Analysis

  • max time kernel
    94s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/01/2025, 14:57

General

  • Target

    6a369bbf57598496320767f720032cb17700d6239ec4909e001a116923b13ad6.msi

  • Size

    5.5MB

  • MD5

    02fa1519052c14325f5f2dd46a79f47c

  • SHA1

    424bb2c61d0e7e21f38b278d4908801cc64f466d

  • SHA256

    6a369bbf57598496320767f720032cb17700d6239ec4909e001a116923b13ad6

  • SHA512

    02fa8208bf38ab9559014875f5ffe610997e2dd9ba46af3d746fb6d849eda54d8ef544b88a0b6d9274cd031f58faf8ac332f74d449948c813ffb70e4759d6e05

  • SSDEEP

    49152:kdfxM35NBCVbnGImqB+bhbSMv4P59TlN0j+G6/jwPX/7dCF0FBAALKiHKXrxpSVu:t5Q364jjwv/7+ZuKi20

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Loads dropped DLL 5 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6a369bbf57598496320767f720032cb17700d6239ec4909e001a116923b13ad6.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:848
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3840
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 9E2DF4B71A33E3F736C305B557F48359
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4704

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Config.Msi\e57beaf.rbs

          Filesize

          618B

          MD5

          b3b55f742d39f163a4494118c9ab2788

          SHA1

          d140dfc3dcf6ee04e30f65c998d2bdf473a7b40f

          SHA256

          1294b4c03b21c354b66e86e6013bb0fc01fdbf1b7d3bcff77f8aa9984f42b787

          SHA512

          3c520c888fed1d2f352dfd1abfc6fd891ce95dea8033f48d526bbb50e4eaebef44fe00048d8b14aa707d26998135898147b2386c5b8437995cf388c0c821ebe7

        • C:\Windows\Installer\MSIBF0A.tmp

          Filesize

          554KB

          MD5

          3b171ce087bb799aafcbbd93bab27f71

          SHA1

          7bd69efbc7797bdff5510830ca2cc817c8b86d08

          SHA256

          bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

          SHA512

          7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

        • C:\Windows\Installer\MSIC2D8.tmp

          Filesize

          4.5MB

          MD5

          828eebaef0c334851f2d16987d133114

          SHA1

          aca1525c7f9a29d3340edfc14e8bf54b062312f0

          SHA256

          696d4fcc8881c4e86e6aeb06a43b700c1f4e2f300abd2b20312f3196e379e4c3

          SHA512

          6fd2f4e4b2ae43e3d141ac9676af2680bbad94fb3d7d469cd3d5ed5115b5a851302ef879ff18ae4d6fd0015660ffba8aba3b702bb2fa55b00c0f09767529bd33

        • memory/4704-26-0x0000000074540000-0x00000000749CB000-memory.dmp

          Filesize

          4.5MB