Analysis
-
max time kernel
167s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2023 15:16
Static task
static1
Behavioral task
behavioral1
Sample
1c532f2594.msi
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral2
Sample
1c532f2594.msi
Resource
win10v2004-20231023-en
windows10-2004-x64
General
-
Target
1c532f2594.msi
-
Size
8.5MB
-
MD5
fbf5d7b4c5f0e86a95b4fcd5c5ccc534
-
SHA1
51588315ff4ae36412c337361ea65f84810938d8
-
SHA256
6da198925581418863170f05b832cd1584b923278d0730d779a30ec96513111d
-
SHA512
3ef2d34071fc10bed59dbe60df3789524f62b89284cc011f1ab0a790196f9010ef6fa41d809947f52668918aa72c90c17211d6be82707b0f8099df548fb40588
-
SSDEEP
196608:0eS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9OtaQCK0Ex7FVJi0:0dhVs6WXjX9HZ5AQX32WDb0ExZV8
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 3100 MsiExec.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 3372 ICACLS.EXE -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe -
Drops file in Windows directory 9 IoCs
description ioc Process File created C:\Windows\Installer\e5a4799.msi msiexec.exe File opened for modification C:\Windows\Installer\e5a4799.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\SourceHash{D70D8767-7D90-4463-918C-930A0DC2454D} msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI4BB0.tmp msiexec.exe File opened for modification C:\Windows\LOGS\DPX\setupact.log EXPAND.EXE File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\LOGS\DPX\setuperr.log EXPAND.EXE -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000326c22034809cb6a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000326c22030000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900326c2203000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d326c2203000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000326c220300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 396 msiexec.exe 396 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeShutdownPrivilege 1932 msiexec.exe Token: SeIncreaseQuotaPrivilege 1932 msiexec.exe Token: SeSecurityPrivilege 396 msiexec.exe Token: SeCreateTokenPrivilege 1932 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1932 msiexec.exe Token: SeLockMemoryPrivilege 1932 msiexec.exe Token: SeIncreaseQuotaPrivilege 1932 msiexec.exe Token: SeMachineAccountPrivilege 1932 msiexec.exe Token: SeTcbPrivilege 1932 msiexec.exe Token: SeSecurityPrivilege 1932 msiexec.exe Token: SeTakeOwnershipPrivilege 1932 msiexec.exe Token: SeLoadDriverPrivilege 1932 msiexec.exe Token: SeSystemProfilePrivilege 1932 msiexec.exe Token: SeSystemtimePrivilege 1932 msiexec.exe Token: SeProfSingleProcessPrivilege 1932 msiexec.exe Token: SeIncBasePriorityPrivilege 1932 msiexec.exe Token: SeCreatePagefilePrivilege 1932 msiexec.exe Token: SeCreatePermanentPrivilege 1932 msiexec.exe Token: SeBackupPrivilege 1932 msiexec.exe Token: SeRestorePrivilege 1932 msiexec.exe Token: SeShutdownPrivilege 1932 msiexec.exe Token: SeDebugPrivilege 1932 msiexec.exe Token: SeAuditPrivilege 1932 msiexec.exe Token: SeSystemEnvironmentPrivilege 1932 msiexec.exe Token: SeChangeNotifyPrivilege 1932 msiexec.exe Token: SeRemoteShutdownPrivilege 1932 msiexec.exe Token: SeUndockPrivilege 1932 msiexec.exe Token: SeSyncAgentPrivilege 1932 msiexec.exe Token: SeEnableDelegationPrivilege 1932 msiexec.exe Token: SeManageVolumePrivilege 1932 msiexec.exe Token: SeImpersonatePrivilege 1932 msiexec.exe Token: SeCreateGlobalPrivilege 1932 msiexec.exe Token: SeBackupPrivilege 1560 vssvc.exe Token: SeRestorePrivilege 1560 vssvc.exe Token: SeAuditPrivilege 1560 vssvc.exe Token: SeBackupPrivilege 396 msiexec.exe Token: SeRestorePrivilege 396 msiexec.exe Token: SeRestorePrivilege 396 msiexec.exe Token: SeTakeOwnershipPrivilege 396 msiexec.exe Token: SeRestorePrivilege 396 msiexec.exe Token: SeTakeOwnershipPrivilege 396 msiexec.exe Token: SeBackupPrivilege 2308 srtasks.exe Token: SeRestorePrivilege 2308 srtasks.exe Token: SeSecurityPrivilege 2308 srtasks.exe Token: SeTakeOwnershipPrivilege 2308 srtasks.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1932 msiexec.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 396 wrote to memory of 2308 396 msiexec.exe 113 PID 396 wrote to memory of 2308 396 msiexec.exe 113 PID 396 wrote to memory of 3100 396 msiexec.exe 115 PID 396 wrote to memory of 3100 396 msiexec.exe 115 PID 396 wrote to memory of 3100 396 msiexec.exe 115 PID 3100 wrote to memory of 3372 3100 MsiExec.exe 116 PID 3100 wrote to memory of 3372 3100 MsiExec.exe 116 PID 3100 wrote to memory of 3372 3100 MsiExec.exe 116 PID 3100 wrote to memory of 4760 3100 MsiExec.exe 118 PID 3100 wrote to memory of 4760 3100 MsiExec.exe 118 PID 3100 wrote to memory of 4760 3100 MsiExec.exe 118 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1c532f2594.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1932
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
PID:2308
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding AC3018105642869BA994A6CBF72D9A962⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-a93167d2-fa96-403b-aae1-eb2c9f17e4db\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
PID:3372
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
PID:4760
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1560
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8.3MB
MD5d5298413b9d6dc59e277eb08f6e4431c
SHA155d71275c8737068b130dade96a8354d966e295a
SHA2565d8fea0c2e3a41247dada38ccaf7222aef40fc485e26e54dbee1fbcadb3079c0
SHA512983fee4dd48b55eb572b09eb1d743a61a67d320c23b55f7b9e8a9e55e407b8b3db00ffe5ca4c6793d26b436decb9dac9323003692c8ebac291c70396e6a0e2b6
-
Filesize
370B
MD5ab9a939eca79ccea8efe272b193da60d
SHA1e050460f33888ad7820cc4a6002754b51b663013
SHA2563a1b3f7f9480854fc215ab0284bd557fd8873bfe2278403c260bbec7624e3605
SHA5125311ca2a0b84cd82f43077c8b0a5dece52cd6ab830fb7b5909f19e500c2b6dffd24974656eff1e77f0d77a58d3217af2c3bba1c01778b5d2d98f49cc0c9c3dc5
-
Filesize
1KB
MD563253708d3121f06138ee6e9beb3fb14
SHA104dc179d309ffd2e2889e37716602a86b6272a71
SHA25691cb48d3c8e90beaa94a40f2420189c2a84fb487c4138fa585555b2b6ef06d74
SHA512f78963003677aca81d755a6dc22bd9a701dfffef13cff5ead52fd3d48050b4f15904a50766a30d52f7c9555bf3fc674cd8d6fec2deae584518c53c78cb2c7a5c
-
Filesize
1KB
MD563253708d3121f06138ee6e9beb3fb14
SHA104dc179d309ffd2e2889e37716602a86b6272a71
SHA25691cb48d3c8e90beaa94a40f2420189c2a84fb487c4138fa585555b2b6ef06d74
SHA512f78963003677aca81d755a6dc22bd9a701dfffef13cff5ead52fd3d48050b4f15904a50766a30d52f7c9555bf3fc674cd8d6fec2deae584518c53c78cb2c7a5c
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
\??\Volume{03226c32-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6e13da9b-8547-4261-be8a-141d0dad38b5}_OnDiskSnapshotProp
Filesize5KB
MD5e2aff051f705add4fdb6d3f2c6fa876a
SHA1fdfe3aca9fc4eb720bc963df1744b2e2cc4ab23f
SHA256af9642b8bb5e582ecf96feabca410bb87c628d3424d9ddedaeae88b5aab5a4be
SHA51226b1c882fa1bd5c46aa22522ae1b73904befcb1fe427076d43c67d20c4d9e58f473139aa56e127cfa2114561bd9e0627398756e524f9398dcd47e8a649f3ca18