Analysis
max time kernel: 135s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/04/2023, 23:41
Static task: static1
Behavioral task: behavioral1
  Sample: microsoft_update.msi
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: microsoft_update.msi
  Resource: win10v2004-20230220-en
General
Target: microsoft_update.msi
Size: 156KB
MD5: 3dd9945d005ea0f444f0130b00775fa6
SHA1: fd78a5c757df34effd3958051cb28c3f27c52b04
SHA256: dc49169e6add3a466d2a9637576de136b40f290cb7020c847e2f7ab1e4e79e93
SHA512: c7f0dd9d6681bf3da4a5bdb21e7e3eab391e9546400ba807640cdcd8024be542cd6aa28f3ba3c97a3def433e7f57d2b3684ac4ee40574a0e606ec7317a546937
SSDEEP: 384:UHpCsZ3rBKNTgzFDSWLQEi5ooXgZsjBCq2g5Pyy3M5BCqPN:/S3tGTgBDdL+FCeyWMDC
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 340: MSIEE6D.tmp
Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory (8 IoCs)
  File created: C:\Windows\Installer\e56ed14.msi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\e56ed14.msi (msiexec.exe)
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  File created: C:\Windows\Installer\SourceHash{4B04965E-0435-470C-BF97-8AF3EBCA18E3} (msiexec.exe)
  File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSIEE2D.tmp (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSIEE6D.tmp (msiexec.exe)
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache (vssvc.exe)
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache (vssvc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3744: msiexec.exe
  PID 3744: msiexec.exe
Suspicious use of AdjustPrivilegeToken (57 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 3832: msiexec.exe
  PID 3832: msiexec.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  PID 3744 msiexec.exe wrote to memory of 2860 (procid_target 95)
  PID 3744 msiexec.exe wrote to memory of 2860 (procid_target 95)
  PID 3744 msiexec.exe wrote to memory of 340 (procid_target 98)
  PID 3744 msiexec.exe wrote to memory of 340 (procid_target 98)
  PID 3744 msiexec.exe wrote to memory of 2388 (procid_target 99)
  PID 3744 msiexec.exe wrote to memory of 2388 (procid_target 99)
  PID 3744 msiexec.exe wrote to memory of 2388 (procid_target 99)
Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 3832)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\microsoft_update.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 3744)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 2860)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Installer\MSIEE6D.tmp (PID 340)
    Command line: "C:\Windows\Installer\MSIEE6D.tmp"
    - Executes dropped EXE
  - C:\Windows\syswow64\MsiExec.exe (PID 2388)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding FE4F447D77DDEF22481E338A5ACBAC07
- C:\Windows\system32\vssvc.exe (PID 5040)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 124KB
  MD5: 99bc58c0db7da90b0b7348ec84218540
  SHA1: 6c5519e4a98ff120e1565ee288090e64fce7753a
  SHA256: c6cc696dd368cbb220cfbd822ca256d720ccbadaa30cd4b05f546e29dd86372e
  SHA512: 548f51a3bea89880da474b99362ffe0e4e00897ed188577b5368bd4d77154f154e6b2c009e1b39d8bcda001ab4a469ef023f7fb490e44eab02c88ab0cbe056a1
- Filesize: 23.0MB
  MD5: 5309974e0f63b2c42c3e9e52faacb61b
  SHA1: d64d868c9abf7e9e22cb5507c3722bcbb236a162
  SHA256: c3206bb82aea3b22341cd01d7a6d5e35094572338b67290f5a90e5909be04c92
  SHA512: 31163bcfa142bac8e704bcd94d349de36aa4d4037e34b1a13cf2c6c280db41dc10168255ff4fc5ca980080bee43ce0dd77468555d39a456fb09217b2dac12b90
- \??\Volume{4cc777a5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d8494c3b-c5c6-4af0-9a8c-763ed41628e9}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: eda3c0fa71d004b46d1078dad2cd3b60
  SHA1: 58b8237353d99d5d2c5f95522614e60f6bfead2b
  SHA256: 8c12fe8f0aadb09e9566ea9356d8d78d0a9d95284c0badd7ad5f655075943fac
  SHA512: 551049dbe2706b134bc9dbe861dc91c3c104f0c3b1ede38be4346bd568f75db283e8a8ae5669ccf0566380ad5d9bb7c1f069be3deab390432a7bb5f5b002a0b4