mountlocker | 30050b3673c720729cd6a61803059b16dd3aa526683e7342aae0261e4c78fa83

Resubmissions

14-09-2022 11:45

220914-nwrncadhel 10

Analysis

max time kernel
53s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14-09-2022 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30050b3673c720729cd6a61803059b16dd3aa526683e7342aae0261e4c78fa83.msi
Size

112KB
MD5

ce3969ab935f0f5b1301cd70d2e59696
SHA1

e70d3341a6e2cc8ae0f140075837ceac4453b947
SHA256

30050b3673c720729cd6a61803059b16dd3aa526683e7342aae0261e4c78fa83
SHA512

20998be53a994d7adab2b71bafccec1eeb93e356965582161fa1fccea023fbf62b0145adf5e0621118f00a4ea12a71fbb5de2fdd129d92879502a5a3da019a36
SSDEEP

1536:y7WSmywADwaY6FIsr4XSZ32tcOGwpin2NI2F4cdJ0DLx0DL:y7WgpDwd6+srGi32tcOGwpin2NMcd

Score

10^/10

mountlocker ransomware

Malware Config

Extracted

Path

\??\c:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RecoveryManual.html

Ransom Note

<html> <head> <title>RECOVERY MANUAL</title> </head> <body> <h1>Your ClientId:</h1> <pre> d11ebd6225c2dd096733ff8dad28b6433ed09466c0bc630babe00375993d6d4e </pre> <hr/> /!\ YOUR COMPANY' NETWORK HAS BEEN HACKED /!\ All your important documents have been encrypted and transferred to our premises! <hr/> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. However there is a solution for your problem! We can support you with your data decryption for a monetary reward. Also we will destroy your private data from our premises. And we can prove our decryption capabilities by decrypting couple of your files free of charge. Here are the next steps to get your valuable data back and get it wiped out from our premises: <a href="http://qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion/?cid=d11ebd6225c2dd096733ff8dad28b6433ed09466c0bc630babe00375993d6d4e">http://qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion/?cid=d11ebd6225c2dd096733ff8dad28b6433ed09466c0bc630babe00375993d6d4e</a> * Note that you need installed Tor Browser to open this kind of links. Follow the instructions to install/run Tor Browser: 1. Go to TOR Project website https://www.torproject.org using your usual browser (Chrome, Firefox, Internet Explorer or Edge) 2. Click "Download Tor Browser" and pick right version for your Operation System (this is Windows in 99.9% of cases) 3. Download and Install Tor Browser 4. After installation finished, click on "Tor Browser" link from your Desktop 5. By using Tor Browser visit <a href="http://qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion/?cid=d11ebd6225c2dd096733ff8dad28b6433ed09466c0bc630babe00375993d6d4e">http://qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion/?cid=d11ebd6225c2dd096733ff8dad28b6433ed09466c0bc630babe00375993d6d4e</a> 6. Copy your client id from the top of this document and paste it into Authorization window if requested 7. This will start a chat with our security experts. Please note, sometimes our team is away from keyboard, but make sure they will reply you back as soon as possible. Also, we kindly request you to contact with us as soon as possible. We will start publishing your private data to the Internet if you don't get in touch with us within next few days. </body> </html>

Signatures

Detected Mount Locker ransomware 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001313e-58.dat	RANSOM_mountlocker
behavioral1/files/0x000700000001313e-59.dat	RANSOM_mountlocker

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 16 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\Pictures\BackupOpen.tiff.ReadManual.64BD3273	MsiExec.exe
File opened for modification	\??\c:\Users\Admin\Pictures\CheckpointRead.png.ReadManual.64BD3273	MsiExec.exe
File opened for modification	\??\c:\Users\Admin\Pictures\SelectSearch.png.ReadManual.64BD3273	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\WatchRename.tiff => \??\c:\Users\Admin\Pictures\WatchRename.tiff.ReadManual.64BD3273	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\BackupOpen.tiff => \??\c:\Users\Admin\Pictures\BackupOpen.tiff.ReadManual.64BD3273	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\ExitImport.crw => \??\c:\Users\Admin\Pictures\ExitImport.crw.ReadManual.64BD3273	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\SelectSearch.png => \??\c:\Users\Admin\Pictures\SelectSearch.png.ReadManual.64BD3273	MsiExec.exe
File opened for modification	\??\c:\Users\Admin\Pictures\ClearRequest.raw.ReadManual.64BD3273	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\ClearRequest.raw => \??\c:\Users\Admin\Pictures\ClearRequest.raw.ReadManual.64BD3273	MsiExec.exe
File opened for modification	\??\c:\Users\Admin\Pictures\ExitImport.crw.ReadManual.64BD3273	MsiExec.exe
File opened for modification	\??\c:\Users\Admin\Pictures\WatchRename.tiff.ReadManual.64BD3273	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\CheckpointRead.png => \??\c:\Users\Admin\Pictures\CheckpointRead.png.ReadManual.64BD3273	MsiExec.exe
File opened for modification	\??\c:\Users\Admin\Pictures\CheckpointShow.png.ReadManual.64BD3273	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\DisableRegister.crw => \??\c:\Users\Admin\Pictures\DisableRegister.crw.ReadManual.64BD3273	MsiExec.exe
File opened for modification	\??\c:\Users\Admin\Pictures\DisableRegister.crw.ReadManual.64BD3273	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\CheckpointShow.png => \??\c:\Users\Admin\Pictures\CheckpointShow.png.ReadManual.64BD3273	MsiExec.exe

Loads dropped DLL 1 IoCs

pid	Process
976	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\teyefibowo\ReadMe.txt	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI6D93.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6DC3.tmp	msiexec.exe
File created	C:\Windows\Installer\6c6b93.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c6b91.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\6c6b90.msi	msiexec.exe
File created	C:\Windows\Installer\6c6b91.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\6c6b90.msi	msiexec.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1732	vssadmin.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe

Modifies registry class 28 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7E99BE60AB9492F4EB40B1E891C24BA8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.64BD3273\shell\Open	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9A574297AD28B6E46A6E44B3871D80B4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7E99BE60AB9492F4EB40B1E891C24BA8\9A574297AD28B6E46A6E44B3871D80B4	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.64BD3273\shell\Open\command	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.64BD3273\shell	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.64BD3273\shell\Open\command\ = "explorer.exe RecoveryManual.html"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\Version = "53805056"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\SourceList\Media\1 = ";CD-ROM #1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.64BD3273	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\ProductName = "zawani"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\SourceList\PackageName = "30050b3673c720729cd6a61803059b16dd3aa526683e7342aae0261e4c78fa83.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9A574297AD28B6E46A6E44B3871D80B4\iDAAAF618FF524449BD8193E4A7C12996	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\PackageCode = "B6AA8A37A2DF03A4195563F9732E8294"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\SourceList\Media\DiskPrompt = "zawani 3.53 Installation"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
952	msiexec.exe
952	msiexec.exe
976	MsiExec.exe
976	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeTakeOwnershipPrivilege	952	msiexec.exe
Token: SeSecurityPrivilege	952	msiexec.exe
Token: SeCreateTokenPrivilege	2040	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2040	msiexec.exe
Token: SeLockMemoryPrivilege	2040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2040	msiexec.exe
Token: SeMachineAccountPrivilege	2040	msiexec.exe
Token: SeTcbPrivilege	2040	msiexec.exe
Token: SeSecurityPrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeLoadDriverPrivilege	2040	msiexec.exe
Token: SeSystemProfilePrivilege	2040	msiexec.exe
Token: SeSystemtimePrivilege	2040	msiexec.exe
Token: SeProfSingleProcessPrivilege	2040	msiexec.exe
Token: SeIncBasePriorityPrivilege	2040	msiexec.exe
Token: SeCreatePagefilePrivilege	2040	msiexec.exe
Token: SeCreatePermanentPrivilege	2040	msiexec.exe
Token: SeBackupPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeShutdownPrivilege	2040	msiexec.exe
Token: SeDebugPrivilege	2040	msiexec.exe
Token: SeAuditPrivilege	2040	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2040	msiexec.exe
Token: SeChangeNotifyPrivilege	2040	msiexec.exe
Token: SeRemoteShutdownPrivilege	2040	msiexec.exe
Token: SeUndockPrivilege	2040	msiexec.exe
Token: SeSyncAgentPrivilege	2040	msiexec.exe
Token: SeEnableDelegationPrivilege	2040	msiexec.exe
Token: SeManageVolumePrivilege	2040	msiexec.exe
Token: SeImpersonatePrivilege	2040	msiexec.exe
Token: SeCreateGlobalPrivilege	2040	msiexec.exe
Token: SeBackupPrivilege	1528	vssvc.exe
Token: SeRestorePrivilege	1528	vssvc.exe
Token: SeAuditPrivilege	1528	vssvc.exe
Token: SeBackupPrivilege	952	msiexec.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeRestorePrivilege	1776	DrvInst.exe
Token: SeRestorePrivilege	1776	DrvInst.exe
Token: SeRestorePrivilege	1776	DrvInst.exe
Token: SeRestorePrivilege	1776	DrvInst.exe
Token: SeRestorePrivilege	1776	DrvInst.exe
Token: SeRestorePrivilege	1776	DrvInst.exe
Token: SeRestorePrivilege	1776	DrvInst.exe
Token: SeLoadDriverPrivilege	1776	DrvInst.exe
Token: SeLoadDriverPrivilege	1776	DrvInst.exe
Token: SeLoadDriverPrivilege	1776	DrvInst.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeTakeOwnershipPrivilege	952	msiexec.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeTakeOwnershipPrivilege	952	msiexec.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeTakeOwnershipPrivilege	952	msiexec.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeTakeOwnershipPrivilege	952	msiexec.exe
Token: SeDebugPrivilege	976	MsiExec.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeTakeOwnershipPrivilege	952	msiexec.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeTakeOwnershipPrivilege	952	msiexec.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeTakeOwnershipPrivilege	952	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2040	msiexec.exe
2040	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 976	952	msiexec.exe	32
PID 952 wrote to memory of 976	952	msiexec.exe	32
PID 952 wrote to memory of 976	952	msiexec.exe	32
PID 952 wrote to memory of 976	952	msiexec.exe	32
PID 952 wrote to memory of 976	952	msiexec.exe	32
PID 952 wrote to memory of 976	952	msiexec.exe	32
PID 952 wrote to memory of 976	952	msiexec.exe	32
PID 976 wrote to memory of 1732	976	MsiExec.exe	34
PID 976 wrote to memory of 1732	976	MsiExec.exe	34
PID 976 wrote to memory of 1732	976	MsiExec.exe	34
PID 976 wrote to memory of 1732	976	MsiExec.exe	34
PID 976 wrote to memory of 1680	976	MsiExec.exe	36
PID 976 wrote to memory of 1680	976	MsiExec.exe	36
PID 976 wrote to memory of 1680	976	MsiExec.exe	36
PID 976 wrote to memory of 1680	976	MsiExec.exe	36
PID 1680 wrote to memory of 1892	1680	cmd.exe	38
PID 1680 wrote to memory of 1892	1680	cmd.exe	38
PID 1680 wrote to memory of 1892	1680	cmd.exe	38
PID 1680 wrote to memory of 1892	1680	cmd.exe	38

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1892	attrib.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\30050b3673c720729cd6a61803059b16dd3aa526683e7342aae0261e4c78fa83.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CEDBF4C2A715B6B6DC31D0538C246E76
  2⤵
  - Modifies extensions of user files
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\system32\vssadmin.exe delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1732
- - C:\Windows\syswow64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006CBB83.bat" "C:\Windows\Installer\MSI6DC3.tmp""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -r -h "C:\Windows\Installer\MSI6DC3.tmp"
      4⤵
      Views/modifies file attributes
      PID:1892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000580" "0000000000000060"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File Deletion

T1107

Hidden Files and Directories

T1158

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\006CBB83.bat

Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Windows\Installer\MSI6DC3.tmp

Filesize
77KB

MD5
0aacf2c41ba9b872a52055ffcaeaef15

SHA1
c09b509699aeef71f3e205d53c5f4ff71cb48570

SHA256
31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585

SHA512
d259de51d22d72d27d5947530317661b97ba8fcc36e7a2ad4835e98bc311ef1aa5964f939660733171934f6aefa82d8b76a6f9f04137e1aeca63d592f0fb26ec

Download Submit
\Windows\Installer\MSI6DC3.tmp

Filesize
77KB

MD5
0aacf2c41ba9b872a52055ffcaeaef15

SHA1
c09b509699aeef71f3e205d53c5f4ff71cb48570

SHA256
31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585

SHA512
d259de51d22d72d27d5947530317661b97ba8fcc36e7a2ad4835e98bc311ef1aa5964f939660733171934f6aefa82d8b76a6f9f04137e1aeca63d592f0fb26ec

Download Submit
memory/976-57-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/2040-54-0x000007FEFBB81000-0x000007FEFBB83000-memory.dmp

Filesize
8KB

Download