Analysis
- Max time kernel: 83s
- Max time network: 147s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 11-06-2022 17:01
Static task: static1
Behavioral task: behavioral1
- Sample: shipment.delievery.msi
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: shipment.delievery.msi
- Resource: win10v2004-20220414-en
General
- Target: shipment.delievery.msi
- Size: 967KB
- MD5: 3c56483e8c0788b2862bfe0c490c865a
- SHA1: 3f541fbc9e927a718c1745b4b8d02f3768aa3fd2
- SHA256: 5e288df18d5f3797079c4962a447509fd4a60e9b76041d0b888bcf32f8197991
- SHA512: ab45313032b3822b919b8a782422f15fd60f8c46cc61bb3294d937d98821795ab3b5089873419bbd9ada99357691759653a6fe50ba110ef04eee2bffba68ffe1
Malware Config
Signatures

Loads dropped DLL (2 IoCs)
Processes: MsiExec.exe (PID 3676)
- PID 3676 MsiExec.exe
- PID 3676 MsiExec.exe
Note: PID 3676 is the 32-bit custom action server (C:\Windows\syswow64\MsiExec.exe -Embedding, see Processes). Windows Installer runs a package's DLL custom actions inside that process, so a dropped DLL loaded here is the package's own custom action code and is the one place in this report where code shipped in the sample, rather than a Windows binary, executes.
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
- File opened (read-only) by msiexec.exe: \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- The 48 events cover these 24 drive letters (every letter except C: and D:), each opened exactly twice; two msiexec.exe processes are listed for this signature.
Note: msiexec.exe probing every drive root is standard Windows Installer behaviour during disk costing and occurs for benign packages as well, so on its own this signature is not evidence of sandbox evasion by the sample.
Drops file in Windows directory (5 IoCs)
Processes: msiexec.exe
- File created: C:\Windows\Installer\e576a24.msi
- File opened for modification: C:\Windows\Installer\e576a24.msi
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- File opened for modification: C:\Windows\Installer\MSI6B4D.tmp
- File opened for modification: C:\Windows\Installer\MSI6D42.tmp
Note: C:\Windows\Installer\<hex>.msi is the Installer service's cached copy of the package; MSIxxxx.tmp files in that directory are temporaries the service extracts from the package's Binary table, typically custom action DLLs, before executing them. ngen.log under Framework64\v4.0.30319 is the log of the .NET Native Image Generator, so the install engages the 64-bit .NET Framework 4 runtime.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
- Set value (data) by vssvc.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key opened by vssvc.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
- Key queried by vssvc.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
- Key created by vssvc.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr
- Set value (data) by vssvc.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000036afcf5ac1e326070000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000036afcf5a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090036afcf5a000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000036afcf5a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000036afcf5a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Note: every one of these registry operations is performed by vssvc.exe, the Volume Shadow Copy service, not by the sample and not by msiexec.exe. The values are partition-manager caches: SnapshotDataCache starts with the ASCII tag "SNAPPART" (534e41505041525), and PartitionTableCache carries the MBR disk signature 36afcf5a in little-endian byte order, the same signature that appears as 5acfaf36 in the \??\Volume{5acfaf36-0000-0000-0000-d01200000000} path under Downloads. This is the housekeeping of the restore point that srtasks.exe creates before the install, so the sandbox-detection heuristic behind this signature does not apply to the sample's own code.
Suspicious use of AdjustPrivilegeToken (51 IoCs)
Processes: msiexec.exe (PID 776), msiexec.exe (PID 4576), vssvc.exe (PID 4836), srtasks.exe (PID 464)
Requests grouped by process (the report lists them interleaved in time order):
- PID 776 msiexec.exe (31): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- PID 4576 msiexec.exe (9): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
- PID 4836 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- PID 464 srtasks.exe (8): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
Note: all four processes are Microsoft binaries from C:\Windows\system32. The PID 776 list walks the whole privilege table in a constant order, the pattern of a blanket AdjustTokenPrivileges loop rather than a targeted request for one privilege, and AdjustTokenPrivileges only enables privileges the token already holds, so a request for SeDebugPrivilege or SeTcbPrivilege does not mean it was granted. The backup/restore/take-ownership set on PIDs 4576, 4836 and 464 is what the Installer service, the Volume Shadow Copy service and System Restore need to write a restore point. PID 3676, the process that loads the dropped DLL, does not appear in this list.
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe (PID 776)
- PID 776 msiexec.exe
- PID 776 msiexec.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: msiexec.exe (PID 4576)
- PID 4576 msiexec.exe wrote to memory of PID 464 srtasks.exe
- PID 4576 msiexec.exe wrote to memory of PID 464 srtasks.exe
- PID 4576 msiexec.exe wrote to memory of PID 3676 MsiExec.exe
- PID 4576 msiexec.exe wrote to memory of PID 3676 MsiExec.exe
- PID 4576 msiexec.exe wrote to memory of PID 3676 MsiExec.exe
Note: both targets are direct children of PID 4576 in the process tree. A parent writing into a process it has just created (CreateProcess writes the process parameters into the new address space) produces exactly these events; there is no write into an unrelated process here, so this is not evidence of injection.
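The signature tables above are flattened rows of the form "File opened (read-only) \??\X: process", "Token: privilege pid process" and "PID a wrote to memory of b a src dst", which are awkward to reason about by eye once there are dozens of them. The following script is an added example, not part of the sandbox report or of any sandbox tool: it parses a constructed subset of the IoC rows copied from this page, deduplicates drive letters per process, groups requested privileges per PID, and reduces the WriteProcessMemory rows to distinct parent-to-target edges. The regexes, the `SENSITIVE` privilege list, the drive-letter threshold and the function names are the editor's own choices.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the IoC rows as printed in the
# Signatures section of this report, copied verbatim from the page.
SAMPLE_IOCS = r"""
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
Token: SeShutdownPrivilege 776 msiexec.exe
Token: SeDebugPrivilege 776 msiexec.exe
Token: SeBackupPrivilege 4836 vssvc.exe
Token: SeRestorePrivilege 4576 msiexec.exe
PID 4576 wrote to memory of 464 4576 msiexec.exe srtasks.exe
PID 4576 wrote to memory of 3676 4576 msiexec.exe MsiExec.exe
PID 4576 wrote to memory of 3676 4576 msiexec.exe MsiExec.exe
"""
SAMPLE_LINES = SAMPLE_IOCS.strip().splitlines()

# One regex per row shape. Rows that match none of them are ignored, so a
# mixed dump of every signature table can be fed through unchanged.
DRIVE_RE = re.compile(r"^File opened \(read-only\) \\\?\?\\([A-Z]):\s+(\S+)$")
TOKEN_RE = re.compile(r"^Token: (Se\w+Privilege) (\d+) (\S+)$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")

# Privileges worth a second look (editor's choice, not a sandbox setting).
SENSITIVE = ("SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
             "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege")


def drives_opened(lines):
    """Map process name -> sorted distinct drive letters it opened."""
    seen = defaultdict(set)
    for line in lines:
        m = DRIVE_RE.match(line)
        if m:
            seen[m.group(2)].add(m.group(1))
    return {proc: sorted(letters) for proc, letters in seen.items()}


def privileges_by_pid(lines):
    """Map (pid, process) -> sorted distinct privileges it asked for.

    AdjustTokenPrivileges can only enable privileges the token already
    holds, so these are requests, not evidence that any were granted.
    """
    seen = defaultdict(set)
    for line in lines:
        m = TOKEN_RE.match(line)
        if m:
            seen[(int(m.group(2)), m.group(3))].add(m.group(1))
    return {key: sorted(privs) for key, privs in seen.items()}


def injection_edges(lines):
    """Distinct (src_pid, src_name, dst_pid, dst_name) WriteProcessMemory edges."""
    edges = set()
    for line in lines:
        m = WPM_RE.match(line)
        if m:
            edges.add((int(m.group(1)), m.group(3), int(m.group(2)), m.group(4)))
    return sorted(edges)


def triage(lines, drive_threshold=4, sensitive=SENSITIVE):
    """Reduce the parsed rows to one short finding per observation."""
    findings = []
    for proc, letters in drives_opened(lines).items():
        if len(letters) >= drive_threshold:
            findings.append(f"{proc} probed {len(letters)} drive letters: {''.join(letters)}")
    for (pid, proc), privs in privileges_by_pid(lines).items():
        hot = [p for p in privs if p in sensitive]
        if hot:
            findings.append(f"{proc} (pid {pid}) requested {', '.join(hot)}")
    for src_pid, src, dst_pid, dst in injection_edges(lines):
        findings.append(f"{src} (pid {src_pid}) wrote into {dst} (pid {dst_pid})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Run against the full tables from this report, the drive parser collapses the 48 rows to the 24 letters A to Z minus C and D, and the WriteProcessMemory parser yields only two edges, both from PID 4576 to its own children; cross-checking those edges against the process tree is what separates process creation from injection into a foreign process.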
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\shipment.delievery.msi
  PID: 776
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4576
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 464
    - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding FD0FDE29AC1F41533625680F17FEEC0B
    PID: 3676
    - Loads dropped DLL

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4836
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

Roles in this tree: PID 776 is the Windows Installer client started with the sample (/I); PID 4576 is the Windows Installer service instance (msiexec.exe /V), which creates the pre-install restore point through srtasks.exe (ExecuteScopeRestorePoint) and starts the 32-bit custom action server (syswow64\MsiExec.exe -Embedding) as PID 3676, the process in which the package's custom action DLL is loaded; vssvc.exe is the Volume Shadow Copy service that the restore point depends on. Apart from the DLL loaded in PID 3676, every signature above fires on a Microsoft binary doing routine installer work.
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 56KB (this entry appears four times in the report with identical hashes; the file paths were not captured)
MD5: 38a4250c5e678728a0cdf126f1cdd937
SHA1: d55553ab896f085fd5cd191022c64442c99f48a4
SHA256: 63c4d968320e634b97542ccf0edffe130800314346c3316817813e62d7b7ee08
SHA512: cc00d1d5e6b074eff3245d3e8aa3020804a6bfd01516c7be7b05f671a93c6a56d9058738c422ad77eabb6c10e6c698a219dac7102e0b17dd941b11bfd60eb894
-
Filesize: 23.0MB
MD5: 1c36931798a6f76644d28ba2459bc321
SHA1: d36eaaac6bc5169acc911fa0a3ad253d20b19b27
SHA256: c9eee33794df5669026e9c9dc05b6c043e7ddb9bf23d22719bb8d227ef2574f3
SHA512: c76018f8de822a0d85236848b69fa935fcbe57c04bbd4847739b121493438255220f54d680c3ad5383fc68fd9fac73bdb981b70b25b8bb7c6cabf7b5c1b32983
-
\??\Volume{5acfaf36-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{315080d7-a72e-4991-aa5b-e3606f3b9aca}_OnDiskSnapshotProp
Filesize: 5KB
MD5: 83af26e08b8f5f5ab66b19e1ee857c3c
SHA1: 1408e7fe1fe4fbadc01e8279217d70a658f28ac3
SHA256: 3d64c68be11139ed0539275623fa75569ab9df0f58e787e73a778539184b5cbb
SHA512: 895f63c51a8d10761331eb33285dfb7ad436921f65c62c2fc3424d04570752a5eab7506914b57e9fbbddf5edbdd9d1d7def6fca565e7b85fa8e6b24d9a904e7d
Note: this file lives under System Volume Information\SPP (System Protection) on the system volume and is restore-point snapshot metadata written during the srtasks.exe step, not a payload dropped by the package.