bf387933e27d310da037dde32bf0614380b58bd51e84b7c35be7039c82f4c648

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2023, 16:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

s1.msi
Size

13.2MB
MD5

13a1b2521d9b2e5e8171c6fc040fa776
SHA1

99be7105097d3126c8a94ee0507e51544fe0a8ef
SHA256

bf387933e27d310da037dde32bf0614380b58bd51e84b7c35be7039c82f4c648
SHA512

46e8948c2b8988c231bee253fe136c0743249a27ccc5249a9ec6a6eae9e46f064b4fddfb816d432b746bc01aa2157e6a67b511330fc9aae01446f4b0bf1e50a4
SSDEEP

393216:gZ3hxPnY76k/vIk+xkkrPwZa1hf7L744FKhorP3kvdX:gthRWokNA1B7HswSX

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	s1.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dovanireni.url	s1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dovanireni.url	s1.exe

Executes dropped EXE 2 IoCs

pid	Process
3932	s1.exe
224	todigope.exe

Loads dropped DLL 1 IoCs

pid	Process
4024	MsiExec.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4436	ICACLS.EXE

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e5702fd.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{255B41D7-2EAD-4FE1-AED6-800E97D5A7A8}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A3.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File created	C:\Windows\Installer\e5702fd.msi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5104	msiexec.exe
5104	msiexec.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1472	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1472	msiexec.exe
Token: SeSecurityPrivilege	5104	msiexec.exe
Token: SeCreateTokenPrivilege	1472	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1472	msiexec.exe
Token: SeLockMemoryPrivilege	1472	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1472	msiexec.exe
Token: SeMachineAccountPrivilege	1472	msiexec.exe
Token: SeTcbPrivilege	1472	msiexec.exe
Token: SeSecurityPrivilege	1472	msiexec.exe
Token: SeTakeOwnershipPrivilege	1472	msiexec.exe
Token: SeLoadDriverPrivilege	1472	msiexec.exe
Token: SeSystemProfilePrivilege	1472	msiexec.exe
Token: SeSystemtimePrivilege	1472	msiexec.exe
Token: SeProfSingleProcessPrivilege	1472	msiexec.exe
Token: SeIncBasePriorityPrivilege	1472	msiexec.exe
Token: SeCreatePagefilePrivilege	1472	msiexec.exe
Token: SeCreatePermanentPrivilege	1472	msiexec.exe
Token: SeBackupPrivilege	1472	msiexec.exe
Token: SeRestorePrivilege	1472	msiexec.exe
Token: SeShutdownPrivilege	1472	msiexec.exe
Token: SeDebugPrivilege	1472	msiexec.exe
Token: SeAuditPrivilege	1472	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1472	msiexec.exe
Token: SeChangeNotifyPrivilege	1472	msiexec.exe
Token: SeRemoteShutdownPrivilege	1472	msiexec.exe
Token: SeUndockPrivilege	1472	msiexec.exe
Token: SeSyncAgentPrivilege	1472	msiexec.exe
Token: SeEnableDelegationPrivilege	1472	msiexec.exe
Token: SeManageVolumePrivilege	1472	msiexec.exe
Token: SeImpersonatePrivilege	1472	msiexec.exe
Token: SeCreateGlobalPrivilege	1472	msiexec.exe
Token: SeBackupPrivilege	2196	vssvc.exe
Token: SeRestorePrivilege	2196	vssvc.exe
Token: SeAuditPrivilege	2196	vssvc.exe
Token: SeBackupPrivilege	5104	msiexec.exe
Token: SeRestorePrivilege	5104	msiexec.exe
Token: SeRestorePrivilege	5104	msiexec.exe
Token: SeTakeOwnershipPrivilege	5104	msiexec.exe
Token: SeRestorePrivilege	5104	msiexec.exe
Token: SeTakeOwnershipPrivilege	5104	msiexec.exe
Token: SeBackupPrivilege	1640	srtasks.exe
Token: SeRestorePrivilege	1640	srtasks.exe
Token: SeSecurityPrivilege	1640	srtasks.exe
Token: SeTakeOwnershipPrivilege	1640	srtasks.exe
Token: SeBackupPrivilege	1640	srtasks.exe
Token: SeRestorePrivilege	1640	srtasks.exe
Token: SeSecurityPrivilege	1640	srtasks.exe
Token: SeTakeOwnershipPrivilege	1640	srtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1472	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 1640	5104	msiexec.exe	93
PID 5104 wrote to memory of 1640	5104	msiexec.exe	93
PID 5104 wrote to memory of 4024	5104	msiexec.exe	95
PID 5104 wrote to memory of 4024	5104	msiexec.exe	95
PID 5104 wrote to memory of 4024	5104	msiexec.exe	95
PID 4024 wrote to memory of 4436	4024	MsiExec.exe	97
PID 4024 wrote to memory of 4436	4024	MsiExec.exe	97
PID 4024 wrote to memory of 4436	4024	MsiExec.exe	97
PID 4024 wrote to memory of 624	4024	MsiExec.exe	99
PID 4024 wrote to memory of 624	4024	MsiExec.exe	99
PID 4024 wrote to memory of 624	4024	MsiExec.exe	99
PID 4024 wrote to memory of 3932	4024	MsiExec.exe	101
PID 4024 wrote to memory of 3932	4024	MsiExec.exe	101
PID 4024 wrote to memory of 3932	4024	MsiExec.exe	101
PID 3932 wrote to memory of 224	3932	s1.exe	102
PID 3932 wrote to memory of 224	3932	s1.exe	102
PID 3932 wrote to memory of 224	3932	s1.exe	102

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\s1.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1472

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D6C0F5E5BCA36F6612287EDC89D4C3E5
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-41706bed-3407-452d-8025-e17c7777ddd0\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4436
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:624
- - C:\Users\Admin\AppData\Local\Temp\MW-41706bed-3407-452d-8025-e17c7777ddd0\files\s1.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-41706bed-3407-452d-8025-e17c7777ddd0\files\s1.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\ProgramData\quohihiloqua\todigope.exe
      "C:\ProgramData\quohihiloqua\todigope.exe"
      4⤵
      Executes dropped EXE
      PID:224
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c @echo off & ping 127.0.0.1 -n 5 -w 1000 > nul & del "C:\Users\Admin\AppData\Local\Temp\MW-41706bed-3407-452d-8025-e17c7777ddd0\files\s1.exe"
      4⤵
      PID:308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\quohihiloqua\todigope.exe

Filesize
5.2MB

MD5
2d89f93b1031c59f6bcf8433626009bd

SHA1
5ef1becae18f8f4d78f0e974adbeabc7215aaa52

SHA256
6e52d4f097aeda5bb96e8bf2bde9b89ed104fe5bd8ddaacd6012686582003818

SHA512
fde40bde211d6ad55996178992c97fd2f526c3824e5605cfa0ef53757b4f83a3939e25406c01312b75ed54695eb9be494980fd34d50606e0dfc99a9552d32f8b

Download Submit
C:\ProgramData\quohihiloqua\todigope.exe

Filesize
3.7MB

MD5
5fb999ed689ebf8877f04c4c924f66fb

SHA1
1883ac784776d1156cfb62d05e4698a89bc64f7f

SHA256
938fca659ffd1868cc859a87f1a2db355b5bb20b9a00a391c8ba221a1d9160b9

SHA512
21eadbe2b6374b1f54d4d72248377b98db58eee9d8eea8391345614af9b748ceb5589c97010ef2b2343962f801656fbba19d712918a2060c90678f7a1faff054

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-41706bed-3407-452d-8025-e17c7777ddd0\files.cab

Filesize
13.0MB

MD5
8800c3df21f8582a51ca9ecbd281bc20

SHA1
958b82af6932f78804fc2115d5f0a075192cc6a4

SHA256
922bb0d99b6531ba4c0a0a9b5b1e13baa43418079e973766f90efb9a46285d05

SHA512
d4be9f9c64cf0bbf09a01daf719a245b4133b0dc307096a92247dcf86019203cc2addc3728d30b2cc33c0efb66894f1bded4470b6ad29da394324a54651d5d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-41706bed-3407-452d-8025-e17c7777ddd0\files\s1.exe

Filesize
912.0MB

MD5
ee5f9c13b93ed91d7683b1574b77b05a

SHA1
52e181334b5ea30e98b2c55e7b7f49f7bca3b49c

SHA256
6090e9597263a47ae924bed93d76d771ae310d5d6cb47ba7fe85499f17c1c05d

SHA512
2ad6f8cac91230a08f5cab1809397b3addc04546f15788a49cf0506903b79fc79bb95d1ece4af9d85b9ce2c902d301ea4048e48a2305c478414b5c348880f52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-41706bed-3407-452d-8025-e17c7777ddd0\files\s1.exe

Filesize
912.0MB

MD5
ee5f9c13b93ed91d7683b1574b77b05a

SHA1
52e181334b5ea30e98b2c55e7b7f49f7bca3b49c

SHA256
6090e9597263a47ae924bed93d76d771ae310d5d6cb47ba7fe85499f17c1c05d

SHA512
2ad6f8cac91230a08f5cab1809397b3addc04546f15788a49cf0506903b79fc79bb95d1ece4af9d85b9ce2c902d301ea4048e48a2305c478414b5c348880f52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-41706bed-3407-452d-8025-e17c7777ddd0\msiwrapper.ini

Filesize
1KB

MD5
3c0935e0fabb95bdf1cb50501320696f

SHA1
fecbf6c557cf7fcc066813438f74123fd43653df

SHA256
ef747776a5fe932df53af40e82df11bfdb19459fe2d08cc47752dff07bae5f57

SHA512
c5a809df564de579c11a7595d4437cbe4d4f73dab31989b8cbd305df731a8980417aa5ca7e55c5a76e7561fe51fd6da363b889507afc434fdddd4a2ccff26c9e

Download Submit
C:\Windows\Installer\MSI4A3.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI4A3.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
be2b8435b022870802c4b4390a479ea9

SHA1
82277afd095288d136d6642e080794d2f4ab7fc1

SHA256
870b56258a90c5e3ffe410f4481bc462d354cfd424b19279488086d7aa227b23

SHA512
46de9e36ed5d3cb8ffec4e8f20de87bbc40edcb0903bda0351b8064899769b740c126bee9cfe22e3ac3686f8afd24c32f6da535642989626d051e81c4fbdd769

Download Submit
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{50dd5817-f6e7-4863-b0d9-6a2f7ca4da1e}_OnDiskSnapshotProp

Filesize
5KB

MD5
2ab761698a87ce6037b450b15e9a041d

SHA1
306b668a4d7510e588db7ad92ac021f34008948b

SHA256
78faa56815d4c6de5360e3fdab711e7b84418dcf1c26f54ce1da2e59e568a5c8

SHA512
d9543d8ee95936289f3da8674048b257421c7bc07b611b8784d6b34837cb533a924e95d626d8792ac41fdc2e8003c157bcf5b9597eff37e1ee4b1460b0d7eaf1

Download Submit
memory/3932-149-0x0000000001E03000-0x0000000001E0D000-memory.dmp

Filesize
40KB

Download
memory/3932-148-0x0000000001E03000-0x0000000001E0D000-memory.dmp

Filesize
40KB

Download
memory/3932-145-0x0000000000090000-0x0000000001680000-memory.dmp

Filesize
21.9MB

Download
memory/3932-154-0x0000000001E03000-0x0000000001E0D000-memory.dmp

Filesize
40KB

Download