d2126415b32dadd857e41e8fc1505b034959d95d9ee24602e88152cb41b5a3e9

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2023, 15:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Office32WW.msi
Size

1.9MB
MD5

61815eb334357d86a26f9b19faca9cc3
SHA1

512f533c4c2607ef03af1d66400080c36c3ae63a
SHA256

d2126415b32dadd857e41e8fc1505b034959d95d9ee24602e88152cb41b5a3e9
SHA512

7a52145c31b95aeb563d0011d88ea711666f8c60ae46a0c669f74f4901f615ca5ad5fa81b02837a50106a28959e6008c0429e2cc2aeac835f3ae55cd4eadcb39
SSDEEP

24576:SEIgZTxhF6WBckmh7EgVEG8o93s0ZWdrU+MAR+acIty0BqEI2S+o0k4Xqb9:ZHWLhHEGr0BqEI2S

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	3744	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
3876	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e56e69c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56e69c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE777.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a577c74c521b2f150000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a577c74c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900a577c74c000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3744	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3744	msiexec.exe
Token: SeSecurityPrivilege	376	msiexec.exe
Token: SeCreateTokenPrivilege	3744	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3744	msiexec.exe
Token: SeLockMemoryPrivilege	3744	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3744	msiexec.exe
Token: SeMachineAccountPrivilege	3744	msiexec.exe
Token: SeTcbPrivilege	3744	msiexec.exe
Token: SeSecurityPrivilege	3744	msiexec.exe
Token: SeTakeOwnershipPrivilege	3744	msiexec.exe
Token: SeLoadDriverPrivilege	3744	msiexec.exe
Token: SeSystemProfilePrivilege	3744	msiexec.exe
Token: SeSystemtimePrivilege	3744	msiexec.exe
Token: SeProfSingleProcessPrivilege	3744	msiexec.exe
Token: SeIncBasePriorityPrivilege	3744	msiexec.exe
Token: SeCreatePagefilePrivilege	3744	msiexec.exe
Token: SeCreatePermanentPrivilege	3744	msiexec.exe
Token: SeBackupPrivilege	3744	msiexec.exe
Token: SeRestorePrivilege	3744	msiexec.exe
Token: SeShutdownPrivilege	3744	msiexec.exe
Token: SeDebugPrivilege	3744	msiexec.exe
Token: SeAuditPrivilege	3744	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3744	msiexec.exe
Token: SeChangeNotifyPrivilege	3744	msiexec.exe
Token: SeRemoteShutdownPrivilege	3744	msiexec.exe
Token: SeUndockPrivilege	3744	msiexec.exe
Token: SeSyncAgentPrivilege	3744	msiexec.exe
Token: SeEnableDelegationPrivilege	3744	msiexec.exe
Token: SeManageVolumePrivilege	3744	msiexec.exe
Token: SeImpersonatePrivilege	3744	msiexec.exe
Token: SeCreateGlobalPrivilege	3744	msiexec.exe
Token: SeBackupPrivilege	4452	vssvc.exe
Token: SeRestorePrivilege	4452	vssvc.exe
Token: SeAuditPrivilege	4452	vssvc.exe
Token: SeBackupPrivilege	376	msiexec.exe
Token: SeRestorePrivilege	376	msiexec.exe
Token: SeRestorePrivilege	376	msiexec.exe
Token: SeTakeOwnershipPrivilege	376	msiexec.exe
Token: SeRestorePrivilege	376	msiexec.exe
Token: SeTakeOwnershipPrivilege	376	msiexec.exe
Token: SeBackupPrivilege	980	srtasks.exe
Token: SeRestorePrivilege	980	srtasks.exe
Token: SeSecurityPrivilege	980	srtasks.exe
Token: SeTakeOwnershipPrivilege	980	srtasks.exe
Token: SeBackupPrivilege	980	srtasks.exe
Token: SeRestorePrivilege	980	srtasks.exe
Token: SeSecurityPrivilege	980	srtasks.exe
Token: SeTakeOwnershipPrivilege	980	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3744	msiexec.exe
3744	msiexec.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 980	376	msiexec.exe	87
PID 376 wrote to memory of 980	376	msiexec.exe	87
PID 376 wrote to memory of 3876	376	msiexec.exe	89
PID 376 wrote to memory of 3876	376	msiexec.exe	89

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Office32WW.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3744

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding D8BD402F58DEB8B6AC6C603038D95096
  2⤵
  - Loads dropped DLL
  PID:3876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSIE777.tmp

Filesize
60KB

MD5
a51c3c270bb40fce972a9c86b842004a

SHA1
9571c5ea25e1075fb3a52c92a2e37d767bc8d01c

SHA256
159fcc993ed048937455447e4544e2079553f538f121471cdb9838d565c66563

SHA512
31b7bbd9e3fea63919527187ad95cd54ee3c8ef67d690c9b76a47a7392fe4562a3bf72209359979be7e139640b2ebedefa0485c29975da9d4306f7220e2a4c8a

Download Submit
C:\Windows\Installer\MSIE777.tmp

Filesize
60KB

MD5
a51c3c270bb40fce972a9c86b842004a

SHA1
9571c5ea25e1075fb3a52c92a2e37d767bc8d01c

SHA256
159fcc993ed048937455447e4544e2079553f538f121471cdb9838d565c66563

SHA512
31b7bbd9e3fea63919527187ad95cd54ee3c8ef67d690c9b76a47a7392fe4562a3bf72209359979be7e139640b2ebedefa0485c29975da9d4306f7220e2a4c8a

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
4a6e291f9cdbb2dea3f22ed05acb3541

SHA1
29f3feaab36df48e256877bf790b3b251fe6b080

SHA256
ee87f585b48cec35a08dd91e3c23e0edb20ba457e34f711a760eed12b7ca30df

SHA512
2283dc71ac2f15be30919d48a769485766bf05093259969ec8e2929ada2e96b020cd45a297b0abd1f835d1ed5cc9595fcebb7e3520f0098d0b4f9b28692ee87a

Download Submit
\??\Volume{4cc777a5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2d670018-cdbb-4cfe-917b-6e47ff62efa5}_OnDiskSnapshotProp

Filesize
5KB

MD5
e15158e189e916f101cbae4061a9354e

SHA1
4414ccf2f4221b8cf3e895908a3c2eaf101b06f6

SHA256
bdb2c3f43ba11e257551652ad4844fec15c0899cc64c73dd956a46602001dbef

SHA512
ad4d19d8a3256d2a66e09637a002b583a7b67e9fbc9290eb56f7a2ae2c7c7beb0f546313985464f04b0b066317d55bbbd9048ff1d0c9d418bc1397b20b546134

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads