Analysis
max time kernel: 121s
max time network: 124s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 06-09-2023 02:27
Static task: static1
Behavioral task: behavioral1
  Sample: Win10.0_System_Upgrade_Software (1).msi
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: Win10.0_System_Upgrade_Software (1).msi
  Resource: win10v2004-20230831-en
Behavioral task: behavioral3
  Sample: Win10.0_System_Upgrade_Software.msi
  Resource: win7-20230831-en
Behavioral task: behavioral4
  Sample: Win10.0_System_Upgrade_Software.msi
  Resource: win10v2004-20230831-en
General
Target: Win10.0_System_Upgrade_Software.msi
Size: 92KB
MD5: 108c1a102c58234f4cda627079df75c3
SHA1: 21d6f08bd6bab100eb0b1a09c806c78577ec5b25
SHA256: a0e41e8c856a4e7a71893abf513b6ebefde78dd81b37e560a29cf25a83b9df9b
SHA512: 0f4476005fa08acf212e1ec8bb548a9503a998e063e048de9cce438500f13ff5a98acac8ba4c3eeaf5572b583c6da9e2af23e23e3971675e260c628c2d6afb9b
SSDEEP: 1536:hzzvCgcyW/eh+qZR1alA9Dh0naIk2maifvWxWxWrspnfp+0D80Duu7fxFa:R1cz2h+gilA1fp3LxFa
Malware Config
Signatures
Blocklisted process makes network request (3 IoCs)
flow / pid / Process:
- flow 3, PID 2232, msiexec.exe
- flow 5, PID 2232, msiexec.exe
- flow 6, PID 2772, msiexec.exe
Loads dropped DLL (1 IoC)
pid / Process:
- PID 2264, MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process:
- File opened (read-only) \??\A: msiexec.exe
- File opened (read-only) \??\G: msiexec.exe
- File opened (read-only) \??\I: msiexec.exe
- File opened (read-only) \??\J: msiexec.exe
- File opened (read-only) \??\L: msiexec.exe
- File opened (read-only) \??\O: msiexec.exe
- File opened (read-only) \??\Q: msiexec.exe
- File opened (read-only) \??\W: msiexec.exe
- File opened (read-only) \??\P: msiexec.exe
- File opened (read-only) \??\W: msiexec.exe
- File opened (read-only) \??\X: msiexec.exe
- File opened (read-only) \??\G: msiexec.exe
- File opened (read-only) \??\I: msiexec.exe
- File opened (read-only) \??\K: msiexec.exe
- File opened (read-only) \??\L: msiexec.exe
- File opened (read-only) \??\M: msiexec.exe
- File opened (read-only) \??\H: msiexec.exe
- File opened (read-only) \??\K: msiexec.exe
- File opened (read-only) \??\T: msiexec.exe
- File opened (read-only) \??\B: msiexec.exe
- File opened (read-only) \??\H: msiexec.exe
- File opened (read-only) \??\J: msiexec.exe
- File opened (read-only) \??\Y: msiexec.exe
- File opened (read-only) \??\Z: msiexec.exe
- File opened (read-only) \??\P: msiexec.exe
- File opened (read-only) \??\S: msiexec.exe
- File opened (read-only) \??\V: msiexec.exe
- File opened (read-only) \??\A: msiexec.exe
- File opened (read-only) \??\R: msiexec.exe
- File opened (read-only) \??\T: msiexec.exe
- File opened (read-only) \??\Y: msiexec.exe
- File opened (read-only) \??\E: msiexec.exe
- File opened (read-only) \??\B: msiexec.exe
- File opened (read-only) \??\N: msiexec.exe
- File opened (read-only) \??\S: msiexec.exe
- File opened (read-only) \??\V: msiexec.exe
- File opened (read-only) \??\R: msiexec.exe
- File opened (read-only) \??\Z: msiexec.exe
- File opened (read-only) \??\U: msiexec.exe
- File opened (read-only) \??\N: msiexec.exe
- File opened (read-only) \??\Q: msiexec.exe
- File opened (read-only) \??\O: msiexec.exe
- File opened (read-only) \??\U: msiexec.exe
- File opened (read-only) \??\E: msiexec.exe
- File opened (read-only) \??\X: msiexec.exe
- File opened (read-only) \??\M: msiexec.exe
Drops file in Windows directory (11 IoCs)
description / ioc / Process:
- File created C:\Windows\Installer\f76e263.msi msiexec.exe
- File created C:\Windows\Installer\f76e264.ipi msiexec.exe
- File opened for modification C:\Windows\Installer\MSIE608.tmp msiexec.exe
- File opened for modification C:\Windows\Installer\MSIE7FC.tmp msiexec.exe
- File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe
- File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe
- File opened for modification C:\Windows\Installer\ msiexec.exe
- File created C:\Windows\Installer\f76e266.msi msiexec.exe
- File opened for modification C:\Windows\Installer\f76e264.ipi msiexec.exe
- File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe
- File opened for modification C:\Windows\Installer\f76e263.msi msiexec.exe
Modifies data under HKEY_USERS (43 IoCs)
description / ioc / Process:
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
- PID 2772, msiexec.exe
- PID 2772, msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description / pid / Process:
- Token: SeShutdownPrivilege 2232 msiexec.exe
- Token: SeIncreaseQuotaPrivilege 2232 msiexec.exe
- Token: SeRestorePrivilege 2772 msiexec.exe
- Token: SeTakeOwnershipPrivilege 2772 msiexec.exe
- Token: SeSecurityPrivilege 2772 msiexec.exe
- Token: SeCreateTokenPrivilege 2232 msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege 2232 msiexec.exe
- Token: SeLockMemoryPrivilege 2232 msiexec.exe
- Token: SeIncreaseQuotaPrivilege 2232 msiexec.exe
- Token: SeMachineAccountPrivilege 2232 msiexec.exe
- Token: SeTcbPrivilege 2232 msiexec.exe
- Token: SeSecurityPrivilege 2232 msiexec.exe
- Token: SeTakeOwnershipPrivilege 2232 msiexec.exe
- Token: SeLoadDriverPrivilege 2232 msiexec.exe
- Token: SeSystemProfilePrivilege 2232 msiexec.exe
- Token: SeSystemtimePrivilege 2232 msiexec.exe
- Token: SeProfSingleProcessPrivilege 2232 msiexec.exe
- Token: SeIncBasePriorityPrivilege 2232 msiexec.exe
- Token: SeCreatePagefilePrivilege 2232 msiexec.exe
- Token: SeCreatePermanentPrivilege 2232 msiexec.exe
- Token: SeBackupPrivilege 2232 msiexec.exe
- Token: SeRestorePrivilege 2232 msiexec.exe
- Token: SeShutdownPrivilege 2232 msiexec.exe
- Token: SeDebugPrivilege 2232 msiexec.exe
- Token: SeAuditPrivilege 2232 msiexec.exe
- Token: SeSystemEnvironmentPrivilege 2232 msiexec.exe
- Token: SeChangeNotifyPrivilege 2232 msiexec.exe
- Token: SeRemoteShutdownPrivilege 2232 msiexec.exe
- Token: SeUndockPrivilege 2232 msiexec.exe
- Token: SeSyncAgentPrivilege 2232 msiexec.exe
- Token: SeEnableDelegationPrivilege 2232 msiexec.exe
- Token: SeManageVolumePrivilege 2232 msiexec.exe
- Token: SeImpersonatePrivilege 2232 msiexec.exe
- Token: SeCreateGlobalPrivilege 2232 msiexec.exe
- Token: SeBackupPrivilege 2652 vssvc.exe
- Token: SeRestorePrivilege 2652 vssvc.exe
- Token: SeAuditPrivilege 2652 vssvc.exe
- Token: SeBackupPrivilege 2772 msiexec.exe
- Token: SeRestorePrivilege 2772 msiexec.exe
- Token: SeRestorePrivilege 1652 DrvInst.exe
- Token: SeRestorePrivilege 1652 DrvInst.exe
- Token: SeRestorePrivilege 1652 DrvInst.exe
- Token: SeRestorePrivilege 1652 DrvInst.exe
- Token: SeRestorePrivilege 1652 DrvInst.exe
- Token: SeRestorePrivilege 1652 DrvInst.exe
- Token: SeRestorePrivilege 1652 DrvInst.exe
- Token: SeLoadDriverPrivilege 1652 DrvInst.exe
- Token: SeLoadDriverPrivilege 1652 DrvInst.exe
- Token: SeLoadDriverPrivilege 1652 DrvInst.exe
- Token: SeRestorePrivilege 2772 msiexec.exe
- Token: SeTakeOwnershipPrivilege 2772 msiexec.exe
- Token: SeRestorePrivilege 2772 msiexec.exe
- Token: SeTakeOwnershipPrivilege 2772 msiexec.exe
- Token: SeRestorePrivilege 2772 msiexec.exe
- Token: SeTakeOwnershipPrivilege 2772 msiexec.exe
- Token: SeRestorePrivilege 2772 msiexec.exe
- Token: SeTakeOwnershipPrivilege 2772 msiexec.exe
- Token: SeRestorePrivilege 2772 msiexec.exe
- Token: SeTakeOwnershipPrivilege 2772 msiexec.exe
- Token: SeRestorePrivilege 2772 msiexec.exe
- Token: SeTakeOwnershipPrivilege 2772 msiexec.exe
- Token: SeRestorePrivilege 2772 msiexec.exe
- Token: SeTakeOwnershipPrivilege 2772 msiexec.exe
- Token: SeRestorePrivilege 2772 msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid / Process:
- PID 2232, msiexec.exe
- PID 2232, msiexec.exe
Suspicious use of WriteProcessMemory (5 IoCs)
description / pid / Process / procid_target:
- PID 2772 wrote to memory of 2264, 2772 msiexec.exe, target 33
- PID 2772 wrote to memory of 2264, 2772 msiexec.exe, target 33
- PID 2772 wrote to memory of 2264, 2772 msiexec.exe, target 33
- PID 2772 wrote to memory of 2264, 2772 msiexec.exe, target 33
- PID 2772 wrote to memory of 2264, 2772 msiexec.exe, target 33
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Win10.0_System_Upgrade_Software.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2232

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2772
  Child process:
    C:\Windows\system32\MsiExec.exe
      Command line: C:\Windows\system32\MsiExec.exe -Embedding 96295FA8C2DEA1C04671DC71765751F4
      - Loads dropped DLL
      PID: 2264

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 2652

C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005BC" "00000000000004A0"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 1652
Network
MITRE ATT&CK Enterprise v15
Downloads