Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/01/2025, 14:57
Static task: static1
Behavioral task: behavioral1
  Sample: 6a369bbf57598496320767f720032cb17700d6239ec4909e001a116923b13ad6.msi
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 6a369bbf57598496320767f720032cb17700d6239ec4909e001a116923b13ad6.msi
  Resource: win10v2004-20241007-en
General
Target: 6a369bbf57598496320767f720032cb17700d6239ec4909e001a116923b13ad6.msi
Size: 5.5MB
MD5: 02fa1519052c14325f5f2dd46a79f47c
SHA1: 424bb2c61d0e7e21f38b278d4908801cc64f466d
SHA256: 6a369bbf57598496320767f720032cb17700d6239ec4909e001a116923b13ad6
SHA512: 02fa8208bf38ab9559014875f5ffe610997e2dd9ba46af3d746fb6d849eda54d8ef544b88a0b6d9274cd031f58faf8ac332f74d449948c813ffb70e4759d6e05
SSDEEP: 49152:kdfxM35NBCVbnGImqB+bhbSMv4P59TlN0j+G6/jwPX/7dCF0FBAALKiHKXrxpSVu:t5Q364jjwv/7+ZuKi20
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
Drops file in Windows directory (10 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\f76ecee.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIED1D.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIEDEA.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIEF51.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\f76ecf1.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\f76ecee.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIEDAA.tmp | msiexec.exe
File created | C:\Windows\Installer\f76ecf1.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIEF73.tmp | msiexec.exe
Loads dropped DLL (4 IoCs)
pid | Process
2864 | MsiExec.exe
2864 | MsiExec.exe
2864 | MsiExec.exe
2864 | MsiExec.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
pid | Process
2720 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2844 | msiexec.exe
2844 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (52 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2720 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2720 | msiexec.exe
Token: SeRestorePrivilege | 2844 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2844 | msiexec.exe
Token: SeSecurityPrivilege | 2844 | msiexec.exe
Token: SeCreateTokenPrivilege | 2720 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2720 | msiexec.exe
Token: SeLockMemoryPrivilege | 2720 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2720 | msiexec.exe
Token: SeMachineAccountPrivilege | 2720 | msiexec.exe
Token: SeTcbPrivilege | 2720 | msiexec.exe
Token: SeSecurityPrivilege | 2720 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2720 | msiexec.exe
Token: SeLoadDriverPrivilege | 2720 | msiexec.exe
Token: SeSystemProfilePrivilege | 2720 | msiexec.exe
Token: SeSystemtimePrivilege | 2720 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2720 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2720 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2720 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2720 | msiexec.exe
Token: SeBackupPrivilege | 2720 | msiexec.exe
Token: SeRestorePrivilege | 2720 | msiexec.exe
Token: SeShutdownPrivilege | 2720 | msiexec.exe
Token: SeDebugPrivilege | 2720 | msiexec.exe
Token: SeAuditPrivilege | 2720 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2720 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2720 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2720 | msiexec.exe
Token: SeUndockPrivilege | 2720 | msiexec.exe
Token: SeSyncAgentPrivilege | 2720 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2720 | msiexec.exe
Token: SeManageVolumePrivilege | 2720 | msiexec.exe
Token: SeImpersonatePrivilege | 2720 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2720 | msiexec.exe
Token: SeRestorePrivilege | 2844 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2844 | msiexec.exe
Token: SeRestorePrivilege | 2844 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2844 | msiexec.exe
Token: SeRestorePrivilege | 2844 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2844 | msiexec.exe
Token: SeRestorePrivilege | 2844 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2844 | msiexec.exe
Token: SeRestorePrivilege | 2844 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2844 | msiexec.exe
Token: SeRestorePrivilege | 2844 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2844 | msiexec.exe
Token: SeRestorePrivilege | 2844 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2844 | msiexec.exe
Token: SeRestorePrivilege | 2844 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2844 | msiexec.exe
Token: SeRestorePrivilege | 2844 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2844 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2720 | msiexec.exe
2720 | msiexec.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2844 wrote to memory of 2864 | 2844 | msiexec.exe | 32
PID 2844 wrote to memory of 2864 | 2844 | msiexec.exe | 32
PID 2844 wrote to memory of 2864 | 2844 | msiexec.exe | 32
PID 2844 wrote to memory of 2864 | 2844 | msiexec.exe | 32
PID 2844 wrote to memory of 2864 | 2844 | msiexec.exe | 32
PID 2844 wrote to memory of 2864 | 2844 | msiexec.exe | 32
PID 2844 wrote to memory of 2864 | 2844 | msiexec.exe | 32
Processes
C:\Windows\system32\msiexec.exe (PID 2720, depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6a369bbf57598496320767f720032cb17700d6239ec4909e001a116923b13ad6.msi
  Signatures:
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe (PID 2844, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe (PID 2864, depth 2, child of PID 2844)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 57B2DCA303DFDCF846FEDCADD4DFD9DE
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 618B
MD5: 2d0d923046766cceac3efa2de6c4ea0c
SHA1: a0da1311970bb407f1f0f87958c45f90b1ca285d
SHA256: ae4ba377d74929158ee596a847a6f19e3904ed219b0773ef67b23fd19defc7cb
SHA512: b56918aa1fb4941867dd68de50670b90255864094e7048a0a69d2d91a34df3b62aefd0550f33d23e04636259b81bd8af8652510800799ee081db34a667e496be

Filesize: 554KB
MD5: 3b171ce087bb799aafcbbd93bab27f71
SHA1: 7bd69efbc7797bdff5510830ca2cc817c8b86d08
SHA256: bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
SHA512: 7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Filesize: 4.5MB
MD5: 828eebaef0c334851f2d16987d133114
SHA1: aca1525c7f9a29d3340edfc14e8bf54b062312f0
SHA256: 696d4fcc8881c4e86e6aeb06a43b700c1f4e2f300abd2b20312f3196e379e4c3
SHA512: 6fd2f4e4b2ae43e3d141ac9676af2680bbad94fb3d7d469cd3d5ed5115b5a851302ef879ff18ae4d6fd0015660ffba8aba3b702bb2fa55b00c0f09767529bd33