMemoryPrivilege 848 msit.exe -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 2728 wrote to memory of 2692 2728 msiexec.exe 32 PID 2728 wrote to memory of 2692 2728 msiexec.exe 32 PID 2728 wrote to memory of 2692 2728 msiexec.exe 32 PID 2728 wrote to memory of 2692 2728 msiexec.exe 32 PID 2728 wrote to memory of 2692 2728 msiexec.exe 32 PID 2728 wrote to memory of 2692 2728 msiexec.exe 32 PID 2728 wrote to memory of 2692 2728 msiexec.exe 32 PID 848 wrote to memory of 1760 848 msit.exe 33 PID 848 wrote to memory of 1760 848 msit.exe 33 PID 848 wrote to memory of 1760 848 msit.exe 33 PID 848 wrote to memory of 1760 848 msit.exe 33 PID 848 wrote to memory of 1760 848 msit.exe 33 PID 848 wrote to memory of 1760 848 msit.exe 33 PID 848 wrote to memory of 1760 848 msit.exe 33 PID 2728 wrote to memory of 1944 2728 msiexec.exe 34 PID 2728 wrote to memory of 1944 2728 msiexec.exe 34 PID 2728 wrote to memory of 1944 2728 msiexec.exe 34 PID 2728 wrote to memory of 1944 2728 msiexec.exe 34 PID 2728 wrote to memory of 1944 2728 msiexec.exe 34 PID 2728 wrote to memory of 1944 2728 msiexec.exe 34 PID 2728 wrote to memory of 1944 2728 msiexec.exe 34 PID 2728 wrote to memory of 2616 2728 msiexec.exe 35 PID 2728 wrote to memory of 2616 2728 msiexec.exe 35 PID 2728 wrote to memory of 2616 2728 msiexec.exe 35 PID 2616 wrote to memory of 1808 2616 MSIEF06.tmp 36 PID 2616 wrote to memory of 1808 2616 MSIEF06.tmp 36 PID 2616 wrote to memory of 1808 2616 MSIEF06.tmp 36 PID 2616 wrote to memory of 1808 2616 MSIEF06.tmp 36 PID 2616 wrote to memory of 1808 2616 MSIEF06.tmp 36 PID 2616 wrote to memory of 1808 2616 MSIEF06.tmp 36 PID 2616 wrote to memory of 1808 2616 MSIEF06.tmp 36 PID 2616 wrote to memory of 1808 2616 MSIEF06.tmp 36 PID 2616 wrote to memory of 1808 2616 MSIEF06.tmp 36 PID 2616 wrote to memory of 1808 2616 MSIEF06.tmp 36 PID 2616 wrote to memory of 1808 2616 MSIEF06.tmp 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\msit.exe"C:\Users\Admin\AppData\Local\Temp\msit.exe"1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\msit\msit 1.0.1\install\C07CAF6\msit.msi" /qn /norestart AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\msit.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1736564075 "2⤵
- System Location Discovery: System Language Discovery
PID:1760
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 33DF03C0AAF1DC7181DB5F7129F5A054 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2692
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 310774D017B105D099F0515E8646E9C12⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1944
-
-
C:\Windows\Installer\MSIEF06.tmp"C:\Windows\Installer\MSIEF06.tmp"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\dxdiag.exe"C:\Windows\SysWOW64\dxdiag.exe"3⤵
- System Location Discovery: System Language Discovery
PID:1808
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD55343ce1f8d9d37b9dfcfa98bc04d1413
SHA16d4bea4b351a1358ffdd9a778606c57c6ffd1b35
SHA256efeeff537433f6e67b8b4effad06577d0207230259c0c6f04dd880f9d5233214
SHA512dfe1598bde39c544ee44df332e1e95e88b0f004ed2693f08ada92fcec1160c55cda33ad3b22849fe275fbe3ed5866bcd086429587a8617f6503d6f29a5317542
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
997KB
MD5ec6ebf65fe4f361a73e473f46730e05c
SHA101f946dfbf773f977af5ade7c27fffc7fe311149
SHA256d3614d7bece53e0d408e31da7d9b0ff2f7285a7dd544c778847ed0c5ded5d52f
SHA512e4d7aafa75d07a3071d2739d18b4c2b0a3798f754b339c349db9a6004d031bf02f3970b030cec4a5f55b4c19f03794b0ce186a303d936c222e7e6e8726fffff7
-
Filesize
1.1MB
MD503cc8828bb0e0105915b7695b1ec8d88
SHA1cbf8ec531ea7e3ee58b51bd642f8bfabdc759ee1
SHA2560e1491ae7344f3a5ec824732648ccdda19b271d6f01471793bf292840fc83b5e
SHA512593a76166eb6ce2e3537b0d93e216daef12e4ab5b181a194b55a90b39a1af2e0374c4ec3833a000530425319a003cd1a648489640fccaf108061ebea1d9cb1e7
-
Filesize
886KB
MD5accd9092a35e468e8af934accd81e9f6
SHA13751384e5e586481618002469190e3c1f271ce6d
SHA2568339a5ee92e53a155828e58e7700fc17d4f3f8ecb11daeb52aa1118ba3141ecd
SHA51218e49e56ad2f78db7f4bfabab25cc3ecfcc8180beea8ff162a5d80bd0a6db9eb598f9fa1d5167f078a12f382663a2b205d7e512370e4873a60955a174826e8e3
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
740B
MD5dba29b1cc6a0ac337a02a1b600e59e60
SHA1efeff3878b981326da4c70be8f9396f0b6020247
SHA2569331ea0e713c45e2439d7d12709fdd0e1528137c0ef89ae96fb03150d0d9a5de
SHA512e67a41bec75514ecb47ef2b0fe477cb2240ce9254d1656488f1f0e83b86e43e32b316f9deda9a67e731773928f9479cf80dabcefe88c99ac1f7de5dca795109e
-
Filesize
47.1MB
MD571b30f6890f9ecf0fabbf1cbbc2427f8
SHA141c12abedf033ca0e5d0114520b40f4160a20029
SHA2565fe2cd05a7cd3783644e141058408f08427f02ddba6b7bc4220f191a43523a85
SHA5122968e78f4ff28a77b2a6013d70774fed98df3b0cc6496f5d937cf046f37825027e4c2832f9342f0fd61eefda89dd4e1067fd602b9056d9b893be8d0f10628be1
-
Filesize
12.5MB
MD54d82074854750fdba89d76624cc1e6f6
SHA11cab8150956317418f64e67692072cac8472b75b
SHA256019cf1aad1f8d4f1b5dae3aa609b2b53cffc3c7894b58b9f0b225868aed7342d
SHA512068bd8c1db17c4def612618d463239f002e8f4712691a8fc9163215bdaa7bc5306aa861c396438c647e7b839c2c67c5709b25e0695e1baa668aa100310255f9d