Analysis
max time kernel: 590s
max time network: 598s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 07/03/2023, 16:08
Static task: static1
Behavioral task: behavioral1 (sample si.msi, resource win10-20230220-en)
Behavioral task: behavioral2 (sample si.msi, resource win10v2004-20230221-en)
General
Target: si.msi
Size: 588KB
MD5: 262b3a8d59585a9840bcf39c0b98a84a
SHA1: 3bbccf28a4b75f2ff0505684799f14a8f72969e9
SHA256: 93ff5d50aeb9242c733dd80f411eeafc0fe72c3eb37327ba85a5626edc4c545c
SHA512: 1f826b0113b0a1cd785cc311e37bcc6b87634bf5fef72554bef8289c0ae2ac525e063eaf475fb27b2925a1dd52b963da8187d6717dd81c2988aed5ebc2a2ad43
SSDEEP: 3072:dPaJvTKlkihKyOeGNbb4crPpxBvlHOp2rrFc:dCBW5UyonOp2rrF
Malware Config
Signatures
Blocklisted process makes network request 17 IoCs
flow | pid | Process
15 | 2568 | msiexec.exe
17 | 2568 | msiexec.exe
18 | 2568 | msiexec.exe
19 | 2568 | msiexec.exe
20 | 2568 | msiexec.exe
21 | 2568 | msiexec.exe
22 | 2568 | msiexec.exe
23 | 2568 | msiexec.exe
33 | 2568 | msiexec.exe
37 | 2568 | msiexec.exe
38 | 2568 | msiexec.exe
39 | 2568 | msiexec.exe
40 | 2568 | msiexec.exe
41 | 2568 | msiexec.exe
42 | 2568 | msiexec.exe
43 | 5064 | wscript.exe
44 | 2568 | msiexec.exe
Executes dropped EXE 1 IoCs
pid | Process
4280 | snap.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory 12 IoCs
description | ioc | Process
File created | C:\Windows\Installer\e5790f5.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e5790f5.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{93D7B7BF-E0D5-4E15-9385-169B71F064AC} | msiexec.exe
File created | C:\Windows\Installer\e5790f7.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI13D2.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1625.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4E30.tmp | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI92F9.tmp | msiexec.exe
File created | C:\Windows\Installer\e5790fa.msi | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | svchost.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 43 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2568 | msiexec.exe
2568 | msiexec.exe
2568 | msiexec.exe
2568 | msiexec.exe
2568 | msiexec.exe
2568 | msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2076 | msiexec.exe
2076 | msiexec.exe
Suspicious use of WriteProcessMemory 13 IoCs
description | pid | Process | procid_target
PID 2568 wrote to memory of 3088 | 2568 | msiexec.exe | 71
PID 2568 wrote to memory of 3088 | 2568 | msiexec.exe | 71
PID 2568 wrote to memory of 4808 | 2568 | msiexec.exe | 73
PID 2568 wrote to memory of 4808 | 2568 | msiexec.exe | 73
PID 2568 wrote to memory of 5052 | 2568 | msiexec.exe | 74
PID 2568 wrote to memory of 5052 | 2568 | msiexec.exe | 74
PID 2568 wrote to memory of 5064 | 2568 | msiexec.exe | 75
PID 2568 wrote to memory of 5064 | 2568 | msiexec.exe | 75
PID 5052 wrote to memory of 4280 | 5052 | wscript.exe | 76
PID 5052 wrote to memory of 4280 | 5052 | wscript.exe | 76
PID 5052 wrote to memory of 4280 | 5052 | wscript.exe | 76
PID 5052 wrote to memory of 4264 | 5052 | wscript.exe | 77
PID 5052 wrote to memory of 4264 | 5052 | wscript.exe | 77
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\si.msi
    PID: 2076
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 2568
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe
        Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        PID: 3088

    C:\Windows\system32\wscript.exe
        Command line: "wscript.exe" "sdv.vbs"
        PID: 4808

    C:\Windows\system32\wscript.exe
        Command line: "wscript.exe" "app.js"
        PID: 5052
        - Suspicious use of WriteProcessMemory

        C:\ProgramData\Zap\snap.exe
            Command line: "C:\ProgramData\Zap\snap.exe" /capture /convert=gs.jpg
            PID: 4280
            - Executes dropped EXE

        C:\Windows\System32\wbem\WMIC.exe
            Command line: "C:\Windows\System32\wbem\WMIC.exe" product where name='Tum' call uninstall /nointeractive
            PID: 4264

    C:\Windows\system32\wscript.exe
        Command line: "wscript.exe" "index.js"
        PID: 5064
        - Blocklisted process makes network request

C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 3672
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
    PID: 4656
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads