Analysis
- max time kernel: 117s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 05/10/2023, 14:50
Static task: static1
Behavioral task: behavioral1
  Sample: AccessMUISet.msi
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: AccessMUISet.msi
  Resource: win10v2004-20230915-en
General
- Target: AccessMUISet.msi
- Size: 490KB
- MD5: 3349f76de5b4a7fceb2c8af46086cafc
- SHA1: c4a526305929fff165cf5186a6311f022b2e6a40
- SHA256: c2a3c0000a0d54fde6c2e566e27e4117c0b761dbdec609d9178fabf1bcedd995
- SHA512: 0b2ebdef719b1aeb5c7ce2c17f862f1aee8e66b10904dd5c7bc616ecfefa816ae81e59ae26b2cf1584a00edde49e8b00cb8d14dab1a827676109f541bc3a2992
- SSDEEP: 6144:0rKbKjkr/9nGx+cUry2NQMMM7HA38KvMOYa7edvCkYpd3x9dE39KE:0rKbZ9nGyrymCy28KE99z+ZDdEV
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  pid   Process
  844   MsiExec.exe
  844   MsiExec.exe
- Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  3     2248  msiexec.exe
  7     2688  msiexec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
- Drops file in Windows directory (7 IoCs)
  description                   ioc                                  Process
  File opened for modification  C:\Windows\INF\setupapi.ev1          DrvInst.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log      DrvInst.exe
  File created                  C:\Windows\Installer\f771cb4.msi     msiexec.exe
  File opened for modification  C:\Windows\Installer\f771cb4.msi     msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI1E9A.tmp     msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI2262.tmp     msiexec.exe
  File opened for modification  C:\Windows\INF\setupapi.ev3          DrvInst.exe
- Modifies data under HKEY_USERS (43 IoCs)
  description       ioc                                                                                              Process
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs                    DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed                DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs           DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs                         DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust                              DrvInst.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs                            DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates           DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs                          DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates   DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs           DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs        DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs        DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs                   DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed                         DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates            DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs                         DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust                     DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople                      DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates         DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs                DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My                                 DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root                               DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot                      DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates         DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople             DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates                    DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs                          DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs                 DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs                 DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs                DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA                                 DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs                            DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs                    DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs                 DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates                  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates                 DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates        DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA                        DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs                   DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs                 DrvInst.exe
- Suspicious use of AdjustPrivilegeToken (55 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            2248  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       2248  msiexec.exe
  Token: SeRestorePrivilege             2688  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2688  msiexec.exe
  Token: SeSecurityPrivilege            2688  msiexec.exe
  Token: SeCreateTokenPrivilege         2248  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  2248  msiexec.exe
  Token: SeLockMemoryPrivilege          2248  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       2248  msiexec.exe
  Token: SeMachineAccountPrivilege      2248  msiexec.exe
  Token: SeTcbPrivilege                 2248  msiexec.exe
  Token: SeSecurityPrivilege            2248  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2248  msiexec.exe
  Token: SeLoadDriverPrivilege          2248  msiexec.exe
  Token: SeSystemProfilePrivilege       2248  msiexec.exe
  Token: SeSystemtimePrivilege          2248  msiexec.exe
  Token: SeProfSingleProcessPrivilege   2248  msiexec.exe
  Token: SeIncBasePriorityPrivilege     2248  msiexec.exe
  Token: SeCreatePagefilePrivilege      2248  msiexec.exe
  Token: SeCreatePermanentPrivilege     2248  msiexec.exe
  Token: SeBackupPrivilege              2248  msiexec.exe
  Token: SeRestorePrivilege             2248  msiexec.exe
  Token: SeShutdownPrivilege            2248  msiexec.exe
  Token: SeDebugPrivilege               2248  msiexec.exe
  Token: SeAuditPrivilege               2248  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   2248  msiexec.exe
  Token: SeChangeNotifyPrivilege        2248  msiexec.exe
  Token: SeRemoteShutdownPrivilege      2248  msiexec.exe
  Token: SeUndockPrivilege              2248  msiexec.exe
  Token: SeSyncAgentPrivilege           2248  msiexec.exe
  Token: SeEnableDelegationPrivilege    2248  msiexec.exe
  Token: SeManageVolumePrivilege        2248  msiexec.exe
  Token: SeImpersonatePrivilege         2248  msiexec.exe
  Token: SeCreateGlobalPrivilege        2248  msiexec.exe
  Token: SeBackupPrivilege              2644  vssvc.exe
  Token: SeRestorePrivilege             2644  vssvc.exe
  Token: SeAuditPrivilege               2644  vssvc.exe
  Token: SeBackupPrivilege              2688  msiexec.exe
  Token: SeRestorePrivilege             2688  msiexec.exe
  Token: SeRestorePrivilege             872   DrvInst.exe
  Token: SeRestorePrivilege             872   DrvInst.exe
  Token: SeRestorePrivilege             872   DrvInst.exe
  Token: SeRestorePrivilege             872   DrvInst.exe
  Token: SeRestorePrivilege             872   DrvInst.exe
  Token: SeRestorePrivilege             872   DrvInst.exe
  Token: SeRestorePrivilege             872   DrvInst.exe
  Token: SeLoadDriverPrivilege          872   DrvInst.exe
  Token: SeLoadDriverPrivilege          872   DrvInst.exe
  Token: SeLoadDriverPrivilege          872   DrvInst.exe
  Token: SeRestorePrivilege             2688  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2688  msiexec.exe
  Token: SeRestorePrivilege             2688  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2688  msiexec.exe
  Token: SeRestorePrivilege             2688  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2688  msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  2248  msiexec.exe
  2248  msiexec.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                      pid   Process      procid_target
  PID 2688 wrote to memory of 844  2688  msiexec.exe  34
  PID 2688 wrote to memory of 844  2688  msiexec.exe  34
  PID 2688 wrote to memory of 844  2688  msiexec.exe  34
  PID 2688 wrote to memory of 844  2688  msiexec.exe  34
  PID 2688 wrote to memory of 844  2688  msiexec.exe  34
  PID 2688 wrote to memory of 844  2688  msiexec.exe  34
  PID 2688 wrote to memory of 844  2688  msiexec.exe  34
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AccessMUISet.msi
  PID: 2248
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2688
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B1D0B2B7A8DDD7C1A5A44E96C96E514D
    PID: 844
    - Loads dropped DLL
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2644
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A8" "0000000000000064"
  PID: 872
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 558B
  MD5: 3cc0012f96f8f44164c18d7de05023d9
  SHA1: c8feb560d751fe720c8bdb53f5e78aa92abb9a9e
  SHA256: 2654c273c211ae1afc60a7736153a853142e3db028417206948576d1d57bf5d5
  SHA512: 626746176663e2460b18f1eb245306107060c172c4e65ad710dd75ec0b348d8f000342c0dd2f7ea3bb2e0796f61e1ddd2cd77c312d6a177ff2e70a10b68cc6af
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 16e9d0e12e80cd8a51e8fe7e1afa0d87
  SHA1: 1d420397027d2998afba877d2f1ad829c598f136
  SHA256: 90948a0f48758496305edc0f2900869c277eb28e6a702436e6aedaa54799f450
  SHA512: 6da81aedd0a3c6bf771014f3ddc1b4171fba992826db6df116cfbaf8f147fad788651eafd2945184ac3c5c0fea9a067c156583c192b19c58e7e238cf352e4d95
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD
  Filesize: 234B
  MD5: 9d74320e0b6b4d7943a49f11d12c78ff
  SHA1: e72dd5c0f9f2f93d32002b2be75d36f0b5a4efc5
  SHA256: 6afcf82593a237225633302c046c1f372f1866dfde9442b124446fa4669620ad
  SHA512: 45403c0b7ee49c781c07819dc631f54a4ac43298e450b380756a4267f69a02802058630d1afce0fa25554a345cdf41f1f76dc2919e5e676494c467dcb2b622b5
- Filesize: 61KB
  MD5: f3441b8572aae8801c04f3060b550443
  SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
  SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
  SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
- Filesize: 61KB
  MD5: 4f0829102cd133bad186ec3ee03cf2a8
  SHA1: 4297f15802a5d54bda6fc984ec872b4df5e4801f
  SHA256: 9c494c89a49e812a097333e86322a937e52c6077c16a4be35d61dbbdaa02ce22
  SHA512: 498e41f2b91d49669d99f954c921073550aa7f155b5a85a867ef20ac3b5f510e89779a0da3f23810b67e53603883c137d1ab7d888dcf3f532ef4155524fc0122