Analysis
-
max time kernel
188s -
max time network
194s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 13:39
Static task
static1
Behavioral task
behavioral1
Sample
PAGA-TUS-MULTAS-34ed1ecf-1a2c-4d26_____________________________________________________________________85ba-ba597ff6089b.msi
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
PAGA-TUS-MULTAS-34ed1ecf-1a2c-4d26_____________________________________________________________________85ba-ba597ff6089b.msi
Resource
win10v2004-20221111-en
General
-
Target
PAGA-TUS-MULTAS-34ed1ecf-1a2c-4d26_____________________________________________________________________85ba-ba597ff6089b.msi
-
Size
1.6MB
-
MD5
895d068ffb4c4ca7c8e677a051bbbaae
-
SHA1
faf3d6eedbcd49d446059c2bf1cfed6a1b9b6913
-
SHA256
687ac0a86056ab61af2e1c34b053e7d58ab19b64bab5d13b81e2e3dcab878426
-
SHA512
1877e98c58f21060ffbe9726320deb43a342f0d969164b760842f8fcbc13d7b8413e3b37434dcaaec9137514e217e7d7685a31b6eaf190425ea654d847549b11
-
SSDEEP
49152:pCyNitjVqoA5AwxDOjSETeVfb/6LYE3c9ANB:qtMJAwOjSEPYP
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exedescription ioc process File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000b9e60d2ecf4958f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000b9e60d20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809000b9e60d2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000b9e60d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000b9e60d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exedescription pid process Token: SeShutdownPrivilege 1272 msiexec.exe Token: SeIncreaseQuotaPrivilege 1272 msiexec.exe Token: SeSecurityPrivilege 3396 msiexec.exe Token: SeCreateTokenPrivilege 1272 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1272 msiexec.exe Token: SeLockMemoryPrivilege 1272 msiexec.exe Token: SeIncreaseQuotaPrivilege 1272 msiexec.exe Token: SeMachineAccountPrivilege 1272 msiexec.exe Token: SeTcbPrivilege 1272 msiexec.exe Token: SeSecurityPrivilege 1272 msiexec.exe Token: SeTakeOwnershipPrivilege 1272 msiexec.exe Token: SeLoadDriverPrivilege 1272 msiexec.exe Token: SeSystemProfilePrivilege 1272 msiexec.exe Token: SeSystemtimePrivilege 1272 msiexec.exe Token: SeProfSingleProcessPrivilege 1272 msiexec.exe Token: SeIncBasePriorityPrivilege 1272 msiexec.exe Token: SeCreatePagefilePrivilege 1272 msiexec.exe Token: SeCreatePermanentPrivilege 1272 msiexec.exe Token: SeBackupPrivilege 1272 msiexec.exe Token: SeRestorePrivilege 1272 msiexec.exe Token: SeShutdownPrivilege 1272 msiexec.exe Token: SeDebugPrivilege 1272 msiexec.exe Token: SeAuditPrivilege 1272 msiexec.exe Token: SeSystemEnvironmentPrivilege 1272 msiexec.exe Token: SeChangeNotifyPrivilege 1272 msiexec.exe Token: SeRemoteShutdownPrivilege 1272 msiexec.exe Token: SeUndockPrivilege 1272 msiexec.exe Token: SeSyncAgentPrivilege 1272 msiexec.exe Token: SeEnableDelegationPrivilege 1272 msiexec.exe Token: SeManageVolumePrivilege 1272 msiexec.exe Token: SeImpersonatePrivilege 1272 msiexec.exe Token: SeCreateGlobalPrivilege 1272 msiexec.exe Token: SeBackupPrivilege 4416 vssvc.exe Token: SeRestorePrivilege 4416 vssvc.exe Token: SeAuditPrivilege 4416 vssvc.exe Token: SeBackupPrivilege 3396 msiexec.exe Token: SeRestorePrivilege 3396 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 1272 msiexec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PAGA-TUS-MULTAS-34ed1ecf-1a2c-4d26_____________________________________________________________________85ba-ba597ff6089b.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken