Analysis
Max time kernel: 62s
Max time network: 143s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 31-12-2022 10:41
Behavioral task behavioral1
Sample: 8f07ea738d1c69b74fac16cabe39e858.msi
Resource: win7-20221111-en

Behavioral task behavioral2
Sample: 8f07ea738d1c69b74fac16cabe39e858.msi
Resource: win10v2004-20220812-en
General
Target: 8f07ea738d1c69b74fac16cabe39e858.msi
Size: 730KB
MD5: 8f07ea738d1c69b74fac16cabe39e858
SHA1: 2a4c4e73106b0dcb87fbfc4a14426e72e0c368b6
SHA256: 0038c99f2a5285acd2d4ed02c9a444b93c01e8e632b995cf30103e2e4f067329
SHA512: db3a5884f0c71923ff5aee2e4341d495cd863f68894bab5a8d7426c31e53f2362bc55ec74da76c065e54625f5eb9e3ba07fcb040d3320771a44da6eed34fab66
SSDEEP: 12288:GGpswznMosyIa3FZjiazH1BpQc2Yf4U4oXMf6p2XHJZNNNh:GGOw7MAFZjiaZBuc2g4jocf6p2XHXNNr
Signatures
Blocklisted process makes network request (1 IoC)
Processes: msiexec.exe
flow | pid | process
4 | 2148 | msiexec.exe
Loads dropped DLL (2 IoCs)
Processes: MsiExec.exe
pid | process
1460 | MsiExec.exe
1460 | MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
Drops file in Windows directory (5 IoCs)
Processes: msiexec.exe
description | ioc | process
File created | C:\Windows\Installer\e56ed24.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e56ed24.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIEDB0.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF022.tmp | msiexec.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
Suspicious use of AdjustPrivilegeToken (51 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe, srtasks.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
pid | process
2148 | msiexec.exe
2148 | msiexec.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: msiexec.exe
description | pid | process | target process
PID 4776 wrote to memory of 2228 | 4776 | msiexec.exe | srtasks.exe
PID 4776 wrote to memory of 2228 | 4776 | msiexec.exe | srtasks.exe
PID 4776 wrote to memory of 1460 | 4776 | msiexec.exe | MsiExec.exe
PID 4776 wrote to memory of 1460 | 4776 | msiexec.exe | MsiExec.exe
PID 4776 wrote to memory of 1460 | 4776 | msiexec.exe | MsiExec.exe
Processes

C:\Windows\system32\msiexec.exe (PID 2148)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8f07ea738d1c69b74fac16cabe39e858.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 4776)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe (PID 2228)
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\syswow64\MsiExec.exe (PID 1460)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 13631ED2431C2E4B004B6B3798DA8B9A
      - Loads dropped DLL

C:\Windows\system32\vssvc.exe (PID 3772)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 56KB
MD5: 38a4250c5e678728a0cdf126f1cdd937
SHA1: d55553ab896f085fd5cd191022c64442c99f48a4
SHA256: 63c4d968320e634b97542ccf0edffe130800314346c3316817813e62d7b7ee08
SHA512: cc00d1d5e6b074eff3245d3e8aa3020804a6bfd01516c7be7b05f671a93c6a56d9058738c422ad77eabb6c10e6c698a219dac7102e0b17dd941b11bfd60eb894
Filesize: 23.0MB
MD5: a4f64b81aacaddb09958561414b310b0
SHA1: 38696d787d4d7947648b752260d047c792312fb2
SHA256: 2c6f8196c9e1caece5269d0dae0d419fa83c618167c0d73c63b0562c41ff066d
SHA512: 434b46c2bc2fb28a68e2b56f2b654e447b9cb77319b8aaaf93a9d018774b8f1dba5cbd12ccf2eba168b7006246dbe19b2ce8573f02113507e5139818be701b21
\??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1d8cd0c0-e449-48ee-927a-c9ec04ef3c3d}_OnDiskSnapshotProp
Filesize: 5KB
MD5: 82b8c1def9c9dd8b14e740573b2c200e
SHA1: 2366587d238dbf938994ae34b1dc8cf5eedd7ce1
SHA256: a4054677d701af9657616704852530f145daeeb5e73182cc639468c180b238a8
SHA512: d24a30b6e464f4331cfafba189ab0ed50972dba9e1dab456f02bfb831a5fb65ae370bf334666175f58d52c0f4455b3522fc034966741b2810577d87ea2f09aa1