142a30f9ba3c2e1efbdf15241721da3b20d7b6436761d3eaafdcc095dc681fc4

General

Target

7538dd6e69d0c65d2dc0eb091c3ced18.msi
Size

3.8MB
MD5

7538dd6e69d0c65d2dc0eb091c3ced18
SHA1

9d91e4cc3c59c258ae2655119692c13c899d68d2
SHA256

142a30f9ba3c2e1efbdf15241721da3b20d7b6436761d3eaafdcc095dc681fc4
SHA512

935aed41fbc1bb42cdc4b2c10fd306286642428c017248a71297d7674439415a410464a75b0529eec4b7a98f052408afcde24a501f6970fa405d642aafadb6c6
SSDEEP

98304:D77Pmq33rE/JDLPWZADUGer7B6iY74M/mmlwXVZaFB:L+R/eZADUXR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

MSI7991.tmp

pid process

5048 MSI7991.tmp

pid	process
5048	MSI7991.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

MSI7991.tmp

pid process

5048 MSI7991.tmp
5048 MSI7991.tmp
5048 MSI7991.tmp
5048 MSI7991.tmp

pid	process
5048	MSI7991.tmp
5048	MSI7991.tmp
5048	MSI7991.tmp
5048	MSI7991.tmp

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI78E4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7991.tmp	msiexec.exe
File created	C:\Windows\Installer\e5876d1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5876d1.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000004a3253d230439a9b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800004a3253d20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809004a3253d2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d4a3253d2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004a3253d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

512 msiexec.exe
512 msiexec.exe

pid	process
512	msiexec.exe
512	msiexec.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeMSI7991.tmpsrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	1596	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1596	msiexec.exe
Token: SeSecurityPrivilege	512	msiexec.exe
Token: SeCreateTokenPrivilege	1596	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1596	msiexec.exe
Token: SeLockMemoryPrivilege	1596	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1596	msiexec.exe
Token: SeMachineAccountPrivilege	1596	msiexec.exe
Token: SeTcbPrivilege	1596	msiexec.exe
Token: SeSecurityPrivilege	1596	msiexec.exe
Token: SeTakeOwnershipPrivilege	1596	msiexec.exe
Token: SeLoadDriverPrivilege	1596	msiexec.exe
Token: SeSystemProfilePrivilege	1596	msiexec.exe
Token: SeSystemtimePrivilege	1596	msiexec.exe
Token: SeProfSingleProcessPrivilege	1596	msiexec.exe
Token: SeIncBasePriorityPrivilege	1596	msiexec.exe
Token: SeCreatePagefilePrivilege	1596	msiexec.exe
Token: SeCreatePermanentPrivilege	1596	msiexec.exe
Token: SeBackupPrivilege	1596	msiexec.exe
Token: SeRestorePrivilege	1596	msiexec.exe
Token: SeShutdownPrivilege	1596	msiexec.exe
Token: SeDebugPrivilege	1596	msiexec.exe
Token: SeAuditPrivilege	1596	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1596	msiexec.exe
Token: SeChangeNotifyPrivilege	1596	msiexec.exe
Token: SeRemoteShutdownPrivilege	1596	msiexec.exe
Token: SeUndockPrivilege	1596	msiexec.exe
Token: SeSyncAgentPrivilege	1596	msiexec.exe
Token: SeEnableDelegationPrivilege	1596	msiexec.exe
Token: SeManageVolumePrivilege	1596	msiexec.exe
Token: SeImpersonatePrivilege	1596	msiexec.exe
Token: SeCreateGlobalPrivilege	1596	msiexec.exe
Token: SeBackupPrivilege	4488	vssvc.exe
Token: SeRestorePrivilege	4488	vssvc.exe
Token: SeAuditPrivilege	4488	vssvc.exe
Token: SeBackupPrivilege	512	msiexec.exe
Token: SeRestorePrivilege	512	msiexec.exe
Token: SeRestorePrivilege	512	msiexec.exe
Token: SeTakeOwnershipPrivilege	512	msiexec.exe
Token: SeRestorePrivilege	512	msiexec.exe
Token: SeTakeOwnershipPrivilege	512	msiexec.exe
Token: SeRestorePrivilege	512	msiexec.exe
Token: SeTakeOwnershipPrivilege	512	msiexec.exe
Token: SeShutdownPrivilege	5048	MSI7991.tmp
Token: SeBackupPrivilege	2968	srtasks.exe
Token: SeRestorePrivilege	2968	srtasks.exe
Token: SeSecurityPrivilege	2968	srtasks.exe
Token: SeTakeOwnershipPrivilege	2968	srtasks.exe
Token: SeBackupPrivilege	2968	srtasks.exe
Token: SeRestorePrivilege	2968	srtasks.exe
Token: SeSecurityPrivilege	2968	srtasks.exe
Token: SeTakeOwnershipPrivilege	2968	srtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1596 msiexec.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MSI7991.tmp

pid process

5048 MSI7991.tmp
5048 MSI7991.tmp

pid	process
1596	msiexec.exe

pid	process
5048	MSI7991.tmp
5048	MSI7991.tmp

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 512 wrote to memory of 2968	512	msiexec.exe	srtasks.exe
PID 512 wrote to memory of 2968	512	msiexec.exe	srtasks.exe
PID 512 wrote to memory of 5048	512	msiexec.exe	MSI7991.tmp
PID 512 wrote to memory of 5048	512	msiexec.exe	MSI7991.tmp
PID 512 wrote to memory of 5048	512	msiexec.exe	MSI7991.tmp

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7538dd6e69d0c65d2dc0eb091c3ced18.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1596

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\Installer\MSI7991.tmp
"C:\Windows\Installer\MSI7991.tmp"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5048

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5048-16-0x0000000075140000-0x0000000075179000-memory.dmp

Filesize
228KB

Download
memory/5048-17-0x00000000754C0000-0x00000000754F9000-memory.dmp

Filesize
228KB

Download
memory/5048-18-0x00000000754C0000-0x00000000754F9000-memory.dmp

Filesize
228KB

Download
memory/5048-21-0x00000000754C0000-0x00000000754F9000-memory.dmp

Filesize
228KB

Download
memory/5048-22-0x00000000754C0000-0x00000000754F9000-memory.dmp

Filesize
228KB

Download
memory/5048-23-0x00000000754C0000-0x00000000754F9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads