bbdf4c8d657e3123bd009ab086758bfd707f9b8c7f5fabb22783c4cb81784ca8

Analysis

max time kernel
422s
max time network
449s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-es
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-eslocale:es-esos:windows10-ltsc 2021-x64systemwindows
submitted
22-01-2025 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

openoffice4115.msi
Size

2.4MB
MD5

63d6263904b3783c61f70232bc6b0749
SHA1

140cc43faf463b74a60805aa80711a75b352ae18
SHA256

a63fc1a0b7664e6c62d5f4d277c8bb46c3ddbf2c941c92ebe97a452e0a493590
SHA512

3c6ed5d9a830801fff7fc0013de4e4f60b9fc00c3c43351a1739228e5278bd95d226b022e0341ec7cd0fe6faa7934ac517f11a116cf3d00b9f35bae1c7dab31d
SSDEEP

24576:vLwe12pZVGZwyYvyQG0VgiUJ3SB9mmYSsu84B9kwIuSx:vLwegpTGfktUtI1B3

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
4572	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4432	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4432	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4432	msiexec.exe
Token: SeSecurityPrivilege	320	msiexec.exe
Token: SeCreateTokenPrivilege	4432	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4432	msiexec.exe
Token: SeLockMemoryPrivilege	4432	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4432	msiexec.exe
Token: SeMachineAccountPrivilege	4432	msiexec.exe
Token: SeTcbPrivilege	4432	msiexec.exe
Token: SeSecurityPrivilege	4432	msiexec.exe
Token: SeTakeOwnershipPrivilege	4432	msiexec.exe
Token: SeLoadDriverPrivilege	4432	msiexec.exe
Token: SeSystemProfilePrivilege	4432	msiexec.exe
Token: SeSystemtimePrivilege	4432	msiexec.exe
Token: SeProfSingleProcessPrivilege	4432	msiexec.exe
Token: SeIncBasePriorityPrivilege	4432	msiexec.exe
Token: SeCreatePagefilePrivilege	4432	msiexec.exe
Token: SeCreatePermanentPrivilege	4432	msiexec.exe
Token: SeBackupPrivilege	4432	msiexec.exe
Token: SeRestorePrivilege	4432	msiexec.exe
Token: SeShutdownPrivilege	4432	msiexec.exe
Token: SeDebugPrivilege	4432	msiexec.exe
Token: SeAuditPrivilege	4432	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4432	msiexec.exe
Token: SeChangeNotifyPrivilege	4432	msiexec.exe
Token: SeRemoteShutdownPrivilege	4432	msiexec.exe
Token: SeUndockPrivilege	4432	msiexec.exe
Token: SeSyncAgentPrivilege	4432	msiexec.exe
Token: SeEnableDelegationPrivilege	4432	msiexec.exe
Token: SeManageVolumePrivilege	4432	msiexec.exe
Token: SeImpersonatePrivilege	4432	msiexec.exe
Token: SeCreateGlobalPrivilege	4432	msiexec.exe
Token: SeCreateTokenPrivilege	4432	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4432	msiexec.exe
Token: SeLockMemoryPrivilege	4432	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4432	msiexec.exe
Token: SeMachineAccountPrivilege	4432	msiexec.exe
Token: SeTcbPrivilege	4432	msiexec.exe
Token: SeSecurityPrivilege	4432	msiexec.exe
Token: SeTakeOwnershipPrivilege	4432	msiexec.exe
Token: SeLoadDriverPrivilege	4432	msiexec.exe
Token: SeSystemProfilePrivilege	4432	msiexec.exe
Token: SeSystemtimePrivilege	4432	msiexec.exe
Token: SeProfSingleProcessPrivilege	4432	msiexec.exe
Token: SeIncBasePriorityPrivilege	4432	msiexec.exe
Token: SeCreatePagefilePrivilege	4432	msiexec.exe
Token: SeCreatePermanentPrivilege	4432	msiexec.exe
Token: SeBackupPrivilege	4432	msiexec.exe
Token: SeRestorePrivilege	4432	msiexec.exe
Token: SeShutdownPrivilege	4432	msiexec.exe
Token: SeDebugPrivilege	4432	msiexec.exe
Token: SeAuditPrivilege	4432	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4432	msiexec.exe
Token: SeChangeNotifyPrivilege	4432	msiexec.exe
Token: SeRemoteShutdownPrivilege	4432	msiexec.exe
Token: SeUndockPrivilege	4432	msiexec.exe
Token: SeSyncAgentPrivilege	4432	msiexec.exe
Token: SeEnableDelegationPrivilege	4432	msiexec.exe
Token: SeManageVolumePrivilege	4432	msiexec.exe
Token: SeImpersonatePrivilege	4432	msiexec.exe
Token: SeCreateGlobalPrivilege	4432	msiexec.exe
Token: SeCreateTokenPrivilege	4432	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4432	msiexec.exe
Token: SeLockMemoryPrivilege	4432	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4432	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 4572	320	msiexec.exe	84
PID 320 wrote to memory of 4572	320	msiexec.exe	84
PID 320 wrote to memory of 4572	320	msiexec.exe	84

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\openoffice4115.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4432

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 27D06B2C62356E61F74DA633ADED94F9 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIB4AA.tmp

Filesize
164KB

MD5
34480728b3a659a7bc4bea865c25668d

SHA1
4ca4a1a5df7cb116ffa35e106705f2a2c20b0738

SHA256
a5b9ccf58eab9e907a151860f5630da52ae939625fd7065a05947c5e4376a09a

SHA512
6c6bf290e20d57477b9ee366e44d6c2559f27364063b03c23cf1687e41d5b9b44547f53751ea6b920bcb6471431443deafe4b0a638cd0ec4d7de903260cd978e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads