Analysis

Max time kernel: 118s
Max time network: 118s
Platform: windows7_x64
Resource: win7-en-20211104
Submitted: 22-11-2021 18:51
(The signatures and process tree below come from this windows7_x64 run.)

Static task: static1

Behavioral task: behavioral1
  Sample: e519d0a4bab2d08e14a5c175d431ce3e.msi
  Resource: win7-en-20211104
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: e519d0a4bab2d08e14a5c175d431ce3e.msi
  Resource: win10-en-20211014
  0 signatures, 0 seconds

General

Target: e519d0a4bab2d08e14a5c175d431ce3e.msi
Size: 6.1MB
MD5: e519d0a4bab2d08e14a5c175d431ce3e
SHA1: 56f8327c426952cb3f85de5927274974c9dc89b8
SHA256: cb3d08dd3044e25627bc2f3e80575495f40fc11442e35a708f3f1eb28b7d82e1
SHA512: 43372e37b07d4586f951c7911df635f375f778f9182583cdaafe8bac38e99d42da32534c445c0f2febdda0153682f83956dbcd573d942127aca8ae162ab4f350
Score: 7/10
Malware Config

Signatures

Loads dropped DLL (4 IoCs)
  PID 2044 MsiExec.exe (4 entries; the report does not name the DLL that was loaded)

Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe, every letter except C: and D:, each listed twice (48 entries):
  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  Note: Windows Installer probes every drive letter while costing any package, so on its own this signature says nothing specific about this sample.

Drops file in System32 directory (1 IoC)
  File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe; the %ProgramData% part is recorded unexpanded, exactly as the sandbox logged it)

Drops file in Windows directory (13 IoCs)
  msiexec.exe (10):
    File opened for modification C:\Windows\Installer\
    File opened for modification C:\Windows\Installer\MSI35DF.tmp
    File opened for modification C:\Windows\Installer\MSI388F.tmp
    File opened for modification C:\Windows\Installer\MSI39A8.tmp
    File opened for modification C:\Windows\Installer\MSI3DBF.tmp
    File opened for modification C:\Windows\Installer\MSI40FC.tmp
    File created, then opened for modification: C:\Windows\Installer\f7634b7.msi
    File created, then opened for modification: C:\Windows\Installer\f7634b9.ipi
  DrvInst.exe (3):
    File opened for modification C:\Windows\INF\setupapi.ev1
    File opened for modification C:\Windows\INF\setupapi.ev3
    File opened for modification C:\Windows\INF\setupapi.dev.log
  Note: C:\Windows\Installer\<hex>.msi is the installer's cached copy of the package, and MSIxxxx.tmp files under that directory are where it extracts Binary-table custom action payloads (DLLs and scripts) before running them. The report does not say which of these PID 2044 loaded.

Modifies data under HKEY_USERS (43 IoCs)
  All by DrvInst.exe, all under \REGISTRY\USER\.DEFAULT\ (DrvInst runs as LocalSystem, whose profile is .DEFAULT).
  Key created (42):
    Software\Microsoft\SystemCertificates\{Root, CA, trust, Disallowed, TrustedPeople, SmartCardRoot}, each with its Certificates, CRLs and CTLs subkeys (24)
    Software\Microsoft\SystemCertificates\My (1)
    Software\Policies\Microsoft\SystemCertificates\{CA, trust, Disallowed, TrustedPeople}, each with its Certificates, CRLs and CTLs subkeys (16)
    Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (1)
  Set value (data) (1):
    SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
    (UTF-16LE REG_MULTI_SZ: "en-US", "en")
  Note: these are the per-profile certificate store keys that get created the first time a process opens the stores; DrvInst.exe does so while verifying the driver package for the volume-snapshot device it is installing. None of them carry sample-specific data.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 1400 msiexec.exe (2), PID 1892 powershell.exe (1)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 660 msiexec.exe (31): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then one sweep of SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 1400 msiexec.exe (20): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, SeBackupPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating
  PID 596 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  PID 1632 DrvInst.exe (10): SeRestorePrivilege (7), SeLoadDriverPrivilege (3)
  Note: AdjustTokenPrivileges can only enable privileges the token already holds, so the 29-privilege sweep by PID 660 records what the installer client asked for, not a privilege escalation by the sample.

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 660 msiexec.exe (2)

Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1400 msiexec.exe wrote to memory of PID 2044 MsiExec.exe (7 entries, procid_target 32)
  PID 2044 MsiExec.exe wrote to memory of PID 1892 powershell.exe (4 entries, procid_target 33)
  Note: both are parent-to-child writes at process creation; they establish the chain 1400 -> 2044 -> 1892 rather than injection into an unrelated process.
Processes

msiexec.exe (PID 660)
  Image: C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e519d0a4bab2d08e14a5c175d431ce3e.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

msiexec.exe (PID 1400)
  Image: C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  MsiExec.exe (PID 2044), child of PID 1400
    Image: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DCAA3CF433B6B7D7A7BAC1522E29B6DC
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    powershell.exe (PID 1892), child of PID 2044
      Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss4157.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi4144.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr4145.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr4156.txt" -propSep " :<->: " -testPrefix "_testValue."
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses

vssvc.exe (PID 596)
  Image: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

DrvInst.exe (PID 1632)
  Image: C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot13" "" "" "66d15495b" "0000000000000000" "0000000000000554" "00000000000003D4"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: PID 660 is the user-side installer client and PID 1400 (msiexec /V) is the Windows Installer service. PID 2044, started by the service with -Embedding <GUID>, is the custom action server; because it is the syswow64 build, the custom action is 32-bit, and so is the powershell.exe it launches. That PowerShell runs with -ExecutionPolicy Bypass on a launcher script written to the user's Temp directory (pss4157.ps1) which is handed a second script (scr4145.ps1), a property file and an argument file. None of their contents appear in this report, so those four Temp files are the artifacts to retrieve before deciding what the package actually does. vssvc.exe and DrvInst.exe (installing the STORAGE\VolumeSnapshot device) are consistent with the shadow copy taken for the system restore point Windows Installer creates before an install; nothing in the report ties them to the package's custom actions.
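The chain worth detecting here is installer service (msiexec /V) -> custom action server (MsiExec.exe -Embedding) -> powershell.exe with -ExecutionPolicy Bypass -File on a script in the user's Temp directory. The following Python is an added example by the editor, not part of the report or of any sandbox's code. It encodes the process records above as constructed input (parent links follow the tree nesting, which is all the report gives), tokenizes the Windows command lines, and returns one finding per PowerShell started from a custom action, including every Temp file named on its command line so an analyst knows what to pull. The launcher argument set (-propFile, -scriptFile, -scriptArgsFile, -propSep, -testPrefix) matches what the open-source PowerShellWixExtension custom action generates; that identification is the editor's assumption, not something the report states, and the detector does not depend on it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]  # None where the report shows no parent
    image: str
    cmdline: str


# Constructed from the Processes section of the report above. Parent links follow
# the tree nesting shown there (1400 -> 2044 -> 1892); no parent is given for the rest.
REPORT_PROCESSES: List[Proc] = [
    Proc(660, None, r"C:\Windows\system32\msiexec.exe",
         r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e519d0a4bab2d08e14a5c175d431ce3e.msi"),
    Proc(1400, None, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    Proc(2044, 1400, r"C:\Windows\syswow64\MsiExec.exe",
         r"C:\Windows\syswow64\MsiExec.exe -Embedding DCAA3CF433B6B7D7A7BAC1522E29B6DC"),
    Proc(1892, 2044, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss4157.ps1" '
         r'-propFile "C:\Users\Admin\AppData\Local\Temp\msi4144.txt" '
         r'-scriptFile "C:\Users\Admin\AppData\Local\Temp\scr4145.ps1" '
         r'-scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr4156.txt" '
         r'-propSep " :<->: " -testPrefix "_testValue."'),
    Proc(596, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    Proc(1632, None, r"C:\Windows\system32\DrvInst.exe",
         r'DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot13" "" "" "66d15495b" '
         r'"0000000000000000" "0000000000000554" "00000000000003D4"'),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace; a double-quoted span (which may
    contain spaces or be empty) becomes one token without its quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def powershell_args(tokens: List[str]) -> Dict[str, object]:
    """Fold '-Name value' pairs into a dict keyed by lower-cased name; switches
    without a value (-NoProfile, -Noninteractive) map to True."""
    args: Dict[str, object] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            name = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                args[name] = tokens[i + 1]
                i += 2
                continue
            args[name] = True
        i += 1
    return args


def is_custom_action_server(p: Proc) -> bool:
    """The installer service hosts custom actions in a separate MsiExec.exe that
    it starts with '-Embedding <GUID>'."""
    return p.image.lower().endswith("\\msiexec.exe") and "-embedding" in p.cmdline.lower()


def is_installer_service(p: Proc) -> bool:
    return p.image.lower().endswith("\\msiexec.exe") and p.cmdline.lower().rstrip().endswith(" /v")


def find_msi_powershell_actions(procs: List[Proc]) -> List[Dict[str, object]]:
    """One finding per powershell.exe whose parent is an MSI custom action server:
    the script, the execution policy, and every argument pointing into the user's
    Temp directory (the files to pull from the sandbox, since the report shows
    only the launcher command line, not the script bodies)."""
    by_pid = {p.pid: p for p in procs}
    findings: List[Dict[str, object]] = []
    for p in procs:
        if not p.image.lower().endswith("\\powershell.exe"):
            continue
        parent = by_pid.get(p.ppid)
        if parent is None or not is_custom_action_server(parent):
            continue
        grandparent = by_pid.get(parent.ppid)
        args = powershell_args(split_cmdline(p.cmdline))
        script = args.get("file")
        findings.append({
            "pid": p.pid,
            "custom_action_server_pid": parent.pid,
            "installer_service_pid": grandparent.pid if grandparent and is_installer_service(grandparent) else None,
            "execution_policy": args.get("executionpolicy"),
            "script": script,
            "script_in_temp": bool(isinstance(script, str) and _TEMP_DIR.search(script)),
            "temp_files": sorted(v for v in args.values() if isinstance(v, str) and _TEMP_DIR.search(v)),
        })
    return findings


if __name__ == "__main__":
    for finding in find_msi_powershell_actions(REPORT_PROCESSES):
        print(finding)
```

The parent check is what keeps this from being a generic "PowerShell with Bypass" rule: an installer that legitimately runs a signed script from its own directory would still be reported, but the installer_service_pid field lets you confirm the full service -> custom action server -> PowerShell ancestry before escalating. On real EDR or Sysmon data, fill ppid from the telemetry instead of from a sandbox tree.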