ea104069fc5ac1fad61a51473ab875fa0a75866576d969ad6b6332bc5b8c4271

Resubmissions

02-05-2023 21:13

230502-z2yjmace97 8

20-02-2022 17:23

220220-vya7pscgbk 10

14-11-2021 04:08

211114-eqn6lacham 10

Analysis

max time kernel
31s
max time network
39s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-05-2023 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RASClient-x64.msi
Size

34.6MB
MD5

27fc803bd3e56f63f9dfbee16ab3b852
SHA1

f597d569cb4c1aa9ee2c29bbcaff3fa9def01c10
SHA256

ea104069fc5ac1fad61a51473ab875fa0a75866576d969ad6b6332bc5b8c4271
SHA512

537aff6ef9c54c0963211e5eae03c637a55c008f22e4ac977bc79b2e0644942f7c11d33a902ec47ba95bfd16f3b6f2cc902f4f3f0464f6dcc11f32b263a9fa85
SSDEEP

786432:zGb6kbODdRR8DtJEe74f6gJ1KkODhSB5l5:zGbJKdfWEe74fPykOFS95

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	1588	msiexec.exe
4	1588	msiexec.exe
6	1588	msiexec.exe

Loads dropped DLL 3 IoCs

pid	Process
1668	MsiExec.exe
1668	MsiExec.exe
1452	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1668	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1588	msiexec.exe
Token: SeRestorePrivilege	1912	msiexec.exe
Token: SeTakeOwnershipPrivilege	1912	msiexec.exe
Token: SeSecurityPrivilege	1912	msiexec.exe
Token: SeCreateTokenPrivilege	1588	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1588	msiexec.exe
Token: SeLockMemoryPrivilege	1588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1588	msiexec.exe
Token: SeMachineAccountPrivilege	1588	msiexec.exe
Token: SeTcbPrivilege	1588	msiexec.exe
Token: SeSecurityPrivilege	1588	msiexec.exe
Token: SeTakeOwnershipPrivilege	1588	msiexec.exe
Token: SeLoadDriverPrivilege	1588	msiexec.exe
Token: SeSystemProfilePrivilege	1588	msiexec.exe
Token: SeSystemtimePrivilege	1588	msiexec.exe
Token: SeProfSingleProcessPrivilege	1588	msiexec.exe
Token: SeIncBasePriorityPrivilege	1588	msiexec.exe
Token: SeCreatePagefilePrivilege	1588	msiexec.exe
Token: SeCreatePermanentPrivilege	1588	msiexec.exe
Token: SeBackupPrivilege	1588	msiexec.exe
Token: SeRestorePrivilege	1588	msiexec.exe
Token: SeShutdownPrivilege	1588	msiexec.exe
Token: SeDebugPrivilege	1588	msiexec.exe
Token: SeAuditPrivilege	1588	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1588	msiexec.exe
Token: SeChangeNotifyPrivilege	1588	msiexec.exe
Token: SeRemoteShutdownPrivilege	1588	msiexec.exe
Token: SeUndockPrivilege	1588	msiexec.exe
Token: SeSyncAgentPrivilege	1588	msiexec.exe
Token: SeEnableDelegationPrivilege	1588	msiexec.exe
Token: SeManageVolumePrivilege	1588	msiexec.exe
Token: SeImpersonatePrivilege	1588	msiexec.exe
Token: SeCreateGlobalPrivilege	1588	msiexec.exe
Token: SeCreateTokenPrivilege	1588	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1588	msiexec.exe
Token: SeLockMemoryPrivilege	1588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1588	msiexec.exe
Token: SeMachineAccountPrivilege	1588	msiexec.exe
Token: SeTcbPrivilege	1588	msiexec.exe
Token: SeSecurityPrivilege	1588	msiexec.exe
Token: SeTakeOwnershipPrivilege	1588	msiexec.exe
Token: SeLoadDriverPrivilege	1588	msiexec.exe
Token: SeSystemProfilePrivilege	1588	msiexec.exe
Token: SeSystemtimePrivilege	1588	msiexec.exe
Token: SeProfSingleProcessPrivilege	1588	msiexec.exe
Token: SeIncBasePriorityPrivilege	1588	msiexec.exe
Token: SeCreatePagefilePrivilege	1588	msiexec.exe
Token: SeCreatePermanentPrivilege	1588	msiexec.exe
Token: SeBackupPrivilege	1588	msiexec.exe
Token: SeRestorePrivilege	1588	msiexec.exe
Token: SeShutdownPrivilege	1588	msiexec.exe
Token: SeDebugPrivilege	1588	msiexec.exe
Token: SeAuditPrivilege	1588	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1588	msiexec.exe
Token: SeChangeNotifyPrivilege	1588	msiexec.exe
Token: SeRemoteShutdownPrivilege	1588	msiexec.exe
Token: SeUndockPrivilege	1588	msiexec.exe
Token: SeSyncAgentPrivilege	1588	msiexec.exe
Token: SeEnableDelegationPrivilege	1588	msiexec.exe
Token: SeManageVolumePrivilege	1588	msiexec.exe
Token: SeImpersonatePrivilege	1588	msiexec.exe
Token: SeCreateGlobalPrivilege	1588	msiexec.exe
Token: SeCreateTokenPrivilege	1588	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1588	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1668	1912	msiexec.exe	27
PID 1912 wrote to memory of 1668	1912	msiexec.exe	27
PID 1912 wrote to memory of 1668	1912	msiexec.exe	27
PID 1912 wrote to memory of 1668	1912	msiexec.exe	27
PID 1912 wrote to memory of 1668	1912	msiexec.exe	27
PID 1912 wrote to memory of 1452	1912	msiexec.exe	28
PID 1912 wrote to memory of 1452	1912	msiexec.exe	28
PID 1912 wrote to memory of 1452	1912	msiexec.exe	28
PID 1912 wrote to memory of 1452	1912	msiexec.exe	28
PID 1912 wrote to memory of 1452	1912	msiexec.exe	28
PID 1912 wrote to memory of 1452	1912	msiexec.exe	28
PID 1912 wrote to memory of 1452	1912	msiexec.exe	28

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\RASClient-x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1588

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 05B6DB5932D90312F181207403DEDC0E C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1668
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 53D099C0BA29519F4ED092C9B6C7C2F4 C
  2⤵
  - Loads dropped DLL
  PID:1452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1104

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002A4" "00000000000003C0"
1⤵
PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6CD2.tmp

Filesize
2.8MB

MD5
d25f337c8cd2c1866ebcac8c439ec39e

SHA1
a494842bcc9c04dd45bbf8f4986547b938158fbb

SHA256
c6e24bbce5ba9182d11afd6625037576debd749b8c8b090d653601a913874b58

SHA512
1160a1af517f612863e97b340c0e526914b7daec45cb8569089458f7ded0f792af23a1308745bc1da53d5b098fd052fb243954d4b7c4c1f0a60e9d6206f572d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI70D8.tmp

Filesize
2.6MB

MD5
37a9fe5a4ffde1a37a30890cb8f164d3

SHA1
152c3cc2053e5975887d80b0ac2e4e6f7a6922e6

SHA256
c2d088305e9da01eb68278b70e7967448057d52bf047ab63478f58824df785d4

SHA512
57960bb5f68983ae0bdc6539042cdbcf0a73053e9ed5d2ef2bbc12737453e20147c0bb57a5ed61577883cf04badd976dabeb2d27f0ed4f80e8de15f395b850be

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA66A.tmp

Filesize
102KB

MD5
d9ac1b56edf330a6eb7894ab293f14f6

SHA1
022d8944e3927fff2b330dab54716ddcbb366d16

SHA256
097f1c3f27b18010448d77e3f70c4d9f774cb9c5ab435c62baa1c00e4cadd5ef

SHA512
e434410e2b2c2bb1fba4f3fc7c277b978c45b1df1d3c3994d6dc1530558393d7d42a713506bf95d013b2e40e9da36fd3e588fea8d8dc062a24ad931e4d76c328

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6560.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
\Users\Admin\AppData\Local\Temp\MSI6CD2.tmp

Filesize
2.8MB

MD5
d25f337c8cd2c1866ebcac8c439ec39e

SHA1
a494842bcc9c04dd45bbf8f4986547b938158fbb

SHA256
c6e24bbce5ba9182d11afd6625037576debd749b8c8b090d653601a913874b58

SHA512
1160a1af517f612863e97b340c0e526914b7daec45cb8569089458f7ded0f792af23a1308745bc1da53d5b098fd052fb243954d4b7c4c1f0a60e9d6206f572d1

Download Submit
\Users\Admin\AppData\Local\Temp\MSI70D8.tmp

Filesize
2.6MB

MD5
37a9fe5a4ffde1a37a30890cb8f164d3

SHA1
152c3cc2053e5975887d80b0ac2e4e6f7a6922e6

SHA256
c2d088305e9da01eb68278b70e7967448057d52bf047ab63478f58824df785d4

SHA512
57960bb5f68983ae0bdc6539042cdbcf0a73053e9ed5d2ef2bbc12737453e20147c0bb57a5ed61577883cf04badd976dabeb2d27f0ed4f80e8de15f395b850be

Download Submit
\Users\Admin\AppData\Local\Temp\MSIA66A.tmp

Filesize
102KB

MD5
d9ac1b56edf330a6eb7894ab293f14f6

SHA1
022d8944e3927fff2b330dab54716ddcbb366d16

SHA256
097f1c3f27b18010448d77e3f70c4d9f774cb9c5ab435c62baa1c00e4cadd5ef

SHA512
e434410e2b2c2bb1fba4f3fc7c277b978c45b1df1d3c3994d6dc1530558393d7d42a713506bf95d013b2e40e9da36fd3e588fea8d8dc062a24ad931e4d76c328

Download Submit