Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
30-01-2024 05:43
Static task
static1
Behavioral task
behavioral1
Sample
0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca.msi
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca.msi
Resource
win10v2004-20231215-en
General
-
Target
0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca.msi
-
Size
1.1MB
-
MD5
a362de111d5dff6bcdeaf4717af268b6
-
SHA1
2e5104db35871c5bc7da2035d8b91398bb5d5e0e
-
SHA256
0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca
-
SHA512
b48a18158a0dff9a9012952c467fcf69b8bfc53ceeacaf32a90fc4b7f3afd34465e676b282fa87f3c5c85b4780baf96cc754dcdeef77ba5330fa8c4fd1d20b72
-
SSDEEP
12288:w6yilXxt+i9uJB5XladYq15U+F54Sy3JItYzpm+zF4KSlgNY/k09L4:byKtb9gXdqjF54/JuOplFB09
Malware Config
Signatures
-
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
-
Renames multiple (2002) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 2 IoCs
pid Process 1864 Wire_Transfer.docx.exe 1548 drpbx.exe -
Loads dropped DLL 6 IoCs
pid Process 2388 MsiExec.exe 2388 MsiExec.exe 2388 MsiExec.exe 2388 MsiExec.exe 2388 MsiExec.exe 832 MsiExec.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" Wire_Transfer.docx.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Y: msiexec.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt drpbx.exe File opened for modification C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt drpbx.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_TexturedBlue.gif.fun drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_left.png drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg.fun drpbx.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar.fun drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg.fun drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_zh_CN.jar.fun drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Opulent.xml.fun drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new_partly-cloudy.png drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_GreenTea.gif.fun drpbx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\DefaultBlackAndWhite.dotx drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar drpbx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar.fun drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif.fun drpbx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml drpbx.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new_partly-cloudy.png drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml.fun drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml.fun drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_left.png drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\glow.png drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\currency.js drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml.fun drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\gadget.xml drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Fancy.dotx.fun drpbx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImageMask.bmp drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml drpbx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml drpbx.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImagesMask.bmp.fun drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml drpbx.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png drpbx.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\gadget.xml drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_ja_4.4.0.v20140623020002.jar.fun drpbx.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar.fun drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar.fun drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar.fun drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml.fun drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml.fun drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar.fun drpbx.exe -
Drops file in Windows directory 13 IoCs
description ioc Process File created C:\Windows\Installer\f76343a.msi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f76343b.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI3514.tmp msiexec.exe File opened for modification C:\Windows\Logs\DPX\setupact.log expand.exe File opened for modification C:\Windows\Installer\f76343a.msi msiexec.exe File opened for modification C:\Windows\Logs\DPX\setuperr.log expand.exe File opened for modification C:\Windows\Installer\MSI387F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3891.tmp msiexec.exe File opened for modification C:\Windows\Installer\f76343b.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 46 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E msiexec.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3016 msiexec.exe 3016 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeShutdownPrivilege 2264 msiexec.exe Token: SeIncreaseQuotaPrivilege 2264 msiexec.exe Token: SeRestorePrivilege 3016 msiexec.exe Token: SeTakeOwnershipPrivilege 3016 msiexec.exe Token: SeSecurityPrivilege 3016 msiexec.exe Token: SeCreateTokenPrivilege 2264 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2264 msiexec.exe Token: SeLockMemoryPrivilege 2264 msiexec.exe Token: SeIncreaseQuotaPrivilege 2264 msiexec.exe Token: SeMachineAccountPrivilege 2264 msiexec.exe Token: SeTcbPrivilege 2264 msiexec.exe Token: SeSecurityPrivilege 2264 msiexec.exe Token: SeTakeOwnershipPrivilege 2264 msiexec.exe Token: SeLoadDriverPrivilege 2264 msiexec.exe Token: SeSystemProfilePrivilege 2264 msiexec.exe Token: SeSystemtimePrivilege 2264 msiexec.exe Token: SeProfSingleProcessPrivilege 2264 msiexec.exe Token: SeIncBasePriorityPrivilege 2264 msiexec.exe Token: SeCreatePagefilePrivilege 2264 msiexec.exe Token: SeCreatePermanentPrivilege 2264 msiexec.exe Token: SeBackupPrivilege 2264 msiexec.exe Token: SeRestorePrivilege 2264 msiexec.exe Token: SeShutdownPrivilege 2264 msiexec.exe Token: SeDebugPrivilege 2264 msiexec.exe Token: SeAuditPrivilege 2264 msiexec.exe Token: SeSystemEnvironmentPrivilege 2264 msiexec.exe Token: SeChangeNotifyPrivilege 2264 msiexec.exe Token: SeRemoteShutdownPrivilege 2264 msiexec.exe Token: SeUndockPrivilege 2264 msiexec.exe Token: SeSyncAgentPrivilege 2264 msiexec.exe Token: SeEnableDelegationPrivilege 2264 msiexec.exe Token: SeManageVolumePrivilege 2264 msiexec.exe Token: SeImpersonatePrivilege 2264 msiexec.exe Token: SeCreateGlobalPrivilege 2264 msiexec.exe Token: SeBackupPrivilege 2816 vssvc.exe Token: SeRestorePrivilege 2816 vssvc.exe Token: SeAuditPrivilege 2816 vssvc.exe Token: SeBackupPrivilege 3016 msiexec.exe Token: SeRestorePrivilege 3016 msiexec.exe Token: SeRestorePrivilege 3028 DrvInst.exe Token: SeRestorePrivilege 3028 DrvInst.exe Token: SeRestorePrivilege 3028 DrvInst.exe Token: SeRestorePrivilege 3028 DrvInst.exe Token: SeRestorePrivilege 3028 DrvInst.exe Token: SeRestorePrivilege 3028 DrvInst.exe Token: SeRestorePrivilege 3028 DrvInst.exe Token: SeLoadDriverPrivilege 3028 DrvInst.exe Token: SeLoadDriverPrivilege 3028 DrvInst.exe Token: SeLoadDriverPrivilege 3028 DrvInst.exe Token: SeRestorePrivilege 3016 msiexec.exe Token: SeTakeOwnershipPrivilege 3016 msiexec.exe Token: SeRestorePrivilege 3016 msiexec.exe Token: SeTakeOwnershipPrivilege 3016 msiexec.exe Token: SeRestorePrivilege 3016 msiexec.exe Token: SeTakeOwnershipPrivilege 3016 msiexec.exe Token: SeRestorePrivilege 3016 msiexec.exe Token: SeTakeOwnershipPrivilege 3016 msiexec.exe Token: SeRestorePrivilege 3016 msiexec.exe Token: SeTakeOwnershipPrivilege 3016 msiexec.exe Token: SeRestorePrivilege 3016 msiexec.exe Token: SeTakeOwnershipPrivilege 3016 msiexec.exe Token: SeRestorePrivilege 3016 msiexec.exe Token: SeTakeOwnershipPrivilege 3016 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2264 msiexec.exe 2264 msiexec.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 3016 wrote to memory of 2388 3016 msiexec.exe 32 PID 3016 wrote to memory of 2388 3016 msiexec.exe 32 PID 3016 wrote to memory of 2388 3016 msiexec.exe 32 PID 3016 wrote to memory of 2388 3016 msiexec.exe 32 PID 3016 wrote to memory of 2388 3016 msiexec.exe 32 PID 3016 wrote to memory of 2388 3016 msiexec.exe 32 PID 3016 wrote to memory of 2388 3016 msiexec.exe 32 PID 2388 wrote to memory of 2856 2388 MsiExec.exe 33 PID 2388 wrote to memory of 2856 2388 MsiExec.exe 33 PID 2388 wrote to memory of 2856 2388 MsiExec.exe 33 PID 2388 wrote to memory of 2856 2388 MsiExec.exe 33 PID 2388 wrote to memory of 1864 2388 MsiExec.exe 35 PID 2388 wrote to memory of 1864 2388 MsiExec.exe 35 PID 2388 wrote to memory of 1864 2388 MsiExec.exe 35 PID 2388 wrote to memory of 1864 2388 MsiExec.exe 35 PID 1864 wrote to memory of 1548 1864 Wire_Transfer.docx.exe 36 PID 1864 wrote to memory of 1548 1864 Wire_Transfer.docx.exe 36 PID 1864 wrote to memory of 1548 1864 Wire_Transfer.docx.exe 36 PID 3016 wrote to memory of 832 3016 msiexec.exe 37 PID 3016 wrote to memory of 832 3016 msiexec.exe 37 PID 3016 wrote to memory of 832 3016 msiexec.exe 37 PID 3016 wrote to memory of 832 3016 msiexec.exe 37 PID 3016 wrote to memory of 832 3016 msiexec.exe 37 PID 3016 wrote to memory of 832 3016 msiexec.exe 37 PID 3016 wrote to memory of 832 3016 msiexec.exe 37 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2264
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 99D0E94959858C5496566EA4187476712⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\expand.exe"C:\Windows\System32\expand.exe" -R files.cab -F:* files3⤵
- Drops file in Windows directory
PID:2856
-
-
C:\Users\Admin\AppData\Local\Temp\MW-31343c9c-b84b-4b50-b57c-4f6e7c3dfad4\files\Wire_Transfer.docx.exe"C:\Users\Admin\AppData\Local\Temp\MW-31343c9c-b84b-4b50-b57c-4f6e7c3dfad4\files\Wire_Transfer.docx.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\MW-31343c9c-b84b-4b50-b57c-4f6e7c3dfad4\files\Wire_Transfer.docx.exe4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1548
-
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A3A05ECE0BB724A41C7C2791EEC9C8F8 M Global\MSI00002⤵
- Loads dropped DLL
PID:832
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A0" "00000000000002C4"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3028
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
160B
MD5000e8c41d4a15fb34d0be0dbb56e3778
SHA100c4eae64ee6239d7c65d819c6ce1ac329224f8c
SHA2568bdfa6a5b7de345cf0d4fe0e9c17d8b0e9db26d58b05b1b2ebbb3a05a068ff28
SHA512775d832eb8ab73e4a93789917dca69edb6c91fbb426e02acf7c6e213ffb4575776187209d1c471fbf57c4621ea3c23d9850f6dfc2770d62c17de9d66710800af
-
Filesize
282KB
MD5807718ec27e1cdf76ea45291e0b73dcb
SHA143fd298dff26c7cc2180d5b198ef23e0c37d578e
SHA2561001621d1b1d3cbba8d28644b24d7c4ff165c13ab2850661b3ed863efb6d1759
SHA512a01444e070e6cbcf6b0aeb00c54469ea2dcf36e841c9179bb8a8d4c316000ebab6cef72cfe21467cf283bbed8372ce4787f60296c985ab831c49e3d18646da43
-
C:\Users\Admin\AppData\Local\Temp\MW-31343c9c-b84b-4b50-b57c-4f6e7c3dfad4\files\Wire_Transfer.docx.exe
Filesize282KB
MD5fba7f5f58a53322d0b85cc588cfaacd1
SHA1da2617cb96dd02a075565de6a704551fd7995dab
SHA2561fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a
SHA512c9a4cb9076aeccff2cd1409dcdd8046ffa524ce768459443c2d69f21ef9c3fc899e2db19bed0377852e8e626436a80d9f192258e7e320fd3e252c0073eb762db
-
Filesize
513B
MD58a59e800c9176ad2c35a738c68ed3a8b
SHA1f41ce64187da05898086c592a50481a4c4edb458
SHA256dc3ce11b11d8f6ac3197e70945411053c12a955cb663df4fb5ed0f6805d723c1
SHA51226d58ff61db1f169cdcd3b2c7cdaeddafe29a0c99623a11849b27b6ed7c0a871cb42f9125ddfa22200045742c7b0859a9f289811caec2f13a67bfcf5344653fe
-
Filesize
16B
MD5cfdae8214d34112dbee6587664059558
SHA1f649f45d08c46572a9a50476478ddaef7e964353
SHA25633088cb514406f31e3d96a92c03294121ee9f24e176f7062625c2b36bee7a325
SHA512c260f2c223ecbf233051ac1d6a1548ad188a2777085e9d43b02da41b291ff258e4c506f99636150847aa24918c7bbb703652fef2fe55b3f50f85b5bd8dd5f6e3
-
Filesize
601KB
MD5ffe70d3419a64f4be1982d5cdf1155f4
SHA1c62e03d533925c871cb9caac853a1d3a33f60f34
SHA2568b590d235166ed734e376bcbb27491be8d5592682919e961ccac59b2aa19e909
SHA5125b2fd2c6cd1a8087be74a2b7ac04fce728a83c413bb041541314c534978d825818b250f3e1b81b3eeb4835800c6d66d40e7d7fd56fb582bc92c10566cee83675
-
Filesize
414KB
MD5c5acfcd519ada4b817a83df08fe51c10
SHA1602beceddf23c5b4bbb27feb72cf978948033028
SHA256eabc60ad5a3c8a35e4a2b6a68a0341b17a2445d3b98fa7ae99aaaedd3aa5fa59
SHA512f61086f115d77bd7373fe0ae18352f975e6b28fb56ac3618078f7a7e4fdbde7a7fbb21a1db0f3ab7705c2c2821aba600363f9d9e59218bc9a4a3ae410e79273a
-
Filesize
515KB
MD5f1e058ff1369a6c83399459054fc8eb4
SHA130d1f123337705af870bd480239458ce2aa2fc43
SHA2563341e6179b42ff1f5fae3ddd2d13c43e63607e7c891c647fe1b2cd72492170f8
SHA5122e03b74aa1181f0729f9a3f6eed013b93540215b5a786ea273c38a63369960b8644dbd4ab0df492371b0702fbeff729a3e573b0e808b5c8572e97e59fce6d31b