e4780a285befbc2419d74e2c3bcecffd0e128a8e1f8db367de072b37d59e942b

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 03:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e4780a285befbc2419d74e2c3bcecffd0e128a8e1f8db367de072b37d59e942b_JC.msi
Size

527KB
MD5

f21e7ee2ee6ab192ea920d1dbacbfc3e
SHA1

7df2489e660c9f0f060b2897d732deb51a5dea37
SHA256

e4780a285befbc2419d74e2c3bcecffd0e128a8e1f8db367de072b37d59e942b
SHA512

10bdbb79d00dedb5945c6f2398d2bb6a438da80bb7273405dab3f3c19e2ef1493e66f9e6d0110ad31bec40c4c70c6ab80112e7101db4e6bd0e09cf40a86f86b6
SSDEEP

12288:kfkdlY5AVTqp4nb5roPzfGXSjptsrYI21wlD:kfkdlY5Awp4b5fXSjp2b

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Application Signer.cmd	msiexec.exe

Loads dropped DLL 2 IoCs

pid	Process
1972	MsiExec.exe
1972	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
72	1972	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5a1195.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI32E9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI34FE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a1195.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1500.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A6E9290B-D3AF-490D-A2E6-D54A4B28F05F}	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d6f92995d065bd40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d6f92990000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d6f9299000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d6f9299000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d6f929900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2748	msiexec.exe
2748	msiexec.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1592	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1592	msiexec.exe
Token: SeSecurityPrivilege	2748	msiexec.exe
Token: SeCreateTokenPrivilege	1592	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1592	msiexec.exe
Token: SeLockMemoryPrivilege	1592	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1592	msiexec.exe
Token: SeMachineAccountPrivilege	1592	msiexec.exe
Token: SeTcbPrivilege	1592	msiexec.exe
Token: SeSecurityPrivilege	1592	msiexec.exe
Token: SeTakeOwnershipPrivilege	1592	msiexec.exe
Token: SeLoadDriverPrivilege	1592	msiexec.exe
Token: SeSystemProfilePrivilege	1592	msiexec.exe
Token: SeSystemtimePrivilege	1592	msiexec.exe
Token: SeProfSingleProcessPrivilege	1592	msiexec.exe
Token: SeIncBasePriorityPrivilege	1592	msiexec.exe
Token: SeCreatePagefilePrivilege	1592	msiexec.exe
Token: SeCreatePermanentPrivilege	1592	msiexec.exe
Token: SeBackupPrivilege	1592	msiexec.exe
Token: SeRestorePrivilege	1592	msiexec.exe
Token: SeShutdownPrivilege	1592	msiexec.exe
Token: SeDebugPrivilege	1592	msiexec.exe
Token: SeAuditPrivilege	1592	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1592	msiexec.exe
Token: SeChangeNotifyPrivilege	1592	msiexec.exe
Token: SeRemoteShutdownPrivilege	1592	msiexec.exe
Token: SeUndockPrivilege	1592	msiexec.exe
Token: SeSyncAgentPrivilege	1592	msiexec.exe
Token: SeEnableDelegationPrivilege	1592	msiexec.exe
Token: SeManageVolumePrivilege	1592	msiexec.exe
Token: SeImpersonatePrivilege	1592	msiexec.exe
Token: SeCreateGlobalPrivilege	1592	msiexec.exe
Token: SeBackupPrivilege	3520	vssvc.exe
Token: SeRestorePrivilege	3520	vssvc.exe
Token: SeAuditPrivilege	3520	vssvc.exe
Token: SeBackupPrivilege	2748	msiexec.exe
Token: SeRestorePrivilege	2748	msiexec.exe
Token: SeRestorePrivilege	2748	msiexec.exe
Token: SeTakeOwnershipPrivilege	2748	msiexec.exe
Token: SeRestorePrivilege	2748	msiexec.exe
Token: SeTakeOwnershipPrivilege	2748	msiexec.exe
Token: SeRestorePrivilege	2748	msiexec.exe
Token: SeTakeOwnershipPrivilege	2748	msiexec.exe
Token: SeRestorePrivilege	2748	msiexec.exe
Token: SeTakeOwnershipPrivilege	2748	msiexec.exe
Token: SeBackupPrivilege	4592	srtasks.exe
Token: SeRestorePrivilege	4592	srtasks.exe
Token: SeSecurityPrivilege	4592	srtasks.exe
Token: SeTakeOwnershipPrivilege	4592	srtasks.exe
Token: SeBackupPrivilege	4592	srtasks.exe
Token: SeRestorePrivilege	4592	srtasks.exe
Token: SeSecurityPrivilege	4592	srtasks.exe
Token: SeTakeOwnershipPrivilege	4592	srtasks.exe
Token: SeRestorePrivilege	2748	msiexec.exe
Token: SeTakeOwnershipPrivilege	2748	msiexec.exe
Token: SeRestorePrivilege	2748	msiexec.exe
Token: SeTakeOwnershipPrivilege	2748	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1592	msiexec.exe
1592	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 4592	2748	msiexec.exe	103
PID 2748 wrote to memory of 4592	2748	msiexec.exe	103
PID 2748 wrote to memory of 1972	2748	msiexec.exe	105
PID 2748 wrote to memory of 1972	2748	msiexec.exe	105
PID 2748 wrote to memory of 1972	2748	msiexec.exe	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e4780a285befbc2419d74e2c3bcecffd0e128a8e1f8db367de072b37d59e942b_JC.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1592

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 621ECF16696C248E9D52A1FC2404ED0D
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  PID:1972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5a1198.rbs

Filesize
1KB

MD5
affab7d07b869059fbd0bb0debbf1f08

SHA1
1fa372da7a5a6ec77569520213854481c63fbde0

SHA256
943e327719b76cc239390f3980c5116835da37780face092d70adcfc94bafa77

SHA512
eb3fb3af7993a81586312902e077c8bbf62ea42eb370c775a745fdc1a80dbacbe2cae3e24d7e33ce8194480a4a096c15f46c6e5423594aa1beec277008e230c1

Download Submit
C:\Windows\Installer\MSI1500.tmp

Filesize
91KB

MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
C:\Windows\Installer\MSI1500.tmp

Filesize
91KB

MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
C:\Windows\Installer\MSI32E9.tmp

Filesize
91KB

MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
C:\Windows\Installer\MSI32E9.tmp

Filesize
91KB

MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
c1756ec988416052b1cc38c58fdeefb8

SHA1
18011cf314de9a5c431ae2a6e2dc709d971ef8c8

SHA256
c5e8737223e0fab4f25ca92a64c6622e6363e20297576fd67a3557bb19ae9157

SHA512
5629afee10c425bf79c2155203380995159aac0a377bfc16978fc05d6e4e7bdacffa8799db95da2c2de9b30bc688ba89bb29c44bb532195111a7dbd697d4e262

Download Submit
\??\Volume{99926f1d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{43010e06-cf36-4ab5-97e8-855231c1781f}_OnDiskSnapshotProp

Filesize
5KB

MD5
123db48ca560d8b417dee3e14f1065de

SHA1
cedacef07c85a800acda1463e1309a573a44d1d1

SHA256
1e196891122656bf1f50a79b277b7d332ac88b95fbbff8cb8c22a87f4705be0f

SHA512
1eda00c4bf66beb7a7a5e5dfe23e7fb6d5b444fb71b00845f89b57f51e5642023a6864249583614694bc02024e5d50ab71862847f279829fa48d5009871d9938

Download Submit