Analysis
- max time kernel: 94s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-01-2023 10:02
Behavioral task: behavioral1
- Sample: a5dc13abd8b4769fbd2a8cc1a4f70a73.msi
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: a5dc13abd8b4769fbd2a8cc1a4f70a73.msi
- Resource: win10v2004-20221111-en
General
- Target: a5dc13abd8b4769fbd2a8cc1a4f70a73.msi
- Size: 774KB
- MD5: a5dc13abd8b4769fbd2a8cc1a4f70a73
- SHA1: 87cb437244076e1119b49aae7cf72b7ba0d1c1e3
- SHA256: 61ea7131b658175e023681829bad0d108d9d74c318c184bc5be456cfdaf670c6
- SHA512: e65dc2601448d11706df7cb9a1cce7c2b21a386a1cf056a6c4c36a61f1f87a891bbcdd1a5ddfdbf4caf74d011474079eb0f7741ee04c5043a17ff3edef011429
- SSDEEP: 24576:GGOw7MAFZjiaZBuc2g4jocf6p2XHXNNpO:QwHnjis3M6p2X/pO
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  - 916 MsiExec.exe
  - 916 MsiExec.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description, ioc, process): two msiexec.exe processes each performed "File opened (read-only)" on the root of the same 24 drive letters, i.e. every letter except C: and D:, giving 48 events in total:
  - \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (each opened twice, by msiexec.exe)
- Drops file in Windows directory (5 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Windows\Installer\e56e8de.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\e56e8de.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIE9D8.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIEBDD.tmp (msiexec.exe)
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 (vssvc.exe)
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
- Suspicious use of AdjustPrivilegeToken (51 IoCs)
  Processes (description, pid, process), grouped by process in the order the token events were recorded:
  - msiexec.exe (PID 4904), 31 events: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  - msiexec.exe (PID 5052), 9 events: SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
  - vssvc.exe (PID 4644), 3 events: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - srtasks.exe (PID 3260), 8 events: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid, process):
  - 4904 msiexec.exe
  - 4904 msiexec.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description, pid, process, target process):
  - PID 5052 (msiexec.exe) wrote to memory of PID 3260 (srtasks.exe)
  - PID 5052 (msiexec.exe) wrote to memory of PID 3260 (srtasks.exe)
  - PID 5052 (msiexec.exe) wrote to memory of PID 916 (MsiExec.exe)
  - PID 5052 (msiexec.exe) wrote to memory of PID 916 (MsiExec.exe)
  - PID 5052 (msiexec.exe) wrote to memory of PID 916 (MsiExec.exe)
Processes
- C:\Windows\system32\msiexec.exe (PID 4904)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\a5dc13abd8b4769fbd2a8cc1a4f70a73.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 5052)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\srtasks.exe (PID 3260)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe (PID 916)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7684EE9C96403DF4ED4F3FE3AE7A2EC7
    - Loads dropped DLL
- C:\Windows\system32\vssvc.exe (PID 4644)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Dropped file (this identical entry is listed four times in the report)
  - Filesize: 56KB
  - MD5: 38a4250c5e678728a0cdf126f1cdd937
  - SHA1: d55553ab896f085fd5cd191022c64442c99f48a4
  - SHA256: 63c4d968320e634b97542ccf0edffe130800314346c3316817813e62d7b7ee08
  - SHA512: cc00d1d5e6b074eff3245d3e8aa3020804a6bfd01516c7be7b05f671a93c6a56d9058738c422ad77eabb6c10e6c698a219dac7102e0b17dd941b11bfd60eb894
- Dropped file
  - Filesize: 23.0MB
  - MD5: d295d88ad8536f1eeae45f248c59d6b3
  - SHA1: 7d92be72c1b9ba4110e5b512df2538720c56b994
  - SHA256: 78ec218e9ec1042bea641d80503072c25f1ca5dbbfc78111052a88b3e6e7a5b5
  - SHA512: de187bc030d7b34b4058829ef5886007e70fe7dae544d2a9a1e8cde0a0d811a96d10e3728ac04acc7ccb10b363045c3f99510e202376c8286407b52d404b3aca
- \??\Volume{d2609e0b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2cd3f48d-a584-481e-ac94-767b76aa41ce}_OnDiskSnapshotProp
  - Filesize: 5KB
  - MD5: a650c820c29d94793f5fe8e83d3c3a91
  - SHA1: 378f50af128453c50894acbe90c797951c84bb9e
  - SHA256: 361e4d24765c62e4c4120d4d462d210503474042469360bfbec469fe5eb387da
  - SHA512: e215df8ef445010a37f8d801b6e57ab58f58508143f70d6a11c2efdf6a09eccc52e33b063abe054a503de0fe150a500222d46f27922980e74d46984ede7fc647