4cc81933e786d546b1059f618bcf41fd20620be354b9600c044f5d8ffe3e70cf

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2023, 20:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

exec_payload.msi
Size

15KB
MD5

511f2dbcef2ef0bc4f02f60e724466f1
SHA1

85c1c51b36e9ee7cb94edcd71a078cc5da744c5b
SHA256

4cc81933e786d546b1059f618bcf41fd20620be354b9600c044f5d8ffe3e70cf
SHA512

ce761a2bdd9557cdb6dff1817adcae3f26a136c59aacf95d496031b6a41b90c3d395afad12cd951d3da02d66f9116e456ab13a1a81ab2b5aeb1ad4b8c857ca9e
SSDEEP

384:uZ+cUF43zYWN1oXg2srCCqgXey3M5BCqPm:QRUPEGCTeWMDC1

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e582296.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e582296.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8322D020-0780-49DE-A72A-70C14248FE34}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI23B0.tmp	msiexec.exe
File created	C:\Windows\Installer\e582298.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001e27da6a5c4e13030000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001e27da6a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001e27da6a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1e27da6a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001e27da6a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5024	msiexec.exe
5024	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3780	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3780	msiexec.exe
Token: SeSecurityPrivilege	5024	msiexec.exe
Token: SeCreateTokenPrivilege	3780	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3780	msiexec.exe
Token: SeLockMemoryPrivilege	3780	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3780	msiexec.exe
Token: SeMachineAccountPrivilege	3780	msiexec.exe
Token: SeTcbPrivilege	3780	msiexec.exe
Token: SeSecurityPrivilege	3780	msiexec.exe
Token: SeTakeOwnershipPrivilege	3780	msiexec.exe
Token: SeLoadDriverPrivilege	3780	msiexec.exe
Token: SeSystemProfilePrivilege	3780	msiexec.exe
Token: SeSystemtimePrivilege	3780	msiexec.exe
Token: SeProfSingleProcessPrivilege	3780	msiexec.exe
Token: SeIncBasePriorityPrivilege	3780	msiexec.exe
Token: SeCreatePagefilePrivilege	3780	msiexec.exe
Token: SeCreatePermanentPrivilege	3780	msiexec.exe
Token: SeBackupPrivilege	3780	msiexec.exe
Token: SeRestorePrivilege	3780	msiexec.exe
Token: SeShutdownPrivilege	3780	msiexec.exe
Token: SeDebugPrivilege	3780	msiexec.exe
Token: SeAuditPrivilege	3780	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3780	msiexec.exe
Token: SeChangeNotifyPrivilege	3780	msiexec.exe
Token: SeRemoteShutdownPrivilege	3780	msiexec.exe
Token: SeUndockPrivilege	3780	msiexec.exe
Token: SeSyncAgentPrivilege	3780	msiexec.exe
Token: SeEnableDelegationPrivilege	3780	msiexec.exe
Token: SeManageVolumePrivilege	3780	msiexec.exe
Token: SeImpersonatePrivilege	3780	msiexec.exe
Token: SeCreateGlobalPrivilege	3780	msiexec.exe
Token: SeBackupPrivilege	4588	vssvc.exe
Token: SeRestorePrivilege	4588	vssvc.exe
Token: SeAuditPrivilege	4588	vssvc.exe
Token: SeBackupPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3780	msiexec.exe
3780	msiexec.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 1140	5024	msiexec.exe	102
PID 5024 wrote to memory of 1140	5024	msiexec.exe	102

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\exec_payload.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3780

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1140

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
83490074e4e89343196325a4172b5dec

SHA1
73171e82f4042672a4af7ab5f8ad2d628aa48f07

SHA256
08df92b4ed272eb8aa1a8c7f080de24fa378caa485d381f6114ee5f6def96e11

SHA512
43d3d66b16080597d4225b2e0972870194c8988af70b79b19afe9cf07408be04cd4892735178cf298beb339e2581e2fa8ee840e3d530994f36fad329727fa0d8

Download Submit
\??\Volume{6ada271e-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c0c1b011-93dc-4a54-b1e4-753cd26d0e17}_OnDiskSnapshotProp

Filesize
5KB

MD5
fa1f84ce14a298142391a21b71efa32b

SHA1
b47d7bfd1fc8272b7617f742ff1292911fa3dad9

SHA256
1ba18b408c9a63d4665023963df4693ff13bf46b108bea9493d1d4f2f51e9031

SHA512
0c4f387e17749890d94fedcf86b4f177692f7b56fe6e18df81d6288d4b361c10f55ab2061c6f89f118a6dcfff507bdf3ec64baa4a8c885a4962d7b03842b0ae6

Download Submit