Analysis
- max time kernel: 142s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-01-2023 00:50
Behavioral task: behavioral1
- Sample: 788f1abb67d6f21cf299e2f67a2b414d169e8ab16cc8a61bf698e5c7f1482999.msi
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 788f1abb67d6f21cf299e2f67a2b414d169e8ab16cc8a61bf698e5c7f1482999.msi
- Resource: win10v2004-20220812-en
General
- Target: 788f1abb67d6f21cf299e2f67a2b414d169e8ab16cc8a61bf698e5c7f1482999.msi
- Size: 967KB
- MD5: e435c7fe014ceb78e4bc09bf3f71c5d0
- SHA1: d895c75ea47413b96df4673e929cb55dab912306
- SHA256: 788f1abb67d6f21cf299e2f67a2b414d169e8ab16cc8a61bf698e5c7f1482999
- SHA512: e86a5d43dccbc44a6bdfd8967a51ec02d1741afda00d8fc6d63b45babf30e91a260603e9d3207160b9484a99fa7f3a8030674806c5b7f4e08188994b87f7c14a
- SSDEEP: 24576:GGOw7MAFZjiaZBuc2g4jocf6p2XHXNNpbCClCtRGLovJX:QwHnjis3M6p2X/pbC7ALE
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes (flow / pid / process):
    6   2164  msiexec.exe
    18  2164  msiexec.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    3880  MsiExec.exe
    3880  MsiExec.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description / ioc / process):
    File opened (read-only)  \??\I:  msiexec.exe
    File opened (read-only)  \??\P:  msiexec.exe
    File opened (read-only)  \??\R:  msiexec.exe
    File opened (read-only)  \??\B:  msiexec.exe
    File opened (read-only)  \??\T:  msiexec.exe
    File opened (read-only)  \??\Z:  msiexec.exe
    File opened (read-only)  \??\Q:  msiexec.exe
    File opened (read-only)  \??\Y:  msiexec.exe
    File opened (read-only)  \??\U:  msiexec.exe
    File opened (read-only)  \??\A:  msiexec.exe
    File opened (read-only)  \??\K:  msiexec.exe
    File opened (read-only)  \??\H:  msiexec.exe
    File opened (read-only)  \??\X:  msiexec.exe
    File opened (read-only)  \??\Q:  msiexec.exe
    File opened (read-only)  \??\E:  msiexec.exe
    File opened (read-only)  \??\G:  msiexec.exe
    File opened (read-only)  \??\V:  msiexec.exe
    File opened (read-only)  \??\W:  msiexec.exe
    File opened (read-only)  \??\Y:  msiexec.exe
    File opened (read-only)  \??\B:  msiexec.exe
    File opened (read-only)  \??\F:  msiexec.exe
    File opened (read-only)  \??\E:  msiexec.exe
    File opened (read-only)  \??\L:  msiexec.exe
    File opened (read-only)  \??\P:  msiexec.exe
    File opened (read-only)  \??\O:  msiexec.exe
    File opened (read-only)  \??\S:  msiexec.exe
    File opened (read-only)  \??\T:  msiexec.exe
    File opened (read-only)  \??\H:  msiexec.exe
    File opened (read-only)  \??\J:  msiexec.exe
    File opened (read-only)  \??\J:  msiexec.exe
    File opened (read-only)  \??\W:  msiexec.exe
    File opened (read-only)  \??\Z:  msiexec.exe
    File opened (read-only)  \??\K:  msiexec.exe
    File opened (read-only)  \??\S:  msiexec.exe
    File opened (read-only)  \??\U:  msiexec.exe
    File opened (read-only)  \??\V:  msiexec.exe
    File opened (read-only)  \??\N:  msiexec.exe
    File opened (read-only)  \??\O:  msiexec.exe
    File opened (read-only)  \??\L:  msiexec.exe
    File opened (read-only)  \??\I:  msiexec.exe
    File opened (read-only)  \??\M:  msiexec.exe
    File opened (read-only)  \??\R:  msiexec.exe
    File opened (read-only)  \??\X:  msiexec.exe
    File opened (read-only)  \??\M:  msiexec.exe
    File opened (read-only)  \??\A:  msiexec.exe
    File opened (read-only)  \??\F:  msiexec.exe
    File opened (read-only)  \??\G:  msiexec.exe
    File opened (read-only)  \??\N:  msiexec.exe
- Drops file in Windows directory (5 IoCs)
  Processes (description / ioc / process):
    File opened for modification  C:\Windows\Installer\MSI151E.tmp  msiexec.exe
    File opened for modification  C:\Windows\Installer\MSI1771.tmp  msiexec.exe
    File created                  C:\Windows\Installer\e571463.msi  msiexec.exe
    File opened for modification  C:\Windows\Installer\e571463.msi  msiexec.exe
    File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
    Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
    Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
    Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
- Suspicious use of AdjustPrivilegeToken (51 IoCs)
  Processes (description / pid / process):
    Token: SeShutdownPrivilege            2164  msiexec.exe
    Token: SeIncreaseQuotaPrivilege       2164  msiexec.exe
    Token: SeSecurityPrivilege            5080  msiexec.exe
    Token: SeCreateTokenPrivilege         2164  msiexec.exe
    Token: SeAssignPrimaryTokenPrivilege  2164  msiexec.exe
    Token: SeLockMemoryPrivilege          2164  msiexec.exe
    Token: SeIncreaseQuotaPrivilege       2164  msiexec.exe
    Token: SeMachineAccountPrivilege      2164  msiexec.exe
    Token: SeTcbPrivilege                 2164  msiexec.exe
    Token: SeSecurityPrivilege            2164  msiexec.exe
    Token: SeTakeOwnershipPrivilege       2164  msiexec.exe
    Token: SeLoadDriverPrivilege          2164  msiexec.exe
    Token: SeSystemProfilePrivilege       2164  msiexec.exe
    Token: SeSystemtimePrivilege          2164  msiexec.exe
    Token: SeProfSingleProcessPrivilege   2164  msiexec.exe
    Token: SeIncBasePriorityPrivilege     2164  msiexec.exe
    Token: SeCreatePagefilePrivilege      2164  msiexec.exe
    Token: SeCreatePermanentPrivilege     2164  msiexec.exe
    Token: SeBackupPrivilege              2164  msiexec.exe
    Token: SeRestorePrivilege             2164  msiexec.exe
    Token: SeShutdownPrivilege            2164  msiexec.exe
    Token: SeDebugPrivilege               2164  msiexec.exe
    Token: SeAuditPrivilege               2164  msiexec.exe
    Token: SeSystemEnvironmentPrivilege   2164  msiexec.exe
    Token: SeChangeNotifyPrivilege        2164  msiexec.exe
    Token: SeRemoteShutdownPrivilege      2164  msiexec.exe
    Token: SeUndockPrivilege              2164  msiexec.exe
    Token: SeSyncAgentPrivilege           2164  msiexec.exe
    Token: SeEnableDelegationPrivilege    2164  msiexec.exe
    Token: SeManageVolumePrivilege        2164  msiexec.exe
    Token: SeImpersonatePrivilege         2164  msiexec.exe
    Token: SeCreateGlobalPrivilege        2164  msiexec.exe
    Token: SeBackupPrivilege              2764  vssvc.exe
    Token: SeRestorePrivilege             2764  vssvc.exe
    Token: SeAuditPrivilege               2764  vssvc.exe
    Token: SeBackupPrivilege              5080  msiexec.exe
    Token: SeRestorePrivilege             5080  msiexec.exe
    Token: SeRestorePrivilege             5080  msiexec.exe
    Token: SeTakeOwnershipPrivilege       5080  msiexec.exe
    Token: SeRestorePrivilege             5080  msiexec.exe
    Token: SeTakeOwnershipPrivilege       5080  msiexec.exe
    Token: SeRestorePrivilege             5080  msiexec.exe
    Token: SeTakeOwnershipPrivilege       5080  msiexec.exe
    Token: SeBackupPrivilege              4316  srtasks.exe
    Token: SeRestorePrivilege             4316  srtasks.exe
    Token: SeSecurityPrivilege            4316  srtasks.exe
    Token: SeTakeOwnershipPrivilege       4316  srtasks.exe
    Token: SeBackupPrivilege              4316  srtasks.exe
    Token: SeRestorePrivilege             4316  srtasks.exe
    Token: SeSecurityPrivilege            4316  srtasks.exe
    Token: SeTakeOwnershipPrivilege       4316  srtasks.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid / process):
    2164  msiexec.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description / pid / process / target process):
    PID 5080 wrote to memory of 4316  5080  msiexec.exe  srtasks.exe
    PID 5080 wrote to memory of 4316  5080  msiexec.exe  srtasks.exe
    PID 5080 wrote to memory of 3880  5080  msiexec.exe  MsiExec.exe
    PID 5080 wrote to memory of 3880  5080  msiexec.exe  MsiExec.exe
    PID 5080 wrote to memory of 3880  5080  msiexec.exe  MsiExec.exe
Processes
- C:\Windows\system32\msiexec.exe (PID 2164)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\788f1abb67d6f21cf299e2f67a2b414d169e8ab16cc8a61bf698e5c7f1482999.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 5080)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\srtasks.exe (PID 4316)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\syswow64\MsiExec.exe (PID 3880)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 56EBEF4774B3B6399F97105FD19BBDF5
    - Loads dropped DLL
- C:\Windows\system32\vssvc.exe (PID 2764)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 56KB (this entry is listed four times in the report, with identical hashes)
  MD5: 38a4250c5e678728a0cdf126f1cdd937
  SHA1: d55553ab896f085fd5cd191022c64442c99f48a4
  SHA256: 63c4d968320e634b97542ccf0edffe130800314346c3316817813e62d7b7ee08
  SHA512: cc00d1d5e6b074eff3245d3e8aa3020804a6bfd01516c7be7b05f671a93c6a56d9058738c422ad77eabb6c10e6c698a219dac7102e0b17dd941b11bfd60eb894
- Filesize: 23.0MB
  MD5: 1476be7e6d33b0c56266f5c5277de982
  SHA1: 995e21f80602bbe48e0723837671983c416dd63d
  SHA256: 21b7799016247a62543d5092ca8deade06474e27a0e4489ce25b1c55c70fe6de
  SHA512: 2158365161ed49922fc439e947a83bda424c9802d2690a67e7ebdaa6f125006ec64dfb2401734ba9e6c554f5027046ebb0bdab2143b27bccbd8e314c69d3d3f8
- \??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{14c75601-690e-40b3-9101-1551bb17c862}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 4c407f9aa3de6943a4836dd0bbe88429
  SHA1: a7ea61573b4ba2c596c7e6013f1da67805d4865d
  SHA256: 8648dcb69e6d00c05fee65baecc884e35e61622c71e71ce09023a546c54f18f1
  SHA512: 3b17f20ed0f7f86b9b9c17f49f0b3c877f166e9966a9b8921a4a3c25296f8cc8bc60d7e84ebca6faa5a46b35dbaf995410fd0f80dd25a82d9f07e8c8519e9eb2