398fdf5617eca81b8d24f8e226b0bad57055e4e220741bb158b921b6e10848ba

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2023 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows_exporter-0.16.0-amd64.msi
Size

8.2MB
MD5

2f79b0046007c6b3225a2adfe566a60e
SHA1

15bf190d4e0cef466f6b13c243ac5f284f4a3509
SHA256

398fdf5617eca81b8d24f8e226b0bad57055e4e220741bb158b921b6e10848ba
SHA512

8c21a457c40bfe9b70bc9d52da01d064704e16537365c0bf9fec11f7c15f6c341e3b4481f456219ecd2a8aedb96d70d9ca76a992b0fa17c23169e7b792cca52f
SSDEEP

196608:YSooSW62te7odmK5owRs0uUd+Wg74GmxZA0UqODHDC0QQ:xxL62ME47wRsN7DIZA03O6Q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4532	windows_exporter.exe

Loads dropped DLL 5 IoCs

pid	Process
3768	MsiExec.exe
3768	MsiExec.exe
3768	MsiExec.exe
3612	MsiExec.exe
3612	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\windows_exporter\windows_exporter.exe	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57ebc7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF06E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF438.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED6E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF02E.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ebc9.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED5D.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{D6F05276-350B-4E3B-A608-19D8B00A8396}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\Installer\e57ebc7.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D6F05276-350B-4E3B-A608-19D8B00A8396}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF2B1.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000754718877b32d5760000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000754718870000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000000032000000ffffffff00000000070001000068090075471887000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01232000000000020ed0d000000ffffffff00000000070001000068091975471887000000000000d0123200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007547188700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	windows_exporter.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-572 = "China Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	windows_exporter.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\67250F6DB053B3E46A80918D0BA03869\DefaultFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B5BE6A662CF141B43A26C5EE6C143380\67250F6DB053B3E46A80918D0BA03869	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\67250F6DB053B3E46A80918D0BA03869	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\ProductName = "windows_exporter"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\SourceList\PackageName = "windows_exporter-0.16.0-amd64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\PackageCode = "C6D75965D13268043A6B467E94F3A14A"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\Version = "1048576"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B5BE6A662CF141B43A26C5EE6C143380	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67250F6DB053B3E46A80918D0BA03869\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4372	msiexec.exe
4372	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4468	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4468	msiexec.exe
Token: SeSecurityPrivilege	4372	msiexec.exe
Token: SeCreateTokenPrivilege	4468	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4468	msiexec.exe
Token: SeLockMemoryPrivilege	4468	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4468	msiexec.exe
Token: SeMachineAccountPrivilege	4468	msiexec.exe
Token: SeTcbPrivilege	4468	msiexec.exe
Token: SeSecurityPrivilege	4468	msiexec.exe
Token: SeTakeOwnershipPrivilege	4468	msiexec.exe
Token: SeLoadDriverPrivilege	4468	msiexec.exe
Token: SeSystemProfilePrivilege	4468	msiexec.exe
Token: SeSystemtimePrivilege	4468	msiexec.exe
Token: SeProfSingleProcessPrivilege	4468	msiexec.exe
Token: SeIncBasePriorityPrivilege	4468	msiexec.exe
Token: SeCreatePagefilePrivilege	4468	msiexec.exe
Token: SeCreatePermanentPrivilege	4468	msiexec.exe
Token: SeBackupPrivilege	4468	msiexec.exe
Token: SeRestorePrivilege	4468	msiexec.exe
Token: SeShutdownPrivilege	4468	msiexec.exe
Token: SeDebugPrivilege	4468	msiexec.exe
Token: SeAuditPrivilege	4468	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4468	msiexec.exe
Token: SeChangeNotifyPrivilege	4468	msiexec.exe
Token: SeRemoteShutdownPrivilege	4468	msiexec.exe
Token: SeUndockPrivilege	4468	msiexec.exe
Token: SeSyncAgentPrivilege	4468	msiexec.exe
Token: SeEnableDelegationPrivilege	4468	msiexec.exe
Token: SeManageVolumePrivilege	4468	msiexec.exe
Token: SeImpersonatePrivilege	4468	msiexec.exe
Token: SeCreateGlobalPrivilege	4468	msiexec.exe
Token: SeBackupPrivilege	3820	vssvc.exe
Token: SeRestorePrivilege	3820	vssvc.exe
Token: SeAuditPrivilege	3820	vssvc.exe
Token: SeBackupPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeShutdownPrivilege	3612	MsiExec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4468	msiexec.exe
4468	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 2172	4372	msiexec.exe	98
PID 4372 wrote to memory of 2172	4372	msiexec.exe	98
PID 4372 wrote to memory of 3768	4372	msiexec.exe	100
PID 4372 wrote to memory of 3768	4372	msiexec.exe	100
PID 4372 wrote to memory of 3768	4372	msiexec.exe	100
PID 4372 wrote to memory of 3612	4372	msiexec.exe	102
PID 4372 wrote to memory of 3612	4372	msiexec.exe	102
PID 4372 wrote to memory of 3612	4372	msiexec.exe	102

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\windows_exporter-0.16.0-amd64.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4468

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2172
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2BBBAA8BD52552DE62111F35078C1A0F
  2⤵
  - Loads dropped DLL
  PID:3768
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 042C9407B0E4A088B80A8DC142E11EE1 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3612

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4228

C:\Program Files\windows_exporter\windows_exporter.exe
"C:\Program Files\windows_exporter\windows_exporter.exe" --log.format logger:eventlog?name=windows_exporter --telemetry.addr :9182
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ebc8.rbs

Filesize
329KB

MD5
3c89ec5e5b80f2c8d39a7ad7ae56e500

SHA1
a3e99ae617b7c18be704c7c1a292aea4a1a9afc1

SHA256
f87e12f9f78d4e2b9bda85eaf34b1a87124965bcd927b846acb676431b238f74

SHA512
39d8bfeada451939abcb9091ea8da31b2e44e7bec0c1ac5ca81c34ded2c0f134e5834ad988a1f9fee12e81ef36b4a1f1427503ade5cdac8dfa1100de582d452d

Download Submit
C:\Program Files\windows_exporter\windows_exporter.exe

Filesize
16.6MB

MD5
e3a0fa1dd54de39172d753ae803672c0

SHA1
8da903406ea08aacb026b296cf0730eaa988fc78

SHA256
3d1a7ac0820660c31ac9d5df15f28c95ee2c483bedb6a6336a88033f0136d826

SHA512
ecef987452ad8ccdc7d7d0ccb9305181b02234bbc17415dbc450cc6b261d4661fce89be80d607897a0318d4db58a4c51df2aa338cdc6f364efee32c23cd375d7

Download Submit
C:\Program Files\windows_exporter\windows_exporter.exe

Filesize
16.6MB

MD5
e3a0fa1dd54de39172d753ae803672c0

SHA1
8da903406ea08aacb026b296cf0730eaa988fc78

SHA256
3d1a7ac0820660c31ac9d5df15f28c95ee2c483bedb6a6336a88033f0136d826

SHA512
ecef987452ad8ccdc7d7d0ccb9305181b02234bbc17415dbc450cc6b261d4661fce89be80d607897a0318d4db58a4c51df2aa338cdc6f364efee32c23cd375d7

Download Submit
C:\Windows\Installer\MSIED6E.tmp

Filesize
118KB

MD5
f2d47929b432a0be6db3b25ac5f50ae6

SHA1
dbbd61fb1379e1d94dc0384f0c2e908c9c632d42

SHA256
0eae25d188cd1589844050135065aa302e716a2b691dda27d6ed18140aedef4f

SHA512
97601fd72456409ad3dc7aa816e29e53f6e7be80368fcc95c5fee90ff03fc7f36f8b105a705eea0e1af3d612b86c7793e74371d436ffa866d399c386078be58d

Download Submit
C:\Windows\Installer\MSIED6E.tmp

Filesize
118KB

MD5
f2d47929b432a0be6db3b25ac5f50ae6

SHA1
dbbd61fb1379e1d94dc0384f0c2e908c9c632d42

SHA256
0eae25d188cd1589844050135065aa302e716a2b691dda27d6ed18140aedef4f

SHA512
97601fd72456409ad3dc7aa816e29e53f6e7be80368fcc95c5fee90ff03fc7f36f8b105a705eea0e1af3d612b86c7793e74371d436ffa866d399c386078be58d

Download Submit
C:\Windows\Installer\MSIF02E.tmp

Filesize
118KB

MD5
f2d47929b432a0be6db3b25ac5f50ae6

SHA1
dbbd61fb1379e1d94dc0384f0c2e908c9c632d42

SHA256
0eae25d188cd1589844050135065aa302e716a2b691dda27d6ed18140aedef4f

SHA512
97601fd72456409ad3dc7aa816e29e53f6e7be80368fcc95c5fee90ff03fc7f36f8b105a705eea0e1af3d612b86c7793e74371d436ffa866d399c386078be58d

Download Submit
C:\Windows\Installer\MSIF02E.tmp

Filesize
118KB

MD5
f2d47929b432a0be6db3b25ac5f50ae6

SHA1
dbbd61fb1379e1d94dc0384f0c2e908c9c632d42

SHA256
0eae25d188cd1589844050135065aa302e716a2b691dda27d6ed18140aedef4f

SHA512
97601fd72456409ad3dc7aa816e29e53f6e7be80368fcc95c5fee90ff03fc7f36f8b105a705eea0e1af3d612b86c7793e74371d436ffa866d399c386078be58d

Download Submit
C:\Windows\Installer\MSIF06E.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
C:\Windows\Installer\MSIF06E.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
C:\Windows\Installer\MSIF2B1.tmp

Filesize
118KB

MD5
f2d47929b432a0be6db3b25ac5f50ae6

SHA1
dbbd61fb1379e1d94dc0384f0c2e908c9c632d42

SHA256
0eae25d188cd1589844050135065aa302e716a2b691dda27d6ed18140aedef4f

SHA512
97601fd72456409ad3dc7aa816e29e53f6e7be80368fcc95c5fee90ff03fc7f36f8b105a705eea0e1af3d612b86c7793e74371d436ffa866d399c386078be58d

Download Submit
C:\Windows\Installer\MSIF2B1.tmp

Filesize
118KB

MD5
f2d47929b432a0be6db3b25ac5f50ae6

SHA1
dbbd61fb1379e1d94dc0384f0c2e908c9c632d42

SHA256
0eae25d188cd1589844050135065aa302e716a2b691dda27d6ed18140aedef4f

SHA512
97601fd72456409ad3dc7aa816e29e53f6e7be80368fcc95c5fee90ff03fc7f36f8b105a705eea0e1af3d612b86c7793e74371d436ffa866d399c386078be58d

Download Submit
C:\Windows\Installer\MSIF2B1.tmp

Filesize
118KB

MD5
f2d47929b432a0be6db3b25ac5f50ae6

SHA1
dbbd61fb1379e1d94dc0384f0c2e908c9c632d42

SHA256
0eae25d188cd1589844050135065aa302e716a2b691dda27d6ed18140aedef4f

SHA512
97601fd72456409ad3dc7aa816e29e53f6e7be80368fcc95c5fee90ff03fc7f36f8b105a705eea0e1af3d612b86c7793e74371d436ffa866d399c386078be58d

Download Submit
C:\Windows\Installer\MSIF438.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
C:\Windows\Installer\MSIF438.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
C:\Windows\Installer\e57ebc7.msi

Filesize
8.2MB

MD5
2f79b0046007c6b3225a2adfe566a60e

SHA1
15bf190d4e0cef466f6b13c243ac5f284f4a3509

SHA256
398fdf5617eca81b8d24f8e226b0bad57055e4e220741bb158b921b6e10848ba

SHA512
8c21a457c40bfe9b70bc9d52da01d064704e16537365c0bf9fec11f7c15f6c341e3b4481f456219ecd2a8aedb96d70d9ca76a992b0fa17c23169e7b792cca52f

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
7c1e66e955f52768873829fa00f708c2

SHA1
8e4e14dce33ab0e48127003f46a1bd19def0fd5a

SHA256
0b30f70884e1963fefc9da7bb0c49bd6a509e80a10d5bf4bfce79c37995bae4b

SHA512
415401f8b1a7514156b7ed6fb2bf3173c09ea0260299d32db43d42039f639262847a4d72f7af04a0404aa38e0e3ffe94b3e5f5ffc647bb8310ef5602a77f1d3f

Download Submit
\??\Volume{87184775-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ef291e3d-8782-401f-9840-3d7dbf211b65}_OnDiskSnapshotProp

Filesize
5KB

MD5
d927cbc25bef6fc0f89354237556252a

SHA1
a47d217e2b0401aac199eb803f3b4fbe536629af

SHA256
46251a99d419f9e4ecdaab6e4465067cfb7d0adf3c967174e41ae0e8b1ceb9c0

SHA512
49c5473578b34fc7a546037744608edc5add6a12c5284aca01fce38f36e7196ad9a0702a57e51c2de86d4ac40989da0427d698b02245f0a86e1d188932a8495e

Download Submit