142a30f9ba3c2e1efbdf15241721da3b20d7b6436761d3eaafdcc095dc681fc4

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7538dd6e69d0c65d2dc0eb091c3ced18.msi
Size

3.8MB
MD5

7538dd6e69d0c65d2dc0eb091c3ced18
SHA1

9d91e4cc3c59c258ae2655119692c13c899d68d2
SHA256

142a30f9ba3c2e1efbdf15241721da3b20d7b6436761d3eaafdcc095dc681fc4
SHA512

935aed41fbc1bb42cdc4b2c10fd306286642428c017248a71297d7674439415a410464a75b0529eec4b7a98f052408afcde24a501f6970fa405d642aafadb6c6
SSDEEP

98304:D77Pmq33rE/JDLPWZADUGer7B6iY74M/mmlwXVZaFB:L+R/eZADUXR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1820	MSI25EA.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1820	MSI25EA.tmp
1820	MSI25EA.tmp
1820	MSI25EA.tmp
1820	MSI25EA.tmp

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f7624df.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI25EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI25AA.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f7624df.msi	msiexec.exe
File created	C:\Windows\Installer\f7624e2.ipi	msiexec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2532	msiexec.exe
2532	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1272	msiexec.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1272	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1272	msiexec.exe
Token: SeRestorePrivilege	2532	msiexec.exe
Token: SeTakeOwnershipPrivilege	2532	msiexec.exe
Token: SeSecurityPrivilege	2532	msiexec.exe
Token: SeCreateTokenPrivilege	1272	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1272	msiexec.exe
Token: SeLockMemoryPrivilege	1272	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1272	msiexec.exe
Token: SeMachineAccountPrivilege	1272	msiexec.exe
Token: SeTcbPrivilege	1272	msiexec.exe
Token: SeSecurityPrivilege	1272	msiexec.exe
Token: SeTakeOwnershipPrivilege	1272	msiexec.exe
Token: SeLoadDriverPrivilege	1272	msiexec.exe
Token: SeSystemProfilePrivilege	1272	msiexec.exe
Token: SeSystemtimePrivilege	1272	msiexec.exe
Token: SeProfSingleProcessPrivilege	1272	msiexec.exe
Token: SeIncBasePriorityPrivilege	1272	msiexec.exe
Token: SeCreatePagefilePrivilege	1272	msiexec.exe
Token: SeCreatePermanentPrivilege	1272	msiexec.exe
Token: SeBackupPrivilege	1272	msiexec.exe
Token: SeRestorePrivilege	1272	msiexec.exe
Token: SeShutdownPrivilege	1272	msiexec.exe
Token: SeDebugPrivilege	1272	msiexec.exe
Token: SeAuditPrivilege	1272	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1272	msiexec.exe
Token: SeChangeNotifyPrivilege	1272	msiexec.exe
Token: SeRemoteShutdownPrivilege	1272	msiexec.exe
Token: SeUndockPrivilege	1272	msiexec.exe
Token: SeSyncAgentPrivilege	1272	msiexec.exe
Token: SeEnableDelegationPrivilege	1272	msiexec.exe
Token: SeManageVolumePrivilege	1272	msiexec.exe
Token: SeImpersonatePrivilege	1272	msiexec.exe
Token: SeCreateGlobalPrivilege	1272	msiexec.exe
Token: SeBackupPrivilege	2168	vssvc.exe
Token: SeRestorePrivilege	2168	vssvc.exe
Token: SeAuditPrivilege	2168	vssvc.exe
Token: SeBackupPrivilege	2532	msiexec.exe
Token: SeRestorePrivilege	2532	msiexec.exe
Token: SeRestorePrivilege	2884	DrvInst.exe
Token: SeRestorePrivilege	2884	DrvInst.exe
Token: SeRestorePrivilege	2884	DrvInst.exe
Token: SeRestorePrivilege	2884	DrvInst.exe
Token: SeRestorePrivilege	2884	DrvInst.exe
Token: SeRestorePrivilege	2884	DrvInst.exe
Token: SeRestorePrivilege	2884	DrvInst.exe
Token: SeLoadDriverPrivilege	2884	DrvInst.exe
Token: SeLoadDriverPrivilege	2884	DrvInst.exe
Token: SeLoadDriverPrivilege	2884	DrvInst.exe
Token: SeRestorePrivilege	2532	msiexec.exe
Token: SeTakeOwnershipPrivilege	2532	msiexec.exe
Token: SeRestorePrivilege	2532	msiexec.exe
Token: SeTakeOwnershipPrivilege	2532	msiexec.exe
Token: SeRestorePrivilege	2532	msiexec.exe
Token: SeTakeOwnershipPrivilege	2532	msiexec.exe
Token: SeRestorePrivilege	2532	msiexec.exe
Token: SeTakeOwnershipPrivilege	2532	msiexec.exe
Token: SeDebugPrivilege	1820	MSI25EA.tmp
Token: SeShutdownPrivilege	1820	MSI25EA.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1272	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1820	MSI25EA.tmp
1820	MSI25EA.tmp

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1820	2532	msiexec.exe	32
PID 2532 wrote to memory of 1820	2532	msiexec.exe	32
PID 2532 wrote to memory of 1820	2532	msiexec.exe	32
PID 2532 wrote to memory of 1820	2532	msiexec.exe	32

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7538dd6e69d0c65d2dc0eb091c3ced18.msi
1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1272

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\Installer\MSI25EA.tmp
  "C:\Windows\Installer\MSI25EA.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A0" "00000000000004C0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI25EA.tmp

Filesize
3.8MB

MD5
7f4cf5385ee25468ab2031d4e38c5ab8

SHA1
6b3253a4b7cc26942031d2b5cd8a3e05d9f35075

SHA256
07e12cd459d8702fd7a5366e060dbca732a3d4353dd6aa84381f98eec53f5426

SHA512
b8a25055753736fa162f67b381ebd5563c5b2f6a69a98ef56d88aeba760f4e596cebf2d3d5e949b2b9d433e5f4cda76f2657cf513a3e2dbb3c49785669835e8d

Download Submit