Analysis
max time kernel: 185s
max time network: 187s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-11-2023 18:28
Static task: static1
Behavioral task: behavioral1
  Sample: 612b7a607a8e.msi
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: 612b7a607a8e.msi
  Resource: win10v2004-20231020-en
General
Target: 612b7a607a8e.msi
Size: 8.5MB
MD5: 5e5704e30401f1ba9906e382f6a7c684
SHA1: f3d67076e491ab59f33a06afcd00a42d9a344711
SHA256: 3d36c21c7f255ba1596da6e9a771b61d5120113376f519d13b336343362f2b4a
SHA512: a83c23efb0cc54a666a322a8d492c53ea9fc5a2de9b53dfadaab7d98724fcb53c93edbddb174f381e02e9cc47b0a4ba5bb217ce01069937c6e4bdd1a7dedd514
SSDEEP: 196608:xeS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9lqFM2CMhimhs4W:xdhVs6WXjX9HZ5AQX32WDuqRCMhif4W
Malware Config
Signatures
-
Loads dropped DLL (1 IoC)
  PID 4388 MsiExec.exe
Modifies file permissions (1 TTP, 1 IoC)
  The IoC table is not reproduced here; the matching event is the ICACLS.EXE /SETINTEGRITYLEVEL invocation under PID 4388 in the process tree below.
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe (two processes)
  File opened (read-only) by msiexec.exe, 46 opens in total; each of the following drive roots appears twice in the list:
  \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  Not opened: C:, D:, F:.
  Windows Installer probes drive letters during any install, so this signature commonly fires on benign MSI packages as well; treat it as weak evidence on its own.
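The useful detection signal here is not the 46 raw opens but how many distinct drive roots one process touches. As an added example (editor's code, not part of the sandbox output), the following Python rebuilds the report's "File opened (read-only)" records from the drive letters listed above, in the report's own record format, parses them, and applies that aggregation. The threshold of five roots and the exclusion of C: are this example's assumptions; the report keys records by image name only, so real telemetry should key by PID instead.

```python
import re
from collections import defaultdict

# Constructed input: the 46 drive letters in the order the report lists them,
# rebuilt into the report's record format. Editor's example, not sandbox output.
_DRIVE_LETTERS = "UHTZPSXORJMNOPQQRVITZWYABBIULXNVWELJKGKGYMASEH"
SAMPLE_RECORDS = " ".join(
    f"File opened (read-only) \\??\\{d}: msiexec.exe" for d in _DRIVE_LETTERS
)

# One record: the NT path \??\X: that was opened, then the process image name.
_RECORD_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")


def parse_drive_opens(text):
    """Return (drive_letter, process) tuples, one per record, in report order."""
    return [(m.group(1), m.group(2)) for m in _RECORD_RE.finditer(text)]


def drive_roots_by_process(text):
    """Collapse raw opens into the set of distinct drive roots per process."""
    roots = defaultdict(set)
    for letter, proc in parse_drive_opens(text):
        roots[proc].add(letter)
    return dict(roots)


def flag_drive_sweep(text, threshold=5, ignore=("C",)):
    """Flag processes touching at least `threshold` distinct drive roots other
    than the ignored system drive. One extra drive (a USB stick, a mapped share)
    is ordinary; a walk from A: to Z: is enumeration. `threshold` and `ignore`
    are assumptions of this example, not values from the report."""
    findings = []
    for proc, letters in drive_roots_by_process(text).items():
        swept = sorted(letters - set(ignore))
        if len(swept) >= threshold:
            findings.append({"process": proc, "drives": swept, "count": len(swept)})
    return findings


if __name__ == "__main__":
    opens = parse_drive_opens(SAMPLE_RECORDS)
    roots = drive_roots_by_process(SAMPLE_RECORDS)["msiexec.exe"]
    print(f"{len(opens)} opens collapse to {len(roots)} distinct drive roots")
    for f in flag_drive_sweep(SAMPLE_RECORDS):
        print(f"{f['process']}: {f['count']} roots -> "
              + " ".join(d + ":" for d in f["drives"]))
```

Run stand-alone it reports 46 opens collapsing to 23 distinct roots and one finding for msiexec.exe; raising the threshold above 23 silences it, which is the knob to tune against the installer baseline noted above.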
Drops file in Windows directory (7 IoCs)
Process: msiexec.exe
  File created C:\Windows\Installer\SourceHash{6D10BDA0-92A9-4D34-AD07-0BEAD9804F2B}
  File opened for modification C:\Windows\Installer\
  File created C:\Windows\Installer\inprogressinstallinfo.ipi
  File opened for modification C:\Windows\Installer\MSI4A0A.tmp
  File created C:\Windows\Installer\e5a4816.msi
  File opened for modification C:\Windows\Installer\e5a4816.msi
  File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  These are the Windows Installer service's own bookkeeping files: the GUID in SourceHash{...} is the product code the package registers under, e5a4816.msi is the cached copy of the package, and MSIxxxx.tmp is where binary-table custom actions are extracted before they run.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Process: vssvc.exe
  Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not preserved in this copy of the report)
  Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr
  Caveat: in this run the keys are written by vssvc.exe, not by any installer process, and the values are the partition-manager snapshot caches the Volume Shadow Copy service maintains (the SnapshotDataCache blob starts with the ASCII tag SNAPPART, 53 4e 41 50 50 41 52 54). Together with the srtasks.exe ExecuteScopeRestorePoint child in the process tree, this is the restore point taken before the install, not the sample fingerprinting the disk.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 396 msiexec.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (41 IoCs)
  PID 408 msiexec.exe (31 entries): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 396 msiexec.exe (7 entries): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
  PID 3380 vssvc.exe (3 entries): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  Reading: PID 408 is the user-launched msiexec.exe /I client (it is the process that calls FindShellTrayWindow), and PID 396 is the installer service instance, msiexec.exe /V, which spawns srtasks.exe and the MsiExec.exe -Embedding host. The client enabling every privilege in its token in one burst is commonly seen on benign MSI installs too; the SeBackup/SeRestore/SeTakeOwnership use by the service and by vssvc.exe is what installing files and taking a restore point require.
Suspicious use of FindShellTrayWindow (1 IoC)
  PID 408 msiexec.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 396 msiexec.exe wrote to memory of PID 2324 srtasks.exe (2 entries)
  PID 396 msiexec.exe wrote to memory of PID 4388 MsiExec.exe (3 entries)
  PID 4388 MsiExec.exe wrote to memory of PID 4244 ICACLS.EXE (3 entries)
  Each pair is a parent writing into a child it has just created, matching the edges of the process tree below; that happens as part of process start-up and is not, by itself, evidence of injection into a foreign process.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Here it backs the system restore point requested before the install (srtasks.exe ExecuteScopeRestorePoint in the process tree), which is also why vssvc.exe appears as a top-level process.
Processes (indentation shows parent/child depth)
C:\Windows\system32\msiexec.exe
  cmdline: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\612b7a607a8e.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\srtasks.exe
      cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    C:\Windows\syswow64\MsiExec.exe
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8CFD5A474FF8791F0CE1456DD15869D7
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\ICACLS.EXE
          cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-16d7c393-57a5-4dc2-af6a-6756c239abda\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
          - Modifies file permissions
        C:\Windows\SysWOW64\EXPAND.EXE
          cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Notes on the tree: the 32-bit MsiExec.exe -Embedding process is the host the installer service starts to run the package's custom action (the DLL extracted to MSI4A0A.tmp is the likely subject of the "Loads dropped DLL" hit). Its two children do the staging: ICACLS /SETINTEGRITYLEVEL (CI)(OI)HIGH puts a high mandatory integrity label on the Temp\MW-... directory, inherited by files and subdirectories, so that medium-integrity processes can no longer write into it; EXPAND -R files.cab -F:* files then unpacks every member of files.cab into the files subdirectory. No process is started from the expanded files within the 185 s run, so whatever the package wraps does not execute in this trace.
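The chain under the installer service is the part of this tree worth a rule. As an added example (editor's code, not the sandbox's), the following Python parses the tree in the form the report prints it, where each line runs the image path, the command line and a trailing depth marker "N⤵" together, rebuilds parent/child links from the depth markers, and flags a MsiExec.exe -Embedding custom-action host whose children raise a Temp\MW-<GUID> directory to high integrity with ICACLS and unpack a .cab into it with EXPAND. The report's own dropped-file list (msiwrapper.ini and files.cab in that directory) is what makes this look like an MSI wrapping another executable; that reading, the Temp\MW- path pattern and the image/argument matching are this example's assumptions.

```python
import re

# The process tree exactly as the report prints it (reconstructed verbatim,
# trailing digit = depth). Editor's example input, not sandbox output.
REPORT_TREE = r"""
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\612b7a607a8e.msi1⤵
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8CFD5A474FF8791F0CE1456DD15869D72⤵
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-16d7c393-57a5-4dc2-af6a-6756c239abda\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
"""

# <image path><command line><depth>⤵ : the image path is the first token ending
# in .exe (these paths contain no spaces); the depth is the single last digit.
_LINE_RE = re.compile(r"^(\S+?\.exe)(.*?)(\d)⤵$", re.IGNORECASE)


def parse_tree(text):
    """Turn the depth-marked lines into nodes with parent and children indexes."""
    nodes, stack = [], []          # stack[d-1] = latest node index at depth d
    for line in text.strip().splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        image, cmdline, depth = m.group(1), m.group(2).strip(), int(m.group(3))
        node = {"image": image, "cmdline": cmdline, "depth": depth,
                "parent": stack[depth - 2] if depth > 1 else None, "children": []}
        if node["parent"] is not None:
            nodes[node["parent"]]["children"].append(len(nodes))
        del stack[depth - 1:]      # leaving a deeper subtree closes it
        stack.append(len(nodes))
        nodes.append(node)
    return nodes


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_wrapped_installer_stage(nodes):
    """Flag a MsiExec.exe -Embedding host whose children ICACLS a Temp\\MW-*
    directory to high integrity and EXPAND a .cab into it. The Temp\\MW- pattern
    and the argument matching are assumptions of this example."""
    findings = []
    for n in nodes:
        if basename(n["image"]) != "msiexec.exe" or "-embedding" not in n["cmdline"].lower():
            continue
        kids = [nodes[c] for c in n["children"]]
        icacls = [k for k in kids if basename(k["image"]) == "icacls.exe"
                  and "/setintegritylevel" in k["cmdline"].lower()]
        expand = [k for k in kids if basename(k["image"]) == "expand.exe"
                  and ".cab" in k["cmdline"].lower()]
        if not (icacls and expand):
            continue
        m = re.search(r'"([^"]*\\Temp\\MW-[^"\\]+)', icacls[0]["cmdline"], re.I)
        parent = nodes[n["parent"]] if n["parent"] is not None else None
        findings.append({
            "host_cmdline": n["cmdline"],
            "spawned_by_installer_service": bool(parent and "/v" in parent["cmdline"].lower().split()),
            "staging_dir": m.group(1) if m else None,
            "cab": expand[0]["cmdline"],
        })
    return findings


if __name__ == "__main__":
    tree = parse_tree(REPORT_TREE)
    for n in tree:
        print("  " * (n["depth"] - 1) + basename(n["image"]), "|", n["cmdline"])
    for f in find_wrapped_installer_stage(tree):
        print("wrapped-installer staging:", f)
```

On real EDR telemetry the same rule keys on ParentProcessId instead of the depth marker; the match conditions stay the same. A hit says "this MSI unpacks a payload into a user-writable Temp directory", not that the payload is malicious, so the next pivot is the contents of files.cab, which this report does not show executing.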
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (files written during the run)
C:\Users\Admin\AppData\Local\Temp\MW-16d7c393-57a5-4dc2-af6a-6756c239abda\files.cab
  Filesize: 6.3MB
  MD5: 6adf69d5d9ac779111860c82848854bb
  SHA1: 94417ace2d280a0dbc502f1ac08214a790f7cb54
  SHA256: 5bb9888a6307f08d2ab05610b66bcfb69cffd724a6687e78c7647cddfd95ddc0
  SHA512: ccfc066609fdf5bf9df139c25b54bd7c8b2c51e21d82d0ca2c1cea48afa8147d1be56c8c46a7a6c76d1438f9fd0d1dd9dc3dadc1ba7d5e4654afc5e9a0a77847
C:\Users\Admin\AppData\Local\Temp\MW-16d7c393-57a5-4dc2-af6a-6756c239abda\msiwrapper.ini
  Filesize: 330B
  MD5: 9877f4f3567c60e14bd8af7b5abac9ba
  SHA1: 8b36b30c12d17202242528ba810ce0aadcf6b507
  SHA256: cef3b881ff1482efa8eb9fdbd3501e1bd4749ce7e44c6ffb905dc37ae4dcbfda
  SHA512: 3a9084be8e4805a3d8598ab7440edc394a2e4e2c06011b313e9105d2f77f1fc93689cfad8ee0eadab95c031301127c95f31a654483efe54cc12d0a17e77e5613
C:\Users\Admin\AppData\Local\Temp\MW-16d7c393-57a5-4dc2-af6a-6756c239abda\msiwrapper.ini (same path, rewritten with different content)
  Filesize: 1KB
  MD5: 690f1ae8217c5aaf62c4f31c190d25a5
  SHA1: 1a626a56b61837d890c4aebeabb96344dde980dd
  SHA256: 2a07d12b07cc8f0502a11871512d9cedbd1fc0fe2fda26218fc463b8ad98da52
  SHA512: a0e5dc5c793c159990b1ffb20d0e8c6bd64f9b879112c5cf2452f804068327f96848fb338f4858a41f15444f515d273db8c885b9b152315b3dc8c34004dfa634
C:\Windows\Installer\MSI4A0A.tmp
  Filesize: 208KB
  MD5: d82b3fb861129c5d71f0cd2874f97216
  SHA1: f3fe341d79224126e950d2691d574d147102b18d
  SHA256: 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
  SHA512: 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b