cc49bdc9aef4d1448eae83b55e55723ad737dabaf4b9620f48728329ce6b6cf2

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9999.msi
Size

156KB
MD5

ebda5dc3980cd9246488a9446ceab215
SHA1

1b16b02d423eb8dcc57673390e666ed349a91030
SHA256

cc49bdc9aef4d1448eae83b55e55723ad737dabaf4b9620f48728329ce6b6cf2
SHA512

5641dc04318e177b0c10d726c4f3c0e3ece55b91f9f46f3a1deb4471f81bf37eb261341987437f3db0bceea2e58f5697c0d5b2f4653adf83319c3e4f8da487ce
SSDEEP

384:iHpe4ZvJXK7gzFM7Wu81j9SaoXgZs+5BCq26yy3M5BCqPN:Zmxa7gBMyucjDCUyWMDC

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76ea20.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC23.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC73.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76ea21.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76ea20.msi	msiexec.exe
File created	C:\Windows\Installer\f76ea21.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2888	MSIEC73.tmp

Loads dropped DLL 2 IoCs

pid	Process
2504	msiexec.exe
2504	msiexec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2504	msiexec.exe
2504	msiexec.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1216	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe
Token: SeSecurityPrivilege	2504	msiexec.exe
Token: SeCreateTokenPrivilege	1216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1216	msiexec.exe
Token: SeLockMemoryPrivilege	1216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1216	msiexec.exe
Token: SeMachineAccountPrivilege	1216	msiexec.exe
Token: SeTcbPrivilege	1216	msiexec.exe
Token: SeSecurityPrivilege	1216	msiexec.exe
Token: SeTakeOwnershipPrivilege	1216	msiexec.exe
Token: SeLoadDriverPrivilege	1216	msiexec.exe
Token: SeSystemProfilePrivilege	1216	msiexec.exe
Token: SeSystemtimePrivilege	1216	msiexec.exe
Token: SeProfSingleProcessPrivilege	1216	msiexec.exe
Token: SeIncBasePriorityPrivilege	1216	msiexec.exe
Token: SeCreatePagefilePrivilege	1216	msiexec.exe
Token: SeCreatePermanentPrivilege	1216	msiexec.exe
Token: SeBackupPrivilege	1216	msiexec.exe
Token: SeRestorePrivilege	1216	msiexec.exe
Token: SeShutdownPrivilege	1216	msiexec.exe
Token: SeDebugPrivilege	1216	msiexec.exe
Token: SeAuditPrivilege	1216	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1216	msiexec.exe
Token: SeChangeNotifyPrivilege	1216	msiexec.exe
Token: SeRemoteShutdownPrivilege	1216	msiexec.exe
Token: SeUndockPrivilege	1216	msiexec.exe
Token: SeSyncAgentPrivilege	1216	msiexec.exe
Token: SeEnableDelegationPrivilege	1216	msiexec.exe
Token: SeManageVolumePrivilege	1216	msiexec.exe
Token: SeImpersonatePrivilege	1216	msiexec.exe
Token: SeCreateGlobalPrivilege	1216	msiexec.exe
Token: SeBackupPrivilege	2312	vssvc.exe
Token: SeRestorePrivilege	2312	vssvc.exe
Token: SeAuditPrivilege	2312	vssvc.exe
Token: SeBackupPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2684	DrvInst.exe
Token: SeRestorePrivilege	2684	DrvInst.exe
Token: SeRestorePrivilege	2684	DrvInst.exe
Token: SeRestorePrivilege	2684	DrvInst.exe
Token: SeRestorePrivilege	2684	DrvInst.exe
Token: SeRestorePrivilege	2684	DrvInst.exe
Token: SeRestorePrivilege	2684	DrvInst.exe
Token: SeLoadDriverPrivilege	2684	DrvInst.exe
Token: SeLoadDriverPrivilege	2684	DrvInst.exe
Token: SeLoadDriverPrivilege	2684	DrvInst.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1216	msiexec.exe
1216	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2888	2504	msiexec.exe	34
PID 2504 wrote to memory of 2888	2504	msiexec.exe	34
PID 2504 wrote to memory of 2888	2504	msiexec.exe	34
PID 2504 wrote to memory of 2916	2504	msiexec.exe	35
PID 2504 wrote to memory of 2916	2504	msiexec.exe	35
PID 2504 wrote to memory of 2916	2504	msiexec.exe	35
PID 2504 wrote to memory of 2916	2504	msiexec.exe	35
PID 2504 wrote to memory of 2916	2504	msiexec.exe	35
PID 2504 wrote to memory of 2916	2504	msiexec.exe	35
PID 2504 wrote to memory of 2916	2504	msiexec.exe	35
PID 2888 wrote to memory of 1720	2888	MSIEC73.tmp	36
PID 2888 wrote to memory of 1720	2888	MSIEC73.tmp	36
PID 2888 wrote to memory of 1720	2888	MSIEC73.tmp	36

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9999.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1216

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\Installer\MSIEC73.tmp
  "C:\Windows\Installer\MSIEC73.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:1720
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5CD731F58E1BDCDD56DFD4F1F3F496DB
  2⤵
  PID:2916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000494" "0000000000000490"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Installer\MSIEC73.tmp

Filesize
124KB

MD5
57e4ce0234325fcc001f2e465d14751c

SHA1
6767375014b90a73b53a7851e43b6fa8fddeda25

SHA256
20507f00ba2b9da6ea725d676243b45da92f99fd9d6e3ab4d1c861ba31484ec8

SHA512
33db14230d8c0ad89fd2dbc70c40a7391f506120d309027ee00c934734c9a6784958e265b74aff689393b5d627ad056a91475c84b05cf4f77e80c97e5abbcebf

Download Submit
memory/2504-13-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2504-15-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2504-29-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2504-30-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2888-16-0x0000000140000000-0x0000000140004248-memory.dmp

Filesize
16KB

Download