Analysis
max time kernel: 602s
max time network: 570s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 15:38
Static task: static1
Behavioral task: behavioral1
Sample: jitsi-2.10.5550-x64.exe
Resource: win10v2004-20220812-en

General
Target: jitsi-2.10.5550-x64.exe
Size: 64.8MB
MD5: 546ef502e1e1584a610515c0ac9c9f3a
SHA1: ba59d021517a7cde948510994fb3e9626c1b7376
SHA256: 4e5aa2e40cdf2dbba7a53b3aca2bfec7645a5ecef5e38cb6edcd27fb58539552
SHA512: c754c45f7b3a545a65f1e98c3aa0bd1a94c9bc8770c189e3f4cde02d225064b217e569768f255bdcf1fb66d84d1814da6ec2ee9ace2c5b158f48087a98d86220
SSDEEP: 1572864:fhr4diBG/dW5zueUx12uFv6AW0RFKQM6MRoVZHWXDuIGHZSkVn:ZX4MueUH2mijIFSzGZuD0Sa
Malware Config
Signatures
Detect jar appended to MSI (1 IoC)
Processes:
  resource                                                   yara_rule
  C:\Users\Admin\AppData\Local\Temp\jitsi-2.10.5550-x64.msi  jar_in_msi
Blocklisted process makes network request (7 IoCs)
Processes: msiexec.exe
  flow  pid   process
  28    1472  msiexec.exe
  29    1472  msiexec.exe
  31    1472  msiexec.exe
  33    1472  msiexec.exe
  37    1472  msiexec.exe
  39    1472  msiexec.exe
  42    1472  msiexec.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: jitsi-2.10.5550-x64.exe
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  jitsi-2.10.5550-x64.exe
Loads dropped DLL (1 IoC)
Processes: MsiExec.exe
  pid   process
  4636  MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
  description              ioc     process
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
Drops file in Program Files directory (64 IoCs)
Processes: msiexec.exe
  description   ioc                                                                        process
  File created  C:\Program Files\Jitsi\sc-bundles\hid.jar                                  msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\hid-service.jar                          msiexec.exe
  File created  C:\Program Files\Jitsi\jre\bin\nio.dll                                     msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\replacement-bliptv.jar                   msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\replacement-directimage.jar              msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\replacement-vimeo.jar                    msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\commons-codec.jar                        msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\osdependent.jar                          msiexec.exe
  File created  C:\Program Files\Jitsi\splash.gif                                          msiexec.exe
  File created  C:\Program Files\Jitsi\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif    msiexec.exe
  File created  C:\Program Files\Jitsi\native\jmsoutlookaddrbookcomserver32.exe            msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\plugin-msofficecomm.jar                  msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\replacement-dailymotion.jar              msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\sip-api.jar                              msiexec.exe
  File created  C:\Program Files\Jitsi\jre\bin\unpack200.exe                               msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\credentialsstorage.jar                   msiexec.exe
  File created  C:\Program Files\Jitsi\jre\lib\flavormap.properties                        msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\httpclient.jar                           msiexec.exe
  File created  C:\Program Files\Jitsi\lib\jitsi-defaults.properties                       msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\jna-platform.jar                         msiexec.exe
  File created  C:\Program Files\Jitsi\jre\lib\management\management.properties            msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\otr.jar                                  msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\replacement-vbox7.jar                    msiexec.exe
  File created  C:\Program Files\Jitsi\jre\bin\zip.dll                                     msiexec.exe
  File created  C:\Program Files\Jitsi\jre\lib\ext\access-bridge-64.jar                    msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\contacteventhandler.jar                  msiexec.exe
  File created  C:\Program Files\Jitsi\Jitsi.exe                                           msiexec.exe
  File created  C:\Program Files\Jitsi\jre\lib\sound.properties                            msiexec.exe
  File created  C:\Program Files\Jitsi\jre\lib\currency.data                               msiexec.exe
  File created  C:\Program Files\Jitsi\lib\felix.client.run.properties                     msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\generalconfig.jar                        msiexec.exe
  File created  C:\Program Files\Jitsi\native\IMsOutlookAddrBookClient.tlb                 msiexec.exe
  File created  C:\Program Files\Jitsi\jre\bin\javafx_iio.dll                              msiexec.exe
  File created  C:\Program Files\Jitsi\jre\bin\jjs.exe                                     msiexec.exe
  File created  C:\Program Files\Jitsi\jre\bin\jli.dll                                     msiexec.exe
  File created  C:\Program Files\Jitsi\jre\lib\tzmappings                                  msiexec.exe
  File created  C:\Program Files\Jitsi\jre\bin\eula.dll                                    msiexec.exe
  File created  C:\Program Files\Jitsi\jre\lib\security\javaws.policy                      msiexec.exe
  File created  C:\Program Files\Jitsi\jre\bin\JAWTAccessBridge-64.dll                     msiexec.exe
  File created  C:\Program Files\Jitsi\jre\bin\jdwp.dll                                    msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\metahistory.jar                          msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\replacement-hulu.jar                     msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\replacement-metacafe.jar                 msiexec.exe
  File created  C:\Program Files\Jitsi\jre\lib\resources.jar                               msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\ippiaccregwizz.jar                       msiexec.exe
  File created  C:\Program Files\Jitsi\jre\README.txt                                      msiexec.exe
  File created  C:\Program Files\Jitsi\jre\lib\security\trusted.libraries                  msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\contactsource.jar                        msiexec.exe
  File created  C:\Program Files\Jitsi\jre\bin\dcpr.dll                                    msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\fmj.jar                                  msiexec.exe
  File created  C:\Program Files\Jitsi\jre\bin\j2pkcs11.dll                                msiexec.exe
  File created  C:\Program Files\Jitsi\jre\bin\server\jvm.dll                              msiexec.exe
  File created  C:\Program Files\Jitsi\jre\bin\lcms.dll                                    msiexec.exe
  File created  C:\Program Files\Jitsi\jre\lib\ext\nashorn.jar                             msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\notificationconfig.jar                   msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\propertieseditor.jar                     msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\fileaccess.jar                           msiexec.exe
  File created  C:\Program Files\Jitsi\jre\lib\jce.jar                                     msiexec.exe
  File created  C:\Program Files\Jitsi\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt              msiexec.exe
  File created  C:\Program Files\Jitsi\jre\lib\charsets.jar                                msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\googletalkaccregwizz.jar                 msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\json.jar                                 msiexec.exe
  File created  C:\Program Files\Jitsi\jre\bin\pack200.exe                                 msiexec.exe
  File created  C:\Program Files\Jitsi\sc-bundles\spellChecker.jar                         msiexec.exe
Drops file in Windows directory (10 IoCs)
Processes: msiexec.exe
  description                   ioc                                                                      process
  File created                  C:\Windows\Installer\SourceHash{D20996B9-BCB6-4877-8104-BDEEF5ED3097}   msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIEB37.tmp                                         msiexec.exe
  File created                  C:\Windows\Installer\{D20996B9-BCB6-4877-8104-BDEEF5ED3097}\Icon.ico     msiexec.exe
  File created                  C:\Windows\Installer\e5bdd8b.msi                                         msiexec.exe
  File opened for modification  C:\Windows\Installer\e5bdd8b.msi                                         msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                 msiexec.exe
  File opened for modification  C:\Windows\Installer\                                                    msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                           msiexec.exe
  File opened for modification  C:\Windows\Installer\{D20996B9-BCB6-4877-8104-BDEEF5ED3097}\Icon.ico     msiexec.exe
  File created                  C:\Windows\Installer\e5bdd8d.msi                                         msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
  description       ioc                                                                                                                                  process
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                   vssvc.exe
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                   vssvc.exe
  Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr           vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value elided]  vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Modifies data under HKEY_USERS (3 IoCs)
Processes: msiexec.exe
  description  ioc                                                                          process
  Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E  msiexec.exe
  Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e           msiexec.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f           msiexec.exe
Modifies registry class (51 IoCs)
Processes: msiexec.exe
  description       ioc  process
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379\Version = "34215342"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379\AuthorizedLUAApp = "0"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379\SourceList\Media\1 = ";"  msiexec.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379\Clients = 3a0000000000  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\sip\shell\open\command  msiexec.exe
  Key created       \REGISTRY\MACHINE\Software\Classes\xmpp\DefaultIcon  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9B69902D6BCB77841840DBEE5FDE0379\Universe  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379\SourceList\Media  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\sip\shell  msiexec.exe
  Key created       \REGISTRY\MACHINE\Software\Classes\xmpp  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\xmpp\URL Protocol  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\sip  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\sip\shell\open  msiexec.exe
  Key created       \REGISTRY\MACHINE\Software\Classes\xmpp\shell\open\command  msiexec.exe
  Key created       \REGISTRY\MACHINE\Software\Classes\Jitsi.Url\shell\open\command  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379\InstanceType = "0"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\sip\URL Protocol  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379\SourceList\PackageName = "jitsi-2.10.5550-x64.msi"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379\SourceList\Net  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379\DeploymentFlags = "3"  msiexec.exe
  Key created       \REGISTRY\MACHINE\Software\Classes\sip\DefaultIcon  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\xmpp  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\xmpp\shell\open\command  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\xmpp\shell\open\command\ = "\"C:\\Program Files\\Jitsi\\Jitsi.exe\" %1"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Jitsi.Url\shell\open\command  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379  msiexec.exe
  Key created       \REGISTRY\MACHINE\Software\Classes\sip  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\xmpp\shell\open  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379\Language = "1033"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379\Assignment = "1"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\sip\shell\open\command\ = "\"C:\\Program Files\\Jitsi\\Jitsi.exe\" %1"  msiexec.exe
  Key created       \REGISTRY\MACHINE\Software\Classes\sip\shell\open\command  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\xmpp\DefaultIcon\ = "C:\\Program Files\\Jitsi\\sc-logo.ico"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\sip\ = "URL: SIP Protocol handler"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Jitsi.Url  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Jitsi.Url\shell  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Jitsi.Url\shell\open\command\ = "\"C:\\Program Files\\Jitsi\\Jitsi.exe\" \"%1\""  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9B69902D6BCB77841840DBEE5FDE0379  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EB90F9F57ABD0C4D8464E437D58844D  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379\SourceList  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\xmpp\shell  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\sip\DefaultIcon\ = "C:\\Program Files\\Jitsi\\sc-logo.ico"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Jitsi.Url\shell\open  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379\ProductName = "Jitsi"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379\PackageCode = "251E15366A411E043B09F163FD3B4667"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379\AdvertiseFlags = "388"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B69902D6BCB77841840DBEE5FDE0379\ProductIcon = "C:\\Windows\\Installer\\{D20996B9-BCB6-4877-8104-BDEEF5ED3097}\\Icon.ico"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EB90F9F57ABD0C4D8464E437D58844D\9B69902D6BCB77841840DBEE5FDE0379  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\xmpp\ = "URL: XMPP Protocol handler"  msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: msiexec.exe
  pid   process
  4612  msiexec.exe
  4612  msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe
  description                           pid   process
  Token: SeShutdownPrivilege            1472  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1472  msiexec.exe
  Token: SeSecurityPrivilege            4612  msiexec.exe
  Token: SeCreateTokenPrivilege         1472  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  1472  msiexec.exe
  Token: SeLockMemoryPrivilege          1472  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1472  msiexec.exe
  Token: SeMachineAccountPrivilege      1472  msiexec.exe
  Token: SeTcbPrivilege                 1472  msiexec.exe
  Token: SeSecurityPrivilege            1472  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1472  msiexec.exe
  Token: SeLoadDriverPrivilege          1472  msiexec.exe
  Token: SeSystemProfilePrivilege       1472  msiexec.exe
  Token: SeSystemtimePrivilege          1472  msiexec.exe
  Token: SeProfSingleProcessPrivilege   1472  msiexec.exe
  Token: SeIncBasePriorityPrivilege     1472  msiexec.exe
  Token: SeCreatePagefilePrivilege      1472  msiexec.exe
  Token: SeCreatePermanentPrivilege     1472  msiexec.exe
  Token: SeBackupPrivilege              1472  msiexec.exe
  Token: SeRestorePrivilege             1472  msiexec.exe
  Token: SeShutdownPrivilege            1472  msiexec.exe
  Token: SeDebugPrivilege               1472  msiexec.exe
  Token: SeAuditPrivilege               1472  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   1472  msiexec.exe
  Token: SeChangeNotifyPrivilege        1472  msiexec.exe
  Token: SeRemoteShutdownPrivilege      1472  msiexec.exe
  Token: SeUndockPrivilege              1472  msiexec.exe
  Token: SeSyncAgentPrivilege           1472  msiexec.exe
  Token: SeEnableDelegationPrivilege    1472  msiexec.exe
  Token: SeManageVolumePrivilege        1472  msiexec.exe
  Token: SeImpersonatePrivilege         1472  msiexec.exe
  Token: SeCreateGlobalPrivilege        1472  msiexec.exe
  Token: SeCreateTokenPrivilege         1472  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  1472  msiexec.exe
  Token: SeLockMemoryPrivilege          1472  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1472  msiexec.exe
  Token: SeMachineAccountPrivilege      1472  msiexec.exe
  Token: SeTcbPrivilege                 1472  msiexec.exe
  Token: SeSecurityPrivilege            1472  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1472  msiexec.exe
  Token: SeLoadDriverPrivilege          1472  msiexec.exe
  Token: SeSystemProfilePrivilege       1472  msiexec.exe
  Token: SeSystemtimePrivilege          1472  msiexec.exe
  Token: SeProfSingleProcessPrivilege   1472  msiexec.exe
  Token: SeIncBasePriorityPrivilege     1472  msiexec.exe
  Token: SeCreatePagefilePrivilege      1472  msiexec.exe
  Token: SeCreatePermanentPrivilege     1472  msiexec.exe
  Token: SeBackupPrivilege              1472  msiexec.exe
  Token: SeRestorePrivilege             1472  msiexec.exe
  Token: SeShutdownPrivilege            1472  msiexec.exe
  Token: SeDebugPrivilege               1472  msiexec.exe
  Token: SeAuditPrivilege               1472  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   1472  msiexec.exe
  Token: SeChangeNotifyPrivilege        1472  msiexec.exe
  Token: SeRemoteShutdownPrivilege      1472  msiexec.exe
  Token: SeUndockPrivilege              1472  msiexec.exe
  Token: SeSyncAgentPrivilege           1472  msiexec.exe
  Token: SeEnableDelegationPrivilege    1472  msiexec.exe
  Token: SeManageVolumePrivilege        1472  msiexec.exe
  Token: SeImpersonatePrivilege         1472  msiexec.exe
  Token: SeCreateGlobalPrivilege        1472  msiexec.exe
  Token: SeCreateTokenPrivilege         1472  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  1472  msiexec.exe
  Token: SeLockMemoryPrivilege          1472  msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: msiexec.exe
  pid   process
  1472  msiexec.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: jitsi-2.10.5550-x64.exe, msiexec.exe
  description                        pid   process                  target process
  PID 1436 wrote to memory of 1472   1436  jitsi-2.10.5550-x64.exe  msiexec.exe
  PID 1436 wrote to memory of 1472   1436  jitsi-2.10.5550-x64.exe  msiexec.exe
  PID 4612 wrote to memory of 4636   4612  msiexec.exe              MsiExec.exe
  PID 4612 wrote to memory of 4636   4612  msiexec.exe              MsiExec.exe
  PID 4612 wrote to memory of 4636   4612  msiexec.exe              MsiExec.exe
  PID 4612 wrote to memory of 4364   4612  msiexec.exe              srtasks.exe
  PID 4612 wrote to memory of 4364   4612  msiexec.exe              srtasks.exe
Processes
C:\Users\Admin\AppData\Local\Temp\jitsi-2.10.5550-x64.exe
  "C:\Users\Admin\AppData\Local\Temp\jitsi-2.10.5550-x64.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 1436
    C:\Windows\System32\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\jitsi-2.10.5550-x64.msi" REINSTALLMODE=amus
      - Blocklisted process makes network request
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID: 1472

C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4612
    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 25CA49C73B89AEFA437F9F23D78AD4C4 C
      - Loads dropped DLL
      PID: 4636
    C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 4364

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  PID: 1824
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\68FAF71AF355126BCA00CE2E73CC7374_1151833BB5788BDCAD7971E54EA7B930
Filesize: 1KB
MD5: 7b890e5d2af242037643de9c1c79b63c
SHA1: 698d4dc6aa16fd7ea958f4192e037dec849d9cbc
SHA256: c5b783dd4cae87575d560cb46f13962c195e32389f7164485deb83683f74e3d5
SHA512: 767601dfd173d6f5bf2a9aecde54ed0308ae874156be5844a7ec4761cadf5a348e2f76a6877285b0b23524d8a5e60dd397acf3b55f71721d92e39f68269898cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A242DAB82C3A2C6C33F27A249ED66F9B_3CECA90131B87816FB42DB83A02B5E98
Filesize: 1KB
MD5: e231fa8d00f34db3579139c6d96a8305
SHA1: 61ab062b6aa918b413a7eba853b370fd9e64886d
SHA256: 5570c1e7ce5426df1adcb1e472006bc3726f79c821009bbd513dde2ae1ca4fe7
SHA512: aaebe54cbbfe4816ecf5410d396cab226c014ca8b25ae151c00d3758ba42d075adf4598cfbfd2d091e80cbc95f4cc3670132e2c6642310d13db7c6d8fcaa1106

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\68FAF71AF355126BCA00CE2E73CC7374_1151833BB5788BDCAD7971E54EA7B930
Filesize: 412B
MD5: b24b0d7f683c339035f288acfab58e92
SHA1: 480e6f4aaeabe679f5ce92e1e4e4f42bf6ba1075
SHA256: 6ed3d747bdb7c70b8d89e7a2504723303468309a792e9228be1e51092433e623
SHA512: 42826cf1050980a79645542122b5e7362f66ca45040d4a9f92055c12dbb6d12af02c2a4de5886fe42db5083ff35246416914e907ff266a74d45c076197ef53b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A242DAB82C3A2C6C33F27A249ED66F9B_3CECA90131B87816FB42DB83A02B5E98
Filesize: 422B
MD5: 41b2fd99566c2bed3ed18d3833d795e8
SHA1: 4d1d27bb9e1d3c60c61a9c24a69b2b31bb97fb24
SHA256: 28700733c608ddcbe911b18bcea840a3db1f53d2d290745d054ffc5968a45956
SHA512: 8cf5fb0daacb54ef0d9be8d9592d18f293b14dbbf0fa7ebee7713a16e68d7ac537384535148fa1d40c39145726c038e59bfef81d2c9fc0f2c3cdf055927d9ef1

(no path recorded)
Filesize: 64KB
MD5: 5ea7455a71a9b481d0d9402c4e4e19d7
SHA1: 4630e3d9788c445812ae7f3a5436b809c6cda09e
SHA256: 428c16fad8a8190a6090fa940c2ef2d5c13168f721d958750a874ff8c13c5a85
SHA512: 124b8cc4590eb31fbd336031ff4dc86987ca320a768cf8d6350f1d1628761d4099e8f4baf5b25bb9587afb903a4911efa950c15dcdae3aedfdd56b7ac2199370

(no path recorded)
Filesize: 182.3MB
MD5: 383544e80bcdf2bffca253c6e0d950f5
SHA1: 1b0a6129379485b144f5b2ff5ea640f64de9183d
SHA256: 56599f2bf7cba67a08a29ade3b11068a706d24634f20f54d5d96483c4f1e9aa7
SHA512: 71aa29e3129320e62d769f47fda30859fb57e69b6d7b3c9e8bb9130fa556686f7fb1429b1eb392e5f7759e7d251d106b351dfdbdf5ede4d6611398b02015dd4d

(no path recorded)
Filesize: 23.0MB
MD5: ad7d330faec13761a6a644c60d3eb7b7
SHA1: 7a56ad4a081fc036ebf5851725916085b8fc8964
SHA256: 1f18772ff54843b78c3a20080c8c5c3b785ca527c8e6f08eacbce7edb505d91c
SHA512: 95b1a74d318a9daca94494c76c42d8d382de1ac657a7548dd3c5226621bb1120e3daf2c0c4a0ec125a67e4ef69795319f010cd9e8b64507028746ad8809e007d

\??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f9e7bce2-ce9d-406c-a90f-35f22ef94eaa}_OnDiskSnapshotProp
Filesize: 5KB
MD5: 3611d9558bfd8c89fab4db17da4523e1
SHA1: 80907d28053c228f4bf1bba22488e9d4b7ded674
SHA256: 6198688c9f6735d5c9f8629b5f45c9f6137e609e53e93789ba8e7d57ce40bbf7
SHA512: b87d43d5cf5f70d886163f93c09cd33c61a4cef39161646fd1174524cc8a4d4663d23f18e8a518dad659dbe3d179e0ed2e363803d3341ada4f15ae003501fb2b