Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/01/2025, 14:57

General

  • Target

    6a369bbf57598496320767f720032cb17700d6239ec4909e001a116923b13ad6.msi

  • Size

    5.5MB

  • MD5

    02fa1519052c14325f5f2dd46a79f47c

  • SHA1

    424bb2c61d0e7e21f38b278d4908801cc64f466d

  • SHA256

    6a369bbf57598496320767f720032cb17700d6239ec4909e001a116923b13ad6

  • SHA512

    02fa8208bf38ab9559014875f5ffe610997e2dd9ba46af3d746fb6d849eda54d8ef544b88a0b6d9274cd031f58faf8ac332f74d449948c813ffb70e4759d6e05

  • SSDEEP

    49152:kdfxM35NBCVbnGImqB+bhbSMv4P59TlN0j+G6/jwPX/7dCF0FBAALKiHKXrxpSVu:t5Q364jjwv/7+ZuKi20

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Loads dropped DLL 4 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6a369bbf57598496320767f720032cb17700d6239ec4909e001a116923b13ad6.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2720
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 57B2DCA303DFDCF846FEDCADD4DFD9DE
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2864
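The process tree above is the standard Windows Installer custom-action chain: the user-launched `msiexec.exe /I` hands the package to the Installer service (`msiexec.exe /V`), which spawns a 32-bit `MsiExec.exe -Embedding <GUID>` custom-action server that loads the DLL the package dropped into `C:\Windows\Installer\MSI*.tmp`. The following Python is an added example, not part of the sandbox report: it encodes that chain as a detection over constructed process and image-load events modelled on the report's PIDs and command lines. Parent PIDs and the benign control process are assumptions, since the report does not list them.

```python
"""Flag the msiexec custom-action DLL chain (parent 'msiexec /V', child
'MsiExec -Embedding', image load from C:\\Windows\\Installer\\MSI*.tmp).

Events below are constructed from the report's process tree; they are not
sandbox telemetry. Parent PIDs (ppid) are assumed, as is the benign control.
"""
import fnmatch
import ntpath
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    pid: int
    ppid: int                 # assumed; the report does not list parent PIDs
    image: str
    cmdline: str
    loaded: list = field(default_factory=list)   # image-load events for this pid


MSI_TARGET = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\6a369bbf57598496320767f720032cb17700d6239ec4909e001a116923b13ad6.msi")

# Constructed event set modelled on the report (ppid 0 = parent unknown/assumed).
EVENTS = [
    ProcEvent(2720, 0, r"C:\Windows\system32\msiexec.exe",
              f"msiexec.exe /I {MSI_TARGET}"),
    ProcEvent(2844, 0, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(2864, 2844, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding 57B2DCA303DFDCF846FEDCADD4DFD9DE",
              loaded=[r"C:\Windows\system32\kernel32.dll",
                      r"C:\Windows\Installer\MSIED1D.tmp"]),
    # Assumed benign control: an embedded server that loads only system DLLs.
    ProcEvent(3100, 2844, r"C:\Windows\system32\MsiExec.exe",
              r"C:\Windows\system32\MsiExec.exe -Embedding 0123456789ABCDEF0123456789ABCDEF",
              loaded=[r"C:\Windows\system32\msi.dll"]),
]

# Where the Installer service stages custom-action binaries extracted from the package.
DROP_GLOB = r"C:\Windows\Installer\MSI*.tmp"


def is_msiexec(image: str) -> bool:
    """True for any msiexec.exe image regardless of directory or case."""
    return ntpath.basename(image).lower() == "msiexec.exe"


def find_custom_action_loads(events):
    """Return (pid, module) pairs where an -Embedding custom-action server,
    spawned by the Installer service (msiexec /V), loaded a staged MSI*.tmp DLL."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not (is_msiexec(e.image) and "-embedding" in e.cmdline.lower()):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not is_msiexec(parent.image):
            continue
        if "/v" not in parent.cmdline.lower().split():
            continue
        for mod in e.loaded:
            if fnmatch.fnmatch(mod.lower(), DROP_GLOB.lower()):
                hits.append((e.pid, mod))
    return hits


if __name__ == "__main__":
    for pid, mod in find_custom_action_loads(EVENTS):
        print(f"custom-action DLL load: pid={pid} module={mod}")
```

Legitimate installers use the same chain, so a hit is a triage signal rather than a verdict; the next step is to hash the `MSI*.tmp` module and compare it against the dropped-file hashes listed under Downloads below (for this run, `MSIED1D.tmp`, SHA256 `bb9a3c89...`), then pull that DLL's exports for static review.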

Network

        Downloads

        • C:\Config.Msi\f76ecf2.rbs

          Filesize

          618B

          MD5

          2d0d923046766cceac3efa2de6c4ea0c

          SHA1

          a0da1311970bb407f1f0f87958c45f90b1ca285d

          SHA256

          ae4ba377d74929158ee596a847a6f19e3904ed219b0773ef67b23fd19defc7cb

          SHA512

          b56918aa1fb4941867dd68de50670b90255864094e7048a0a69d2d91a34df3b62aefd0550f33d23e04636259b81bd8af8652510800799ee081db34a667e496be

        • C:\Windows\Installer\MSIED1D.tmp

          Filesize

          554KB

          MD5

          3b171ce087bb799aafcbbd93bab27f71

          SHA1

          7bd69efbc7797bdff5510830ca2cc817c8b86d08

          SHA256

          bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

          SHA512

          7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

        • C:\Windows\Installer\MSIEF73.tmp

          Filesize

          4.5MB

          MD5

          828eebaef0c334851f2d16987d133114

          SHA1

          aca1525c7f9a29d3340edfc14e8bf54b062312f0

          SHA256

          696d4fcc8881c4e86e6aeb06a43b700c1f4e2f300abd2b20312f3196e379e4c3

          SHA512

          6fd2f4e4b2ae43e3d141ac9676af2680bbad94fb3d7d469cd3d5ed5115b5a851302ef879ff18ae4d6fd0015660ffba8aba3b702bb2fa55b00c0f09767529bd33

        • memory/2864-21-0x00000000744F0000-0x000000007497B000-memory.dmp

          Filesize

          4.5MB