60a7462362c166a19f7b21254568c90c3d4ef5d27b624f68254180c0d4e01e3b

Analysis

max time kernel
121s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06/02/2025, 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60a7462362c166a19f7b21254568c90c3d4ef5d27b624f68254180c0d4e01e3b.msi
Size

2.9MB
MD5

73f95f387f28c4076c731baaf9e0aa2f
SHA1

7ad11a552545d11065bf318a6d631a1c4c441fd4
SHA256

60a7462362c166a19f7b21254568c90c3d4ef5d27b624f68254180c0d4e01e3b
SHA512

f5a1c75f1c6c56319787c458e12b9059252e4ee4c2f9c5e8b6269a03c559cdb85669581443ab434948f5378c8dd7ccd0ae2922cfe1ea6388f13b8fd087c714a9
SSDEEP

49152:m+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:m+lUlz9FKbsodq0YaH7ZPxMb8tT

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2760	msiexec.exe
5	2760	msiexec.exe
7	2760	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2760	msiexec.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2760	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2680	msiexec.exe
Token: SeTakeOwnershipPrivilege	2680	msiexec.exe
Token: SeSecurityPrivilege	2680	msiexec.exe
Token: SeCreateTokenPrivilege	2760	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2760	msiexec.exe
Token: SeLockMemoryPrivilege	2760	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2760	msiexec.exe
Token: SeMachineAccountPrivilege	2760	msiexec.exe
Token: SeTcbPrivilege	2760	msiexec.exe
Token: SeSecurityPrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeLoadDriverPrivilege	2760	msiexec.exe
Token: SeSystemProfilePrivilege	2760	msiexec.exe
Token: SeSystemtimePrivilege	2760	msiexec.exe
Token: SeProfSingleProcessPrivilege	2760	msiexec.exe
Token: SeIncBasePriorityPrivilege	2760	msiexec.exe
Token: SeCreatePagefilePrivilege	2760	msiexec.exe
Token: SeCreatePermanentPrivilege	2760	msiexec.exe
Token: SeBackupPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeShutdownPrivilege	2760	msiexec.exe
Token: SeDebugPrivilege	2760	msiexec.exe
Token: SeAuditPrivilege	2760	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2760	msiexec.exe
Token: SeChangeNotifyPrivilege	2760	msiexec.exe
Token: SeRemoteShutdownPrivilege	2760	msiexec.exe
Token: SeUndockPrivilege	2760	msiexec.exe
Token: SeSyncAgentPrivilege	2760	msiexec.exe
Token: SeEnableDelegationPrivilege	2760	msiexec.exe
Token: SeManageVolumePrivilege	2760	msiexec.exe
Token: SeImpersonatePrivilege	2760	msiexec.exe
Token: SeCreateGlobalPrivilege	2760	msiexec.exe
Token: SeBackupPrivilege	2312	vssvc.exe
Token: SeRestorePrivilege	2312	vssvc.exe
Token: SeAuditPrivilege	2312	vssvc.exe
Token: SeBackupPrivilege	2680	msiexec.exe
Token: SeRestorePrivilege	2680	msiexec.exe
Token: SeRestorePrivilege	696	msiexec.exe
Token: SeTakeOwnershipPrivilege	696	msiexec.exe
Token: SeSecurityPrivilege	696	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2760	msiexec.exe
2760	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2456	2680	msiexec.exe	34
PID 2680 wrote to memory of 2456	2680	msiexec.exe	34
PID 2680 wrote to memory of 2456	2680	msiexec.exe	34

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\60a7462362c166a19f7b21254568c90c3d4ef5d27b624f68254180c0d4e01e3b.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2760

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2680 -s 808
  2⤵
  PID:2456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabEEF3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF05D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads