Analysis
- Max time kernel: 147s
- Max time network: 120s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 28/01/2022, 18:16
Static task
- static1
Behavioral task
- behavioral1
  - Sample: cd7bb7396f21c88742fefb278e6e7c9a564dfe109b434494d159518175739c40.msi
  - Resource: win7-en-20211208
Behavioral task
- behavioral2
  - Sample: cd7bb7396f21c88742fefb278e6e7c9a564dfe109b434494d159518175739c40.msi
  - Resource: win10-en-20211208
General
- Target: cd7bb7396f21c88742fefb278e6e7c9a564dfe109b434494d159518175739c40.msi
- Size: 372KB
- MD5: 4acd155b901884134f01b383eb035c23
- SHA1: 63aeb16b5d001cbd94b636e9f557fe97b8467c8d
- SHA256: cd7bb7396f21c88742fefb278e6e7c9a564dfe109b434494d159518175739c40
- SHA512: e1dcd24397793fcf8d9e3575d2f37ccf4323c90f50dafeb36ae4d9f8f8dc98ed49435f38d0269a38db0a491b52bb6c693038c24764201527b24a232d75462047
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  pid   Process
  1332  MSIF53A.tmp
-
Loads dropped DLL (5 IoCs)
  pid   Process
  1332  MSIF53A.tmp
  1684  rundll32.exe (4 events)
-
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              Process      ioc
  File opened (read-only)  msiexec.exe  \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
  (each drive letter opened twice, 48 events in total; C: and D: do not appear in the list)
Note: every one of these opens comes from msiexec.exe. Windows Installer probes all drive letters during its costing phase, so this signature fires for benign MSI packages as well and carries little weight on its own in this report.
-
Drops file in Windows directory (9 IoCs)
  description                   ioc                                    Process
  File opened for modification  C:\Windows\Installer\MSIF53A.tmp       msiexec.exe
  File opened for modification  C:\Windows\INF\setupapi.ev3            DrvInst.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log        DrvInst.exe
  File created                  C:\Windows\Installer\f76f142.msi       msiexec.exe
  File opened for modification  C:\Windows\Installer\f76f142.msi       msiexec.exe
  File created                  C:\Windows\Installer\f76f144.ipi       msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIF4BB.tmp       msiexec.exe
  File opened for modification  C:\Windows\INF\setupapi.ev1            DrvInst.exe
  File opened for modification  C:\Windows\Installer\                  msiexec.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: the only storage-device activity in this run is DrvInst.exe (PID 808) handling STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14 alongside vssvc.exe (PID 1988). That is consistent with Windows Installer creating a system restore point (a VSS snapshot) before the install rather than with file encryption, so the generic "ransomware" wording of this signature should be read against that context; nothing else in the report points to encryption activity.
-
NSIS installer (4 IoCs)
  resource                                    yara_rule
  behavioral1/files/0x0006000000013980-79.dat  nsis_installer_1
  behavioral1/files/0x0006000000013980-79.dat  nsis_installer_2
  behavioral1/files/0x0006000000013980-81.dat  nsis_installer_1
  behavioral1/files/0x0006000000013980-81.dat  nsis_installer_2
Note: the YARA hits are on files dropped during behavioral1. The only dropped executable that runs is C:\Windows\Installer\MSIF53A.tmp, so the MSI is most likely a wrapper around an NSIS-built installer that carries the real payload.
-
Modifies data under HKEY_USERS (43 IoCs)
All 43 events are from DrvInst.exe (PID 808). 42 are "Key created" under \REGISTRY\USER\.DEFAULT (the LocalSystem profile), one is a "Set value (data)".
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (UTF-16LE REG_MULTI_SZ: "en-US", "en")
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
Note: these are the empty certificate-store keys (Root, CA, Disallowed, trust, TrustedPeople, SmartCardRoot, My, plus the WinTrust Software Publishing key) that CryptoAPI creates on first use when a process running as LocalSystem verifies an Authenticode signature, here DrvInst.exe checking the volume-snapshot driver package. No certificate or CRL data is written, so this is not a trust-store tampering or persistence artefact.
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  732   msiexec.exe (2 events)
  1192  powershell.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1712  msiexec.exe
-
Suspicious use of AdjustPrivilegeToken (60 IoCs)
  Token                           pid   Process
  SeShutdownPrivilege             1712  msiexec.exe
  SeIncreaseQuotaPrivilege        1712  msiexec.exe
  SeRestorePrivilege              732   msiexec.exe
  SeTakeOwnershipPrivilege        732   msiexec.exe
  SeSecurityPrivilege             732   msiexec.exe
  SeCreateTokenPrivilege          1712  msiexec.exe
  SeAssignPrimaryTokenPrivilege   1712  msiexec.exe
  SeLockMemoryPrivilege           1712  msiexec.exe
  SeIncreaseQuotaPrivilege        1712  msiexec.exe
  SeMachineAccountPrivilege       1712  msiexec.exe
  SeTcbPrivilege                  1712  msiexec.exe
  SeSecurityPrivilege             1712  msiexec.exe
  SeTakeOwnershipPrivilege        1712  msiexec.exe
  SeLoadDriverPrivilege           1712  msiexec.exe
  SeSystemProfilePrivilege        1712  msiexec.exe
  SeSystemtimePrivilege           1712  msiexec.exe
  SeProfSingleProcessPrivilege    1712  msiexec.exe
  SeIncBasePriorityPrivilege      1712  msiexec.exe
  SeCreatePagefilePrivilege       1712  msiexec.exe
  SeCreatePermanentPrivilege      1712  msiexec.exe
  SeBackupPrivilege               1712  msiexec.exe
  SeRestorePrivilege              1712  msiexec.exe
  SeShutdownPrivilege             1712  msiexec.exe
  SeDebugPrivilege                1712  msiexec.exe
  SeAuditPrivilege                1712  msiexec.exe
  SeSystemEnvironmentPrivilege    1712  msiexec.exe
  SeChangeNotifyPrivilege         1712  msiexec.exe
  SeRemoteShutdownPrivilege       1712  msiexec.exe
  SeUndockPrivilege               1712  msiexec.exe
  SeSyncAgentPrivilege            1712  msiexec.exe
  SeEnableDelegationPrivilege     1712  msiexec.exe
  SeManageVolumePrivilege         1712  msiexec.exe
  SeImpersonatePrivilege          1712  msiexec.exe
  SeCreateGlobalPrivilege         1712  msiexec.exe
  SeBackupPrivilege               1988  vssvc.exe
  SeRestorePrivilege              1988  vssvc.exe
  SeAuditPrivilege                1988  vssvc.exe
  SeBackupPrivilege               732   msiexec.exe
  SeRestorePrivilege              732   msiexec.exe
  SeRestorePrivilege              808   DrvInst.exe (7 events)
  SeLoadDriverPrivilege           808   DrvInst.exe (3 events)
  SeRestorePrivilege              732   msiexec.exe (4 events, alternating with the next row)
  SeTakeOwnershipPrivilege        732   msiexec.exe (4 events)
  33 (LUID 33, SeIncreaseWorkingSetPrivilege)  1684  rundll32.exe
  SeIncBasePriorityPrivilege      1684  rundll32.exe
  SeDebugPrivilege                1192  powershell.exe
Note: the long run for PID 1712 is the client-side msiexec.exe enabling essentially every privilege present in its token in one pass, which appears in sandbox traces of benign MSI packages too. The backup/restore privileges on PID 732, vssvc.exe and DrvInst.exe belong to the install and the restore-point snapshot. The rows that actually concern the payload are the two for rundll32.exe (PID 1684) and SeDebugPrivilege for powershell.exe (PID 1192).
-
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  1712  msiexec.exe
-
Suspicious use of WriteProcessMemory (23 IoCs)
  pid   Process       wrote to  procid_target  events
  732   msiexec.exe   1332      33             4
  1332  MSIF53A.tmp   1704      34             4
  1704  cmd.exe       1684      36             7
  1684  rundll32.exe  1816      37             4
  1816  cmd.exe       1192      39             4
Note: every write here is from a parent into the child it has just created (the writes Windows performs while setting up a new process), so this table simply mirrors the process tree below. It is not evidence of code injection into an unrelated process.
Processes
- C:\Windows\system32\msiexec.exe (PID 1712)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cd7bb7396f21c88742fefb278e6e7c9a564dfe109b434494d159518175739c40.msi
  Signatures: Enumerates connected drives; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 732)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Installer\MSIF53A.tmp (PID 1332)
    Command line: "C:\Windows\Installer\MSIF53A.tmp"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1704)
      Command line: "cmd.exe" /c rundll32 C:\Users\Admin\AppData\Local\Temp\pegas.dll, kest
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe (PID 1684)
        Command line: rundll32 C:\Users\Admin\AppData\Local\Temp\pegas.dll, kest
        Signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 1816)
          Command line: cmd.exe /C powershell -nop -ep bypass -f %temp%\enu.ps1
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1192)
            Command line: powershell -nop -ep bypass -f C:\Users\Admin\AppData\Local\Temp\enu.ps1
            Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 1988)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe (PID 808)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14" "" "" "60919e20f" "0000000000000000" "0000000000000398" "0000000000000578"
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken

Reading the tree:
- PID 1712 is the user-facing msiexec.exe client (/I <package>); PID 732 (msiexec.exe /V) is the Windows Installer service instance that performs the install. An MSI*.tmp file under C:\Windows\Installer executed by the service is how Windows Installer runs an executable embedded in the package as a custom action, so the whole cmd.exe -> rundll32.exe -> cmd.exe -> powershell.exe chain descends from the installer itself, not from anything the user ran afterwards.
- Everything below MSIF53A.tmp runs from C:\Windows\SysWOW64: the dropped installer is 32-bit and launches 32-bit cmd.exe, rundll32.exe and powershell.exe on this x64 Windows 7 image.
- The payload is staged as two files in the user's temp directory: pegas.dll, invoked through rundll32.exe by its export kest, and enu.ps1, run with -nop (no profile) and -ep bypass. Execution policy is not a security boundary, so the bypass flag costs the attacker nothing, but "-ep bypass" together with a script path under AppData\Local\Temp is a high-signal pattern in command-line telemetry. The contents of pegas.dll and enu.ps1 are not shown in this report.
- vssvc.exe and DrvInst.exe (with the STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14 device) are the Volume Shadow Copy service and the PnP driver installer for the snapshot device, consistent with Windows Installer creating a system restore point before the install. They account for the "Enumerates physical storage devices" and "Modifies data under HKEY_USERS" signatures above.
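Detection logic for the chain above, as an added example that is not part of the tria.ge report and not code from the sample. The events are constructed here from the process tree on this page and modelled on Sysmon Event ID 1 fields (PID, parent PID, image, command line); the parent PIDs of the three root processes are not given in the report and are set to 0 as a stand-in. The rules separate the weak indicator (Windows Installer running an embedded EXE, which benign packages do too) from the strong ones (rundll32.exe loading a DLL from user temp, powershell.exe with an execution-policy bypass), and a lineage walk ties them together into a single chain alert.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int          # 0 = parent not recorded in this report (stand-in)
    image: str
    cmdline: str


# Constructed from the process tree in this report: PIDs, images and command
# lines are copied from it; the root parents (0) are a stand-in.
EVENTS = [
    ProcEvent(1712, 0, r"C:\Windows\system32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cd7bb7396f21c88742fefb278e6e7c9a564dfe109b434494d159518175739c40.msi"),
    ProcEvent(732, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(1332, 732, r"C:\Windows\Installer\MSIF53A.tmp", r'"C:\Windows\Installer\MSIF53A.tmp"'),
    ProcEvent(1704, 1332, r"C:\Windows\SysWOW64\cmd.exe",
              r'"cmd.exe" /c rundll32 C:\Users\Admin\AppData\Local\Temp\pegas.dll, kest'),
    ProcEvent(1684, 1704, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32 C:\Users\Admin\AppData\Local\Temp\pegas.dll, kest"),
    ProcEvent(1816, 1684, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd.exe /C powershell -nop -ep bypass -f %temp%\enu.ps1"),
    ProcEvent(1192, 1816, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -nop -ep bypass -f C:\Users\Admin\AppData\Local\Temp\enu.ps1"),
    ProcEvent(1988, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    ProcEvent(808, 0, r"C:\Windows\system32\DrvInst.exe",
              r'DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14" "" "" "60919e20f" '
              r'"0000000000000000" "0000000000000398" "0000000000000578"'),
]

# User-writable temp, both before (%temp%) and after (AppData\Local\Temp) cmd.exe expansion.
USER_TEMP = re.compile(r"(?:\\AppData\\Local\\Temp\\|%temp%\\)", re.IGNORECASE)
# -ep / -ex / -exec / -executionpolicy followed by bypass (PowerShell accepts any unambiguous prefix).
EP_BYPASS = re.compile(r"(?:^|\s)-e(?:p|x[a-z]*)\s+bypass\b", re.IGNORECASE)
# Executable that the Windows Installer service extracts from the package and runs.
INSTALLER_TMP = re.compile(r"^C:\\Windows\\Installer\\MSI[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def per_process_findings(events):
    """Single-event indicators, each tagged with the confidence it deserves on its own."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        name = basename(e.image)
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        if parent and basename(parent.image) == "msiexec.exe" and INSTALLER_TMP.match(e.image):
            # Normal for any MSI with an EXE custom action: record it, do not alert on it alone.
            out.append((e.pid, "installer-extracted custom-action EXE", "info"))
        if name == "rundll32.exe" and USER_TEMP.search(e.cmdline):
            out.append((e.pid, "rundll32 loading a DLL from user temp", "high"))
        if name == "powershell.exe" and EP_BYPASS.search(e.cmdline):
            out.append((e.pid, "powershell execution-policy bypass", "high"))
    return out


def ancestry(pid, by_pid):
    """Image names from pid up to the root; stops on unknown parent or a PID cycle."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names


def installer_to_powershell_chains(events):
    """powershell.exe whose lineage passes through rundll32.exe and ends at msiexec.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        lineage = ancestry(e.pid, by_pid)
        if "rundll32.exe" in lineage and lineage[-1] == "msiexec.exe":
            hits.append((e.pid, " <- ".join(lineage)))
    return hits


if __name__ == "__main__":
    for finding in per_process_findings(EVENTS):
        print("finding:", finding)
    for pid, chain in installer_to_powershell_chains(EVENTS):
        print(f"chain alert: PID {pid}: {chain}")
```

Run against the constructed events, the per-process rules produce one "info" finding (MSIF53A.tmp) and two "high" findings (rundll32.exe PID 1684, powershell.exe PID 1192), and the lineage walk reports PID 1192 with the full msiexec.exe-rooted chain. The drive-enumeration and WriteProcessMemory signatures from the report are deliberately not used as rules, for the reasons given in their notes above.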