2fa24f30ddf550369262d28e97a989bf318c6c5ab08b5958c5a783680e05c2ae

Analysis

max time kernel
122s
max time network
85s
platform
windows7_x64
resource
win7-20230220-de
resource tags

arch:x64arch:x86image:win7-20230220-delocale:de-deos:windows7-x64systemwindows
submitted
15-06-2023 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kanri_0.4.2_x64_en-US.msi
Size

2.8MB
MD5

0dcc1cbc7517b184b046622967bb268d
SHA1

a7cff6578d73216a82ea5fdd2ce0dc65ccc40f6a
SHA256

2fa24f30ddf550369262d28e97a989bf318c6c5ab08b5958c5a783680e05c2ae
SHA512

087014b8d378b7dcf500a37630bb24094b603e25fb74005b4b5f2881c990ad545afed672d7991162ea0a2af1db06888bbcb0f7bba86216fdd80fb169f9301fdd
SSDEEP

49152:yhpmIQFq1O2e7vmDMxMoqPuzY8jGSOUoX2d90I39+s+rnPGnUIwI:ipmjFq1ORvmMqPuzY8jG3md90ItWnNr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
604	kanri.exe

Loads dropped DLL 11 IoCs

pid	Process
556	MsiExec.exe
864	msiexec.exe
864	msiexec.exe
1408	Process not Found
1408	Process not Found
1408	Process not Found
1408	Process not Found
1408	Process not Found
1408	Process not Found
556	MsiExec.exe
556	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_neutral_7499a4fac85b39fc\volsnap.PNF	DrvInst.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\kanri\kanri.exe	msiexec.exe
File created	C:\Program Files\kanri\Uninstall kanri.lnk	msiexec.exe
File opened for modification	C:\Program Files\kanri\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI51D9.tmp	msiexec.exe
File created	C:\Windows\Installer\6d4e53.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6d4e51.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\6d4e50.msi	msiexec.exe
File created	C:\Windows\Installer\6d4e51.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{3667FB4C-03C2-4B2E-8EF4-1D092CB6A5F1}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\volsnap.PNF	DrvInst.exe
File created	C:\Windows\Installer\6d4e50.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{3667FB4C-03C2-4B2E-8EF4-1D092CB6A5F1}\ProductIcon	msiexec.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%SystemRoot%\system32\dnsapi.dll,-103 = "DNS-Serververtrauen (Domain Name System)"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer-zu-Peer-Vertrauensstellung"	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%SystemRoot%\system32\qagentrt.dll,-10 = "Systemintegritätsauthentifizierung"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\LanguageList = 640065002d0044004500000064006500000065006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker-Datenwiederherstellungs-Agent"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker-Laufwerkverschlüsselung"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C4BF76632C30E2B4E84FD190C26B5A1F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C4BF76632C30E2B4E84FD190C26B5A1F\ShortcutsFeature = "MainProgram"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F\Version = "262146"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DC0FC7922D28D725FA97C92A9053A41A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C4BF76632C30E2B4E84FD190C26B5A1F\Environment = "MainProgram"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C4BF76632C30E2B4E84FD190C26B5A1F\External	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F\ProductName = "kanri"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DC0FC7922D28D725FA97C92A9053A41A\C4BF76632C30E2B4E84FD190C26B5A1F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C4BF76632C30E2B4E84FD190C26B5A1F\MainProgram	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F\ProductIcon = "C:\\Windows\\Installer\\{3667FB4C-03C2-4B2E-8EF4-1D092CB6A5F1}\\ProductIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F\SourceList\PackageName = "kanri_0.4.2_x64_en-US.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F\PackageCode = "60EF665489572DF4FAF872EA991D40D2"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4BF76632C30E2B4E84FD190C26B5A1F\AuthorizedLUAApp = "0"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
864	msiexec.exe
864	msiexec.exe
112	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1324	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1324	msiexec.exe
Token: SeRestorePrivilege	864	msiexec.exe
Token: SeTakeOwnershipPrivilege	864	msiexec.exe
Token: SeSecurityPrivilege	864	msiexec.exe
Token: SeCreateTokenPrivilege	1324	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1324	msiexec.exe
Token: SeLockMemoryPrivilege	1324	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1324	msiexec.exe
Token: SeMachineAccountPrivilege	1324	msiexec.exe
Token: SeTcbPrivilege	1324	msiexec.exe
Token: SeSecurityPrivilege	1324	msiexec.exe
Token: SeTakeOwnershipPrivilege	1324	msiexec.exe
Token: SeLoadDriverPrivilege	1324	msiexec.exe
Token: SeSystemProfilePrivilege	1324	msiexec.exe
Token: SeSystemtimePrivilege	1324	msiexec.exe
Token: SeProfSingleProcessPrivilege	1324	msiexec.exe
Token: SeIncBasePriorityPrivilege	1324	msiexec.exe
Token: SeCreatePagefilePrivilege	1324	msiexec.exe
Token: SeCreatePermanentPrivilege	1324	msiexec.exe
Token: SeBackupPrivilege	1324	msiexec.exe
Token: SeRestorePrivilege	1324	msiexec.exe
Token: SeShutdownPrivilege	1324	msiexec.exe
Token: SeDebugPrivilege	1324	msiexec.exe
Token: SeAuditPrivilege	1324	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1324	msiexec.exe
Token: SeChangeNotifyPrivilege	1324	msiexec.exe
Token: SeRemoteShutdownPrivilege	1324	msiexec.exe
Token: SeUndockPrivilege	1324	msiexec.exe
Token: SeSyncAgentPrivilege	1324	msiexec.exe
Token: SeEnableDelegationPrivilege	1324	msiexec.exe
Token: SeManageVolumePrivilege	1324	msiexec.exe
Token: SeImpersonatePrivilege	1324	msiexec.exe
Token: SeCreateGlobalPrivilege	1324	msiexec.exe
Token: SeCreateTokenPrivilege	1324	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1324	msiexec.exe
Token: SeLockMemoryPrivilege	1324	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1324	msiexec.exe
Token: SeMachineAccountPrivilege	1324	msiexec.exe
Token: SeTcbPrivilege	1324	msiexec.exe
Token: SeSecurityPrivilege	1324	msiexec.exe
Token: SeTakeOwnershipPrivilege	1324	msiexec.exe
Token: SeLoadDriverPrivilege	1324	msiexec.exe
Token: SeSystemProfilePrivilege	1324	msiexec.exe
Token: SeSystemtimePrivilege	1324	msiexec.exe
Token: SeProfSingleProcessPrivilege	1324	msiexec.exe
Token: SeIncBasePriorityPrivilege	1324	msiexec.exe
Token: SeCreatePagefilePrivilege	1324	msiexec.exe
Token: SeCreatePermanentPrivilege	1324	msiexec.exe
Token: SeBackupPrivilege	1324	msiexec.exe
Token: SeRestorePrivilege	1324	msiexec.exe
Token: SeShutdownPrivilege	1324	msiexec.exe
Token: SeDebugPrivilege	1324	msiexec.exe
Token: SeAuditPrivilege	1324	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1324	msiexec.exe
Token: SeChangeNotifyPrivilege	1324	msiexec.exe
Token: SeRemoteShutdownPrivilege	1324	msiexec.exe
Token: SeUndockPrivilege	1324	msiexec.exe
Token: SeSyncAgentPrivilege	1324	msiexec.exe
Token: SeEnableDelegationPrivilege	1324	msiexec.exe
Token: SeManageVolumePrivilege	1324	msiexec.exe
Token: SeImpersonatePrivilege	1324	msiexec.exe
Token: SeCreateGlobalPrivilege	1324	msiexec.exe
Token: SeCreateTokenPrivilege	1324	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1324	msiexec.exe
1324	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 556	864	msiexec.exe	29
PID 864 wrote to memory of 556	864	msiexec.exe	29
PID 864 wrote to memory of 556	864	msiexec.exe	29
PID 864 wrote to memory of 556	864	msiexec.exe	29
PID 864 wrote to memory of 556	864	msiexec.exe	29
PID 864 wrote to memory of 556	864	msiexec.exe	29
PID 864 wrote to memory of 556	864	msiexec.exe	29
PID 864 wrote to memory of 112	864	msiexec.exe	33
PID 864 wrote to memory of 112	864	msiexec.exe	33
PID 864 wrote to memory of 112	864	msiexec.exe	33
PID 556 wrote to memory of 604	556	MsiExec.exe	36
PID 556 wrote to memory of 604	556	MsiExec.exe	36
PID 556 wrote to memory of 604	556	MsiExec.exe	36
PID 556 wrote to memory of 604	556	MsiExec.exe	36

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\kanri_0.4.2_x64_en-US.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1324

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 29B6476EDDD7898EA159E915AAFC221D C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Program Files\kanri\kanri.exe
    "C:\Program Files\kanri\kanri.exe"
    3⤵
    - Executes dropped EXE
    PID:604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:716

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000598" "000000000000056C"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6d4e52.rbs

Filesize
9KB

MD5
7bc917809288e042e5a6275773025085

SHA1
9ff7df7a181e15b38b68208c83846c62b2f7db40

SHA256
5d3be3140f5618b0893788378a0ea0b16d2e176c4a5e9f7f63c984ef54593cfb

SHA512
aa7ee77b7e09c93d4e5ded07e3dea2c23e355c83d252219ce0ac14ae2f6c76ae6ccd06cb84dbef827490ebe7fde327875b1187e98587ed085ad6eb42c861c20e

Download Submit
C:\Program Files\kanri\kanri.exe

Filesize
6.2MB

MD5
771760ba210db66208d88926780e475b

SHA1
aeef295c35637bac4846575e2febf77e786b90a4

SHA256
9706ea287690f8824b5fdb7b51533de01691d492293c6a1659b7e15b892d9967

SHA512
7d6aaae6df4002fd75c0ff7ee479aa65a34e1e11aa383ffd3e1f232e2b6edcc5747e2d97c863dd4304859c99d3db47298f73dd91df5344bbb473e2750da18bf3

Download Submit
C:\Program Files\kanri\kanri.exe

Filesize
6.2MB

MD5
771760ba210db66208d88926780e475b

SHA1
aeef295c35637bac4846575e2febf77e786b90a4

SHA256
9706ea287690f8824b5fdb7b51533de01691d492293c6a1659b7e15b892d9967

SHA512
7d6aaae6df4002fd75c0ff7ee479aa65a34e1e11aa383ffd3e1f232e2b6edcc5747e2d97c863dd4304859c99d3db47298f73dd91df5344bbb473e2750da18bf3

Download Submit
C:\Program Files\kanri\kanri.exe

Filesize
6.2MB

MD5
771760ba210db66208d88926780e475b

SHA1
aeef295c35637bac4846575e2febf77e786b90a4

SHA256
9706ea287690f8824b5fdb7b51533de01691d492293c6a1659b7e15b892d9967

SHA512
7d6aaae6df4002fd75c0ff7ee479aa65a34e1e11aa383ffd3e1f232e2b6edcc5747e2d97c863dd4304859c99d3db47298f73dd91df5344bbb473e2750da18bf3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\kanri\kanri.lnk

Filesize
1KB

MD5
332853da1cef37a57cb491dd6d8a511c

SHA1
d31b1de8c7c6211d183474694585b676cd978242

SHA256
ad57b4ef7ee86fed27310ee35337a5802730fa1ba4cd9a37c018aa2c708b666a

SHA512
274258ed39187286fb4ad59c34f9c334e7a9e53fdae44a4808324d561b875c5b26cb596a2ef8c6b90df4f598d6e27c929944e42f2126c5246e792dcfc6fe2ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI902F.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIACC5.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\6d4e50.msi

Filesize
2.8MB

MD5
0dcc1cbc7517b184b046622967bb268d

SHA1
a7cff6578d73216a82ea5fdd2ce0dc65ccc40f6a

SHA256
2fa24f30ddf550369262d28e97a989bf318c6c5ab08b5958c5a783680e05c2ae

SHA512
087014b8d378b7dcf500a37630bb24094b603e25fb74005b4b5f2881c990ad545afed672d7991162ea0a2af1db06888bbcb0f7bba86216fdd80fb169f9301fdd

Download Submit
C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_neutral_7499a4fac85b39fc\volsnap.PNF

Filesize
5KB

MD5
3edfb950e9858ffbabb0d8bbbab8f115

SHA1
580b94288c367206fe24fc879058652a8cf42562

SHA256
1a4e2bd082d7e712539245f0a4a34b1a9e84e0b214e0afcadb8289d5a334fc8d

SHA512
93bd6fe511c2326057806cf68b9bdcdd6d4585f18d44a8b4f5c1d43b38921ae53e00a9adecd5c4d77b11733873f60878361d265b5f9cf894be8608dc9276b82c

Download Submit
\Program Files\kanri\kanri.exe

Filesize
6.2MB

MD5
771760ba210db66208d88926780e475b

SHA1
aeef295c35637bac4846575e2febf77e786b90a4

SHA256
9706ea287690f8824b5fdb7b51533de01691d492293c6a1659b7e15b892d9967

SHA512
7d6aaae6df4002fd75c0ff7ee479aa65a34e1e11aa383ffd3e1f232e2b6edcc5747e2d97c863dd4304859c99d3db47298f73dd91df5344bbb473e2750da18bf3

Download Submit
\Program Files\kanri\kanri.exe

Filesize
6.2MB

MD5
771760ba210db66208d88926780e475b

SHA1
aeef295c35637bac4846575e2febf77e786b90a4

SHA256
9706ea287690f8824b5fdb7b51533de01691d492293c6a1659b7e15b892d9967

SHA512
7d6aaae6df4002fd75c0ff7ee479aa65a34e1e11aa383ffd3e1f232e2b6edcc5747e2d97c863dd4304859c99d3db47298f73dd91df5344bbb473e2750da18bf3

Download Submit
\Program Files\kanri\kanri.exe

Filesize
6.2MB

MD5
771760ba210db66208d88926780e475b

SHA1
aeef295c35637bac4846575e2febf77e786b90a4

SHA256
9706ea287690f8824b5fdb7b51533de01691d492293c6a1659b7e15b892d9967

SHA512
7d6aaae6df4002fd75c0ff7ee479aa65a34e1e11aa383ffd3e1f232e2b6edcc5747e2d97c863dd4304859c99d3db47298f73dd91df5344bbb473e2750da18bf3

Download Submit
\Program Files\kanri\kanri.exe

Filesize
6.2MB

MD5
771760ba210db66208d88926780e475b

SHA1
aeef295c35637bac4846575e2febf77e786b90a4

SHA256
9706ea287690f8824b5fdb7b51533de01691d492293c6a1659b7e15b892d9967

SHA512
7d6aaae6df4002fd75c0ff7ee479aa65a34e1e11aa383ffd3e1f232e2b6edcc5747e2d97c863dd4304859c99d3db47298f73dd91df5344bbb473e2750da18bf3

Download Submit
\Program Files\kanri\kanri.exe

Filesize
6.2MB

MD5
771760ba210db66208d88926780e475b

SHA1
aeef295c35637bac4846575e2febf77e786b90a4

SHA256
9706ea287690f8824b5fdb7b51533de01691d492293c6a1659b7e15b892d9967

SHA512
7d6aaae6df4002fd75c0ff7ee479aa65a34e1e11aa383ffd3e1f232e2b6edcc5747e2d97c863dd4304859c99d3db47298f73dd91df5344bbb473e2750da18bf3

Download Submit
\Program Files\kanri\kanri.exe

Filesize
6.2MB

MD5
771760ba210db66208d88926780e475b

SHA1
aeef295c35637bac4846575e2febf77e786b90a4

SHA256
9706ea287690f8824b5fdb7b51533de01691d492293c6a1659b7e15b892d9967

SHA512
7d6aaae6df4002fd75c0ff7ee479aa65a34e1e11aa383ffd3e1f232e2b6edcc5747e2d97c863dd4304859c99d3db47298f73dd91df5344bbb473e2750da18bf3

Download Submit
\Program Files\kanri\kanri.exe

Filesize
6.2MB

MD5
771760ba210db66208d88926780e475b

SHA1
aeef295c35637bac4846575e2febf77e786b90a4

SHA256
9706ea287690f8824b5fdb7b51533de01691d492293c6a1659b7e15b892d9967

SHA512
7d6aaae6df4002fd75c0ff7ee479aa65a34e1e11aa383ffd3e1f232e2b6edcc5747e2d97c863dd4304859c99d3db47298f73dd91df5344bbb473e2750da18bf3

Download Submit
\Program Files\kanri\kanri.exe

Filesize
6.2MB

MD5
771760ba210db66208d88926780e475b

SHA1
aeef295c35637bac4846575e2febf77e786b90a4

SHA256
9706ea287690f8824b5fdb7b51533de01691d492293c6a1659b7e15b892d9967

SHA512
7d6aaae6df4002fd75c0ff7ee479aa65a34e1e11aa383ffd3e1f232e2b6edcc5747e2d97c863dd4304859c99d3db47298f73dd91df5344bbb473e2750da18bf3

Download Submit
\Program Files\kanri\kanri.exe

Filesize
6.2MB

MD5
771760ba210db66208d88926780e475b

SHA1
aeef295c35637bac4846575e2febf77e786b90a4

SHA256
9706ea287690f8824b5fdb7b51533de01691d492293c6a1659b7e15b892d9967

SHA512
7d6aaae6df4002fd75c0ff7ee479aa65a34e1e11aa383ffd3e1f232e2b6edcc5747e2d97c863dd4304859c99d3db47298f73dd91df5344bbb473e2750da18bf3

Download Submit
\Users\Admin\AppData\Local\Temp\MSI902F.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
\Users\Admin\AppData\Local\Temp\MSIACC5.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
memory/112-116-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/112-122-0x00000000025AB000-0x00000000025E2000-memory.dmp

Filesize
220KB

Download
memory/112-121-0x0000000002570000-0x0000000002578000-memory.dmp

Filesize
32KB

Download
memory/112-120-0x0000000002560000-0x000000000256A000-memory.dmp

Filesize
40KB

Download
memory/112-119-0x000000001B1A0000-0x000000001B1E8000-memory.dmp

Filesize
288KB

Download
memory/112-118-0x000000001B150000-0x000000001B1A0000-memory.dmp

Filesize
320KB

Download
memory/112-117-0x00000000024A0000-0x00000000024AE000-memory.dmp

Filesize
56KB

Download
memory/112-114-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/112-115-0x0000000002480000-0x0000000002488000-memory.dmp

Filesize
32KB

Download
memory/112-113-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/112-112-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download