Analysis
max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags
arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted
06-09-2023 02:27
Static task
static1
Behavioral task
behavioral1
Sample
Win10.0_System_Upgrade_Software (1).msi
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
Win10.0_System_Upgrade_Software (1).msi
Resource
win10v2004-20230831-en
Behavioral task
behavioral3
Sample
Win10.0_System_Upgrade_Software.msi
Resource
win7-20230831-en
Behavioral task
behavioral4
Sample
Win10.0_System_Upgrade_Software.msi
Resource
win10v2004-20230831-en
General
-
Target
Win10.0_System_Upgrade_Software (1).msi
-
Size
96KB
-
MD5
6c120194a2f94ef993950e55bd00108b
-
SHA1
670b20bf3be343efec6a162c3fc5443c9ec0f367
-
SHA256
48b9a931b49c1b20ec23f182246b937265e735937c2d798f9f2fee557018b629
-
SHA512
b4976bd4ba4bc3092ac924cbd7423e27a73aa926282f3fa36ba14892defec5e8fec2f6460fbcbb03ee4b7831610d45dd7290dd12ab61a8ce24911f51879494ae
-
SSDEEP
1536:9w6uKzgNtoaIbxxmNDMOVASySUXFmff0D80Dq7fx5:9kKzkYs3SSyS+UbLx5
Malware Config
Signatures
-
Blocklisted process makes network request (3 IoCs)
flow  pid   Process
3     2444  msiexec.exe
5     2444  msiexec.exe
6     2756  msiexec.exe
Loads dropped DLL (1 IoC)
pid  Process
744  MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
Drops file in Windows directory (11 IoCs)
description                   ioc                                   Process
File opened for modification  C:\Windows\INF\setupapi.ev1           DrvInst.exe
File created                  C:\Windows\Installer\f767742.msi      msiexec.exe
File created                  C:\Windows\Installer\f767743.ipi      msiexec.exe
File opened for modification  C:\Windows\Installer\                 msiexec.exe
File opened for modification  C:\Windows\Installer\MSI7C6E.tmp      msiexec.exe
File created                  C:\Windows\Installer\f767745.msi      msiexec.exe
File opened for modification  C:\Windows\Installer\f767743.ipi      msiexec.exe
File opened for modification  C:\Windows\INF\setupapi.ev3           DrvInst.exe
File opened for modification  C:\Windows\Installer\f767742.msi      msiexec.exe
File opened for modification  C:\Windows\Installer\MSI7B92.tmp      msiexec.exe
File opened for modification  C:\Windows\INF\setupapi.dev.log       DrvInst.exe
Modifies data under HKEY_USERS (43 IoCs)
description       ioc                                                                                              Process
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs                         DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates        DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs                        DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA                       DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs                  DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs          DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs               DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs                  DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs                DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs       DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust                             DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs                   DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates       DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates                   DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates          DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root                              DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs                         DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates        DrvInst.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs                           DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates                 DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs                DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople                     DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople            DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs       DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs                        DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA                                DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust                    DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs                DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs                DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates                DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates           DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My                                DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs                           DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed                        DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs                   DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed               DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs          DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot                     DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs               DrvInst.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2756  msiexec.exe
2756  msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                           pid   Process
Token: SeShutdownPrivilege            2444  msiexec.exe
Token: SeIncreaseQuotaPrivilege       2444  msiexec.exe
Token: SeRestorePrivilege             2756  msiexec.exe
Token: SeTakeOwnershipPrivilege       2756  msiexec.exe
Token: SeSecurityPrivilege            2756  msiexec.exe
Token: SeCreateTokenPrivilege         2444  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  2444  msiexec.exe
Token: SeLockMemoryPrivilege          2444  msiexec.exe
Token: SeIncreaseQuotaPrivilege       2444  msiexec.exe
Token: SeMachineAccountPrivilege      2444  msiexec.exe
Token: SeTcbPrivilege                 2444  msiexec.exe
Token: SeSecurityPrivilege            2444  msiexec.exe
Token: SeTakeOwnershipPrivilege       2444  msiexec.exe
Token: SeLoadDriverPrivilege          2444  msiexec.exe
Token: SeSystemProfilePrivilege       2444  msiexec.exe
Token: SeSystemtimePrivilege          2444  msiexec.exe
Token: SeProfSingleProcessPrivilege   2444  msiexec.exe
Token: SeIncBasePriorityPrivilege     2444  msiexec.exe
Token: SeCreatePagefilePrivilege      2444  msiexec.exe
Token: SeCreatePermanentPrivilege     2444  msiexec.exe
Token: SeBackupPrivilege              2444  msiexec.exe
Token: SeRestorePrivilege             2444  msiexec.exe
Token: SeShutdownPrivilege            2444  msiexec.exe
Token: SeDebugPrivilege               2444  msiexec.exe
Token: SeAuditPrivilege               2444  msiexec.exe
Token: SeSystemEnvironmentPrivilege   2444  msiexec.exe
Token: SeChangeNotifyPrivilege        2444  msiexec.exe
Token: SeRemoteShutdownPrivilege      2444  msiexec.exe
Token: SeUndockPrivilege              2444  msiexec.exe
Token: SeSyncAgentPrivilege           2444  msiexec.exe
Token: SeEnableDelegationPrivilege    2444  msiexec.exe
Token: SeManageVolumePrivilege        2444  msiexec.exe
Token: SeImpersonatePrivilege         2444  msiexec.exe
Token: SeCreateGlobalPrivilege        2444  msiexec.exe
Token: SeBackupPrivilege              2556  vssvc.exe
Token: SeRestorePrivilege             2556  vssvc.exe
Token: SeAuditPrivilege               2556  vssvc.exe
Token: SeBackupPrivilege              2756  msiexec.exe
Token: SeRestorePrivilege             2756  msiexec.exe
Token: SeRestorePrivilege             2028  DrvInst.exe
Token: SeRestorePrivilege             2028  DrvInst.exe
Token: SeRestorePrivilege             2028  DrvInst.exe
Token: SeRestorePrivilege             2028  DrvInst.exe
Token: SeRestorePrivilege             2028  DrvInst.exe
Token: SeRestorePrivilege             2028  DrvInst.exe
Token: SeRestorePrivilege             2028  DrvInst.exe
Token: SeLoadDriverPrivilege          2028  DrvInst.exe
Token: SeLoadDriverPrivilege          2028  DrvInst.exe
Token: SeLoadDriverPrivilege          2028  DrvInst.exe
Token: SeRestorePrivilege             2756  msiexec.exe
Token: SeTakeOwnershipPrivilege       2756  msiexec.exe
Token: SeRestorePrivilege             2756  msiexec.exe
Token: SeTakeOwnershipPrivilege       2756  msiexec.exe
Token: SeRestorePrivilege             2756  msiexec.exe
Token: SeTakeOwnershipPrivilege       2756  msiexec.exe
Token: SeRestorePrivilege             2756  msiexec.exe
Token: SeTakeOwnershipPrivilege       2756  msiexec.exe
Token: SeRestorePrivilege             2756  msiexec.exe
Token: SeTakeOwnershipPrivilege       2756  msiexec.exe
Token: SeRestorePrivilege             2756  msiexec.exe
Token: SeTakeOwnershipPrivilege       2756  msiexec.exe
Token: SeRestorePrivilege             2756  msiexec.exe
Token: SeTakeOwnershipPrivilege       2756  msiexec.exe
Token: SeRestorePrivilege             2756  msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
2444  msiexec.exe
2444  msiexec.exe
Suspicious use of WriteProcessMemory (5 IoCs)
description                        pid   Process      procid_target
PID 2756 wrote to memory of 744    2756  msiexec.exe  33
PID 2756 wrote to memory of 744    2756  msiexec.exe  33
PID 2756 wrote to memory of 744    2756  msiexec.exe  33
PID 2756 wrote to memory of 744    2756  msiexec.exe  33
PID 2756 wrote to memory of 744    2756  msiexec.exe  33
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Win10.0_System_Upgrade_Software (1).msi"
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2444
- C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
  - C:\Windows\system32\MsiExec.exe
    C:\Windows\system32\MsiExec.exe -Embedding 1C1BB6E9D076B6712485DB9959B117DB
    - Loads dropped DLL
    PID:744
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C8" "00000000000002A4"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
7KB
MD5
2ae9d8a14feda49c46590ee5fa74e910
SHA1
ab7ada9df19a5ab3c9fd6670be4fe7483e7f9998
SHA256
121bdb81cadb2a381bc04c5a5585dfebe6b8839d4bedb5fbe6655544f5c12ed1
SHA512
142b4b0a2c2b867a785435cac163db47ae651e793a1de022dd9ff7bf7c9535c6014dcc73ae0de06dc60b9d1c529650a1e4e37b3f707593c406028201a16ebad0
-
Filesize
1KB
MD5
78f2fcaa601f2fb4ebc937ba532e7549
SHA1
ddfb16cd4931c973a2037d3fc83a4d7d775d05e4
SHA256
552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988
SHA512
bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
10dc43e0d2cd63ba02152592b56f6b7e
SHA1
6f6015817a8b05e1c0be02ded6ea5b6109bf05bb
SHA256
2a29ee566dd39f7243be57d7a518bc6b8236ff3e0c880ff5c260d1b1b3da2b55
SHA512
0bcc1fbc98808fc8799c587690e454072ffc5c0eb3e9fecaa1aefc2806e2fae3595df7eaeecbd9de7bde26c9b8c9aac3b3fef72c04aaf964ea487bc5a557005a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Filesize
254B
MD5
072139a4495923e8760e08dc8b318a71
SHA1
c8a44f20aea1d4403590bfb9060b82153661fdf1
SHA256
d1d45b7b5824f5704d9ce7b1d0a9e6ca1f8b855ce33eba425cda9e8b840ce28c
SHA512
fe06af24405867da5d5a971a5d5f7bb506fafe627a015196feff1bf193a446ec4293b00249ef9d4f730873411e03c15c90fe7e9aa619b0bacacedbfceba84afb
-
Filesize
61KB
MD5
f3441b8572aae8801c04f3060b550443
SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
163KB
MD5
9441737383d21192400eca82fda910ec
SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
Filesize
53KB
MD5
b1b419f1d12b690013e7946efb733bd8
SHA1
93bc125eefb3daca36dc8014214c7c3d788d443c
SHA256
a1c5c0b2f1bc8e40a6e59c5d66876a031a593287e939ca6f79486ef8f68e34fb
SHA512
66bf4cd551a47c8c0ca30a0d1366ac034d8a6b99caaf880daaff01d23b445e4257f4776904270619a1e072bcbba37aef0c245dc2fae9f412614f92bd7e1f3af6
-
Filesize
96KB
MD5
6c120194a2f94ef993950e55bd00108b
SHA1
670b20bf3be343efec6a162c3fc5443c9ec0f367
SHA256
48b9a931b49c1b20ec23f182246b937265e735937c2d798f9f2fee557018b629
SHA512
b4976bd4ba4bc3092ac924cbd7423e27a73aa926282f3fa36ba14892defec5e8fec2f6460fbcbb03ee4b7831610d45dd7290dd12ab61a8ce24911f51879494ae
-
Filesize
53KB
MD5
b1b419f1d12b690013e7946efb733bd8
SHA1
93bc125eefb3daca36dc8014214c7c3d788d443c
SHA256
a1c5c0b2f1bc8e40a6e59c5d66876a031a593287e939ca6f79486ef8f68e34fb
SHA512
66bf4cd551a47c8c0ca30a0d1366ac034d8a6b99caaf880daaff01d23b445e4257f4776904270619a1e072bcbba37aef0c245dc2fae9f412614f92bd7e1f3af6