e4780a285befbc2419d74e2c3bcecffd0e128a8e1f8db367de072b37d59e942b

Analysis

max time kernel
123s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 03:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e4780a285befbc2419d74e2c3bcecffd0e128a8e1f8db367de072b37d59e942b_JC.msi
Size

527KB
MD5

f21e7ee2ee6ab192ea920d1dbacbfc3e
SHA1

7df2489e660c9f0f060b2897d732deb51a5dea37
SHA256

e4780a285befbc2419d74e2c3bcecffd0e128a8e1f8db367de072b37d59e942b
SHA512

10bdbb79d00dedb5945c6f2398d2bb6a438da80bb7273405dab3f3c19e2ef1493e66f9e6d0110ad31bec40c4c70c6ab80112e7101db4e6bd0e09cf40a86f86b6
SSDEEP

12288:kfkdlY5AVTqp4nb5roPzfGXSjptsrYI21wlD:kfkdlY5Awp4b5fXSjp2b

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Application Signer.cmd	msiexec.exe

Loads dropped DLL 2 IoCs

pid	Process
1412	MsiExec.exe
1412	MsiExec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1412	MsiExec.exe
5	1412	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f7773f8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7773f8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7A30.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7773fb.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI74B3.tmp	msiexec.exe
File created	C:\Windows\Installer\f7773fb.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CDF.tmp	msiexec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2540	msiexec.exe
2540	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1540	msiexec.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1540	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	2540	msiexec.exe
Token: SeTakeOwnershipPrivilege	2540	msiexec.exe
Token: SeSecurityPrivilege	2540	msiexec.exe
Token: SeCreateTokenPrivilege	1540	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1540	msiexec.exe
Token: SeLockMemoryPrivilege	1540	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1540	msiexec.exe
Token: SeMachineAccountPrivilege	1540	msiexec.exe
Token: SeTcbPrivilege	1540	msiexec.exe
Token: SeSecurityPrivilege	1540	msiexec.exe
Token: SeTakeOwnershipPrivilege	1540	msiexec.exe
Token: SeLoadDriverPrivilege	1540	msiexec.exe
Token: SeSystemProfilePrivilege	1540	msiexec.exe
Token: SeSystemtimePrivilege	1540	msiexec.exe
Token: SeProfSingleProcessPrivilege	1540	msiexec.exe
Token: SeIncBasePriorityPrivilege	1540	msiexec.exe
Token: SeCreatePagefilePrivilege	1540	msiexec.exe
Token: SeCreatePermanentPrivilege	1540	msiexec.exe
Token: SeBackupPrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	1540	msiexec.exe
Token: SeShutdownPrivilege	1540	msiexec.exe
Token: SeDebugPrivilege	1540	msiexec.exe
Token: SeAuditPrivilege	1540	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1540	msiexec.exe
Token: SeChangeNotifyPrivilege	1540	msiexec.exe
Token: SeRemoteShutdownPrivilege	1540	msiexec.exe
Token: SeUndockPrivilege	1540	msiexec.exe
Token: SeSyncAgentPrivilege	1540	msiexec.exe
Token: SeEnableDelegationPrivilege	1540	msiexec.exe
Token: SeManageVolumePrivilege	1540	msiexec.exe
Token: SeImpersonatePrivilege	1540	msiexec.exe
Token: SeCreateGlobalPrivilege	1540	msiexec.exe
Token: SeBackupPrivilege	2776	vssvc.exe
Token: SeRestorePrivilege	2776	vssvc.exe
Token: SeAuditPrivilege	2776	vssvc.exe
Token: SeBackupPrivilege	2540	msiexec.exe
Token: SeRestorePrivilege	2540	msiexec.exe
Token: SeRestorePrivilege	2380	DrvInst.exe
Token: SeRestorePrivilege	2380	DrvInst.exe
Token: SeRestorePrivilege	2380	DrvInst.exe
Token: SeRestorePrivilege	2380	DrvInst.exe
Token: SeRestorePrivilege	2380	DrvInst.exe
Token: SeRestorePrivilege	2380	DrvInst.exe
Token: SeRestorePrivilege	2380	DrvInst.exe
Token: SeLoadDriverPrivilege	2380	DrvInst.exe
Token: SeLoadDriverPrivilege	2380	DrvInst.exe
Token: SeLoadDriverPrivilege	2380	DrvInst.exe
Token: SeRestorePrivilege	2540	msiexec.exe
Token: SeTakeOwnershipPrivilege	2540	msiexec.exe
Token: SeRestorePrivilege	2540	msiexec.exe
Token: SeTakeOwnershipPrivilege	2540	msiexec.exe
Token: SeRestorePrivilege	2540	msiexec.exe
Token: SeTakeOwnershipPrivilege	2540	msiexec.exe
Token: SeRestorePrivilege	2540	msiexec.exe
Token: SeTakeOwnershipPrivilege	2540	msiexec.exe
Token: SeRestorePrivilege	2540	msiexec.exe
Token: SeTakeOwnershipPrivilege	2540	msiexec.exe
Token: SeRestorePrivilege	2540	msiexec.exe
Token: SeTakeOwnershipPrivilege	2540	msiexec.exe
Token: SeRestorePrivilege	2540	msiexec.exe
Token: SeTakeOwnershipPrivilege	2540	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1540	msiexec.exe
1540	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1412	2540	msiexec.exe	34
PID 2540 wrote to memory of 1412	2540	msiexec.exe	34
PID 2540 wrote to memory of 1412	2540	msiexec.exe	34
PID 2540 wrote to memory of 1412	2540	msiexec.exe	34
PID 2540 wrote to memory of 1412	2540	msiexec.exe	34
PID 2540 wrote to memory of 1412	2540	msiexec.exe	34
PID 2540 wrote to memory of 1412	2540	msiexec.exe	34

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e4780a285befbc2419d74e2c3bcecffd0e128a8e1f8db367de072b37d59e942b_JC.msi
1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1540

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2ED057DC74E98C22F3762932C80E4AB2
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  PID:1412

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B4" "0000000000000588"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7773fc.rbs

Filesize
1KB

MD5
43d4fbf95fdbf957ecc58fa11f307134

SHA1
c793573537ac8c42f4a1d6bd6726eb50e8ee1fe9

SHA256
c727d0e8f0471f37cc3256b8af24569cc2484d65a8fc31868fd14c034560cb59

SHA512
c113d9cc913801f69d33ea5037ce699fb431624dccdd1d67dba21b8afc838e03384fdd5e2342d96eba4c07eeada7d70c2fa016491237cf86a53007b4b6650418

Download Submit
C:\Windows\Installer\MSI74B3.tmp

Filesize
91KB

MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
C:\Windows\Installer\MSI7A30.tmp

Filesize
91KB

MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
\Windows\Installer\MSI74B3.tmp

Filesize
91KB

MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
\Windows\Installer\MSI7A30.tmp

Filesize
91KB

MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
memory/1412-15-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download