Analysis
-
max time kernel
143s
-
max time network
149s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230915-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
02/10/2023, 11:42
Static task
static1
Behavioral task
behavioral1
Sample
9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161.exe
Resource
win10v2004-20230915-en
General
-
Target
9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161.exe
-
Size
2.6MB
-
MD5
1f8e9fec647700b21d45e6cda97c39b7
-
SHA1
037288ee51553f84498ae4873c357d367d1a3667
-
SHA256
9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161
-
SHA512
42f6ca3456951f3e85024444e513f424add6eda9f4807bf84c91dc8ccb623be6a8e83dc40a8b6a1bc2c6fd080f2c51b719ead1422e9d1c1079795ec70953a1ad
-
SSDEEP
49152:IJFEcHcHfnIpvSUxuB4vkjfCSfil3ObWcrJhxSkm6Fo4Ea0g/I2Pz7citcU7tmLq:S2c8gfd87CQgu9xNpW4t/Ic7csd7t0q
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
| pid | Process |
| --- | --- |
| 4560 | MsiExec.exe |
-
Adds Run key to start application 2 TTPs 1 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161.exe |
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 1 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll | msiexec.exe |
-
Drops file in Windows directory 57 IoCs
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 3 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | msiexec.exe |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | msiexec.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | msiexec.exe |
-
Modifies registry class 45 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
| pid | Process |
| --- | --- |
| 4616 | msiexec.exe |
| 4616 | msiexec.exe |
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
| pid | Process |
| --- | --- |
| 4300 | msiexec.exe |
| 4300 | msiexec.exe |
-
Suspicious use of WriteProcessMemory 8 IoCs
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1980 wrote to memory of 4300 | 1980 | 9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161.exe | 87 |
| PID 1980 wrote to memory of 4300 | 1980 | 9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161.exe | 87 |
| PID 1980 wrote to memory of 4300 | 1980 | 9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161.exe | 87 |
| PID 4616 wrote to memory of 3732 | 4616 | msiexec.exe | 107 |
| PID 4616 wrote to memory of 3732 | 4616 | msiexec.exe | 107 |
| PID 4616 wrote to memory of 4560 | 4616 | msiexec.exe | 109 |
| PID 4616 wrote to memory of 4560 | 4616 | msiexec.exe | 109 |
| PID 4616 wrote to memory of 4560 | 4616 | msiexec.exe | 109 |
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161.exe"
PID: 1980
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\msiexec.exe
    Command line: msiexec /i vcredist.msi
    PID: 4300
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
PID: 4616
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 3732
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding EC574FAE399F1FDC6D11DB83791102C2
    PID: 4560
    - Loads dropped DLL
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 4580
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
\??\Volume{6ada6bfc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a02cb0aa-571a-4a6a-847f-cc4b12106fff}_OnDiskSnapshotProp
Filesize 5KB
MD5 3ee67bc881bc96f8e6195b2d34801da2
SHA1 219f03380c4affc22dc8947090b81df44cf0b4df
SHA256 9992a407af732913878a79ab43a7a2b168d9dc902b7b6458e9fdfced4b5a40ec
SHA512 b10a673503051a6507364f56de288398f133dc9ab2261d97335151fba0fd087c76618d1a01c74a1a30c35bbf9ea250347b3fa8091d33c27e0ef2cd8deb355581