d579e758e16f54d3c3594aa4fabce0181ef25bf953cceda3a6c47c099a77a40a

General

Target

Security_Upgrade_Software_Win10.0.msi
Size

96KB
MD5

997a3ae4006ae10c102258e5718f89f6
SHA1

8177181273ace0f8009b809d866764ce266b70dc
SHA256

d579e758e16f54d3c3594aa4fabce0181ef25bf953cceda3a6c47c099a77a40a
SHA512

231cd1f692e56c0a5be5818ec77e786f0f4d6e58ea6d6c097574908e8f42e39e9b3f78c627a898e142e01b900865a6ef7988a803f12b72640d76c2ddfde44958

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exemsiexec.exe

flow pid process

2 1628 msiexec.exe
4 1628 msiexec.exe
7 1156 msiexec.exe
Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

1240 MsiExec.exe

flow	pid	process
2	1628	msiexec.exe
4	1628	msiexec.exe
7	1156	msiexec.exe

pid	process
1240	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\6d2ccd.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D7B.tmp	msiexec.exe
File created	C:\Windows\Installer\6d2ccf.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\6d2ccc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6d2ccc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4143.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6d2ccd.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1156 msiexec.exe
1156 msiexec.exe

pid	process
1156	msiexec.exe
1156	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exe

description	pid	process
Token: SeShutdownPrivilege	1628	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1156	msiexec.exe
Token: SeTakeOwnershipPrivilege	1156	msiexec.exe
Token: SeSecurityPrivilege	1156	msiexec.exe
Token: SeCreateTokenPrivilege	1628	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1628	msiexec.exe
Token: SeLockMemoryPrivilege	1628	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1628	msiexec.exe
Token: SeMachineAccountPrivilege	1628	msiexec.exe
Token: SeTcbPrivilege	1628	msiexec.exe
Token: SeSecurityPrivilege	1628	msiexec.exe
Token: SeTakeOwnershipPrivilege	1628	msiexec.exe
Token: SeLoadDriverPrivilege	1628	msiexec.exe
Token: SeSystemProfilePrivilege	1628	msiexec.exe
Token: SeSystemtimePrivilege	1628	msiexec.exe
Token: SeProfSingleProcessPrivilege	1628	msiexec.exe
Token: SeIncBasePriorityPrivilege	1628	msiexec.exe
Token: SeCreatePagefilePrivilege	1628	msiexec.exe
Token: SeCreatePermanentPrivilege	1628	msiexec.exe
Token: SeBackupPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1628	msiexec.exe
Token: SeShutdownPrivilege	1628	msiexec.exe
Token: SeDebugPrivilege	1628	msiexec.exe
Token: SeAuditPrivilege	1628	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1628	msiexec.exe
Token: SeChangeNotifyPrivilege	1628	msiexec.exe
Token: SeRemoteShutdownPrivilege	1628	msiexec.exe
Token: SeUndockPrivilege	1628	msiexec.exe
Token: SeSyncAgentPrivilege	1628	msiexec.exe
Token: SeEnableDelegationPrivilege	1628	msiexec.exe
Token: SeManageVolumePrivilege	1628	msiexec.exe
Token: SeImpersonatePrivilege	1628	msiexec.exe
Token: SeCreateGlobalPrivilege	1628	msiexec.exe
Token: SeBackupPrivilege	2028	vssvc.exe
Token: SeRestorePrivilege	2028	vssvc.exe
Token: SeAuditPrivilege	2028	vssvc.exe
Token: SeBackupPrivilege	1156	msiexec.exe
Token: SeRestorePrivilege	1156	msiexec.exe
Token: SeRestorePrivilege	1500	DrvInst.exe
Token: SeRestorePrivilege	1500	DrvInst.exe
Token: SeRestorePrivilege	1500	DrvInst.exe
Token: SeRestorePrivilege	1500	DrvInst.exe
Token: SeRestorePrivilege	1500	DrvInst.exe
Token: SeRestorePrivilege	1500	DrvInst.exe
Token: SeRestorePrivilege	1500	DrvInst.exe
Token: SeLoadDriverPrivilege	1500	DrvInst.exe
Token: SeLoadDriverPrivilege	1500	DrvInst.exe
Token: SeLoadDriverPrivilege	1500	DrvInst.exe
Token: SeRestorePrivilege	1156	msiexec.exe
Token: SeTakeOwnershipPrivilege	1156	msiexec.exe
Token: SeRestorePrivilege	1156	msiexec.exe
Token: SeTakeOwnershipPrivilege	1156	msiexec.exe
Token: SeRestorePrivilege	1156	msiexec.exe
Token: SeTakeOwnershipPrivilege	1156	msiexec.exe
Token: SeRestorePrivilege	1156	msiexec.exe
Token: SeTakeOwnershipPrivilege	1156	msiexec.exe
Token: SeRestorePrivilege	1156	msiexec.exe
Token: SeTakeOwnershipPrivilege	1156	msiexec.exe
Token: SeRestorePrivilege	1156	msiexec.exe
Token: SeTakeOwnershipPrivilege	1156	msiexec.exe
Token: SeRestorePrivilege	1156	msiexec.exe
Token: SeTakeOwnershipPrivilege	1156	msiexec.exe
Token: SeRestorePrivilege	1156	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1628 msiexec.exe
1628 msiexec.exe

pid	process
1628	msiexec.exe
1628	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 1156 wrote to memory of 1240	1156	msiexec.exe	MsiExec.exe
PID 1156 wrote to memory of 1240	1156	msiexec.exe	MsiExec.exe
PID 1156 wrote to memory of 1240	1156	msiexec.exe	MsiExec.exe
PID 1156 wrote to memory of 1240	1156	msiexec.exe	MsiExec.exe
PID 1156 wrote to memory of 1240	1156	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Security_Upgrade_Software_Win10.0.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1628

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 2946DBB7DF8E327DD0A7294E24B3E1D7
2⤵
- Loads dropped DLL
PID:1240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000049C" "0000000000000568"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1500

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Filesize
1KB

MD5
78f2fcaa601f2fb4ebc937ba532e7549

SHA1
ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

SHA256
552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988

SHA512
bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c9ae194de6ac3d606e70ded5e53cbe34

SHA1
7dcb7ea95b9d770c5f00eb771f8efd6e4177f5c3

SHA256
69c138cfa9cc977bcf32e4113cadaf9f394d43c2fe35b0937d8f9493ed200b02

SHA512
47a566f4499b86d530b9659f97472c759ac0b617195d161dee50b9cae8f1483915f50a65949c8f0e3ad51c9c93df852bd1c46d16f6ab22f02b085cf1e4e03814

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Filesize
254B

MD5
505fdbab7b3f8edb0ba775bd5b38bbb0

SHA1
aaea79bfad5442f28c2d99b50bd8099f3297b0b4

SHA256
22a1f9fdf872434b899a1d9373072194defa3453a1d510e654f4f99ff685bdf0

SHA512
8e954de6c44d6f5bc0fe278253c3496b3042a434143fbcf524aff8072a765d668edf6a365bb35d977a82f6494f8dcfe5d24575f32ee675c4d2ce156ee496ad0f

Download Submit
C:\Windows\Installer\MSI3D7B.tmp
Filesize
54KB

MD5
31903e57dcc15860380219f2fb15909e

SHA1
7b7ce68b05965e8c53c7f1f9afc1325af9f91272

SHA256
c28b8d613c100aa108adcdd461bce92dc620c2c88fc25be31594d38482f53451

SHA512
8f513cb654d225d92f9974e06f0eb005c76e5a23c1f199502f9335136abaa2ef0089373ebb9ad9f90b54a531b7548abae57c5b7a17d6c840a1d2b3146cb953a5

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\Installer\MSI3D7B.tmp
Filesize
54KB

MD5
31903e57dcc15860380219f2fb15909e

SHA1
7b7ce68b05965e8c53c7f1f9afc1325af9f91272

SHA256
c28b8d613c100aa108adcdd461bce92dc620c2c88fc25be31594d38482f53451

SHA512
8f513cb654d225d92f9974e06f0eb005c76e5a23c1f199502f9335136abaa2ef0089373ebb9ad9f90b54a531b7548abae57c5b7a17d6c840a1d2b3146cb953a5

Download Submit
memory/1240-60-0x0000000000000000-mapping.dmp

Download
memory/1628-54-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads