6ccb191f7b79cb8967de32761ebb54d141f5bba36cb3bd1f4ea71933c7b46494

Analysis

max time kernel
40s
max time network
50s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
15-06-2024 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

__x64___setup___x32__/setup.msi
Size

24.5MB
MD5

0bd85ea206276e8e5d6ea143c5cb8330
SHA1

75079d986324ff1d4150bf00fd10ea73f43d0a76
SHA256

8bd23057abb6865b761ae9719ea6a66ce97d70225abab2d7b2ddce84e35ca602
SHA512

6ac02552c727394ed9036d5015f8a6652619f9fab7ac8e06ccf5bb301580143e4c24477722cfa8ac7e5082b298e3d8ee72b04a14fbe9ee454a120ba58baf0192
SSDEEP

786432:zDMcQi4FgSUZGaQ5MHnPa4lJQJU8P8uBsTaxsn:zDMQ4KMaQqvu04On

Score

6^/10

execution

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 18 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\SystemTemp\~DF555D57C242D0E340.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{08EA20D6-C92C-411B-B7A1-55B3D80971DA}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI816B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4878.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC0FBEDECD31F9924.TMP	msiexec.exe
File created	C:\Windows\Installer\e574625.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI475A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI47AA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI47FA.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3E503F46F30B8EB8.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI47CA.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA6F649334F61BD2D.TMP	msiexec.exe
File created	C:\Windows\Installer\e574621.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e574621.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI46AE.tmp	msiexec.exe

Loads dropped DLL 6 IoCs

Processes:

MsiExec.exe

pid process

2460 MsiExec.exe
2460 MsiExec.exe
2460 MsiExec.exe
2460 MsiExec.exe
2460 MsiExec.exe
2460 MsiExec.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4496 powershell.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exemsiexec.exe

pid process

4496 powershell.exe
4496 powershell.exe
1196 msiexec.exe
1196 msiexec.exe

pid	process
2460	MsiExec.exe
2460	MsiExec.exe
2460	MsiExec.exe
2460	MsiExec.exe
2460	MsiExec.exe
2460	MsiExec.exe

pid	process
4496	powershell.exe

pid	process
4496	powershell.exe
4496	powershell.exe
1196	msiexec.exe
1196	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	2764	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2764	msiexec.exe
Token: SeSecurityPrivilege	1196	msiexec.exe
Token: SeCreateTokenPrivilege	2764	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2764	msiexec.exe
Token: SeLockMemoryPrivilege	2764	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2764	msiexec.exe
Token: SeMachineAccountPrivilege	2764	msiexec.exe
Token: SeTcbPrivilege	2764	msiexec.exe
Token: SeSecurityPrivilege	2764	msiexec.exe
Token: SeTakeOwnershipPrivilege	2764	msiexec.exe
Token: SeLoadDriverPrivilege	2764	msiexec.exe
Token: SeSystemProfilePrivilege	2764	msiexec.exe
Token: SeSystemtimePrivilege	2764	msiexec.exe
Token: SeProfSingleProcessPrivilege	2764	msiexec.exe
Token: SeIncBasePriorityPrivilege	2764	msiexec.exe
Token: SeCreatePagefilePrivilege	2764	msiexec.exe
Token: SeCreatePermanentPrivilege	2764	msiexec.exe
Token: SeBackupPrivilege	2764	msiexec.exe
Token: SeRestorePrivilege	2764	msiexec.exe
Token: SeShutdownPrivilege	2764	msiexec.exe
Token: SeDebugPrivilege	2764	msiexec.exe
Token: SeAuditPrivilege	2764	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2764	msiexec.exe
Token: SeChangeNotifyPrivilege	2764	msiexec.exe
Token: SeRemoteShutdownPrivilege	2764	msiexec.exe
Token: SeUndockPrivilege	2764	msiexec.exe
Token: SeSyncAgentPrivilege	2764	msiexec.exe
Token: SeEnableDelegationPrivilege	2764	msiexec.exe
Token: SeManageVolumePrivilege	2764	msiexec.exe
Token: SeImpersonatePrivilege	2764	msiexec.exe
Token: SeCreateGlobalPrivilege	2764	msiexec.exe
Token: SeRestorePrivilege	1196	msiexec.exe
Token: SeTakeOwnershipPrivilege	1196	msiexec.exe
Token: SeRestorePrivilege	1196	msiexec.exe
Token: SeTakeOwnershipPrivilege	1196	msiexec.exe
Token: SeRestorePrivilege	1196	msiexec.exe
Token: SeTakeOwnershipPrivilege	1196	msiexec.exe
Token: SeRestorePrivilege	1196	msiexec.exe
Token: SeTakeOwnershipPrivilege	1196	msiexec.exe
Token: SeRestorePrivilege	1196	msiexec.exe
Token: SeTakeOwnershipPrivilege	1196	msiexec.exe
Token: SeRestorePrivilege	1196	msiexec.exe
Token: SeTakeOwnershipPrivilege	1196	msiexec.exe
Token: SeRestorePrivilege	1196	msiexec.exe
Token: SeTakeOwnershipPrivilege	1196	msiexec.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeRestorePrivilege	1196	msiexec.exe
Token: SeTakeOwnershipPrivilege	1196	msiexec.exe
Token: SeRestorePrivilege	1196	msiexec.exe
Token: SeTakeOwnershipPrivilege	1196	msiexec.exe
Token: SeRestorePrivilege	1196	msiexec.exe
Token: SeTakeOwnershipPrivilege	1196	msiexec.exe
Token: SeRestorePrivilege	1196	msiexec.exe
Token: SeTakeOwnershipPrivilege	1196	msiexec.exe
Token: SeRestorePrivilege	1196	msiexec.exe
Token: SeTakeOwnershipPrivilege	1196	msiexec.exe
Token: SeRestorePrivilege	1196	msiexec.exe
Token: SeTakeOwnershipPrivilege	1196	msiexec.exe
Token: SeRestorePrivilege	1196	msiexec.exe
Token: SeTakeOwnershipPrivilege	1196	msiexec.exe
Token: SeRestorePrivilege	1196	msiexec.exe
Token: SeTakeOwnershipPrivilege	1196	msiexec.exe
Token: SeRestorePrivilege	1196	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2764 msiexec.exe
2764 msiexec.exe

pid	process
2764	msiexec.exe
2764	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

msiexec.exeMsiExec.exe

description	pid	process	target process
PID 1196 wrote to memory of 2460	1196	msiexec.exe	MsiExec.exe
PID 1196 wrote to memory of 2460	1196	msiexec.exe	MsiExec.exe
PID 1196 wrote to memory of 2460	1196	msiexec.exe	MsiExec.exe
PID 2460 wrote to memory of 4496	2460	MsiExec.exe	powershell.exe
PID 2460 wrote to memory of 4496	2460	MsiExec.exe	powershell.exe
PID 2460 wrote to memory of 4496	2460	MsiExec.exe	powershell.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\__x64___setup___x32__\setup.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2764

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 46191B3F4E852B0DDD287FABAD5E20C6
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss4950.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi493E.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr493F.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr4940.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e574624.rbs
Filesize
21KB

MD5
6cf743d19ec74b40d422824b0212f30c

SHA1
e493b42ac2b3958d1ae6a57ed3abfea59e579d79

SHA256
bdf56e5675094ca784ed10abced3e3420304d066ebde75c6bd8bc3b235247d1e

SHA512
b788b1b369cd354c42962ab3c854a6c1787efbf5374c2690fcb362c94a6befae0bcf4d889d38832538d11cc2d43ab44f4f77f43b9078595b6aecda43dfd6abc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mmbrx3lp.4lz.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msi493E.txt
Filesize
54B

MD5
9f5bffbb1f8f8340bf45e22a09517ee1

SHA1
a5566c63b3681cd56e3b76ed528449ca33a36cc6

SHA256
4ca8664da66ad8c90ce03725f92bf7571cf86a290a9ec4a073dad293a60836ef

SHA512
8b1b1d13de5aee1748428ffe1ee6131a63e819df8dd42088b7d581ff957adb30e12ba3637e00fac7d7b5aa71a5e35ce09f52772d38f1c441adb19e5e2cd05423

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss4950.ps1
Filesize
6KB

MD5
30c30ef2cb47e35101d13402b5661179

SHA1
25696b2aab86a9233f19017539e2dd83b2f75d4e

SHA256
53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

SHA512
882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr493F.ps1
Filesize
682B

MD5
b32210f90a3fbfd1ef15caee45ebc871

SHA1
91deac74edcf1e6b4c3a81fa322ac76867075c62

SHA256
c2aaabc2c09034d97d1ee67d912f25fe5f966539ea19624f062ece0a5aad606b

SHA512
7b86aaa400b9f3b73720e99d1ae2f7ef3c4f23a7076b33545cdce6b34a003323fa05203193b1127f0bf25d718fe8d4f81ab282df04ba433dc1219e3f9ba4698b

Download Submit
C:\Windows\Installer\MSI46AE.tmp
Filesize
738KB

MD5
b158d8d605571ea47a238df5ab43dfaa

SHA1
bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

SHA256
ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

SHA512
56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

Download Submit
C:\Windows\Installer\MSI4878.tmp
Filesize
758KB

MD5
fb4665320c9da54598321c59cc5ed623

SHA1
89e87b3cc569edd26b5805244cfacb2f9c892bc7

SHA256
9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59

SHA512
b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf

Download Submit
C:\Windows\Installer\e574621.msi
Filesize
24.5MB

MD5
0bd85ea206276e8e5d6ea143c5cb8330

SHA1
75079d986324ff1d4150bf00fd10ea73f43d0a76

SHA256
8bd23057abb6865b761ae9719ea6a66ce97d70225abab2d7b2ddce84e35ca602

SHA512
6ac02552c727394ed9036d5015f8a6652619f9fab7ac8e06ccf5bb301580143e4c24477722cfa8ac7e5082b298e3d8ee72b04a14fbe9ee454a120ba58baf0192

Download Submit
memory/4496-43-0x0000000005C00000-0x0000000005C4C000-memory.dmp

Filesize
304KB

Download
memory/4496-42-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

Filesize
120KB

Download
memory/4496-41-0x0000000005760000-0x0000000005AB7000-memory.dmp

Filesize
3.3MB

Download
memory/4496-32-0x0000000005050000-0x00000000050B6000-memory.dmp

Filesize
408KB

Download
memory/4496-45-0x0000000007340000-0x00000000079BA000-memory.dmp

Filesize
6.5MB

Download
memory/4496-46-0x0000000006120000-0x000000000613A000-memory.dmp

Filesize
104KB

Download
memory/4496-47-0x0000000006EC0000-0x0000000006F56000-memory.dmp

Filesize
600KB

Download
memory/4496-48-0x0000000006B90000-0x0000000006BB2000-memory.dmp

Filesize
136KB

Download
memory/4496-49-0x0000000007F70000-0x0000000008516000-memory.dmp

Filesize
5.6MB

Download
memory/4496-31-0x0000000004FE0000-0x0000000005046000-memory.dmp

Filesize
408KB

Download
memory/4496-30-0x0000000004D40000-0x0000000004D62000-memory.dmp

Filesize
136KB

Download
memory/4496-29-0x00000000050D0000-0x00000000056FA000-memory.dmp

Filesize
6.2MB

Download
memory/4496-28-0x0000000002720000-0x0000000002756000-memory.dmp

Filesize
216KB

Download