Analysis
-
max time kernel
151s -
max time network
177s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 06:27
Static task
static1
Behavioral task
behavioral1
Sample
60c410c65d8b07444b092f5fb71b2b3f071a0cb92230fad7211551309611d899.msi
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
60c410c65d8b07444b092f5fb71b2b3f071a0cb92230fad7211551309611d899.msi
Resource
win10v2004-20220414-en
General
-
Target
60c410c65d8b07444b092f5fb71b2b3f071a0cb92230fad7211551309611d899.msi
-
Size
2.0MB
-
MD5
e34e031f90002ad25ca1b315e0a0e1ca
-
SHA1
ed594f951eed29c1354e6d9e65f82cc27b39b060
-
SHA256
60c410c65d8b07444b092f5fb71b2b3f071a0cb92230fad7211551309611d899
-
SHA512
4c08ffaa9301f963c54cb8aa17bce30d833121b056c06903606ca1fe0d9e3a112b20ae72dde5e623acdf3bde15e75830f43f86594eed46e3ddc411e2bee9149f
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe -
Drops file in Windows directory 7 IoCs
Processes:
msiexec.exedescription ioc process File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI594.tmp msiexec.exe File created C:\Windows\Installer\e590361.msi msiexec.exe File opened for modification C:\Windows\Installer\e590361.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\SourceHash{1BCCC744-C9F2-4623-BB86-4B588A51334D} msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e111c2ed168134740000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e111c2ed0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900e111c2ed000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e111c2ed00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e111c2ed00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid process 2040 msiexec.exe 2040 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exedescription pid process Token: SeShutdownPrivilege 1436 msiexec.exe Token: SeIncreaseQuotaPrivilege 1436 msiexec.exe Token: SeSecurityPrivilege 2040 msiexec.exe Token: SeCreateTokenPrivilege 1436 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1436 msiexec.exe Token: SeLockMemoryPrivilege 1436 msiexec.exe Token: SeIncreaseQuotaPrivilege 1436 msiexec.exe Token: SeMachineAccountPrivilege 1436 msiexec.exe Token: SeTcbPrivilege 1436 msiexec.exe Token: SeSecurityPrivilege 1436 msiexec.exe Token: SeTakeOwnershipPrivilege 1436 msiexec.exe Token: SeLoadDriverPrivilege 1436 msiexec.exe Token: SeSystemProfilePrivilege 1436 msiexec.exe Token: SeSystemtimePrivilege 1436 msiexec.exe Token: SeProfSingleProcessPrivilege 1436 msiexec.exe Token: SeIncBasePriorityPrivilege 1436 msiexec.exe Token: SeCreatePagefilePrivilege 1436 msiexec.exe Token: SeCreatePermanentPrivilege 1436 msiexec.exe Token: SeBackupPrivilege 1436 msiexec.exe Token: SeRestorePrivilege 1436 msiexec.exe Token: SeShutdownPrivilege 1436 msiexec.exe Token: SeDebugPrivilege 1436 msiexec.exe Token: SeAuditPrivilege 1436 msiexec.exe Token: SeSystemEnvironmentPrivilege 1436 msiexec.exe Token: SeChangeNotifyPrivilege 1436 msiexec.exe Token: SeRemoteShutdownPrivilege 1436 msiexec.exe Token: SeUndockPrivilege 1436 msiexec.exe Token: SeSyncAgentPrivilege 1436 msiexec.exe Token: SeEnableDelegationPrivilege 1436 msiexec.exe Token: SeManageVolumePrivilege 1436 msiexec.exe Token: SeImpersonatePrivilege 1436 msiexec.exe Token: SeCreateGlobalPrivilege 1436 msiexec.exe Token: SeBackupPrivilege 4224 vssvc.exe Token: SeRestorePrivilege 4224 vssvc.exe Token: SeAuditPrivilege 4224 vssvc.exe Token: SeBackupPrivilege 2040 msiexec.exe Token: SeRestorePrivilege 2040 msiexec.exe Token: SeRestorePrivilege 2040 msiexec.exe Token: SeTakeOwnershipPrivilege 2040 msiexec.exe Token: SeRestorePrivilege 2040 msiexec.exe Token: SeTakeOwnershipPrivilege 2040 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 1436 msiexec.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
msiexec.exedescription pid process target process PID 2040 wrote to memory of 3972 2040 msiexec.exe srtasks.exe PID 2040 wrote to memory of 3972 2040 msiexec.exe srtasks.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\60c410c65d8b07444b092f5fb71b2b3f071a0cb92230fad7211551309611d899.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding CAD9F8B5DF67CE5727E5E750A4C1A66E2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken