Analysis
max time kernel: 46s
max time network: 56s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17-06-2024 16:58
Static task: static1
Behavioral task: behavioral1
  Sample: __x64___setup___x32__/setup.msi
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: __x64___setup___x32__/setup.msi
  Resource: win10v2004-20240226-en
Behavioral task: behavioral3
  Sample: __x64___setup___x32__/setup.msi
  Resource: win11-20240419-en
General
Target: __x64___setup___x32__/setup.msi
Size: 25.2MB
MD5: 9e10d740b32cd15a4fb9a947f911b924
SHA1: 6ed60f2f79f986cbf4cc6ab1076522b9c762c272
SHA256: ce35819b8e52f92738534f2b0c0d468bdade96eba64a41915618ab11c04c994a
SHA512: d793f50e6a417a8c75da3a3e809c9cb2d2724d92600e994a90c4198f47937ad462d1682a5277fcb3f0d6648fee2511a2b43c96ff96e8e6a7bec4e461b6bd7a08
SSDEEP: 393216:o+OBUMu/xfGNU/6EiKJ5q7cPYALEUEZZ5XXMHjmPaKshz8Rk3KRrREZ78t0N:o+FMSuNCXFYHnbBXHaJ8a3wrREit0
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe, msiexec.exe
  description: File opened (read-only)   process: msiexec.exe
  ioc: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  (23 drive roots, every letter except C:, D: and F:; each root appears twice in the event list, once per msiexec.exe process, 46 events in total)
- Drops file in Windows directory (17 IoCs)
  Processes: msiexec.exe
  description                   ioc
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  File opened for modification  C:\Windows\Installer\MSI566D.tmp
  File opened for modification  C:\Windows\Installer\MSI577A.tmp
  File opened for modification  C:\Windows\Installer\MSI6F89.tmp
  File opened for modification  C:\Windows\Installer\
  File created                  C:\Windows\Installer\SourceHash{C44159C1-E286-4356-97E2-AC27693830B3}
  File opened for modification  C:\Windows\Installer\MSI56DB.tmp
  File opened for modification  C:\Windows\Installer\MSI574B.tmp
  File created                  C:\Windows\SystemTemp\~DF36EF0CD1E1BE89A8.TMP
  File created                  C:\Windows\SystemTemp\~DF35033B12B23B86D5.TMP
  File opened for modification  C:\Windows\Installer\MSI9FB3.tmp
  File opened for modification  C:\Windows\Installer\MSI579B.tmp
  File opened for modification  C:\Windows\Installer\MSI6FB9.tmp
  File created                  C:\Windows\Installer\e5755ff.msi
  File opened for modification  C:\Windows\Installer\e5755ff.msi
  File opened for modification  C:\Windows\Installer\MSI574A.tmp
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi
  (all events by msiexec.exe)
- Loads dropped DLL (8 IoCs)
  Processes: MsiExec.exe
  PID 3900 MsiExec.exe (8 events)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: msiexec.exe
  PID 416 msiexec.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (52 IoCs)
  Processes: msiexec.exe (PID 5036), msiexec.exe (PID 416)
  PID 5036 msiexec.exe, 31 token adjustments in this order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 416 msiexec.exe, 21 token adjustments: SeSecurityPrivilege once (early in the sequence), then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating, 10 times each
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: msiexec.exe
  PID 5036 msiexec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: msiexec.exe
  PID 416 msiexec.exe wrote to memory of PID 3900 MsiExec.exe (3 events)
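The two file-system signatures above ("Enumerates connected drives" and "Drops file in Windows directory") can be re-derived from the raw file-open events. The block below is an added example written for this page; it is not the sandbox's own signature code. The one-event-per-line format mirrors the report's IoC rows, the threshold of three non-C: drive roots is an assumption rather than the sandbox's tuning, and the sample events are constructed from the rows above plus some benign noise the rules must ignore.

```python
"""Re-derive two of the report's file-system signatures from raw events.

Added example for this page; it is not the sandbox's own signature code.
The one-event-per-line format mirrors the report's IoC rows, and the
sample events below are constructed from that report.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the report's "Enumerates connected drives"
# and "Drops file in Windows directory" rows (plus benign noise to ignore).
EVENTS = [
    r"File opened (read-only) \??\O: msiexec.exe",
    r"File opened (read-only) \??\H: msiexec.exe",
    r"File opened (read-only) \??\I: msiexec.exe",
    r"File opened (read-only) \??\S: msiexec.exe",
    r"File opened (read-only) \??\V: msiexec.exe",
    r"File opened (read-only) \??\G: msiexec.exe",
    r"File opened (read-only) \??\H: msiexec.exe",          # second msiexec.exe instance
    r"File opened (read-only) \??\C: explorer.exe",         # default drive, ignored
    r"File opened (read-only) \??\D: explorer.exe",         # one extra root: below threshold
    r"File created C:\Windows\Installer\e5755ff.msi msiexec.exe",
    r"File opened for modification C:\Windows\Installer\MSI566D.tmp msiexec.exe",
    r"File created C:\Windows\SystemTemp\~DF36EF0CD1E1BE89A8.TMP msiexec.exe",
    r"File created C:\Users\Admin\AppData\Local\Temp\x.tmp msiexec.exe",  # outside C:\Windows
]

# "File opened (read-only) \??\X: <process>"  -> drive letter, process
DRIVE_ROOT_RE = re.compile(r"^File opened \(read-only\) \\\?\?\\([A-Z]):\s+(\S+)$")
# "File created|opened for modification C:\Windows\... <process>" -> action, path, process
WINDIR_RE = re.compile(
    r"^File (created|opened for modification) (C:\\Windows\\\S*)\s+(\S+)$", re.IGNORECASE
)


def drive_roots_by_process(events):
    """Map each process name to the set of drive-root letters it opened."""
    seen = defaultdict(set)
    for line in events:
        m = DRIVE_ROOT_RE.match(line)
        if m:
            seen[m.group(2)].add(m.group(1))
    return seen


def enumerates_drives(events, threshold=3, ignore=("C",)):
    """'Enumerates connected drives': a process opened the root of at least
    `threshold` distinct drives other than the default C: volume.
    The threshold is an assumption, not the sandbox's tuning."""
    hits = {}
    for proc, letters in drive_roots_by_process(events).items():
        others = sorted(letters - set(ignore))
        if len(others) >= threshold:
            hits[proc] = others
    return hits


def drops_in_windows_dir(events):
    """'Drops file in Windows directory': files created or opened for
    modification under C:\\Windows, grouped by process, in event order."""
    drops = defaultdict(list)
    for line in events:
        m = WINDIR_RE.match(line)
        if m:
            drops[m.group(3)].append(m.group(2))
    return dict(drops)


def matched_signatures(events):
    """Names of the signatures that fire, in the report's order."""
    names = []
    if enumerates_drives(events):
        names.append("Enumerates connected drives")
    if drops_in_windows_dir(events):
        names.append("Drops file in Windows directory")
    return names


if __name__ == "__main__":
    for proc, letters in enumerates_drives(EVENTS).items():
        print(f"{proc}: opened {len(letters)} non-C: drive roots {letters}")
    for proc, paths in drops_in_windows_dir(EVENTS).items():
        print(f"{proc}: {len(paths)} file(s) under C:\\Windows")
    print("signatures:", matched_signatures(EVENTS))
```

Both rules fire on this report, but neither is strong evidence by itself: Windows Installer legitimately probes every volume while costing an installation, and extracting embedded binaries to C:\Windows\Installer\MSIxxxx.tmp and loading them in a MsiExec.exe -Embedding server is how custom-action DLLs normally run. Judge the dropped .tmp files by their hashes (listed under Downloads) rather than by the signature names alone.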
Processes (PIDs taken from the signature rows above)
1. C:\Windows\system32\msiexec.exe (PID 5036)
   command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\__x64___setup___x32__\setup.msi
   - Enumerates connected drives
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
2. C:\Windows\system32\msiexec.exe (PID 416)
   command line: C:\Windows\system32\msiexec.exe /V
   - Enumerates connected drives
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2.1. C:\Windows\syswow64\MsiExec.exe (PID 3900, child of PID 416)
        command line: C:\Windows\syswow64\MsiExec.exe -Embedding 284BEFF37214E1EF7B06A88BEC7317D1
        - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Windows\Installer\MSI566D.tmp
  Filesize: 738KB
  MD5: b158d8d605571ea47a238df5ab43dfaa
  SHA1: bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
  SHA256: ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
  SHA512: 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591
C:\Windows\Installer\MSI577A.tmp
  Filesize: 1.1MB
  MD5: 1a2b237796742c26b11a008d0b175e29
  SHA1: cfd5affcfb3b6fd407e58dfc7187fad4f186ea18
  SHA256: 81e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730
  SHA512: 3135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5
C:\Windows\Installer\MSI6FB9.tmp
  Filesize: 364KB
  MD5: 54d74546c6afe67b3d118c3c477c159a
  SHA1: 957f08beb7e27e657cd83d8ee50388b887935fae
  SHA256: f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611
  SHA512: d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f