d1a0115f4afe30d9a973cb18bf95d34b67b2d548b4d49989fd0e36399dc562d0

Resubmissions

23-06-2024 14:14

240623-rj8ymsxdnn 10

17-06-2024 16:58

240617-vg68tazhkm 10

Analysis

max time kernel
46s
max time network
56s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
17-06-2024 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

__x64___setup___x32__/setup.msi
Size

25.2MB
MD5

9e10d740b32cd15a4fb9a947f911b924
SHA1

6ed60f2f79f986cbf4cc6ab1076522b9c762c272
SHA256

ce35819b8e52f92738534f2b0c0d468bdade96eba64a41915618ab11c04c994a
SHA512

d793f50e6a417a8c75da3a3e809c9cb2d2724d92600e994a90c4198f47937ad462d1682a5277fcb3f0d6648fee2511a2b43c96ff96e8e6a7bec4e461b6bd7a08
SSDEEP

393216:o+OBUMu/xfGNU/6EiKJ5q7cPYALEUEZZ5XXMHjmPaKshz8Rk3KRrREZ78t0N:o+FMSuNCXFYHnbBXHaJ8a3wrREit0

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 17 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI566D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI577A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F89.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C44159C1-E286-4356-97E2-AC27693830B3}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI56DB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI574B.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF36EF0CD1E1BE89A8.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF35033B12B23B86D5.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9FB3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI579B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6FB9.tmp	msiexec.exe
File created	C:\Windows\Installer\e5755ff.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5755ff.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI574A.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Loads dropped DLL 8 IoCs

Processes:

MsiExec.exe

pid process

3900 MsiExec.exe
3900 MsiExec.exe
3900 MsiExec.exe
3900 MsiExec.exe
3900 MsiExec.exe
3900 MsiExec.exe
3900 MsiExec.exe
3900 MsiExec.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

416 msiexec.exe
416 msiexec.exe

pid	process
3900	MsiExec.exe
3900	MsiExec.exe
3900	MsiExec.exe
3900	MsiExec.exe
3900	MsiExec.exe
3900	MsiExec.exe
3900	MsiExec.exe
3900	MsiExec.exe

pid	process
416	msiexec.exe
416	msiexec.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	5036	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5036	msiexec.exe
Token: SeSecurityPrivilege	416	msiexec.exe
Token: SeCreateTokenPrivilege	5036	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5036	msiexec.exe
Token: SeLockMemoryPrivilege	5036	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5036	msiexec.exe
Token: SeMachineAccountPrivilege	5036	msiexec.exe
Token: SeTcbPrivilege	5036	msiexec.exe
Token: SeSecurityPrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeLoadDriverPrivilege	5036	msiexec.exe
Token: SeSystemProfilePrivilege	5036	msiexec.exe
Token: SeSystemtimePrivilege	5036	msiexec.exe
Token: SeProfSingleProcessPrivilege	5036	msiexec.exe
Token: SeIncBasePriorityPrivilege	5036	msiexec.exe
Token: SeCreatePagefilePrivilege	5036	msiexec.exe
Token: SeCreatePermanentPrivilege	5036	msiexec.exe
Token: SeBackupPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeShutdownPrivilege	5036	msiexec.exe
Token: SeDebugPrivilege	5036	msiexec.exe
Token: SeAuditPrivilege	5036	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5036	msiexec.exe
Token: SeChangeNotifyPrivilege	5036	msiexec.exe
Token: SeRemoteShutdownPrivilege	5036	msiexec.exe
Token: SeUndockPrivilege	5036	msiexec.exe
Token: SeSyncAgentPrivilege	5036	msiexec.exe
Token: SeEnableDelegationPrivilege	5036	msiexec.exe
Token: SeManageVolumePrivilege	5036	msiexec.exe
Token: SeImpersonatePrivilege	5036	msiexec.exe
Token: SeCreateGlobalPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	416	msiexec.exe
Token: SeTakeOwnershipPrivilege	416	msiexec.exe
Token: SeRestorePrivilege	416	msiexec.exe
Token: SeTakeOwnershipPrivilege	416	msiexec.exe
Token: SeRestorePrivilege	416	msiexec.exe
Token: SeTakeOwnershipPrivilege	416	msiexec.exe
Token: SeRestorePrivilege	416	msiexec.exe
Token: SeTakeOwnershipPrivilege	416	msiexec.exe
Token: SeRestorePrivilege	416	msiexec.exe
Token: SeTakeOwnershipPrivilege	416	msiexec.exe
Token: SeRestorePrivilege	416	msiexec.exe
Token: SeTakeOwnershipPrivilege	416	msiexec.exe
Token: SeRestorePrivilege	416	msiexec.exe
Token: SeTakeOwnershipPrivilege	416	msiexec.exe
Token: SeRestorePrivilege	416	msiexec.exe
Token: SeTakeOwnershipPrivilege	416	msiexec.exe
Token: SeRestorePrivilege	416	msiexec.exe
Token: SeTakeOwnershipPrivilege	416	msiexec.exe
Token: SeRestorePrivilege	416	msiexec.exe
Token: SeTakeOwnershipPrivilege	416	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

5036 msiexec.exe

pid	process
5036	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 416 wrote to memory of 3900	416	msiexec.exe	MsiExec.exe
PID 416 wrote to memory of 3900	416	msiexec.exe	MsiExec.exe
PID 416 wrote to memory of 3900	416	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\__x64___setup___x32__\setup.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5036

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 284BEFF37214E1EF7B06A88BEC7317D1
2⤵
- Loads dropped DLL
PID:3900

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI566D.tmp
Filesize
738KB

MD5
b158d8d605571ea47a238df5ab43dfaa

SHA1
bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

SHA256
ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

SHA512
56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

Download Submit
C:\Windows\Installer\MSI577A.tmp
Filesize
1.1MB

MD5
1a2b237796742c26b11a008d0b175e29

SHA1
cfd5affcfb3b6fd407e58dfc7187fad4f186ea18

SHA256
81e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730

SHA512
3135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5

Download Submit
C:\Windows\Installer\MSI6FB9.tmp
Filesize
364KB

MD5
54d74546c6afe67b3d118c3c477c159a

SHA1
957f08beb7e27e657cd83d8ee50388b887935fae

SHA256
f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611

SHA512
d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

Download Submit