Analysis
-
max time kernel
94s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
27/01/2025, 14:57
Static task
static1
Behavioral task
behavioral1
Sample
6a369bbf57598496320767f720032cb17700d6239ec4909e001a116923b13ad6.msi
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
6a369bbf57598496320767f720032cb17700d6239ec4909e001a116923b13ad6.msi
Resource
win10v2004-20241007-en
General
-
Target
6a369bbf57598496320767f720032cb17700d6239ec4909e001a116923b13ad6.msi
-
Size
5.5MB
-
MD5
02fa1519052c14325f5f2dd46a79f47c
-
SHA1
424bb2c61d0e7e21f38b278d4908801cc64f466d
-
SHA256
6a369bbf57598496320767f720032cb17700d6239ec4909e001a116923b13ad6
-
SHA512
02fa8208bf38ab9559014875f5ffe610997e2dd9ba46af3d746fb6d849eda54d8ef544b88a0b6d9274cd031f58faf8ac332f74d449948c813ffb70e4759d6e05
-
SSDEEP
49152:kdfxM35NBCVbnGImqB+bhbSMv4P59TlN0j+G6/jwPX/7dCF0FBAALKiHKXrxpSVu:t5Q364jjwv/7+ZuKi20
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Every drive letter from A: to Z: except C:, D: and F: is opened read-only, and each one twice (the process tree attaches this signature to both msiexec.exe instances, PID 848 and PID 3840). Probing volume roots is routine Windows Installer behaviour (it checks every volume while costing the installation), so this signature on its own does not indicate malicious intent.
description              ioc     Process
File opened (read-only)  \??\A:  msiexec.exe (2x)
File opened (read-only)  \??\B:  msiexec.exe (2x)
File opened (read-only)  \??\E:  msiexec.exe (2x)
File opened (read-only)  \??\G:  msiexec.exe (2x)
File opened (read-only)  \??\H:  msiexec.exe (2x)
File opened (read-only)  \??\I:  msiexec.exe (2x)
File opened (read-only)  \??\J:  msiexec.exe (2x)
File opened (read-only)  \??\K:  msiexec.exe (2x)
File opened (read-only)  \??\L:  msiexec.exe (2x)
File opened (read-only)  \??\M:  msiexec.exe (2x)
File opened (read-only)  \??\N:  msiexec.exe (2x)
File opened (read-only)  \??\O:  msiexec.exe (2x)
File opened (read-only)  \??\P:  msiexec.exe (2x)
File opened (read-only)  \??\Q:  msiexec.exe (2x)
File opened (read-only)  \??\R:  msiexec.exe (2x)
File opened (read-only)  \??\S:  msiexec.exe (2x)
File opened (read-only)  \??\T:  msiexec.exe (2x)
File opened (read-only)  \??\U:  msiexec.exe (2x)
File opened (read-only)  \??\V:  msiexec.exe (2x)
File opened (read-only)  \??\W:  msiexec.exe (2x)
File opened (read-only)  \??\X:  msiexec.exe (2x)
File opened (read-only)  \??\Y:  msiexec.exe (2x)
File opened (read-only)  \??\Z:  msiexec.exe (2x)
-
Drops file in Windows directory 12 IoCs
description                   ioc                                                                    Process
File opened for modification  C:\Windows\Installer\MSIC15D.tmp                                       msiexec.exe
File opened for modification  C:\Windows\Installer\MSIC1BC.tmp                                       msiexec.exe
File created                  C:\Windows\Installer\e57beac.msi                                       msiexec.exe
File opened for modification  C:\Windows\Installer\e57beac.msi                                       msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log               msiexec.exe
File opened for modification  C:\Windows\Installer\MSIBF0A.tmp                                       msiexec.exe
File opened for modification  C:\Windows\Installer\MSIC289.tmp                                       msiexec.exe
File opened for modification  C:\Windows\Installer\MSIC2D8.tmp                                       msiexec.exe
File opened for modification  C:\Windows\Installer\MSIC1EB.tmp                                       msiexec.exe
File opened for modification  C:\Windows\Installer\                                                  msiexec.exe
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                         msiexec.exe
File created                  C:\Windows\Installer\SourceHash{7SWQRLTW-SNSK-YNGS-SEJ7-LO7R6ADS5SLJ}  msiexec.exe
All of these paths are the Installer service's own bookkeeping: e57beac.msi is the cached copy of the package, the .ipi file and the SourceHash{...} file record the in-progress install and its source, and the MSIxxxx.tmp files under C:\Windows\Installer are where the service writes embedded binaries (custom action DLLs and similar) before using them. The write to ngen.log is consistent with a .NET native-image generation step running during the install. None of this is unusual for an MSI; what matters is the content of the extracted .tmp files, which this report does not show.
-
Loads dropped DLL 5 IoCs
pid   Process
4704  MsiExec.exe (5 loads; the report does not name the DLLs)
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid  Process
848  msiexec.exe
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                            Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
The reader is PID 4704, the custom action server. Reading the NLS\Language key is routine for any localized installer and is a weak signal on its own; it becomes interesting only if the install later branches on the result (for example, aborting for particular locales), which this report does not show.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
3840  msiexec.exe (2x)
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
description                                                           pid   Process
Token: SeShutdownPrivilege (2x)                                       848   msiexec.exe
Token: SeIncreaseQuotaPrivilege (2x)                                  848   msiexec.exe
Token: SeCreateTokenPrivilege                                         848   msiexec.exe
Token: SeAssignPrimaryTokenPrivilege                                  848   msiexec.exe
Token: SeLockMemoryPrivilege                                          848   msiexec.exe
Token: SeMachineAccountPrivilege                                      848   msiexec.exe
Token: SeTcbPrivilege                                                 848   msiexec.exe
Token: SeSecurityPrivilege                                            848   msiexec.exe
Token: SeTakeOwnershipPrivilege                                       848   msiexec.exe
Token: SeLoadDriverPrivilege                                          848   msiexec.exe
Token: SeSystemProfilePrivilege                                       848   msiexec.exe
Token: SeSystemtimePrivilege                                          848   msiexec.exe
Token: SeProfSingleProcessPrivilege                                   848   msiexec.exe
Token: SeIncBasePriorityPrivilege                                     848   msiexec.exe
Token: SeCreatePagefilePrivilege                                      848   msiexec.exe
Token: SeCreatePermanentPrivilege                                     848   msiexec.exe
Token: SeBackupPrivilege                                              848   msiexec.exe
Token: SeRestorePrivilege                                             848   msiexec.exe
Token: SeDebugPrivilege                                               848   msiexec.exe
Token: SeAuditPrivilege                                               848   msiexec.exe
Token: SeSystemEnvironmentPrivilege                                   848   msiexec.exe
Token: SeChangeNotifyPrivilege                                        848   msiexec.exe
Token: SeRemoteShutdownPrivilege                                      848   msiexec.exe
Token: SeUndockPrivilege                                              848   msiexec.exe
Token: SeSyncAgentPrivilege                                           848   msiexec.exe
Token: SeEnableDelegationPrivilege                                    848   msiexec.exe
Token: SeManageVolumePrivilege                                        848   msiexec.exe
Token: SeImpersonatePrivilege                                         848   msiexec.exe
Token: SeCreateGlobalPrivilege                                        848   msiexec.exe
Token: SeSecurityPrivilege                                            3840  msiexec.exe
Token: SeRestorePrivilege / SeTakeOwnershipPrivilege, alternating, 9 of each  3840  msiexec.exe
PID 848 accounts for 31 of the 50 entries and PID 3840 for 19. The sweep by the client process over almost the full set of Windows privilege names is how msiexec starts on any package, and AdjustTokenPrivileges can only enable privileges the token already holds, so a request to enable SeDebugPrivilege or SeTcbPrivilege from a non-elevated client does not mean the process obtained them. The service's repeated SeRestore/SeTakeOwnership toggling accompanies its file operations. Neither pattern is specific to this sample.
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid  Process
848  msiexec.exe (2x)
-
Suspicious use of WriteProcessMemory 3 IoCs
description                     pid   Process      procid_target
PID 3840 wrote to memory of 4704  3840  msiexec.exe  84
PID 3840 wrote to memory of 4704  3840  msiexec.exe  84
PID 3840 wrote to memory of 4704  3840  msiexec.exe  84
Processes
-
C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6a369bbf57598496320767f720032cb17700d6239ec4909e001a116923b13ad6.msi
  PID: 848
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  PID: 3840
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 9E2DF4B71A33E3F736C305B557F48359
      PID: 4704
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
The three processes play the standard Windows Installer roles. PID 848 is the client started with the package (/I); it is not the parent of the other two. PID 3840 is the Windows Installer service instance (msiexec.exe /V), which performs the file and registry work and writes the C:\Windows\Installer artifacts. PID 4704 is the custom action server the service spawns (MsiExec.exe -Embedding <GUID>); the syswow64 path means it is the 32-bit build, so the package carries 32-bit custom action code, and this is the process in which the five dropped DLLs were loaded and the NLS\Language key was read. If anything in this package is malicious, it runs inside PID 4704.
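Because every MSI install produces this same client / service / custom-action-server shape, detection has to key on what is unusual for the chain rather than on the chain itself. The Python below is an added example and is not part of this report or of any sandbox vendor's tooling. It correlates process-creation and image-load records constructed to mirror the tree above and flags two things: a package launched from a user-writable temp directory, and a custom action server loading binaries the service extracted to C:\Windows\Installer\MSIxxxx.tmp. The record schema, the parent PIDs given for 848 and 3840, and the specific .tmp paths attributed to PID 4704 are assumptions; the report only states that PID 4704 loaded five dropped DLLs.

```python
"""Correlate msiexec process and image-load events into the MSI install chain.

Added example, not part of the sandbox report. The records below are
constructed to mirror the report's process tree (PIDs 848, 3840, 4704); the
field layout is an assumed, simplified schema, not a real Sysmon/EDR export.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


@dataclass(frozen=True)
class LoadEvent:
    pid: int
    path: str


# msiexec /i|/package|/x|/a <package>; the package path may be quoted.
PACKAGE_ARG = re.compile(r'(?:^|\s)[/-](?:i|package|x|a)\s+"?(.+?\.msi)"?(?=\s|$)', re.IGNORECASE)
# Package sitting in a user-writable temp directory.
USER_TEMP = re.compile(r'\\Users\\[^\\]+\\AppData\\Local\\Temp\\', re.IGNORECASE)
# Binaries the Installer service extracts before handing them to a custom action.
INSTALLER_TMP = re.compile(r'^C:\\Windows\\Installer\\MSI[0-9A-F]{1,4}\.tmp$', re.IGNORECASE)

SAMPLE_MSI = (r'C:\Users\Admin\AppData\Local\Temp'
              r'\6a369bbf57598496320767f720032cb17700d6239ec4909e001a116923b13ad6.msi')

# Constructed events. Parent PIDs of 848 and 3840 are assumed (the report does not give them).
PROC_EVENTS = [
    ProcEvent(848, 4000, r'C:\Windows\system32\msiexec.exe', 'msiexec.exe /I ' + SAMPLE_MSI),
    ProcEvent(3840, 652, r'C:\Windows\system32\msiexec.exe', r'C:\Windows\system32\msiexec.exe /V'),
    ProcEvent(4704, 3840, r'C:\Windows\syswow64\MsiExec.exe',
              r'C:\Windows\syswow64\MsiExec.exe -Embedding 9E2DF4B71A33E3F736C305B557F48359'),
]
# Which .tmp files PID 4704 loaded is assumed; msi.dll is a routine system load that must not fire.
LOAD_EVENTS = [
    LoadEvent(4704, r'C:\Windows\Installer\MSIC15D.tmp'),
    LoadEvent(4704, r'C:\Windows\Installer\MSIC1BC.tmp'),
    LoadEvent(4704, r'C:\Windows\system32\msi.dll'),
]


def msi_package_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the .msi path passed to msiexec, or None for service/CA-server command lines."""
    m = PACKAGE_ARG.search(cmdline)
    return m.group(1) if m else None


def is_installer_service(ev: ProcEvent) -> bool:
    """The Windows Installer service instance runs as 'msiexec.exe /V' with no package."""
    return ev.image.lower().endswith('\\msiexec.exe') and ev.cmdline.strip().lower().endswith(' /v')


def is_custom_action_server(ev: ProcEvent) -> bool:
    """'MsiExec.exe -Embedding <GUID>' is the out-of-process custom action host."""
    return ev.image.lower().endswith('\\msiexec.exe') and ' -embedding ' in ev.cmdline.lower()


def analyze(procs: List[ProcEvent], loads: List[LoadEvent]) -> List[Dict[str, object]]:
    """One finding per suspicious event; an empty list means nothing stood out."""
    by_pid: Dict[int, ProcEvent] = {p.pid: p for p in procs}
    findings: List[Dict[str, object]] = []

    for p in procs:  # rule 1: package launched from a user temp directory
        pkg = msi_package_from_cmdline(p.cmdline)
        if pkg and USER_TEMP.search(pkg):
            findings.append({'rule': 'msi_from_user_temp', 'pid': p.pid, 'detail': pkg})

    for p in procs:  # rule 2: custom action server loading extracted MSI*.tmp binaries
        if not is_custom_action_server(p):
            continue
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        tmp_loads = sorted(l.path for l in loads if l.pid == p.pid and INSTALLER_TMP.match(l.path))
        if tmp_loads:
            findings.append({
                'rule': 'custom_action_dll_loaded',
                'pid': p.pid,
                'wow64': '\\syswow64\\' in p.image.lower(),   # 32-bit CA server, as in the report
                'spawned_by_service': parent is not None and is_installer_service(parent),
                'detail': tmp_loads,
            })
    return findings


def chain_detected(findings: List[Dict[str, object]]) -> bool:
    """True when both halves of the chain seen in this report are present."""
    return {'msi_from_user_temp', 'custom_action_dll_loaded'} <= {f['rule'] for f in findings}


if __name__ == '__main__':
    for f in analyze(PROC_EVENTS, LOAD_EVENTS):
        print(f)
```

Both rules fire on plenty of legitimate software (any MSI run from a download folder that ships a DLL custom action), so the output is a triage hint to pull the MSI*.tmp files and the package's CustomAction table, not a verdict.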
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  618B
MD5       b3b55f742d39f163a4494118c9ab2788
SHA1      d140dfc3dcf6ee04e30f65c998d2bdf473a7b40f
SHA256    1294b4c03b21c354b66e86e6013bb0fc01fdbf1b7d3bcff77f8aa9984f42b787
SHA512    3c520c888fed1d2f352dfd1abfc6fd891ce95dea8033f48d526bbb50e4eaebef44fe00048d8b14aa707d26998135898147b2386c5b8437995cf388c0c821ebe7
-
Filesize  554KB
MD5       3b171ce087bb799aafcbbd93bab27f71
SHA1      7bd69efbc7797bdff5510830ca2cc817c8b86d08
SHA256    bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
SHA512    7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38
-
Filesize  4.5MB
MD5       828eebaef0c334851f2d16987d133114
SHA1      aca1525c7f9a29d3340edfc14e8bf54b062312f0
SHA256    696d4fcc8881c4e86e6aeb06a43b700c1f4e2f300abd2b20312f3196e379e4c3
SHA512    6fd2f4e4b2ae43e3d141ac9676af2680bbad94fb3d7d469cd3d5ed5115b5a851302ef879ff18ae4d6fd0015660ffba8aba3b702bb2fa55b00c0f09767529bd33