398fdf5617eca81b8d24f8e226b0bad57055e4e220741bb158b921b6e10848ba

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20/07/2023, 09:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

windows_exporter-0.16.0-amd64.msi
Size

8.2MB
MD5

2f79b0046007c6b3225a2adfe566a60e
SHA1

15bf190d4e0cef466f6b13c243ac5f284f4a3509
SHA256

398fdf5617eca81b8d24f8e226b0bad57055e4e220741bb158b921b6e10848ba
SHA512

8c21a457c40bfe9b70bc9d52da01d064704e16537365c0bf9fec11f7c15f6c341e3b4481f456219ecd2a8aedb96d70d9ca76a992b0fa17c23169e7b792cca52f
SSDEEP

196608:YSooSW62te7odmK5owRs0uUd+Wg74GmxZA0UqODHDC0QQ:xxL62ME47wRsN7DIZA03O6Q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1308	windows_exporter.exe

Loads dropped DLL 7 IoCs

pid	Process
2732	MsiExec.exe
2732	MsiExec.exe
2732	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
468	Process not Found
468	Process not Found

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\windows_exporter\windows_exporter.exe	msiexec.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f776f08.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI712A.tmp	msiexec.exe
File created	C:\Windows\Installer\f776f0b.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f776f08.msi	msiexec.exe
File created	C:\Windows\Installer\f776f09.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75B0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f776f09.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI713B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7541.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI79D7.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{D6F05276-350B-4E3B-A608-19D8B00A8396}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI7870.tmp	msiexec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time"	windows_exporter.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-22 = "Cape Verde Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-521 = "N. Central Asia Daylight Time"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-21 = "Cape Verde Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	windows_exporter.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\SourceList\PackageName = "windows_exporter-0.16.0-amd64.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\67250F6DB053B3E46A80918D0BA03869	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B5BE6A662CF141B43A26C5EE6C143380\67250F6DB053B3E46A80918D0BA03869	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\ProductName = "windows_exporter"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\PackageCode = "C6D75965D13268043A6B467E94F3A14A"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\Version = "1048576"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B5BE6A662CF141B43A26C5EE6C143380	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\67250F6DB053B3E46A80918D0BA03869\DefaultFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\Language = "1033"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
744	msiexec.exe
744	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1812	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1812	msiexec.exe
Token: SeRestorePrivilege	744	msiexec.exe
Token: SeTakeOwnershipPrivilege	744	msiexec.exe
Token: SeSecurityPrivilege	744	msiexec.exe
Token: SeCreateTokenPrivilege	1812	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1812	msiexec.exe
Token: SeLockMemoryPrivilege	1812	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1812	msiexec.exe
Token: SeMachineAccountPrivilege	1812	msiexec.exe
Token: SeTcbPrivilege	1812	msiexec.exe
Token: SeSecurityPrivilege	1812	msiexec.exe
Token: SeTakeOwnershipPrivilege	1812	msiexec.exe
Token: SeLoadDriverPrivilege	1812	msiexec.exe
Token: SeSystemProfilePrivilege	1812	msiexec.exe
Token: SeSystemtimePrivilege	1812	msiexec.exe
Token: SeProfSingleProcessPrivilege	1812	msiexec.exe
Token: SeIncBasePriorityPrivilege	1812	msiexec.exe
Token: SeCreatePagefilePrivilege	1812	msiexec.exe
Token: SeCreatePermanentPrivilege	1812	msiexec.exe
Token: SeBackupPrivilege	1812	msiexec.exe
Token: SeRestorePrivilege	1812	msiexec.exe
Token: SeShutdownPrivilege	1812	msiexec.exe
Token: SeDebugPrivilege	1812	msiexec.exe
Token: SeAuditPrivilege	1812	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1812	msiexec.exe
Token: SeChangeNotifyPrivilege	1812	msiexec.exe
Token: SeRemoteShutdownPrivilege	1812	msiexec.exe
Token: SeUndockPrivilege	1812	msiexec.exe
Token: SeSyncAgentPrivilege	1812	msiexec.exe
Token: SeEnableDelegationPrivilege	1812	msiexec.exe
Token: SeManageVolumePrivilege	1812	msiexec.exe
Token: SeImpersonatePrivilege	1812	msiexec.exe
Token: SeCreateGlobalPrivilege	1812	msiexec.exe
Token: SeBackupPrivilege	2024	vssvc.exe
Token: SeRestorePrivilege	2024	vssvc.exe
Token: SeAuditPrivilege	2024	vssvc.exe
Token: SeBackupPrivilege	744	msiexec.exe
Token: SeRestorePrivilege	744	msiexec.exe
Token: SeRestorePrivilege	2156	DrvInst.exe
Token: SeRestorePrivilege	2156	DrvInst.exe
Token: SeRestorePrivilege	2156	DrvInst.exe
Token: SeRestorePrivilege	2156	DrvInst.exe
Token: SeRestorePrivilege	2156	DrvInst.exe
Token: SeRestorePrivilege	2156	DrvInst.exe
Token: SeRestorePrivilege	2156	DrvInst.exe
Token: SeLoadDriverPrivilege	2156	DrvInst.exe
Token: SeLoadDriverPrivilege	2156	DrvInst.exe
Token: SeLoadDriverPrivilege	2156	DrvInst.exe
Token: SeRestorePrivilege	744	msiexec.exe
Token: SeTakeOwnershipPrivilege	744	msiexec.exe
Token: SeRestorePrivilege	744	msiexec.exe
Token: SeTakeOwnershipPrivilege	744	msiexec.exe
Token: SeRestorePrivilege	744	msiexec.exe
Token: SeTakeOwnershipPrivilege	744	msiexec.exe
Token: SeRestorePrivilege	744	msiexec.exe
Token: SeTakeOwnershipPrivilege	744	msiexec.exe
Token: SeRestorePrivilege	744	msiexec.exe
Token: SeTakeOwnershipPrivilege	744	msiexec.exe
Token: SeRestorePrivilege	744	msiexec.exe
Token: SeTakeOwnershipPrivilege	744	msiexec.exe
Token: SeRestorePrivilege	744	msiexec.exe
Token: SeTakeOwnershipPrivilege	744	msiexec.exe
Token: SeRestorePrivilege	744	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1812	msiexec.exe
1812	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 2732	744	msiexec.exe	34
PID 744 wrote to memory of 2732	744	msiexec.exe	34
PID 744 wrote to memory of 2732	744	msiexec.exe	34
PID 744 wrote to memory of 2732	744	msiexec.exe	34
PID 744 wrote to memory of 2732	744	msiexec.exe	34
PID 744 wrote to memory of 2732	744	msiexec.exe	34
PID 744 wrote to memory of 2732	744	msiexec.exe	34
PID 744 wrote to memory of 1692	744	msiexec.exe	35
PID 744 wrote to memory of 1692	744	msiexec.exe	35
PID 744 wrote to memory of 1692	744	msiexec.exe	35
PID 744 wrote to memory of 1692	744	msiexec.exe	35
PID 744 wrote to memory of 1692	744	msiexec.exe	35
PID 744 wrote to memory of 1692	744	msiexec.exe	35
PID 744 wrote to memory of 1692	744	msiexec.exe	35

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\windows_exporter-0.16.0-amd64.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1812

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 85A4038C91A5DC991CE9275E7FA14DD7
  2⤵
  - Loads dropped DLL
  PID:2732
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C15EDE53592947737103B81DC73B8117 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000590" "00000000000003DC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1292

C:\Program Files\windows_exporter\windows_exporter.exe
"C:\Program Files\windows_exporter\windows_exporter.exe" --log.format logger:eventlog?name=windows_exporter --telemetry.addr :9182
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f776f0a.rbs

Filesize
329KB

MD5
168dbc459cf71b32a50caa39e240176f

SHA1
ed5fb74b8f1964da994f10e205176ba42355f24a

SHA256
487c9ef3b65dd06aeb883a2981ba0d1aba726103fa8218189cd9a45b0974d4d5

SHA512
4d53e6f8a771c5914a46e458551e5da58df0faabb0d8f0245c1cf6e5a993561a4d23cc1dd5f769a627176d51c71c2e8ee906883b69794c8e1b1bc9fdb11d3074

Download Submit
C:\Program Files\windows_exporter\windows_exporter.exe

Filesize
16.6MB

MD5
e3a0fa1dd54de39172d753ae803672c0

SHA1
8da903406ea08aacb026b296cf0730eaa988fc78

SHA256
3d1a7ac0820660c31ac9d5df15f28c95ee2c483bedb6a6336a88033f0136d826

SHA512
ecef987452ad8ccdc7d7d0ccb9305181b02234bbc17415dbc450cc6b261d4661fce89be80d607897a0318d4db58a4c51df2aa338cdc6f364efee32c23cd375d7

Download Submit
C:\Program Files\windows_exporter\windows_exporter.exe

Filesize
16.6MB

MD5
e3a0fa1dd54de39172d753ae803672c0

SHA1
8da903406ea08aacb026b296cf0730eaa988fc78

SHA256
3d1a7ac0820660c31ac9d5df15f28c95ee2c483bedb6a6336a88033f0136d826

SHA512
ecef987452ad8ccdc7d7d0ccb9305181b02234bbc17415dbc450cc6b261d4661fce89be80d607897a0318d4db58a4c51df2aa338cdc6f364efee32c23cd375d7

Download Submit
C:\Windows\Installer\MSI713B.tmp

Filesize
118KB

MD5
f2d47929b432a0be6db3b25ac5f50ae6

SHA1
dbbd61fb1379e1d94dc0384f0c2e908c9c632d42

SHA256
0eae25d188cd1589844050135065aa302e716a2b691dda27d6ed18140aedef4f

SHA512
97601fd72456409ad3dc7aa816e29e53f6e7be80368fcc95c5fee90ff03fc7f36f8b105a705eea0e1af3d612b86c7793e74371d436ffa866d399c386078be58d

Download Submit
C:\Windows\Installer\MSI7541.tmp

Filesize
118KB

MD5
f2d47929b432a0be6db3b25ac5f50ae6

SHA1
dbbd61fb1379e1d94dc0384f0c2e908c9c632d42

SHA256
0eae25d188cd1589844050135065aa302e716a2b691dda27d6ed18140aedef4f

SHA512
97601fd72456409ad3dc7aa816e29e53f6e7be80368fcc95c5fee90ff03fc7f36f8b105a705eea0e1af3d612b86c7793e74371d436ffa866d399c386078be58d

Download Submit
C:\Windows\Installer\MSI75B0.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
C:\Windows\Installer\MSI7870.tmp

Filesize
118KB

MD5
f2d47929b432a0be6db3b25ac5f50ae6

SHA1
dbbd61fb1379e1d94dc0384f0c2e908c9c632d42

SHA256
0eae25d188cd1589844050135065aa302e716a2b691dda27d6ed18140aedef4f

SHA512
97601fd72456409ad3dc7aa816e29e53f6e7be80368fcc95c5fee90ff03fc7f36f8b105a705eea0e1af3d612b86c7793e74371d436ffa866d399c386078be58d

Download Submit
C:\Windows\Installer\MSI7870.tmp

Filesize
118KB

MD5
f2d47929b432a0be6db3b25ac5f50ae6

SHA1
dbbd61fb1379e1d94dc0384f0c2e908c9c632d42

SHA256
0eae25d188cd1589844050135065aa302e716a2b691dda27d6ed18140aedef4f

SHA512
97601fd72456409ad3dc7aa816e29e53f6e7be80368fcc95c5fee90ff03fc7f36f8b105a705eea0e1af3d612b86c7793e74371d436ffa866d399c386078be58d

Download Submit
C:\Windows\Installer\MSI79D7.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
C:\Windows\Installer\f776f08.msi

Filesize
8.2MB

MD5
2f79b0046007c6b3225a2adfe566a60e

SHA1
15bf190d4e0cef466f6b13c243ac5f284f4a3509

SHA256
398fdf5617eca81b8d24f8e226b0bad57055e4e220741bb158b921b6e10848ba

SHA512
8c21a457c40bfe9b70bc9d52da01d064704e16537365c0bf9fec11f7c15f6c341e3b4481f456219ecd2a8aedb96d70d9ca76a992b0fa17c23169e7b792cca52f

Download Submit
\Program Files\windows_exporter\windows_exporter.exe

Filesize
16.6MB

MD5
e3a0fa1dd54de39172d753ae803672c0

SHA1
8da903406ea08aacb026b296cf0730eaa988fc78

SHA256
3d1a7ac0820660c31ac9d5df15f28c95ee2c483bedb6a6336a88033f0136d826

SHA512
ecef987452ad8ccdc7d7d0ccb9305181b02234bbc17415dbc450cc6b261d4661fce89be80d607897a0318d4db58a4c51df2aa338cdc6f364efee32c23cd375d7

Download Submit
\Program Files\windows_exporter\windows_exporter.exe

Filesize
16.6MB

MD5
e3a0fa1dd54de39172d753ae803672c0

SHA1
8da903406ea08aacb026b296cf0730eaa988fc78

SHA256
3d1a7ac0820660c31ac9d5df15f28c95ee2c483bedb6a6336a88033f0136d826

SHA512
ecef987452ad8ccdc7d7d0ccb9305181b02234bbc17415dbc450cc6b261d4661fce89be80d607897a0318d4db58a4c51df2aa338cdc6f364efee32c23cd375d7

Download Submit
\Windows\Installer\MSI713B.tmp

Filesize
118KB

MD5
f2d47929b432a0be6db3b25ac5f50ae6

SHA1
dbbd61fb1379e1d94dc0384f0c2e908c9c632d42

SHA256
0eae25d188cd1589844050135065aa302e716a2b691dda27d6ed18140aedef4f

SHA512
97601fd72456409ad3dc7aa816e29e53f6e7be80368fcc95c5fee90ff03fc7f36f8b105a705eea0e1af3d612b86c7793e74371d436ffa866d399c386078be58d

Download Submit
\Windows\Installer\MSI7541.tmp

Filesize
118KB

MD5
f2d47929b432a0be6db3b25ac5f50ae6

SHA1
dbbd61fb1379e1d94dc0384f0c2e908c9c632d42

SHA256
0eae25d188cd1589844050135065aa302e716a2b691dda27d6ed18140aedef4f

SHA512
97601fd72456409ad3dc7aa816e29e53f6e7be80368fcc95c5fee90ff03fc7f36f8b105a705eea0e1af3d612b86c7793e74371d436ffa866d399c386078be58d

Download Submit
\Windows\Installer\MSI75B0.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
\Windows\Installer\MSI7870.tmp

Filesize
118KB

MD5
f2d47929b432a0be6db3b25ac5f50ae6

SHA1
dbbd61fb1379e1d94dc0384f0c2e908c9c632d42

SHA256
0eae25d188cd1589844050135065aa302e716a2b691dda27d6ed18140aedef4f

SHA512
97601fd72456409ad3dc7aa816e29e53f6e7be80368fcc95c5fee90ff03fc7f36f8b105a705eea0e1af3d612b86c7793e74371d436ffa866d399c386078be58d

Download Submit
\Windows\Installer\MSI79D7.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit