Analysis
-
max time kernel
152s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 11:22
Static task
static1
Behavioral task
behavioral1
Sample
GEe97Z.msi
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
GEe97Z.msi
Resource
win10v2004-20220414-en
General
-
Target
GEe97Z.msi
-
Size
4.5MB
-
MD5
4cd8781e8e4decc80f164492cb452a91
-
SHA1
9f920f504d5a918ef4aa7bd725b6a9ba58c010f1
-
SHA256
4447d83b1a103618cea2deaed2e10d38aef10df6dfd7c24288e632004d4590ea
-
SHA512
f33d567ddd5e2ae81b89b42d8d27686cb29b10c34dc48d6462377c8d6138e79b1107ecf622c4220ef8ffee01b1f986c2b3f56d89733a8ef6175f081b723aa7b1
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exedescription ioc process File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: msiexec.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005a4eb8c89d443e990000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005a4eb8c80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809005a4eb8c8000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exedescription pid process Token: SeShutdownPrivilege 1336 msiexec.exe Token: SeIncreaseQuotaPrivilege 1336 msiexec.exe Token: SeSecurityPrivilege 3632 msiexec.exe Token: SeCreateTokenPrivilege 1336 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1336 msiexec.exe Token: SeLockMemoryPrivilege 1336 msiexec.exe Token: SeIncreaseQuotaPrivilege 1336 msiexec.exe Token: SeMachineAccountPrivilege 1336 msiexec.exe Token: SeTcbPrivilege 1336 msiexec.exe Token: SeSecurityPrivilege 1336 msiexec.exe Token: SeTakeOwnershipPrivilege 1336 msiexec.exe Token: SeLoadDriverPrivilege 1336 msiexec.exe Token: SeSystemProfilePrivilege 1336 msiexec.exe Token: SeSystemtimePrivilege 1336 msiexec.exe Token: SeProfSingleProcessPrivilege 1336 msiexec.exe Token: SeIncBasePriorityPrivilege 1336 msiexec.exe Token: SeCreatePagefilePrivilege 1336 msiexec.exe Token: SeCreatePermanentPrivilege 1336 msiexec.exe Token: SeBackupPrivilege 1336 msiexec.exe Token: SeRestorePrivilege 1336 msiexec.exe Token: SeShutdownPrivilege 1336 msiexec.exe Token: SeDebugPrivilege 1336 msiexec.exe Token: SeAuditPrivilege 1336 msiexec.exe Token: SeSystemEnvironmentPrivilege 1336 msiexec.exe Token: SeChangeNotifyPrivilege 1336 msiexec.exe Token: SeRemoteShutdownPrivilege 1336 msiexec.exe Token: SeUndockPrivilege 1336 msiexec.exe Token: SeSyncAgentPrivilege 1336 msiexec.exe Token: SeEnableDelegationPrivilege 1336 msiexec.exe Token: SeManageVolumePrivilege 1336 msiexec.exe Token: SeImpersonatePrivilege 1336 msiexec.exe Token: SeCreateGlobalPrivilege 1336 msiexec.exe Token: SeBackupPrivilege 4840 vssvc.exe Token: SeRestorePrivilege 4840 vssvc.exe Token: SeAuditPrivilege 4840 vssvc.exe Token: SeBackupPrivilege 3632 msiexec.exe Token: SeRestorePrivilege 3632 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 1336 msiexec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\GEe97Z.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MSI6bbb3.LOGFilesize
20KB
MD5cec6130c97b51f76a44df18d2a6696cd
SHA1599bafa828c6aec9a0ba3fc1bd70bbefb7b7d1c7
SHA2560e4fa046a58f03252f1f63744bf3b5d0f064c4c26a155a27af947cf711b60b5c
SHA5120492afb43d2a7e39d92e6d7a2f1c318d1632976aaa3a23f275382b8baba31a5b7b4733d86b732c9a1be06095415ed3798051ceb9c4bb1ddcccdbccfe4badc2b6