Analysis

max time kernel: 96s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-01-2023 19:43
Behavioral task: behavioral1
Sample: 0038c99f2a5285acd2d4ed02c9a444b93c01e8e632b995cf30103e2e4f067329.msi
Resource: win10v2004-20221111-en
General

Target: 0038c99f2a5285acd2d4ed02c9a444b93c01e8e632b995cf30103e2e4f067329.msi
Size: 730KB
MD5: 8f07ea738d1c69b74fac16cabe39e858
SHA1: 2a4c4e73106b0dcb87fbfc4a14426e72e0c368b6
SHA256: 0038c99f2a5285acd2d4ed02c9a444b93c01e8e632b995cf30103e2e4f067329
SHA512: db3a5884f0c71923ff5aee2e4341d495cd863f68894bab5a8d7426c31e53f2362bc55ec74da76c065e54625f5eb9e3ba07fcb040d3320771a44da6eed34fab66
SSDEEP: 12288:GGpswznMosyIa3FZjiazH1BpQc2Yf4U4oXMf6p2XHJZNNNh:GGOw7MAFZjiaZBuc2g4jocf6p2XHXNNr
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow 5, pid 3440, msiexec.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 2964, MsiExec.exe
    pid 2964, MsiExec.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (msiexec.exe, both instances):
    File opened (read-only): \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
    (every letter from A: to Z: except C: and D:; each letter appears twice in the report, 48 entries in total)
- Drops file in Windows directory (5 IoCs)
  Processes (msiexec.exe):
    File created: C:\Windows\Installer\e56fbd9.msi
    File opened for modification: C:\Windows\Installer\e56fbd9.msi
    File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
    File opened for modification: C:\Windows\Installer\MSIFC76.tmp
    File opened for modification: C:\Windows\Installer\MSIFE6B.tmp
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (vssvc.exe):
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
    Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr
    Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache =
      0000000004000000106161d2e731958f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000106161d20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900106161d2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000106161d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000106161d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache =
      534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Suspicious use of AdjustPrivilegeToken (51 IoCs)
  Processes (tokens adjusted, grouped by process, in the order reported):
    pid 3440 msiexec.exe (31): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
    pid 4340 msiexec.exe (9): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
    pid 1496 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    pid 4284 srtasks.exe (8): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    pid 3440, msiexec.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (source pid, source process -> target pid, target process):
    PID 4340 msiexec.exe wrote to memory of 4284 srtasks.exe
    PID 4340 msiexec.exe wrote to memory of 4284 srtasks.exe
    PID 4340 msiexec.exe wrote to memory of 2964 MsiExec.exe
    PID 4340 msiexec.exe wrote to memory of 2964 MsiExec.exe
    PID 4340 msiexec.exe wrote to memory of 2964 MsiExec.exe
Processes (tree, indented by depth)

- C:\Windows\system32\msiexec.exe (PID 3440)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0038c99f2a5285acd2d4ed02c9a444b93c01e8e632b995cf30103e2e4f067329.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 4340)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\srtasks.exe (PID 4284, child of 4340)
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\syswow64\MsiExec.exe (PID 2964, child of 4340)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding CB96A1186F82FD5892C16A2F8753CDE8
    - Loads dropped DLL

- C:\Windows\system32\vssvc.exe (PID 1496)
  command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Windows\Installer\MSIFC76.tmp
  Filesize: 56KB
  MD5: 38a4250c5e678728a0cdf126f1cdd937
  SHA1: d55553ab896f085fd5cd191022c64442c99f48a4
  SHA256: 63c4d968320e634b97542ccf0edffe130800314346c3316817813e62d7b7ee08
  SHA512: cc00d1d5e6b074eff3245d3e8aa3020804a6bfd01516c7be7b05f671a93c6a56d9058738c422ad77eabb6c10e6c698a219dac7102e0b17dd941b11bfd60eb894
- C:\Windows\Installer\MSIFE6B.tmp
  Filesize: 56KB
  MD5: 38a4250c5e678728a0cdf126f1cdd937
  SHA1: d55553ab896f085fd5cd191022c64442c99f48a4
  SHA256: 63c4d968320e634b97542ccf0edffe130800314346c3316817813e62d7b7ee08
  SHA512: cc00d1d5e6b074eff3245d3e8aa3020804a6bfd01516c7be7b05f671a93c6a56d9058738c422ad77eabb6c10e6c698a219dac7102e0b17dd941b11bfd60eb894
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: b49d4a915621364a1ff26cb23082ece1
  SHA1: a2fec2da099b8027da6f220acd0eaf7ce3af40ba
  SHA256: 27499f3db8f8cdfda081f07fc25919aa7fb1be3158c7c802467ebb1755148eff
  SHA512: a40664633132e9c642c9bbd1b357c06752dd7098576d3ea108da5f46b6d9bd76e53ebea12091f0e0d8c2627a281825e419db7cb0a2d5a73f5d5c297fd54e9062

- \??\Volume{d2616110-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{436e76c1-6f9e-4f9e-b707-5f72e7cd79e2}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 77ac8f472dcb4271d0e89f1d53ace85b
  SHA1: caeeac385fddbe95538f07ff11dd18790c216e7a
  SHA256: 960c9e1e0d7f81dfbd365da6e893a7cce4c23b4b3e0b642ac58b86372bfbe219
  SHA512: 28867fb40969058256d7bb9548391e2dae4c1f34dc17649e1b92adce3262218af0e4a68d18a69507ddde039a7c500ea8f1666aa45c10521d1892053959790d4d

- memory/2964-133-0x0000000000000000-mapping.dmp

- memory/4284-132-0x0000000000000000-mapping.dmp