Analysis
max time kernel: 151s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2023 03:28
Static task: static1
Behavioral task: behavioral1
  Sample: p_terminal_x86_install.msi
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: p_terminal_x86_install.msi
  Resource: win10v2004-20230915-en
General
Target: p_terminal_x86_install.msi
Size: 2.2MB
MD5: 7996ed8cc6479124c941ab5d136e4841
SHA1: 092bd61e92aa0745af69e777f341ea7184c3d743
SHA256: a9ee4f3dcb9ae9ef57d9677a899d5f1c011dcb17275e95baf87a869f4f3dadeb
SHA512: bf7270402f3cf4111a0a64d6bf29145ab9bc9c32ea4e5272d49beaf4d178a1bec540fa28935d36bbb0fc783fe42746f450e6c4e7a19ecc5317c4fbc097a0fb6d
SSDEEP: 49152:NpUPhaTtpSD6TmY7GBXGBr4wBlBLr1GAtrlc+jjK0I7SfBx1jDbKg5A+:NpgktID6dFBrJBLrY+rmR1s3L
Malware Config
Signatures
Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  4     3700  msiexec.exe
  7     3700  msiexec.exe
  9     3700  msiexec.exe
  All three flows belong to the client msiexec.exe (the /I process, see Processes). The report's Network section is empty, so no destination, port or payload is given for them; the only network artefacts listed are the CryptoAPI cache files under Downloads, which is what certificate revocation or chain fetches during signature checking leave behind. Treat the flows as unconfirmed rather than as evidence of a payload download.

Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc      Process
  File opened (read-only)  \??\<X>:  msiexec.exe
  for <X> in A, B, E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z (every drive letter except C:, D: and F:); each letter appears twice, 46 entries in total. Both msiexec.exe processes carry this signature. Windows Installer probes every volume while costing an installation, so this fires on practically any MSI and is not an indicator on its own.
Drops file in Windows directory (7 IoCs)
  description                   ioc                                                                 Process
  File created                  C:\Windows\Installer\SourceHash{489E3AC3-61B8-4645-AFF3-2168E6F726F2}  msiexec.exe
  File opened for modification  C:\Windows\Installer\                                               msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSICC69.tmp                                    msiexec.exe
  File created                  C:\Windows\Installer\e5ac42c.msi                                    msiexec.exe
  File opened for modification  C:\Windows\Installer\e5ac42c.msi                                    msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log            msiexec.exe
  All seven paths are the Windows Installer service's own bookkeeping (cached package copy, in-progress marker, SourceHash entry) plus the .NET ngen log; none is a file written by the package to a location of its choosing.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description        ioc                                                                                                                        Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                  vssvc.exe
  Key queried        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                  vssvc.exe
  Key created        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr          vssvc.exe
  Set value (data)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d6f92995d065bd40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d6f92990000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d6f9299000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d6f9299000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d6f929900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   vssvc.exe
  Set value (data)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   vssvc.exe
  Note the process column: every access is by vssvc.exe, the Volume Shadow Copy service, and it writes partition-manager cache values rather than reading vendor strings. That is the service doing its job for the restore point srtasks.exe requests (see Processes), not the sample fingerprinting the disk, so this signature should not be read as sandbox evasion here.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3584  msiexec.exe
  3584  msiexec.exe

Suspicious use of AdjustPrivilegeToken (41 IoCs)
  description                            pid   Process
  Token: SeShutdownPrivilege             3700  msiexec.exe
  Token: SeIncreaseQuotaPrivilege        3700  msiexec.exe
  Token: SeSecurityPrivilege             3584  msiexec.exe
  Token: SeCreateTokenPrivilege          3700  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege   3700  msiexec.exe
  Token: SeLockMemoryPrivilege           3700  msiexec.exe
  Token: SeIncreaseQuotaPrivilege        3700  msiexec.exe
  Token: SeMachineAccountPrivilege       3700  msiexec.exe
  Token: SeTcbPrivilege                  3700  msiexec.exe
  Token: SeSecurityPrivilege             3700  msiexec.exe
  Token: SeTakeOwnershipPrivilege        3700  msiexec.exe
  Token: SeLoadDriverPrivilege           3700  msiexec.exe
  Token: SeSystemProfilePrivilege        3700  msiexec.exe
  Token: SeSystemtimePrivilege           3700  msiexec.exe
  Token: SeProfSingleProcessPrivilege    3700  msiexec.exe
  Token: SeIncBasePriorityPrivilege      3700  msiexec.exe
  Token: SeCreatePagefilePrivilege       3700  msiexec.exe
  Token: SeCreatePermanentPrivilege      3700  msiexec.exe
  Token: SeBackupPrivilege               3700  msiexec.exe
  Token: SeRestorePrivilege              3700  msiexec.exe
  Token: SeShutdownPrivilege             3700  msiexec.exe
  Token: SeDebugPrivilege                3700  msiexec.exe
  Token: SeAuditPrivilege                3700  msiexec.exe
  Token: SeSystemEnvironmentPrivilege    3700  msiexec.exe
  Token: SeChangeNotifyPrivilege         3700  msiexec.exe
  Token: SeRemoteShutdownPrivilege       3700  msiexec.exe
  Token: SeUndockPrivilege               3700  msiexec.exe
  Token: SeSyncAgentPrivilege            3700  msiexec.exe
  Token: SeEnableDelegationPrivilege     3700  msiexec.exe
  Token: SeManageVolumePrivilege         3700  msiexec.exe
  Token: SeImpersonatePrivilege          3700  msiexec.exe
  Token: SeCreateGlobalPrivilege         3700  msiexec.exe
  Token: SeBackupPrivilege               2064  vssvc.exe
  Token: SeRestorePrivilege              2064  vssvc.exe
  Token: SeAuditPrivilege                2064  vssvc.exe
  Token: SeBackupPrivilege               3584  msiexec.exe
  Token: SeRestorePrivilege              3584  msiexec.exe
  Token: SeRestorePrivilege              3584  msiexec.exe
  Token: SeTakeOwnershipPrivilege        3584  msiexec.exe
  Token: SeRestorePrivilege              3584  msiexec.exe
  Token: SeTakeOwnershipPrivilege        3584  msiexec.exe
  The client msiexec.exe (pid 3700) enables 30 distinct privileges in one burst, SeDebugPrivilege, SeTcbPrivilege and SeCreateTokenPrivilege among them. That is the signature of a process calling AdjustTokenPrivileges over every privilege present in its token; it appears on practically every MSI run and says nothing about which privileges were actually exercised. The service (pid 3584) and vssvc.exe (pid 2064) enable only the backup/restore/ownership set a file installer and a snapshot service need.

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  3700  msiexec.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                      pid   Process      procid_target
  PID 3584 wrote to memory of 5080  3584  msiexec.exe  94
  PID 3584 wrote to memory of 5080  3584  msiexec.exe  94
  PID 3584 wrote to memory of 4880  3584  msiexec.exe  96
  PID 3584 wrote to memory of 4880  3584  msiexec.exe  96
  PID 3584 wrote to memory of 4880  3584  msiexec.exe  96
  The writer is the Installer service and the targets are its own children (srtasks.exe 5080 and the custom-action MsiExec.exe 4880, see Processes); the repeated rows are the usual bursts of writes a parent makes while setting up a child it has just created, not injection into an unrelated process.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
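The signature tables above arrive as flattened "description ioc Process" rows, which is tedious to read and impossible to diff between reports. The following Python, an added example and not part of the sandbox's tooling, parses excerpts of this report's own rows (copied from the tables above and truncated where marked) into records and produces the summaries an analyst actually wants: the flows per process, the distinct drive letters behind the 46 drive IoCs, the privileges enabled per pid with the sensitive ones called out, a crude "enabled the whole token" heuristic, and the parent-to-child edges hidden in the WriteProcessMemory rows. The threshold of 20 privileges for the enable-all heuristic is an assumption of this example; on the full table, where pid 3700 enables 30 distinct privileges, it would fire, while the truncated excerpt below does not.

```python
"""Parse flattened sandbox-report signature rows and summarise them.

Added example; not part of the sandbox's own tooling. The rows below are
excerpts copied from the report on this page (constructed input, truncated
where noted) so the script runs offline.
"""
import re
from collections import defaultdict

# Rows exactly as the extracted report renders them (constructed from the
# tables above; the drive and privilege rows are truncated to a few entries).
NETWORK_ROW = "flow pid Process 4 3700 msiexec.exe 7 3700 msiexec.exe 9 3700 msiexec.exe"
DRIVE_ROW = (
    "description ioc Process "
    "File opened (read-only) \\??\\Z: msiexec.exe "
    "File opened (read-only) \\??\\Z: msiexec.exe "
    "File opened (read-only) \\??\\Y: msiexec.exe "
    "File opened (read-only) \\??\\E: msiexec.exe "
    "File opened (read-only) \\??\\K: msiexec.exe "
)
PRIV_ROW = (
    "description pid Process "
    "Token: SeShutdownPrivilege 3700 msiexec.exe "
    "Token: SeIncreaseQuotaPrivilege 3700 msiexec.exe "
    "Token: SeSecurityPrivilege 3584 msiexec.exe "
    "Token: SeCreateTokenPrivilege 3700 msiexec.exe "
    "Token: SeTcbPrivilege 3700 msiexec.exe "
    "Token: SeDebugPrivilege 3700 msiexec.exe "
    "Token: SeBackupPrivilege 2064 vssvc.exe "
    "Token: SeRestorePrivilege 2064 vssvc.exe "
    "Token: SeBackupPrivilege 3584 msiexec.exe "
)
WPM_ROW = (
    "description pid Process procid_target "
    "PID 3584 wrote to memory of 5080 3584 msiexec.exe 94 "
    "PID 3584 wrote to memory of 5080 3584 msiexec.exe 94 "
    "PID 3584 wrote to memory of 4880 3584 msiexec.exe 96 "
    "PID 3584 wrote to memory of 4880 3584 msiexec.exe 96 "
    "PID 3584 wrote to memory of 4880 3584 msiexec.exe 96 "
)

# Privileges that let a process step outside its own security context.
SENSITIVE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
             "SeAssignPrimaryTokenPrivilege", "SeLoadDriverPrivilege"}
# Assumed threshold: a process enabling this many distinct privileges at once
# is treated as "enabled everything in its token" rather than a targeted use.
ENABLE_ALL_THRESHOLD = 20


def parse_network(row):
    """'flow pid Process' rows -> [(flow, pid, process), ...]."""
    return [(int(f), int(p), proc)
            for f, p, proc in re.findall(r"(\d+) (\d+) (\S+\.exe)", row)]


def parse_drives(row):
    """Drive-root opens -> [(letter, process), ...], duplicates kept."""
    return re.findall(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+\.exe)", row)


def parse_privileges(row):
    """'Token: <priv> <pid> <process>' rows -> [(priv, pid, process), ...]."""
    return [(priv, int(pid), proc) for priv, pid, proc in
            re.findall(r"Token: (Se\w+Privilege) (\d+) (\S+\.exe)", row)]


def parse_wpm(row):
    """WriteProcessMemory rows -> sorted unique (writer_pid, target_pid) edges."""
    return sorted({(int(a), int(b))
                   for a, b in re.findall(r"PID (\d+) wrote to memory of (\d+)", row)})


def summarise(network_row, drive_row, priv_row, wpm_row):
    """Collapse the raw rows into the per-process view used for triage."""
    drives = parse_drives(drive_row)
    by_pid = defaultdict(set)
    for priv, pid, _ in parse_privileges(priv_row):
        by_pid[pid].add(priv)
    return {
        "flows": parse_network(network_row),
        "drive_letters": sorted({letter for letter, _ in drives}),
        "drive_opens": len(drives),
        "privs_by_pid": {pid: sorted(s) for pid, s in by_pid.items()},
        "sensitive_by_pid": {pid: sorted(s & SENSITIVE)
                             for pid, s in by_pid.items() if s & SENSITIVE},
        "enable_all_pattern": sorted(pid for pid, s in by_pid.items()
                                     if len(s) >= ENABLE_ALL_THRESHOLD),
        "wpm_edges": parse_wpm(wpm_row),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(NETWORK_ROW, DRIVE_ROW, PRIV_ROW, WPM_ROW), indent=2))
```

The WriteProcessMemory edges double as a cross-check on the process tree: if a writer pid ever targets a pid that is not its own child in the tree, that is the row worth a closer look.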
Processes
  C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\p_terminal_x86_install.msi
    PID: 3700
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

  C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    PID: 3584
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

      C:\Windows\system32\srtasks.exe
        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        PID: 5080

      C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 070EE554FA51B604840424803DC6D7E3
        PID: 4880

  C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID: 2064
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken

Reading the tree: pid 3700 is the client the sandbox launched (msiexec /I <package>), and pid 3584 is the Windows Installer service (msiexec /V), which runs as SYSTEM and does the actual file and registry work. The service asks srtasks.exe for a system restore point, which is why vssvc.exe starts and why it touches the Partmgr keys. The SysWOW64 MsiExec.exe -Embedding child is the 32-bit custom action server, the process in which this x86 package's custom actions run and therefore the one place package-supplied code executes; the report attributes no signature to it. Whether that is because the package carries no custom action or because its action did nothing the sandbox flags cannot be told from this report; a static look at the package's CustomAction table is the way to settle it.
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_90CA53BF93380499933443132F1E0073
  Filesize: 1KB
  MD5: 411cf7b3a06aceb22c09b02bcf846761
  SHA1: 7b9e330803a450e72b407bff6c9326ec4ee9aad3
  SHA256: ee0115c4173eb7e799470026682db4691f4bc7fa3645b4daab9a296b7e57ddb6
  SHA512: 4514ff5b4c6730e7ad6ff65d2e9b9b57e0dbf45f21a3e849c8b76e21f9c088e6535c2dfc220e542b9fcb6a6f2b8c82f78c70484be462149f16d97acc871178e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
  Filesize: 1KB
  MD5: 54740547dfb04a8d20029003ff79ec86
  SHA1: e74c64996a9990165872490717921cd8f264c640
  SHA256: a16b6ba9c234cf9f63d39062776f47bd9d2d0b9aa74a51b4d98c1c31cbcbc39f
  SHA512: bf155da7c77710d9ca002145e14c19a0fec5abe9f0029b6da87589a0aab914a62fdaa129d23c1db98b2820470e6864d5e0056d151471cfd0edc680f21e1ea949

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_90CA53BF93380499933443132F1E0073
  Filesize: 540B
  MD5: 08530794afdc056be19028cdb977bfa4
  SHA1: d42cc1d9a49efa9365735bda05b7f11c48308d14
  SHA256: 9edf4bfc8af2344d0a52c495c437e6eec45484e86cab404084b91d303793af67
  SHA512: 9c146d7fa0391b596feeb5c68fbecad61679246aae8ecc035c8cf8e6d408d80a7fe33d424e8f6e55c345dde25329a51cac3a3dbfd577a2942e3060d195b131e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
  Filesize: 536B
  MD5: 2e61c34dac2186f6013fa100e84cd3d5
  SHA1: 7ca1f07b7bc997fe496450069e4a4598e9d343ea
  SHA256: 038a9cc11a0e2a6c09d4d352dcacd9362ee4d5d0258088a2c73b744c24e9b7a4
  SHA512: 7ce90251b4aa64d34b5a98fae3ae97ef708e0f3cb5577871998be9912d570e577a3d34d89b1efb6592e8171bf582495bfd0a46c255afef953961197867b05363

These four files are two Content/MetaData pairs in CryptoAPI's URL cache, written by Windows' own certificate-chain retrieval (CRL, OCSP or AIA fetches) rather than by the package; their names are hashes of the fetched URL, not of the payload. Sizes of about 1KB plus a 540B metadata record are in line with a revocation check performed while the installer's signature was verified, which is also the most plausible source of the three flows charged to pid 3700, but that remains an inference: the report lists no URL and its Network section is empty.