0038c99f2a5285acd2d4ed02c9a444b93c01e8e632b995cf30103e2e4f067329

General

Target

8f07ea738d1c69b74fac16cabe39e858.msi
Size

730KB
MD5

8f07ea738d1c69b74fac16cabe39e858
SHA1

2a4c4e73106b0dcb87fbfc4a14426e72e0c368b6
SHA256

0038c99f2a5285acd2d4ed02c9a444b93c01e8e632b995cf30103e2e4f067329
SHA512

db3a5884f0c71923ff5aee2e4341d495cd863f68894bab5a8d7426c31e53f2362bc55ec74da76c065e54625f5eb9e3ba07fcb040d3320771a44da6eed34fab66
SSDEEP

12288:GGpswznMosyIa3FZjiazH1BpQc2Yf4U4oXMf6p2XHJZNNNh:GGOw7MAFZjiaZBuc2g4jocf6p2XHXNNr

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

4 2148 msiexec.exe
Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

1460 MsiExec.exe
1460 MsiExec.exe

flow	pid	process
4	2148	msiexec.exe

pid	process
1460	MsiExec.exe
1460	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Windows directory 5 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e56ed24.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56ed24.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDB0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF022.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000dcccb42f1bc641320000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000dcccb42f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900dcccb42f000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	2148	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2148	msiexec.exe
Token: SeSecurityPrivilege	4776	msiexec.exe
Token: SeCreateTokenPrivilege	2148	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2148	msiexec.exe
Token: SeLockMemoryPrivilege	2148	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2148	msiexec.exe
Token: SeMachineAccountPrivilege	2148	msiexec.exe
Token: SeTcbPrivilege	2148	msiexec.exe
Token: SeSecurityPrivilege	2148	msiexec.exe
Token: SeTakeOwnershipPrivilege	2148	msiexec.exe
Token: SeLoadDriverPrivilege	2148	msiexec.exe
Token: SeSystemProfilePrivilege	2148	msiexec.exe
Token: SeSystemtimePrivilege	2148	msiexec.exe
Token: SeProfSingleProcessPrivilege	2148	msiexec.exe
Token: SeIncBasePriorityPrivilege	2148	msiexec.exe
Token: SeCreatePagefilePrivilege	2148	msiexec.exe
Token: SeCreatePermanentPrivilege	2148	msiexec.exe
Token: SeBackupPrivilege	2148	msiexec.exe
Token: SeRestorePrivilege	2148	msiexec.exe
Token: SeShutdownPrivilege	2148	msiexec.exe
Token: SeDebugPrivilege	2148	msiexec.exe
Token: SeAuditPrivilege	2148	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2148	msiexec.exe
Token: SeChangeNotifyPrivilege	2148	msiexec.exe
Token: SeRemoteShutdownPrivilege	2148	msiexec.exe
Token: SeUndockPrivilege	2148	msiexec.exe
Token: SeSyncAgentPrivilege	2148	msiexec.exe
Token: SeEnableDelegationPrivilege	2148	msiexec.exe
Token: SeManageVolumePrivilege	2148	msiexec.exe
Token: SeImpersonatePrivilege	2148	msiexec.exe
Token: SeCreateGlobalPrivilege	2148	msiexec.exe
Token: SeBackupPrivilege	3772	vssvc.exe
Token: SeRestorePrivilege	3772	vssvc.exe
Token: SeAuditPrivilege	3772	vssvc.exe
Token: SeBackupPrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe
Token: SeTakeOwnershipPrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe
Token: SeTakeOwnershipPrivilege	4776	msiexec.exe
Token: SeRestorePrivilege	4776	msiexec.exe
Token: SeTakeOwnershipPrivilege	4776	msiexec.exe
Token: SeBackupPrivilege	2228	srtasks.exe
Token: SeRestorePrivilege	2228	srtasks.exe
Token: SeSecurityPrivilege	2228	srtasks.exe
Token: SeTakeOwnershipPrivilege	2228	srtasks.exe
Token: SeBackupPrivilege	2228	srtasks.exe
Token: SeRestorePrivilege	2228	srtasks.exe
Token: SeSecurityPrivilege	2228	srtasks.exe
Token: SeTakeOwnershipPrivilege	2228	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2148 msiexec.exe
2148 msiexec.exe

pid	process
2148	msiexec.exe
2148	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 4776 wrote to memory of 2228	4776	msiexec.exe	srtasks.exe
PID 4776 wrote to memory of 2228	4776	msiexec.exe	srtasks.exe
PID 4776 wrote to memory of 1460	4776	msiexec.exe	MsiExec.exe
PID 4776 wrote to memory of 1460	4776	msiexec.exe	MsiExec.exe
PID 4776 wrote to memory of 1460	4776	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8f07ea738d1c69b74fac16cabe39e858.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2148

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 13631ED2431C2E4B004B6B3798DA8B9A
  2⤵
  - Loads dropped DLL
  PID:1460

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSIEDB0.tmp

Filesize
56KB

MD5
38a4250c5e678728a0cdf126f1cdd937

SHA1
d55553ab896f085fd5cd191022c64442c99f48a4

SHA256
63c4d968320e634b97542ccf0edffe130800314346c3316817813e62d7b7ee08

SHA512
cc00d1d5e6b074eff3245d3e8aa3020804a6bfd01516c7be7b05f671a93c6a56d9058738c422ad77eabb6c10e6c698a219dac7102e0b17dd941b11bfd60eb894

Download Submit
C:\Windows\Installer\MSIEDB0.tmp

Filesize
56KB

MD5
38a4250c5e678728a0cdf126f1cdd937

SHA1
d55553ab896f085fd5cd191022c64442c99f48a4

SHA256
63c4d968320e634b97542ccf0edffe130800314346c3316817813e62d7b7ee08

SHA512
cc00d1d5e6b074eff3245d3e8aa3020804a6bfd01516c7be7b05f671a93c6a56d9058738c422ad77eabb6c10e6c698a219dac7102e0b17dd941b11bfd60eb894

Download Submit
C:\Windows\Installer\MSIF022.tmp

Filesize
56KB

MD5
38a4250c5e678728a0cdf126f1cdd937

SHA1
d55553ab896f085fd5cd191022c64442c99f48a4

SHA256
63c4d968320e634b97542ccf0edffe130800314346c3316817813e62d7b7ee08

SHA512
cc00d1d5e6b074eff3245d3e8aa3020804a6bfd01516c7be7b05f671a93c6a56d9058738c422ad77eabb6c10e6c698a219dac7102e0b17dd941b11bfd60eb894

Download Submit
C:\Windows\Installer\MSIF022.tmp

Filesize
56KB

MD5
38a4250c5e678728a0cdf126f1cdd937

SHA1
d55553ab896f085fd5cd191022c64442c99f48a4

SHA256
63c4d968320e634b97542ccf0edffe130800314346c3316817813e62d7b7ee08

SHA512
cc00d1d5e6b074eff3245d3e8aa3020804a6bfd01516c7be7b05f671a93c6a56d9058738c422ad77eabb6c10e6c698a219dac7102e0b17dd941b11bfd60eb894

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
a4f64b81aacaddb09958561414b310b0

SHA1
38696d787d4d7947648b752260d047c792312fb2

SHA256
2c6f8196c9e1caece5269d0dae0d419fa83c618167c0d73c63b0562c41ff066d

SHA512
434b46c2bc2fb28a68e2b56f2b654e447b9cb77319b8aaaf93a9d018774b8f1dba5cbd12ccf2eba168b7006246dbe19b2ce8573f02113507e5139818be701b21

Download Submit
\??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1d8cd0c0-e449-48ee-927a-c9ec04ef3c3d}_OnDiskSnapshotProp

Filesize
5KB

MD5
82b8c1def9c9dd8b14e740573b2c200e

SHA1
2366587d238dbf938994ae34b1dc8cf5eedd7ce1

SHA256
a4054677d701af9657616704852530f145daeeb5e73182cc639468c180b238a8

SHA512
d24a30b6e464f4331cfafba189ab0ed50972dba9e1dab456f02bfb831a5fb65ae370bf334666175f58d52c0f4455b3522fc034966741b2810577d87ea2f09aa1

Download Submit
memory/1460-133-0x0000000000000000-mapping.dmp

Download
memory/2228-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads