3d36c21c7f255ba1596da6e9a771b61d5120113376f519d13b336343362f2b4a

General

Target

612b7a607a8e.msi
Size

8.5MB
MD5

5e5704e30401f1ba9906e382f6a7c684
SHA1

f3d67076e491ab59f33a06afcd00a42d9a344711
SHA256

3d36c21c7f255ba1596da6e9a771b61d5120113376f519d13b336343362f2b4a
SHA512

a83c23efb0cc54a666a322a8d492c53ea9fc5a2de9b53dfadaab7d98724fcb53c93edbddb174f381e02e9cc47b0a4ba5bb217ce01069937c6e4bdd1a7dedd514
SSDEEP

196608:xeS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9lqFM2CMhimhs4W:xdhVs6WXjX9HZ5AQX32WDuqRCMhif4W

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

4388 MsiExec.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

ICACLS.EXE

pid process

4244 ICACLS.EXE

pid	process
4388	MsiExec.exe

pid	process
4244	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in Windows directory 7 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{6D10BDA0-92A9-4D34-AD07-0BEAD9804F2B}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A0A.tmp	msiexec.exe
File created	C:\Windows\Installer\e5a4816.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a4816.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000004e6fa88768ff2e40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000004e6fa880000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090004e6fa88000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d04e6fa88000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000004e6fa8800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

396 msiexec.exe
396 msiexec.exe

pid	process
396	msiexec.exe
396	msiexec.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	408	msiexec.exe
Token: SeIncreaseQuotaPrivilege	408	msiexec.exe
Token: SeSecurityPrivilege	396	msiexec.exe
Token: SeCreateTokenPrivilege	408	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	408	msiexec.exe
Token: SeLockMemoryPrivilege	408	msiexec.exe
Token: SeIncreaseQuotaPrivilege	408	msiexec.exe
Token: SeMachineAccountPrivilege	408	msiexec.exe
Token: SeTcbPrivilege	408	msiexec.exe
Token: SeSecurityPrivilege	408	msiexec.exe
Token: SeTakeOwnershipPrivilege	408	msiexec.exe
Token: SeLoadDriverPrivilege	408	msiexec.exe
Token: SeSystemProfilePrivilege	408	msiexec.exe
Token: SeSystemtimePrivilege	408	msiexec.exe
Token: SeProfSingleProcessPrivilege	408	msiexec.exe
Token: SeIncBasePriorityPrivilege	408	msiexec.exe
Token: SeCreatePagefilePrivilege	408	msiexec.exe
Token: SeCreatePermanentPrivilege	408	msiexec.exe
Token: SeBackupPrivilege	408	msiexec.exe
Token: SeRestorePrivilege	408	msiexec.exe
Token: SeShutdownPrivilege	408	msiexec.exe
Token: SeDebugPrivilege	408	msiexec.exe
Token: SeAuditPrivilege	408	msiexec.exe
Token: SeSystemEnvironmentPrivilege	408	msiexec.exe
Token: SeChangeNotifyPrivilege	408	msiexec.exe
Token: SeRemoteShutdownPrivilege	408	msiexec.exe
Token: SeUndockPrivilege	408	msiexec.exe
Token: SeSyncAgentPrivilege	408	msiexec.exe
Token: SeEnableDelegationPrivilege	408	msiexec.exe
Token: SeManageVolumePrivilege	408	msiexec.exe
Token: SeImpersonatePrivilege	408	msiexec.exe
Token: SeCreateGlobalPrivilege	408	msiexec.exe
Token: SeBackupPrivilege	3380	vssvc.exe
Token: SeRestorePrivilege	3380	vssvc.exe
Token: SeAuditPrivilege	3380	vssvc.exe
Token: SeBackupPrivilege	396	msiexec.exe
Token: SeRestorePrivilege	396	msiexec.exe
Token: SeRestorePrivilege	396	msiexec.exe
Token: SeTakeOwnershipPrivilege	396	msiexec.exe
Token: SeRestorePrivilege	396	msiexec.exe
Token: SeTakeOwnershipPrivilege	396	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

408 msiexec.exe

pid	process
408	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exe

description	pid	process	target process
PID 396 wrote to memory of 2324	396	msiexec.exe	srtasks.exe
PID 396 wrote to memory of 2324	396	msiexec.exe	srtasks.exe
PID 396 wrote to memory of 4388	396	msiexec.exe	MsiExec.exe
PID 396 wrote to memory of 4388	396	msiexec.exe	MsiExec.exe
PID 396 wrote to memory of 4388	396	msiexec.exe	MsiExec.exe
PID 4388 wrote to memory of 4244	4388	MsiExec.exe	ICACLS.EXE
PID 4388 wrote to memory of 4244	4388	MsiExec.exe	ICACLS.EXE
PID 4388 wrote to memory of 4244	4388	MsiExec.exe	ICACLS.EXE

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\612b7a607a8e.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:408

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2324

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8CFD5A474FF8791F0CE1456DD15869D7
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-16d7c393-57a5-4dc2-af6a-6756c239abda\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
3⤵
- Modifies file permissions
PID:4244

C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
3⤵
PID:4220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3380

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-16d7c393-57a5-4dc2-af6a-6756c239abda\files.cab
Filesize
6.3MB

MD5
6adf69d5d9ac779111860c82848854bb

SHA1
94417ace2d280a0dbc502f1ac08214a790f7cb54

SHA256
5bb9888a6307f08d2ab05610b66bcfb69cffd724a6687e78c7647cddfd95ddc0

SHA512
ccfc066609fdf5bf9df139c25b54bd7c8b2c51e21d82d0ca2c1cea48afa8147d1be56c8c46a7a6c76d1438f9fd0d1dd9dc3dadc1ba7d5e4654afc5e9a0a77847

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-16d7c393-57a5-4dc2-af6a-6756c239abda\msiwrapper.ini
Filesize
330B

MD5
9877f4f3567c60e14bd8af7b5abac9ba

SHA1
8b36b30c12d17202242528ba810ce0aadcf6b507

SHA256
cef3b881ff1482efa8eb9fdbd3501e1bd4749ce7e44c6ffb905dc37ae4dcbfda

SHA512
3a9084be8e4805a3d8598ab7440edc394a2e4e2c06011b313e9105d2f77f1fc93689cfad8ee0eadab95c031301127c95f31a654483efe54cc12d0a17e77e5613

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-16d7c393-57a5-4dc2-af6a-6756c239abda\msiwrapper.ini
Filesize
1KB

MD5
690f1ae8217c5aaf62c4f31c190d25a5

SHA1
1a626a56b61837d890c4aebeabb96344dde980dd

SHA256
2a07d12b07cc8f0502a11871512d9cedbd1fc0fe2fda26218fc463b8ad98da52

SHA512
a0e5dc5c793c159990b1ffb20d0e8c6bd64f9b879112c5cf2452f804068327f96848fb338f4858a41f15444f515d273db8c885b9b152315b3dc8c34004dfa634

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-16d7c393-57a5-4dc2-af6a-6756c239abda\msiwrapper.ini
Filesize
1KB

MD5
690f1ae8217c5aaf62c4f31c190d25a5

SHA1
1a626a56b61837d890c4aebeabb96344dde980dd

SHA256
2a07d12b07cc8f0502a11871512d9cedbd1fc0fe2fda26218fc463b8ad98da52

SHA512
a0e5dc5c793c159990b1ffb20d0e8c6bd64f9b879112c5cf2452f804068327f96848fb338f4858a41f15444f515d273db8c885b9b152315b3dc8c34004dfa634

Download Submit
C:\Windows\Installer\MSI4A0A.tmp
Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI4A0A.tmp
Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads