e5a0cc7fa478c96aa89a2329a5edd0a31c30dad7c6791a6057b8e4435a5c989a

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a6b9f54255bb9b541bfe380d908beff.msi
Size

156KB
MD5

7a6b9f54255bb9b541bfe380d908beff
SHA1

6ee8bc85cfb60f081118384c2eeb95743a433ddb
SHA256

e5a0cc7fa478c96aa89a2329a5edd0a31c30dad7c6791a6057b8e4435a5c989a
SHA512

32644d3ceb064cf1e0d5f80b6760c3eef0f9bf7a377b880dff3276786e4713b240e55bf86220f9f272a748b76069037e6ddfd843caf5ab588303669c4ff4b5f5
SSDEEP

384:iHpe4ZvJXK7gzFM7Wu5oXgZs+5BCq26yy3M5BCqPN:Zmxa7gBMyurDCUyWMDC

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSICB10.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB5F.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ca16.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ca16.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{705771E1-8028-4A2A-A93E-7DA02AB734CD}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000fc6bda6a7e0913030000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000fc6bda6a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900fc6bda6a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dfc6bda6a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000fc6bda6a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4736	msiexec.exe
4736	msiexec.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4664	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4664	msiexec.exe
Token: SeSecurityPrivilege	4736	msiexec.exe
Token: SeCreateTokenPrivilege	4664	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4664	msiexec.exe
Token: SeLockMemoryPrivilege	4664	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4664	msiexec.exe
Token: SeMachineAccountPrivilege	4664	msiexec.exe
Token: SeTcbPrivilege	4664	msiexec.exe
Token: SeSecurityPrivilege	4664	msiexec.exe
Token: SeTakeOwnershipPrivilege	4664	msiexec.exe
Token: SeLoadDriverPrivilege	4664	msiexec.exe
Token: SeSystemProfilePrivilege	4664	msiexec.exe
Token: SeSystemtimePrivilege	4664	msiexec.exe
Token: SeProfSingleProcessPrivilege	4664	msiexec.exe
Token: SeIncBasePriorityPrivilege	4664	msiexec.exe
Token: SeCreatePagefilePrivilege	4664	msiexec.exe
Token: SeCreatePermanentPrivilege	4664	msiexec.exe
Token: SeBackupPrivilege	4664	msiexec.exe
Token: SeRestorePrivilege	4664	msiexec.exe
Token: SeShutdownPrivilege	4664	msiexec.exe
Token: SeDebugPrivilege	4664	msiexec.exe
Token: SeAuditPrivilege	4664	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4664	msiexec.exe
Token: SeChangeNotifyPrivilege	4664	msiexec.exe
Token: SeRemoteShutdownPrivilege	4664	msiexec.exe
Token: SeUndockPrivilege	4664	msiexec.exe
Token: SeSyncAgentPrivilege	4664	msiexec.exe
Token: SeEnableDelegationPrivilege	4664	msiexec.exe
Token: SeManageVolumePrivilege	4664	msiexec.exe
Token: SeImpersonatePrivilege	4664	msiexec.exe
Token: SeCreateGlobalPrivilege	4664	msiexec.exe
Token: SeBackupPrivilege	1028	vssvc.exe
Token: SeRestorePrivilege	1028	vssvc.exe
Token: SeAuditPrivilege	1028	vssvc.exe
Token: SeBackupPrivilege	4736	msiexec.exe
Token: SeRestorePrivilege	4736	msiexec.exe
Token: SeRestorePrivilege	4736	msiexec.exe
Token: SeTakeOwnershipPrivilege	4736	msiexec.exe
Token: SeRestorePrivilege	4736	msiexec.exe
Token: SeTakeOwnershipPrivilege	4736	msiexec.exe
Token: SeRestorePrivilege	4736	msiexec.exe
Token: SeTakeOwnershipPrivilege	4736	msiexec.exe
Token: SeRestorePrivilege	4736	msiexec.exe
Token: SeTakeOwnershipPrivilege	4736	msiexec.exe
Token: SeRestorePrivilege	4736	msiexec.exe
Token: SeTakeOwnershipPrivilege	4736	msiexec.exe
Token: SeRestorePrivilege	4736	msiexec.exe
Token: SeTakeOwnershipPrivilege	4736	msiexec.exe
Token: SeBackupPrivilege	2588	srtasks.exe
Token: SeRestorePrivilege	2588	srtasks.exe
Token: SeSecurityPrivilege	2588	srtasks.exe
Token: SeTakeOwnershipPrivilege	2588	srtasks.exe
Token: SeBackupPrivilege	2588	srtasks.exe
Token: SeRestorePrivilege	2588	srtasks.exe
Token: SeSecurityPrivilege	2588	srtasks.exe
Token: SeTakeOwnershipPrivilege	2588	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4664	msiexec.exe
4664	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 2588	4736	msiexec.exe	100
PID 4736 wrote to memory of 2588	4736	msiexec.exe	100
PID 4736 wrote to memory of 4300	4736	msiexec.exe	102
PID 4736 wrote to memory of 4300	4736	msiexec.exe	102
PID 4736 wrote to memory of 4300	4736	msiexec.exe	102

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7a6b9f54255bb9b541bfe380d908beff.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4664

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 51EEE3B98BA6016AB202160D7F91118E
  2⤵
  PID:4300

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
183736d781a0e24c75dd39e4c433c661

SHA1
cdeceb9e57969713a706936d1a8e5eecab2a840d

SHA256
cb3b5ddbfcd2e79e9bb166aaa7349b60cc3ae4445b0eb6978436bcfdf41680ff

SHA512
b1aafd724f7e735aa38ae583eae524968290838e61bdfee5c328a7dbcdfe2f6b274a992b34d515e924a7ae1d536ebe91977143a33851b5e5d10dad16a3ba2d54

Download Submit
\??\Volume{6ada6bfc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{26fef6fb-e582-4a5a-89b5-9391cc6575b5}_OnDiskSnapshotProp

Filesize
5KB

MD5
62307dc40b4a91eaade9fb220d2a8581

SHA1
ea7b974ca84872cd7ed4bc56b928ae5613f58d56

SHA256
22ab4fde69e1e0a3f746e4188f0822774e0825a9c09e32c0866ee952d8001955

SHA512
2a69a3759aae8fec7703889bf7a1b8b6db757d49052883f9c5b125d6547c86c5c6fa845968f94789b7d3cf07d40d0620965887e7affa29686eee5e104a909cc8

Download Submit