gozi | cd8393350f7cfc0762e09ee3b0a98002a1b9abf362caf5f210e717e1d4ebe53a

Analysis

max time kernel
141s
max time network
147s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26-05-2023 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05234599.msi
Size

5.8MB
MD5

82ff84cb9924f0855a894e75b5d3edb2
SHA1

df89381239f8a8ececeb697a6a35a573203bac09
SHA256

cd8393350f7cfc0762e09ee3b0a98002a1b9abf362caf5f210e717e1d4ebe53a
SHA512

416db643cbfda60b26bb3eac8b6a94b148b506bc016d562bc51e085f765400c56412462b42e2e29dcc44fa621349781c1c225081804c528a0a7fd1822663597b
SSDEEP

98304:ajJzMUpQ/2zKN5DmsQPKEvia5Zld9l4jH43ZnzgB1wLhQNHFRaFUDAQQHk8iQdvk:M5NzKNgsKKE6UZD9l4IZnzgLwLhQNHFd

Score

10^/10

gozi 1000 banker ldr4 trojan

Malware Config

Extracted

Family

gozi

Botnet

1000

https://sumarno.top

Attributes

host_keep_time
2
host_shift_time
1
idle_time
1
request_time
10

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

4 1576 rundll32.exe
6 1576 rundll32.exe
8 1576 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

MSI85C8.tmpMSI86C3.tmp

pid process

1168 MSI85C8.tmp
1316 MSI86C3.tmp
Loads dropped DLL 7 IoCs

Processes:

MsiExec.exerundll32.exe

pid process

1888 MsiExec.exe
1888 MsiExec.exe
1888 MsiExec.exe
1576 rundll32.exe
1576 rundll32.exe
1576 rundll32.exe
1576 rundll32.exe

flow	pid	process
4	1576	rundll32.exe
6	1576	rundll32.exe
8	1576	rundll32.exe

pid	process
1168	MSI85C8.tmp
1316	MSI86C3.tmp

pid	process
1888	MsiExec.exe
1888	MsiExec.exe
1888	MsiExec.exe
1576	rundll32.exe
1576	rundll32.exe
1576	rundll32.exe
1576	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe

Drops file in Windows directory 15 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\6c7f6d.msi	msiexec.exe
File created	C:\Windows\Installer\6c7f6d.msi	msiexec.exe
File created	C:\Windows\Installer\6c7f71.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI86C3.tmp	msiexec.exe
File created	C:\Windows\Installer\6c7f6f.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI82A9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8346.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85C8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c7f6f.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI8077.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8598.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rundll32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeMSI86C3.tmp

pid	process
2016	msiexec.exe
2016	msiexec.exe
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp
1316	MSI86C3.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exe

description	pid	process
Token: SeShutdownPrivilege	824	msiexec.exe
Token: SeIncreaseQuotaPrivilege	824	msiexec.exe
Token: SeRestorePrivilege	2016	msiexec.exe
Token: SeTakeOwnershipPrivilege	2016	msiexec.exe
Token: SeSecurityPrivilege	2016	msiexec.exe
Token: SeCreateTokenPrivilege	824	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	824	msiexec.exe
Token: SeLockMemoryPrivilege	824	msiexec.exe
Token: SeIncreaseQuotaPrivilege	824	msiexec.exe
Token: SeMachineAccountPrivilege	824	msiexec.exe
Token: SeTcbPrivilege	824	msiexec.exe
Token: SeSecurityPrivilege	824	msiexec.exe
Token: SeTakeOwnershipPrivilege	824	msiexec.exe
Token: SeLoadDriverPrivilege	824	msiexec.exe
Token: SeSystemProfilePrivilege	824	msiexec.exe
Token: SeSystemtimePrivilege	824	msiexec.exe
Token: SeProfSingleProcessPrivilege	824	msiexec.exe
Token: SeIncBasePriorityPrivilege	824	msiexec.exe
Token: SeCreatePagefilePrivilege	824	msiexec.exe
Token: SeCreatePermanentPrivilege	824	msiexec.exe
Token: SeBackupPrivilege	824	msiexec.exe
Token: SeRestorePrivilege	824	msiexec.exe
Token: SeShutdownPrivilege	824	msiexec.exe
Token: SeDebugPrivilege	824	msiexec.exe
Token: SeAuditPrivilege	824	msiexec.exe
Token: SeSystemEnvironmentPrivilege	824	msiexec.exe
Token: SeChangeNotifyPrivilege	824	msiexec.exe
Token: SeRemoteShutdownPrivilege	824	msiexec.exe
Token: SeUndockPrivilege	824	msiexec.exe
Token: SeSyncAgentPrivilege	824	msiexec.exe
Token: SeEnableDelegationPrivilege	824	msiexec.exe
Token: SeManageVolumePrivilege	824	msiexec.exe
Token: SeImpersonatePrivilege	824	msiexec.exe
Token: SeCreateGlobalPrivilege	824	msiexec.exe
Token: SeBackupPrivilege	268	vssvc.exe
Token: SeRestorePrivilege	268	vssvc.exe
Token: SeAuditPrivilege	268	vssvc.exe
Token: SeBackupPrivilege	2016	msiexec.exe
Token: SeRestorePrivilege	2016	msiexec.exe
Token: SeRestorePrivilege	808	DrvInst.exe
Token: SeRestorePrivilege	808	DrvInst.exe
Token: SeRestorePrivilege	808	DrvInst.exe
Token: SeRestorePrivilege	808	DrvInst.exe
Token: SeRestorePrivilege	808	DrvInst.exe
Token: SeRestorePrivilege	808	DrvInst.exe
Token: SeRestorePrivilege	808	DrvInst.exe
Token: SeLoadDriverPrivilege	808	DrvInst.exe
Token: SeLoadDriverPrivilege	808	DrvInst.exe
Token: SeLoadDriverPrivilege	808	DrvInst.exe
Token: SeRestorePrivilege	2016	msiexec.exe
Token: SeTakeOwnershipPrivilege	2016	msiexec.exe
Token: SeRestorePrivilege	2016	msiexec.exe
Token: SeTakeOwnershipPrivilege	2016	msiexec.exe
Token: SeRestorePrivilege	2016	msiexec.exe
Token: SeTakeOwnershipPrivilege	2016	msiexec.exe
Token: SeRestorePrivilege	2016	msiexec.exe
Token: SeTakeOwnershipPrivilege	2016	msiexec.exe
Token: SeRestorePrivilege	2016	msiexec.exe
Token: SeTakeOwnershipPrivilege	2016	msiexec.exe
Token: SeRestorePrivilege	2016	msiexec.exe
Token: SeTakeOwnershipPrivilege	2016	msiexec.exe
Token: SeRestorePrivilege	2016	msiexec.exe
Token: SeTakeOwnershipPrivilege	2016	msiexec.exe
Token: SeRestorePrivilege	2016	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

824 msiexec.exe
824 msiexec.exe

pid	process
824	msiexec.exe
824	msiexec.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

msiexec.exerundll32.execmd.exenet.execmd.exe

description	pid	process	target process
PID 2016 wrote to memory of 1888	2016	msiexec.exe	MsiExec.exe
PID 2016 wrote to memory of 1888	2016	msiexec.exe	MsiExec.exe
PID 2016 wrote to memory of 1888	2016	msiexec.exe	MsiExec.exe
PID 2016 wrote to memory of 1888	2016	msiexec.exe	MsiExec.exe
PID 2016 wrote to memory of 1888	2016	msiexec.exe	MsiExec.exe
PID 2016 wrote to memory of 1888	2016	msiexec.exe	MsiExec.exe
PID 2016 wrote to memory of 1888	2016	msiexec.exe	MsiExec.exe
PID 2016 wrote to memory of 1168	2016	msiexec.exe	MSI85C8.tmp
PID 2016 wrote to memory of 1168	2016	msiexec.exe	MSI85C8.tmp
PID 2016 wrote to memory of 1168	2016	msiexec.exe	MSI85C8.tmp
PID 2016 wrote to memory of 1168	2016	msiexec.exe	MSI85C8.tmp
PID 2016 wrote to memory of 1168	2016	msiexec.exe	MSI85C8.tmp
PID 2016 wrote to memory of 1168	2016	msiexec.exe	MSI85C8.tmp
PID 2016 wrote to memory of 1168	2016	msiexec.exe	MSI85C8.tmp
PID 2016 wrote to memory of 1316	2016	msiexec.exe	MSI86C3.tmp
PID 2016 wrote to memory of 1316	2016	msiexec.exe	MSI86C3.tmp
PID 2016 wrote to memory of 1316	2016	msiexec.exe	MSI86C3.tmp
PID 2016 wrote to memory of 1316	2016	msiexec.exe	MSI86C3.tmp
PID 2016 wrote to memory of 1316	2016	msiexec.exe	MSI86C3.tmp
PID 2016 wrote to memory of 1316	2016	msiexec.exe	MSI86C3.tmp
PID 2016 wrote to memory of 1316	2016	msiexec.exe	MSI86C3.tmp
PID 1576 wrote to memory of 1504	1576	rundll32.exe	cmd.exe
PID 1576 wrote to memory of 1504	1576	rundll32.exe	cmd.exe
PID 1576 wrote to memory of 1504	1576	rundll32.exe	cmd.exe
PID 1504 wrote to memory of 860	1504	cmd.exe	net.exe
PID 1504 wrote to memory of 860	1504	cmd.exe	net.exe
PID 1504 wrote to memory of 860	1504	cmd.exe	net.exe
PID 860 wrote to memory of 1608	860	net.exe	net1.exe
PID 860 wrote to memory of 1608	860	net.exe	net1.exe
PID 860 wrote to memory of 1608	860	net.exe	net1.exe
PID 1576 wrote to memory of 1508	1576	rundll32.exe	cmd.exe
PID 1576 wrote to memory of 1508	1576	rundll32.exe	cmd.exe
PID 1576 wrote to memory of 1508	1576	rundll32.exe	cmd.exe
PID 1508 wrote to memory of 1152	1508	cmd.exe	nltest.exe
PID 1508 wrote to memory of 1152	1508	cmd.exe	nltest.exe
PID 1508 wrote to memory of 1152	1508	cmd.exe	nltest.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\05234599.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 24C7474EF82481C25281B64FB143BA03
2⤵
- Loads dropped DLL
PID:1888

C:\Windows\Installer\MSI85C8.tmp
"C:\Windows\Installer\MSI85C8.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll,vips
2⤵
- Executes dropped EXE
PID:1168

C:\Windows\Installer\MSI86C3.tmp
"C:\Windows\Installer\MSI86C3.tmp" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\Admin\AppData\Roaming\MSTX340/Information_psw.pdf
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000390" "00000000000003CC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll,vips
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\System32\cmd.exe
cmd /c "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\4A90.tmp
2⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\System32\net.exe
net group "domain computers" /domain
3⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group "domain computers" /domain
4⤵
PID:1608

C:\Windows\System32\cmd.exe
cmd /c "nltest /dclist:" >> C:\Users\Admin\AppData\Local\Temp\9424.tmp
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\System32\nltest.exe
nltest /dclist:
3⤵
PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6c7f70.rbs

Filesize
422KB

MD5
4911c02a23eef78756cf14cf502bf9c8

SHA1
1a7b3029c5a1fb3572838130bb024cf2bb50b645

SHA256
30326be316793210a3cff941f742e3b4dcc2997da200f43daf343dc77b475e2c

SHA512
88c506dfcd1e32c58e9ed3de7f53b234b4c40e93fe488d7ea49be69c2788b9c4650f15d3a2d5822cbc781f441cf76d82cc666a097c886f90b93dfd0c76d854cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
C:\Users\Admin\AppData\Local\Temp\4A90.tmp

Filesize
78B

MD5
aaec14b2de8e2fdaf8427672122af65c

SHA1
ca953efad669c93af85b968d747baa544d4465fb

SHA256
14c94c44d0eb89a820d96e1791f4b754c87ee778b5f4478289df0fb22e1c3da1

SHA512
a5cbad3de5070fdcd6aa7f3f5eda42b69faef44a431cf48e20ca1f4f42c648ee80bd5f1d9b981624ae6b39e2435b4278c9fd1e97491e3b244a2bba7d629021a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9424.tmp

Filesize
36B

MD5
c58986635c266e6c06609b908580bede

SHA1
4672dce03d3dd9560cf74035aff3d9aebb7201e4

SHA256
a2f1bb2817f976e129974b003e3ec12fb8a644c1952bb667116317fd26416042

SHA512
36241e4bda8ad7e4137624bbfbb999c643d34a2095ba078f9886d92f4726913bdb9dc1e1f44141a6738c1e4d9042b802e49f774c0f1c6901735f4b069834449f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab96A7.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll

Filesize
287KB

MD5
d0584edcc980ef43e697629ade83c54b

SHA1
a68deea2d4f40bef60c7f605bc2aae9698259e69

SHA256
e33a713b96b45e2b2e0da350c0fdaaf865139607066aadff3b67b0ced82ca8bc

SHA512
917f8206777512ba537c3b67d4e1a31cbf86c690986ef617d5ee34a7818ce09c23067caae3d22a9e1ff7dba0fdf17322f33b579ca0827f19ef0cbabe2f486b5e

Download Submit
C:\Windows\Installer\6c7f6d.msi

Filesize
5.8MB

MD5
82ff84cb9924f0855a894e75b5d3edb2

SHA1
df89381239f8a8ececeb697a6a35a573203bac09

SHA256
cd8393350f7cfc0762e09ee3b0a98002a1b9abf362caf5f210e717e1d4ebe53a

SHA512
416db643cbfda60b26bb3eac8b6a94b148b506bc016d562bc51e085f765400c56412462b42e2e29dcc44fa621349781c1c225081804c528a0a7fd1822663597b

Download Submit
C:\Windows\Installer\MSI8077.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSI82A9.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSI8346.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSI8346.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSI85C8.tmp

Filesize
414KB

MD5
0007940f5479831428131f029d3bd8f7

SHA1
8ded66acbd836388c1414512025bd9004c90903b

SHA256
340b6eeceb447fb9c8393ddaaa896c9d7013333e2d5587c7a580e56beb232320

SHA512
c4f75c939acf139f85abffc0264de0279ef35914121e132c0bc22b3ea0080a9573665080f5c8ae5db3b620341aacc871d094ef52bc7b6963275112572a490bdf

Download Submit
C:\Windows\Installer\MSI86C3.tmp

Filesize
414KB

MD5
0007940f5479831428131f029d3bd8f7

SHA1
8ded66acbd836388c1414512025bd9004c90903b

SHA256
340b6eeceb447fb9c8393ddaaa896c9d7013333e2d5587c7a580e56beb232320

SHA512
c4f75c939acf139f85abffc0264de0279ef35914121e132c0bc22b3ea0080a9573665080f5c8ae5db3b620341aacc871d094ef52bc7b6963275112572a490bdf

Download Submit
C:\Windows\Installer\MSI86C3.tmp

Filesize
414KB

MD5
0007940f5479831428131f029d3bd8f7

SHA1
8ded66acbd836388c1414512025bd9004c90903b

SHA256
340b6eeceb447fb9c8393ddaaa896c9d7013333e2d5587c7a580e56beb232320

SHA512
c4f75c939acf139f85abffc0264de0279ef35914121e132c0bc22b3ea0080a9573665080f5c8ae5db3b620341aacc871d094ef52bc7b6963275112572a490bdf

Download Submit
\Users\Admin\AppData\Roaming\MSTX340\ini.dll

Filesize
287KB

MD5
d0584edcc980ef43e697629ade83c54b

SHA1
a68deea2d4f40bef60c7f605bc2aae9698259e69

SHA256
e33a713b96b45e2b2e0da350c0fdaaf865139607066aadff3b67b0ced82ca8bc

SHA512
917f8206777512ba537c3b67d4e1a31cbf86c690986ef617d5ee34a7818ce09c23067caae3d22a9e1ff7dba0fdf17322f33b579ca0827f19ef0cbabe2f486b5e

Download Submit
\Users\Admin\AppData\Roaming\MSTX340\ini.dll

Filesize
287KB

MD5
d0584edcc980ef43e697629ade83c54b

SHA1
a68deea2d4f40bef60c7f605bc2aae9698259e69

SHA256
e33a713b96b45e2b2e0da350c0fdaaf865139607066aadff3b67b0ced82ca8bc

SHA512
917f8206777512ba537c3b67d4e1a31cbf86c690986ef617d5ee34a7818ce09c23067caae3d22a9e1ff7dba0fdf17322f33b579ca0827f19ef0cbabe2f486b5e

Download Submit
\Users\Admin\AppData\Roaming\MSTX340\ini.dll

Filesize
287KB

MD5
d0584edcc980ef43e697629ade83c54b

SHA1
a68deea2d4f40bef60c7f605bc2aae9698259e69

SHA256
e33a713b96b45e2b2e0da350c0fdaaf865139607066aadff3b67b0ced82ca8bc

SHA512
917f8206777512ba537c3b67d4e1a31cbf86c690986ef617d5ee34a7818ce09c23067caae3d22a9e1ff7dba0fdf17322f33b579ca0827f19ef0cbabe2f486b5e

Download Submit
\Users\Admin\AppData\Roaming\MSTX340\ini.dll

Filesize
287KB

MD5
d0584edcc980ef43e697629ade83c54b

SHA1
a68deea2d4f40bef60c7f605bc2aae9698259e69

SHA256
e33a713b96b45e2b2e0da350c0fdaaf865139607066aadff3b67b0ced82ca8bc

SHA512
917f8206777512ba537c3b67d4e1a31cbf86c690986ef617d5ee34a7818ce09c23067caae3d22a9e1ff7dba0fdf17322f33b579ca0827f19ef0cbabe2f486b5e

Download Submit
\Windows\Installer\MSI8077.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
\Windows\Installer\MSI82A9.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
\Windows\Installer\MSI8346.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
memory/1168-80-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/1316-105-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/1576-104-0x00000000001D0000-0x00000000001E3000-memory.dmp

Filesize
76KB

Download
memory/1576-98-0x00000000001D0000-0x00000000001E3000-memory.dmp

Filesize
76KB

Download
memory/1576-97-0x0000000000110000-0x0000000000114000-memory.dmp

Filesize
16KB

Download