Analysis
-
max time kernel
43s -
max time network
96s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
14-09-2022 23:15
Static task
static1
Behavioral task
behavioral1
Sample
ddf798fa09f7c72f9fec4478841990d7.msi
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
ddf798fa09f7c72f9fec4478841990d7.msi
Resource
win10v2004-20220812-en
General
-
Target
ddf798fa09f7c72f9fec4478841990d7.msi
-
Size
92KB
-
MD5
ddf798fa09f7c72f9fec4478841990d7
-
SHA1
42b8bc580bd77c330432fb7cf6d9b8c8212961bd
-
SHA256
b2b07b32c681a44c647814d09eeac5d691ae67ebf1862bd23c639fce7027685a
-
SHA512
fa39bd42f000e8dffb4638a65cb08ab0f4393a7ed8ef718efa7f3652c00cd1aa31c6f3fb5365674700a08eb066d3e514e7f8131fce0bccd9b5897ea96c9b2425
-
SSDEEP
768:8lUJ5BxTORGx4/dpZ6G+jzI/RyGwaW27N5MSdm4cyWMDC/yWMDCmYinj:hxTcdpZ6G//RzwaN1d00DU0D37n
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
flow  pid   Process
2     560   msiexec.exe
4     560   msiexec.exe
5     1584  msiexec.exe
-
Loads dropped DLL 1 IoCs
pid   Process
1392  MsiExec.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory 11 IoCs
description                   ioc                               Process
File opened for modification  C:\Windows\Installer\6c6e1f.msi   msiexec.exe
File created                  C:\Windows\Installer\6c6e20.ipi   msiexec.exe
File opened for modification  C:\Windows\Installer\             msiexec.exe
File opened for modification  C:\Windows\INF\setupapi.ev3       DrvInst.exe
File opened for modification  C:\Windows\INF\setupapi.ev1       DrvInst.exe
File opened for modification  C:\Windows\INF\setupapi.dev.log   DrvInst.exe
File created                  C:\Windows\Installer\6c6e1f.msi   msiexec.exe
File opened for modification  C:\Windows\Installer\MSI73E5.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI77FC.tmp  msiexec.exe
File created                  C:\Windows\Installer\6c6e22.msi   msiexec.exe
File opened for modification  C:\Windows\Installer\6c6e20.ipi   msiexec.exe
-
Modifies data under HKEY_USERS 43 IoCs
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
1584  msiexec.exe
1584  msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid  Process
560  msiexec.exe
560  msiexec.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
description                          pid   Process      procid_target
PID 1584 wrote to memory of 1392     1584  msiexec.exe  32
PID 1584 wrote to memory of 1392     1584  msiexec.exe  32
PID 1584 wrote to memory of 1392     1584  msiexec.exe  32
PID 1584 wrote to memory of 1392     1584  msiexec.exe  32
PID 1584 wrote to memory of 1392     1584  msiexec.exe  32
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ddf798fa09f7c72f9fec4478841990d7.msi
Tree depth: 1
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:560
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Tree depth: 1
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 22ADA5BF294DDB9685F512A1A4A8CE5C
Tree depth: 2
- Loads dropped DLL
PID:1392
-
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Tree depth: 1
- Suspicious use of AdjustPrivilegeToken
PID:628
-
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E4" "0000000000000498"
Tree depth: 1
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1328
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Filesize 254B