Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 05/10/2023, 14:53

Static task: static1

Behavioral task: behavioral1
- Sample: Office64MUISet.msi
- Resource: win7-20230831-en

Behavioral task: behavioral2
- Sample: Office64MUISet.msi
- Resource: win10v2004-20230915-en
General
- Target: Office64MUISet.msi
- Size: 490KB
- MD5: 5e566b9c302fb20a7d89677f75274205
- SHA1: 6520b190bb2e7d21396951d72212ab8234e15b7c
- SHA256: 6f01c5b71094c47c7fbb73cdb456b49a96cbfd7597401766e1831c3c98cf0ed1
- SHA512: f670321b2908f77f7004aa74db44e800544aee6075f42675d028094bf79c6cdfe14ccb2cc8ee64cde05c1833e203b1f42f4cc97e304a162130606b9c27d9015c
- SSDEEP: 6144:SrKf8jknJ9nGx+cUry2NQMMM7HA38KvMOYa7edvCkYpd3V9dE39KX:SrKfN9nGyrymCy28KE99z+ZXdES
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  pid 1888 MsiExec.exe (2 events)
- Blocklisted process makes network request (2 IoCs)
  flow 3: pid 2076 msiexec.exe
  flow 7: pid 2704 msiexec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe; each of the following drive roots was opened twice (46 events in total):
  \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- Drops file in Windows directory (7 IoCs)
  File opened for modification C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
  File created C:\Windows\Installer\f774c8a.msi (msiexec.exe)
  File opened for modification C:\Windows\Installer\f774c8a.msi (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSI4FB8.tmp (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSI5802.tmp (msiexec.exe)
  File opened for modification C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
  File opened for modification C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
- Modifies data under HKEY_USERS (43 IoCs)
  All 43 events are by DrvInst.exe. Keys created:
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
  Value set (data):
  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
- Suspicious use of AdjustPrivilegeToken (55 IoCs)
  Tokens adjusted, grouped by process (event count in parentheses where a privilege was adjusted more than once):
  pid 2076 msiexec.exe (31 events): SeShutdownPrivilege (2), SeIncreaseQuotaPrivilege (2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 2704 msiexec.exe (11 events): SeRestorePrivilege (5), SeTakeOwnershipPrivilege (4), SeSecurityPrivilege, SeBackupPrivilege
  pid 2568 vssvc.exe (3 events): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  pid 2004 DrvInst.exe (10 events): SeRestorePrivilege (7), SeLoadDriverPrivilege (3)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 2076 msiexec.exe (2 events)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2704 (msiexec.exe) wrote to memory of PID 1888, procid_target 34 (7 events)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Office64MUISet.msi
  PID: 2076
  Signatures:
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2704
  Signatures:
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 247134E1A717766EA154CFC0460E3820
    PID: 1888
    Signatures:
    - Loads dropped DLL
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2568
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C4" "00000000000002FC"
  PID: 2004
  Signatures:
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path recorded)
  Filesize: 558B
  MD5: 3cc0012f96f8f44164c18d7de05023d9
  SHA1: c8feb560d751fe720c8bdb53f5e78aa92abb9a9e
  SHA256: 2654c273c211ae1afc60a7736153a853142e3db028417206948576d1d57bf5d5
  SHA512: 626746176663e2460b18f1eb245306107060c172c4e65ad710dd75ec0b348d8f000342c0dd2f7ea3bb2e0796f61e1ddd2cd77c312d6a177ff2e70a10b68cc6af
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: a7aa0566d4dd1093c77d5f51027500d9
  SHA1: bbd272840d82951b61bd97abe4c3d974c07b91c5
  SHA256: 3c6b5a7e071fcceebe020539820c7cf125077eab125deb27775b030d753551d2
  SHA512: fc817ac1c93aea0a57d8b6d8ede96c91137b5597d5efb5e9b6a2aab6fcac6b8b82529c60e5f05de62ae3b832146974675ae2cca675fe74ab19edbd9e8a2528b7
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD
  Filesize: 234B
  MD5: d34d93efb608d37cb0a11d056321fc22
  SHA1: 737e737ebcbb0dd6812ee3faba895e219f16fa79
  SHA256: a7ec69f8857c8bcdd66c7580526a0197f72ec505443ba9a782e3b590ff4c4983
  SHA512: a2bd0b23b565c54f9fa2dd513139b0da3a08f1bafde0cfd871b75aedb62169ea94170480dc600837b0d0b6913c564518cf962b930b129c2abb7735f0a720ad9e
- (no path recorded)
  Filesize: 61KB
  MD5: f3441b8572aae8801c04f3060b550443
  SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
  SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
  SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
- (no path recorded; this identical entry is listed four times in the report)
  Filesize: 61KB
  MD5: 4f0829102cd133bad186ec3ee03cf2a8
  SHA1: 4297f15802a5d54bda6fc984ec872b4df5e4801f
  SHA256: 9c494c89a49e812a097333e86322a937e52c6077c16a4be35d61dbbdaa02ce22
  SHA512: 498e41f2b91d49669d99f954c921073550aa7f155b5a85a867ef20ac3b5f510e89779a0da3f23810b67e53603883c137d1ab7d888dcf3f532ef4155524fc0122