0584c52f946e866ea2caa2814b6a1787ef8470e85efdebab6e8fcee4654006df

General

Target

GEe97Z.msi
Size

4.5MB
MD5

4cd8781e8e4decc80f164492cb452a91
SHA1

9f920f504d5a918ef4aa7bd725b6a9ba58c010f1
SHA256

4447d83b1a103618cea2deaed2e10d38aef10df6dfd7c24288e632004d4590ea
SHA512

f33d567ddd5e2ae81b89b42d8d27686cb29b10c34dc48d6462377c8d6138e79b1107ecf622c4220ef8ffee01b1f986c2b3f56d89733a8ef6175f081b723aa7b1

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005a4eb8c89d443e990000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005a4eb8c80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809005a4eb8c8000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	1336	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1336	msiexec.exe
Token: SeSecurityPrivilege	3632	msiexec.exe
Token: SeCreateTokenPrivilege	1336	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1336	msiexec.exe
Token: SeLockMemoryPrivilege	1336	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1336	msiexec.exe
Token: SeMachineAccountPrivilege	1336	msiexec.exe
Token: SeTcbPrivilege	1336	msiexec.exe
Token: SeSecurityPrivilege	1336	msiexec.exe
Token: SeTakeOwnershipPrivilege	1336	msiexec.exe
Token: SeLoadDriverPrivilege	1336	msiexec.exe
Token: SeSystemProfilePrivilege	1336	msiexec.exe
Token: SeSystemtimePrivilege	1336	msiexec.exe
Token: SeProfSingleProcessPrivilege	1336	msiexec.exe
Token: SeIncBasePriorityPrivilege	1336	msiexec.exe
Token: SeCreatePagefilePrivilege	1336	msiexec.exe
Token: SeCreatePermanentPrivilege	1336	msiexec.exe
Token: SeBackupPrivilege	1336	msiexec.exe
Token: SeRestorePrivilege	1336	msiexec.exe
Token: SeShutdownPrivilege	1336	msiexec.exe
Token: SeDebugPrivilege	1336	msiexec.exe
Token: SeAuditPrivilege	1336	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1336	msiexec.exe
Token: SeChangeNotifyPrivilege	1336	msiexec.exe
Token: SeRemoteShutdownPrivilege	1336	msiexec.exe
Token: SeUndockPrivilege	1336	msiexec.exe
Token: SeSyncAgentPrivilege	1336	msiexec.exe
Token: SeEnableDelegationPrivilege	1336	msiexec.exe
Token: SeManageVolumePrivilege	1336	msiexec.exe
Token: SeImpersonatePrivilege	1336	msiexec.exe
Token: SeCreateGlobalPrivilege	1336	msiexec.exe
Token: SeBackupPrivilege	4840	vssvc.exe
Token: SeRestorePrivilege	4840	vssvc.exe
Token: SeAuditPrivilege	4840	vssvc.exe
Token: SeBackupPrivilege	3632	msiexec.exe
Token: SeRestorePrivilege	3632	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1336 msiexec.exe

pid	process
1336	msiexec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\GEe97Z.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1336

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI6bbb3.LOG
Filesize
20KB

MD5
cec6130c97b51f76a44df18d2a6696cd

SHA1
599bafa828c6aec9a0ba3fc1bd70bbefb7b7d1c7

SHA256
0e4fa046a58f03252f1f63744bf3b5d0f064c4c26a155a27af947cf711b60b5c

SHA512
0492afb43d2a7e39d92e6d7a2f1c318d1632976aaa3a23f275382b8baba31a5b7b4733d86b732c9a1be06095415ed3798051ceb9c4bb1ddcccdbccfe4badc2b6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads