Analysis
- max time kernel: 71s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-01-2023 08:44
Behavioral task behavioral1
- Sample: 5e288df18d5f3797079c4962a447509fd4a60e9b76041d0b888bcf32f8197991.msi
- Resource: win7-20221111-en
Behavioral task behavioral2
- Sample: 5e288df18d5f3797079c4962a447509fd4a60e9b76041d0b888bcf32f8197991.msi
- Resource: win10v2004-20221111-en
The signatures, process tree and downloads below are from the behavioral2 (Windows 10 2004 x64) run; the platform line above identifies it.
General
- Target: 5e288df18d5f3797079c4962a447509fd4a60e9b76041d0b888bcf32f8197991.msi
- Size: 967KB
- MD5: 3c56483e8c0788b2862bfe0c490c865a
- SHA1: 3f541fbc9e927a718c1745b4b8d02f3768aa3fd2
- SHA256: 5e288df18d5f3797079c4962a447509fd4a60e9b76041d0b888bcf32f8197991
- SHA512: ab45313032b3822b919b8a782422f15fd60f8c46cc61bb3294d937d98821795ab3b5089873419bbd9ada99357691759653a6fe50ba110ef04eee2bffba68ffe1
- SSDEEP: 24576:GGOw7MAFZjiaZBuc2g4jocf6p2XHXNNpbCClCtRGLovJs:QwHnjis3M6p2X/pbC7ALL
Malware Config
Signatures
-
Loads dropped DLL (2 IoCs)
Processes: MsiExec.exe (PID 1576), 2 events.
PID 1576 is the 32-bit custom action server (C:\Windows\syswow64\MsiExec.exe -Embedding ...) that the installer service spawned, so a DLL it loads is code carried inside the package and executed as a custom action. Of all the signatures on this page this is the one to follow up; the report does not give the path or hash of the DLL in this section.
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: two msiexec.exe processes (PIDs 4756 and 4616). Each of the 24 roots below appears twice in the event list, 48 "File opened (read-only)" events in total:
\??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Every letter except C: and D: was probed. Windows Installer enumerates volumes while costing an installation, so this signature fires on practically any MSI and carries no weight on its own.
Drops file in Windows directory (5 IoCs)
Processes: msiexec.exe (PID 4616, the installer service)
- File created: C:\Windows\Installer\e56ef66.msi
- File opened for modification: C:\Windows\Installer\e56ef66.msi
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- File opened for modification: C:\Windows\Installer\MSIF031.tmp
- File opened for modification: C:\Windows\Installer\MSIF1E7.tmp
The .msi and MSI*.tmp entries are the service caching the package and its extracted resources under C:\Windows\Installer, which every MSI install does. The write to ngen.log is the only entry that is not generic housekeeping: it suggests the package touches the .NET Framework 4 native-image store (ngen), although no ngen.exe process appears in the tree, so the report does not show what, if anything, was compiled.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe (PID 2072). All five events are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters:
- Key queried: Device Parameters
- Key created: Device Parameters\Partmgr
- Set value (data): Device Parameters\Partmgr\PartitionTableCache = (value not reproduced in the source)
- Set value (data): Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key opened: Device Parameters
The process here is the Volume Shadow Copy service, not the sample: it writes partition-manager snapshot caches while taking the snapshot behind the restore point that srtasks.exe created at the installer service's request. Read this as a side effect of restore-point creation, not as sandbox detection by the MSI.
Suspicious use of AdjustPrivilegeToken (51 IoCs)
Processes (grouped by process; the report lists them interleaved in order of occurrence):
- msiexec.exe (PID 4756, installer client), 31 events: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- msiexec.exe (PID 4616, installer service), 9 events: SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
- vssvc.exe (PID 2072), 3 events: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- srtasks.exe (PID 1348), 8 events: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
The long list under PID 4756 is the elevated client enabling essentially every privilege its token already holds, SeDebugPrivilege included. AdjustTokenPrivileges can only enable privileges that are present in the token, so this is not privilege escalation. The service, VSS and System Restore entries are the backup, restore, security and take-ownership privileges that file and snapshot work needs.
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe (PID 4756), 2 events.
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: msiexec.exe (PID 4616)
- PID 4616 wrote to memory of 1348 (srtasks.exe): 2 events
- PID 4616 wrote to memory of 1576 (MsiExec.exe): 3 events
Both targets are the service's own children in the process tree, which is consistent with a parent setting up processes it created rather than injection into an unrelated process.
Processes
- C:\Windows\system32\msiexec.exe (PID 4756)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5e288df18d5f3797079c4962a447509fd4a60e9b76041d0b888bcf32f8197991.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4616)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 1348, child of 4616)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe (PID 1576, child of 4616)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 25604A3E46BC27664BC572F88418769A
    - Loads dropped DLL
- C:\Windows\system32\vssvc.exe (PID 2072)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

How to read the tree: PID 4756 is the interactive client started with /I <package>. It hands the install to the Windows Installer service (PID 4616, started with /V), which requests a System Restore point (srtasks.exe ExecuteScopeRestorePoint, backed by the vssvc.exe snapshot) and then launches a 32-bit custom action server (syswow64\MsiExec.exe -Embedding). Everything except that last process is standard installer plumbing; the custom action server is where the package's own code runs, and it is the process that loaded a dropped DLL.
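The reading above can be encoded as a small triage helper, added here as an editor's example (it is not part of the sandbox report or of any vendor tooling). The process tree is constructed from the Processes section of this page; the role rules and the per-role "noise" signature sets are the editor's rules of thumb about how msiexec.exe, srtasks.exe and vssvc.exe behave on any MSI install, not something the sandbox emits. Anything that is not recognised plumbing, or that is plumbing carrying a signature it should not, is marked for review.

```python
"""Tag Windows Installer plumbing in a sandbox process tree so the rest stands out.

Added example; the tree is constructed from the report above, the rules are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]            # parent PID, None where the report nests nothing above it
    sigs: List[str] = field(default_factory=list)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5e288df18d5f3797079c4962a447509fd4a60e9b76041d0b888bcf32f8197991.msi"

# Process tree as the report lists it; parent links follow the tree nesting.
TREE = [
    Proc(4756, r"C:\Windows\system32\msiexec.exe", f"msiexec.exe /I {SAMPLE}", None,
         ["Enumerates connected drives", "Suspicious use of AdjustPrivilegeToken",
          "Suspicious use of FindShellTrayWindow"]),
    Proc(4616, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V", None,
         ["Enumerates connected drives", "Drops file in Windows directory",
          "Suspicious use of AdjustPrivilegeToken", "Suspicious use of WriteProcessMemory"]),
    Proc(1348, r"C:\Windows\system32\srtasks.exe",
         r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2", 4616,
         ["Suspicious use of AdjustPrivilegeToken"]),
    Proc(1576, r"C:\Windows\syswow64\MsiExec.exe",
         r"C:\Windows\syswow64\MsiExec.exe -Embedding 25604A3E46BC27664BC572F88418769A", 4616,
         ["Loads dropped DLL"]),
    Proc(2072, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe", None,
         ["Checks SCSI registry key(s)", "Suspicious use of AdjustPrivilegeToken"]),
]

# Signatures each benign role fires on practically every MSI install (editor's assumption).
NOISE = {
    "client":  {"Enumerates connected drives", "Suspicious use of AdjustPrivilegeToken",
                "Suspicious use of FindShellTrayWindow"},
    "service": {"Enumerates connected drives", "Drops file in Windows directory",
                "Suspicious use of AdjustPrivilegeToken", "Suspicious use of WriteProcessMemory"},
    "restore": {"Suspicious use of AdjustPrivilegeToken"},
    "vss":     {"Checks SCSI registry key(s)", "Suspicious use of AdjustPrivilegeToken"},
}


def role_of(p: Proc, by_pid: Dict[int, Proc]) -> str:
    """Identify the Windows Installer role of a process from image, arguments and parent."""
    name = p.image.rsplit("\\", 1)[-1].lower()
    args = p.cmdline.lower()
    parent = by_pid.get(p.parent) if p.parent is not None else None
    under_service = parent is not None and role_of(parent, by_pid) == "service"
    if name == "msiexec.exe" and "-embedding" in args and under_service:
        return "custom-action-server"          # package code executes here
    if name == "msiexec.exe" and args.rstrip().endswith(" /v"):
        return "service"                       # the Windows Installer service instance
    if name == "msiexec.exe" and " /i " in args:
        return "client"                        # interactive msiexec /I <package>
    if name == "srtasks.exe" and "executescoperestorepoint" in args and under_service:
        return "restore"                       # System Restore point requested by the service
    if name == "vssvc.exe":
        return "vss"                           # Volume Shadow Copy service behind the restore point
    return "unknown"


def classify(p: Proc, by_pid: Dict[int, Proc]) -> Tuple[str, str]:
    """Return ('expected' | 'review', reason) for one process."""
    role = role_of(p, by_pid)
    if role == "custom-action-server":
        bits = "32-bit (syswow64)" if "\\syswow64\\" in p.image.lower() else "64-bit"
        return ("review", f"{bits} custom action server: code shipped in the package runs here; "
                          "inspect any DLL it loads")
    if role == "unknown":
        return ("review", "not part of the usual Windows Installer plumbing")
    extra = sorted(set(p.sigs) - NOISE[role])
    if extra:
        return ("review", f"{role} process with signatures it should not trigger: {', '.join(extra)}")
    return ("expected", f"{role}: only the signatures any MSI install produces")


def triage(procs: List[Proc]) -> Dict[int, Tuple[str, str]]:
    by_pid = {p.pid: p for p in procs}
    return {p.pid: classify(p, by_pid) for p in procs}


def needs_review(procs: List[Proc]) -> List[int]:
    """PIDs an analyst should look at; for the tree above this is just the custom action server."""
    return sorted(pid for pid, (verdict, _) in triage(procs).items() if verdict == "review")


if __name__ == "__main__":
    for pid, (verdict, why) in triage(TREE).items():
        print(f"{pid:>5}  {verdict:<8}  {why}")
```

Run as-is it reports PID 1576 as the only process needing review. The useful property is the second rule, not the first: a vssvc.exe or srtasks.exe that also carried "Loads dropped DLL" or a network signature would be flagged even though its image and command line look like plumbing. Extend NOISE per installer family as you learn what a given product's packages legitimately do.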
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 56KB (this entry appears four times in the report with identical hashes and no path)
  MD5: 38a4250c5e678728a0cdf126f1cdd937
  SHA1: d55553ab896f085fd5cd191022c64442c99f48a4
  SHA256: 63c4d968320e634b97542ccf0edffe130800314346c3316817813e62d7b7ee08
  SHA512: cc00d1d5e6b074eff3245d3e8aa3020804a6bfd01516c7be7b05f671a93c6a56d9058738c422ad77eabb6c10e6c698a219dac7102e0b17dd941b11bfd60eb894
- Filesize: 23.0MB (no path given in the report)
  MD5: 10700b95ffc4fc02c75f118a4b0c8a86
  SHA1: fc227dec2dcfd95f4790b297dabcfaad71b3cec6
  SHA256: a7a3ac2623c1915cb892663e358d368d8e3ffa7e98c15262c781fbb8728f3040
  SHA512: 8589c79f6b24837a9cd7147dc71b00532809c047a0c342654d60aeb48859acaf8b58dc01179db2f6031cdca1d1a988239abcd5e5e9f9252685d67fd429b971a3
- \??\Volume{d26ecb05-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a02c999b-ab9d-4cd6-88d4-095fe72dbda3}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: f284dbdd6afa652631a59e6bf4daf0ee
  SHA1: 16956ee2147cb054c5c0e5f2ca4f5118364965ae
  SHA256: b261582eb7f4760450bbf83471e22a98cbd2f32770ca96f89946d07df01cf6d4
  SHA512: 3117a0f8bff65f4888c10bf39548c42301057288c5dbfdc254ab9fca41138c3b75e985ef979f981f3bedcb02d6322befc2e0a72da432331b19b774d816febdb5
The last entry is System Restore snapshot metadata under System Volume Information, written when the restore point was created; it is not a payload. The two unnamed entries are the files worth pulling from the sandbox, since the report does not say where they were written or which of them, if any, is the DLL loaded by the custom action server.