Analysis
max time kernel: 381s
max time network: 381s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/03/2023, 21:28
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://ve2-2.vfo.digital/01215AJ172/VocalizerExpressive-2.2.121-frc-Amelie-PremiumHigh-enu.msi
Resource: win10v2004-20230220-en
General
Target: https://ve2-2.vfo.digital/01215AJ172/VocalizerExpressive-2.2.121-frc-Amelie-PremiumHigh-enu.msi
Malware Config
Signatures
Blocklisted process makes network request 3 IoCs
flow | pid | Process
2 | 4276 | msiexec.exe
68 | 4276 | msiexec.exe
70 | 4276 | msiexec.exe
Unknown use of msiexec with remote resource 1 IoCs
pid | Process
4276 | msiexec.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
Drops file in Windows directory 6 IoCs
description | ioc | Process
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI90C2.tmp | msiexec.exe
File created | C:\Windows\Installer\e5891cc.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAEF2.tmp | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value not preserved in this copy of the report] | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | msiexec.exe
Modifies registry class 26 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0BFFF0A319798F84B9DC7E6D0CC9ECE7\0739576CC85C23F46825D928F8E37C02 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\SourceList\PackageName = "VocalizerExpressive-2.2.121-frc-Amelie-PremiumHigh-enu.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\SourceList\URL\1 = "https://ve2-2.vfo.digital/01215AJ172/" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0739576CC85C23F46825D928F8E37C02\AllVoicesFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\ProductName = "Vocalizer Expressive 2.2 Amelie Premium High" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\Version = "33685625" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\SourceList\URL | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\SourceList\Media\3 = ";" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\SourceList\URL\SourceType = "2" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0739576CC85C23F46825D928F8E37C02 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\PackageCode = "17DAEDFD88578874CAC67FA72DAF83D6" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\SourceList | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\SourceList\Media\2 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\SourceList\LastUsedSource = "u;1;https://ve2-2.vfo.digital/01215AJ172/" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0BFFF0A319798F84B9DC7E6D0CC9ECE7 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\SourceList\Media\1 = ";" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0739576CC85C23F46825D928F8E37C02\frc_amelie_feature = "AllVoicesFeature" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0739576CC85C23F46825D928F8E37C02\DeploymentFlags = "3" | msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 4276 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4276 | msiexec.exe
Token: SeRestorePrivilege | 4276 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4276 | msiexec.exe
Token: SeSecurityPrivilege | 60 | msiexec.exe
Token: SeCreateTokenPrivilege | 4276 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4276 | msiexec.exe
Token: SeLockMemoryPrivilege | 4276 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4276 | msiexec.exe
Token: SeMachineAccountPrivilege | 4276 | msiexec.exe
Token: SeTcbPrivilege | 4276 | msiexec.exe
Token: SeSecurityPrivilege | 4276 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4276 | msiexec.exe
Token: SeLoadDriverPrivilege | 4276 | msiexec.exe
Token: SeSystemProfilePrivilege | 4276 | msiexec.exe
Token: SeSystemtimePrivilege | 4276 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4276 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4276 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4276 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4276 | msiexec.exe
Token: SeBackupPrivilege | 4276 | msiexec.exe
Token: SeRestorePrivilege | 4276 | msiexec.exe
Token: SeShutdownPrivilege | 4276 | msiexec.exe
Token: SeDebugPrivilege | 4276 | msiexec.exe
Token: SeAuditPrivilege | 4276 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4276 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4276 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4276 | msiexec.exe
Token: SeUndockPrivilege | 4276 | msiexec.exe
Token: SeSyncAgentPrivilege | 4276 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4276 | msiexec.exe
Token: SeManageVolumePrivilege | 4276 | msiexec.exe
Token: SeImpersonatePrivilege | 4276 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4276 | msiexec.exe
Token: SeBackupPrivilege | 724 | vssvc.exe
Token: SeRestorePrivilege | 724 | vssvc.exe
Token: SeAuditPrivilege | 724 | vssvc.exe
Token: SeBackupPrivilege | 60 | msiexec.exe
Token: SeRestorePrivilege | 60 | msiexec.exe
Token: SeRestorePrivilege | 60 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 60 | msiexec.exe
Token: SeBackupPrivilege | 4368 | srtasks.exe
Token: SeRestorePrivilege | 4368 | srtasks.exe
Token: SeSecurityPrivilege | 4368 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4368 | srtasks.exe
Token: SeRestorePrivilege | 60 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 60 | msiexec.exe
Token: SeRestorePrivilege | 60 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 60 | msiexec.exe
Token: SeRestorePrivilege | 60 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 60 | msiexec.exe
Token: SeRestorePrivilege | 60 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 60 | msiexec.exe
Token: SeRestorePrivilege | 60 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 60 | msiexec.exe
Token: SeRestorePrivilege | 60 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 60 | msiexec.exe
Token: SeRestorePrivilege | 60 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 60 | msiexec.exe
Token: SeRestorePrivilege | 60 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 60 | msiexec.exe
Token: SeRestorePrivilege | 60 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 60 | msiexec.exe
Token: SeRestorePrivilege | 60 | msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
4276 | msiexec.exe
4276 | msiexec.exe
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 60 wrote to memory of 4368 | 60 | msiexec.exe | 108
PID 60 wrote to memory of 4368 | 60 | msiexec.exe | 108
PID 4184 wrote to memory of 4008 | 4184 | sethc.exe | 111
PID 4184 wrote to memory of 4008 | 4184 | sethc.exe | 111
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe (PID 4276)
  Command line: msiexec.exe /I https://ve2-2.vfo.digital/01215AJ172/VocalizerExpressive-2.2.121-frc-Amelie-PremiumHigh-enu.msi
  - Blocklisted process makes network request
  - Unknown use of msiexec with remote resource
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 60)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe (PID 4368)
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 724)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\sethc.exe (PID 4184)
  Command line: sethc.exe 231
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\EaseOfAccessDialog.exe (PID 4008)
      Command line: "C:\Windows\system32\EaseOfAccessDialog.exe" 231
Network
MITRE ATT&CK Enterprise v6
Downloads