2b5d121af33ed02c634fe39d3d178f7263d923640a9d9125a62fe6a612642122

Resubmissions

22/09/2023, 01:31

230922-bxdfwsdf43 7

21/09/2023, 06:53

230921-hnmrjaea4z 6

Analysis

max time kernel
141s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22/09/2023, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ws400eval.msi
Size

3.5MB
MD5

90cb0a3346b88eabcdbdfb31de144867
SHA1

1ea3b6246a0f0ee23fbe371368f40c9abb1d60f6
SHA256

2b5d121af33ed02c634fe39d3d178f7263d923640a9d9125a62fe6a612642122
SHA512

4cc61074cd286060a29fb7d597d7aa14c5618fc8c805a3f32949fe3d166fae258bbb10f9a6de1b87f39ad944bf87b8b617cd3e17dee435a32c948a1334185410
SSDEEP

98304:u7RMkgMPxvzDTU/goe6kEMyV1i4c7iTiVg1dGCp:uVMJMPdDTUR1MyfXTiVgV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1264	ws4eval.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WinSolve\WinSolve\ws4eval.exe	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\guide.cnt	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\dat\rbclin.txt	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\dat\rbc.log	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\winsolve.cnt	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\dat\rbcnl.txt	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\convert.exe	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\diycom.cnt	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\logcom.cnt	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\logcom.hlp	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\dat\rbc.sdf	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\dat\rbc.txt	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\tutorial.pdf	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\version4tut.pdf	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\forecast.pdf	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\guide4.pdf	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\dat\klein1.log	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\dat\klein1.txt	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\diycom.hlp	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\guide.hlp	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\dat\klein1.sdf	msiexec.exe
File created	C:\Program Files (x86)\WinSolve\WinSolve\winsolve.hlp	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\winsolve.ini	ws4eval.exe
File created	C:\Windows\Installer\f76a7f4.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA43.tmp	msiexec.exe
File created	C:\Windows\Installer\f76a7f6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76a7f4.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f76a7f3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76a7f3.msi	msiexec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinSolve.1\CLSID	ws4eval.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinSolve.1\DefaultIcon\ = "C:\\Program Files (x86)\\WinSolve\\WinSolve\\ws4eval.exe,1"	ws4eval.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Model.1	ws4eval.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Data.1	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.smf\Content Type = "application/smf"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.smf	ws4eval.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Data.1\shell\open\command\ = "C:\\Program Files (x86)\\WinSolve\\WinSolve\\ws4eval.exe %1"	ws4eval.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Data.1	ws4eval.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.sdf\ = "WinSolve.Data.1"	ws4eval.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Data.1\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSolve\\WinSolve\\ws4eval.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.sdf	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.smf\ = "WinSolve.Model.1"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.smf\ = "WinSolve.Model.1"	ws4eval.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Model.1\shell	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.smf	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Model.1\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Model.1\ = "WinSolve model file"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Model.1\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinSolve.1\CLSID\ = "{3D146841-78AC-11D0-AB3A-0020AF71E433}"	ws4eval.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinSolve.1\shell\open\command\ = "C:\\Program Files (x86)\\WinSolve\\WinSolve\\ws4eval.exe"	ws4eval.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Model.1\ = "WinSolve model file"	ws4eval.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Model.1\shell\open	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Model.1\shell\open\ = "open"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Data.1\shell\open\command	ws4eval.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Model.1\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSolve\\WinSolve\\ws4eval.exe\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinSolve.1	ws4eval.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.sdf\ = "WinSolve.Data.1"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Model.1\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSolve\\WinSolve\\ws4eval.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Data.1\shell\open\ = "open"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Data.1\ = "WinSolve data file"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Model.1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinSolve.1\shell\open\command	ws4eval.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinSolve.1\shell	ws4eval.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Data.1\ = "WinSolve data file"	ws4eval.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Data.1\shell\open	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Data.1\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinSolve.1\shell\open	ws4eval.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Data.1\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Data.1\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSolve\\WinSolve\\ws4eval.exe\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinSolve.1\DefaultIcon	ws4eval.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Model.1\shell\open\command	ws4eval.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Model.1\shell\open\command\ = "C:\\Program Files (x86)\\WinSolve\\WinSolve\\ws4eval.exe %1"	ws4eval.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.sdf	ws4eval.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\WinSolve.Data.1\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.sdf\Content Type = "application/sdf"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2808	msiexec.exe
2808	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2488	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2488	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeSecurityPrivilege	2808	msiexec.exe
Token: SeCreateTokenPrivilege	2488	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2488	msiexec.exe
Token: SeLockMemoryPrivilege	2488	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2488	msiexec.exe
Token: SeMachineAccountPrivilege	2488	msiexec.exe
Token: SeTcbPrivilege	2488	msiexec.exe
Token: SeSecurityPrivilege	2488	msiexec.exe
Token: SeTakeOwnershipPrivilege	2488	msiexec.exe
Token: SeLoadDriverPrivilege	2488	msiexec.exe
Token: SeSystemProfilePrivilege	2488	msiexec.exe
Token: SeSystemtimePrivilege	2488	msiexec.exe
Token: SeProfSingleProcessPrivilege	2488	msiexec.exe
Token: SeIncBasePriorityPrivilege	2488	msiexec.exe
Token: SeCreatePagefilePrivilege	2488	msiexec.exe
Token: SeCreatePermanentPrivilege	2488	msiexec.exe
Token: SeBackupPrivilege	2488	msiexec.exe
Token: SeRestorePrivilege	2488	msiexec.exe
Token: SeShutdownPrivilege	2488	msiexec.exe
Token: SeDebugPrivilege	2488	msiexec.exe
Token: SeAuditPrivilege	2488	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2488	msiexec.exe
Token: SeChangeNotifyPrivilege	2488	msiexec.exe
Token: SeRemoteShutdownPrivilege	2488	msiexec.exe
Token: SeUndockPrivilege	2488	msiexec.exe
Token: SeSyncAgentPrivilege	2488	msiexec.exe
Token: SeEnableDelegationPrivilege	2488	msiexec.exe
Token: SeManageVolumePrivilege	2488	msiexec.exe
Token: SeImpersonatePrivilege	2488	msiexec.exe
Token: SeCreateGlobalPrivilege	2488	msiexec.exe
Token: SeBackupPrivilege	2628	vssvc.exe
Token: SeRestorePrivilege	2628	vssvc.exe
Token: SeAuditPrivilege	2628	vssvc.exe
Token: SeBackupPrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	484	DrvInst.exe
Token: SeRestorePrivilege	484	DrvInst.exe
Token: SeRestorePrivilege	484	DrvInst.exe
Token: SeRestorePrivilege	484	DrvInst.exe
Token: SeRestorePrivilege	484	DrvInst.exe
Token: SeRestorePrivilege	484	DrvInst.exe
Token: SeRestorePrivilege	484	DrvInst.exe
Token: SeLoadDriverPrivilege	484	DrvInst.exe
Token: SeLoadDriverPrivilege	484	DrvInst.exe
Token: SeLoadDriverPrivilege	484	DrvInst.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2488	msiexec.exe
2488	msiexec.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 1320	1264	ws4eval.exe	36
PID 1264 wrote to memory of 1320	1264	ws4eval.exe	36
PID 1264 wrote to memory of 1320	1264	ws4eval.exe	36
PID 1264 wrote to memory of 1320	1264	ws4eval.exe	36

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ws400eval.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2488

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B0" "00000000000003F8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:484

C:\Program Files (x86)\WinSolve\WinSolve\ws4eval.exe
"C:\Program Files (x86)\WinSolve\WinSolve\ws4eval.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76a7f5.rbs

Filesize
14KB

MD5
34367672ae025ae5e668e9f8183a8856

SHA1
48dc451cae9a36e67ee6674ac004f61e4521fb8b

SHA256
59198f13abf73e6c10774e36b56753997d43f85f43892c6b9e381233543d2fe9

SHA512
051fc4ce9b51bd0b3e51c84a7689ab2a278877be468ff1249c8be2385748107e9b4bf672a159280ef05c1891e4ad12c93964569fd0db0cffdb96eb8305a2eb1b

Download Submit
C:\Program Files (x86)\WinSolve\WinSolve\ws4eval.exe

Filesize
1.5MB

MD5
59ded6806112e6861ca451a277564859

SHA1
7722e59fe481379a33e7edfde6ce7b0e316cf622

SHA256
5c6f9a4838f1916ff29d75353f933d13ff4a9ff1504a7a89db800a3511dc2cc9

SHA512
7330226301ef10dfb2bd5d24ac2ae9eaaa008270f5f9e7a24146c2be8f62642eb0b42d20d992d869ba503598647c7b0dbab470de98a4efa0a5364ad856899571

Download Submit
C:\Windows\Installer\f76a7f3.msi

Filesize
3.5MB

MD5
90cb0a3346b88eabcdbdfb31de144867

SHA1
1ea3b6246a0f0ee23fbe371368f40c9abb1d60f6

SHA256
2b5d121af33ed02c634fe39d3d178f7263d923640a9d9125a62fe6a612642122

SHA512
4cc61074cd286060a29fb7d597d7aa14c5618fc8c805a3f32949fe3d166fae258bbb10f9a6de1b87f39ad944bf87b8b617cd3e17dee435a32c948a1334185410

Download Submit
C:\Windows\winsolve.ini

Filesize
16B

MD5
4cf8ad872352c1d18bdf2e1553e8dc1a

SHA1
1dcbcc107f537396c7dfbd3b8f9e41ccd5d43657

SHA256
c57df93830db1e5d4f3ad79101341dc70870058a5b946bdfd1e5fd2493a8a8f5

SHA512
2d4bc4a718ae0a149d0e97c1d0cba05a34a0287bd1add597b3135c8dda0020d1fa425a8fbe6491a0aad70f190a04d061c797d2bc289fb55d7e5e1ed6e161d0d9

Download Submit
memory/1264-112-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1264-120-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download