Analysis

max time kernel:  88s
max time network: 150s
platform:         windows10-2004_x64
resource:         win10v2004-20231215-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted:        12/02/2024, 04:59
Static task: static1

Behavioral task: behavioral1
  Sample:   94b8ab735d503884585fdb5a735b3ea3485b6b19c1899939a5b2c0a80616400a.msi
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample:   94b8ab735d503884585fdb5a735b3ea3485b6b19c1899939a5b2c0a80616400a.msi
  Resource: win10v2004-20231215-en
General

Target: 94b8ab735d503884585fdb5a735b3ea3485b6b19c1899939a5b2c0a80616400a.msi
Size:   1.5MB
MD5:    9c8696dbb48add540a75737327c537d2
SHA1:   78b4eb7d363e017eb06e03408d7952bbb843f9a9
SHA256: 94b8ab735d503884585fdb5a735b3ea3485b6b19c1899939a5b2c0a80616400a
SHA512: 6ee26ecedd0386eca113e61086f6623b36ca093d24e41d90cf45412072d94d91dddb39c86ce726c3514da3d0221d3cf03455b00cc5d0987ca63d45c12225cf4a
SSDEEP: 49152:yErvYpW8zBQSc0ZnSKeZKumZr7Amyq3TGtezO:RYQ0ZncK/AEs
Malware Config

Signatures
Enumerates connected drives  (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

  description              ioc     Process
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
Drops file in Windows directory  (10 IoCs)

  description                    ioc                                                                      Process
  File opened for modification   C:\Windows\Installer\                                                    msiexec.exe
  File created                   C:\Windows\Installer\SourceHash{875666CF-F53F-4ED6-B062-37C9D770DE93}   msiexec.exe
  File opened for modification   C:\Windows\Installer\MSI7F05.tmp                                         msiexec.exe
  File created                   C:\Windows\Installer\e577dea.msi                                         msiexec.exe
  File opened for modification   C:\Windows\Installer\e577dea.msi                                         msiexec.exe
  File opened for modification   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                 msiexec.exe
  File opened for modification   C:\Windows\Installer\MSI7EB6.tmp                                         msiexec.exe
  File opened for modification   C:\Windows\Installer\MSI7E38.tmp                                         msiexec.exe
  File created                   C:\Windows\Installer\inprogressinstallinfo.ipi                           msiexec.exe
  File opened for modification   C:\Windows\Installer\MSI7F64.tmp                                         msiexec.exe
Executes dropped EXE  (1 IoC)

  pid   Process
  3708  MSI7F64.tmp
Loads dropped DLL  (10 IoCs)

  pid   Process
  4208  MsiExec.exe
  4208  MsiExec.exe
  4208  MsiExec.exe
  4208  MsiExec.exe
  4208  MsiExec.exe
  4208  MsiExec.exe
  5092  MsiExec.exe
  5092  MsiExec.exe
  3428  rundll32.exe
  5104  rundll32.exe
Checks SCSI registry key(s)  (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.

  description       ioc                                                                                                                                              Process
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = …   vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   vssvc.exe
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                                  vssvc.exe
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                                  vssvc.exe
  Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr                          vssvc.exe
Suspicious behavior: EnumeratesProcesses  (10 IoCs)

  pid   Process
  3692  msiexec.exe
  3692  msiexec.exe
  3428  rundll32.exe
  3428  rundll32.exe
  3428  rundll32.exe
  3428  rundll32.exe
  5104  rundll32.exe
  5104  rundll32.exe
  5104  rundll32.exe
  5104  rundll32.exe
Suspicious use of AdjustPrivilegeToken  (64 IoCs)

  description                           pid   Process
  Token: SeShutdownPrivilege            1872  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1872  msiexec.exe
  Token: SeSecurityPrivilege            3692  msiexec.exe
  Token: SeCreateTokenPrivilege         1872  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  1872  msiexec.exe
  Token: SeLockMemoryPrivilege          1872  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1872  msiexec.exe
  Token: SeMachineAccountPrivilege      1872  msiexec.exe
  Token: SeTcbPrivilege                 1872  msiexec.exe
  Token: SeSecurityPrivilege            1872  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1872  msiexec.exe
  Token: SeLoadDriverPrivilege          1872  msiexec.exe
  Token: SeSystemProfilePrivilege       1872  msiexec.exe
  Token: SeSystemtimePrivilege          1872  msiexec.exe
  Token: SeProfSingleProcessPrivilege   1872  msiexec.exe
  Token: SeIncBasePriorityPrivilege     1872  msiexec.exe
  Token: SeCreatePagefilePrivilege      1872  msiexec.exe
  Token: SeCreatePermanentPrivilege     1872  msiexec.exe
  Token: SeBackupPrivilege              1872  msiexec.exe
  Token: SeRestorePrivilege             1872  msiexec.exe
  Token: SeShutdownPrivilege            1872  msiexec.exe
  Token: SeDebugPrivilege               1872  msiexec.exe
  Token: SeAuditPrivilege               1872  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   1872  msiexec.exe
  Token: SeChangeNotifyPrivilege        1872  msiexec.exe
  Token: SeRemoteShutdownPrivilege      1872  msiexec.exe
  Token: SeUndockPrivilege              1872  msiexec.exe
  Token: SeSyncAgentPrivilege           1872  msiexec.exe
  Token: SeEnableDelegationPrivilege    1872  msiexec.exe
  Token: SeManageVolumePrivilege        1872  msiexec.exe
  Token: SeImpersonatePrivilege         1872  msiexec.exe
  Token: SeCreateGlobalPrivilege        1872  msiexec.exe
  Token: SeCreateTokenPrivilege         1872  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  1872  msiexec.exe
  Token: SeLockMemoryPrivilege          1872  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1872  msiexec.exe
  Token: SeMachineAccountPrivilege      1872  msiexec.exe
  Token: SeTcbPrivilege                 1872  msiexec.exe
  Token: SeSecurityPrivilege            1872  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1872  msiexec.exe
  Token: SeLoadDriverPrivilege          1872  msiexec.exe
  Token: SeSystemProfilePrivilege       1872  msiexec.exe
  Token: SeSystemtimePrivilege          1872  msiexec.exe
  Token: SeProfSingleProcessPrivilege   1872  msiexec.exe
  Token: SeIncBasePriorityPrivilege     1872  msiexec.exe
  Token: SeCreatePagefilePrivilege      1872  msiexec.exe
  Token: SeCreatePermanentPrivilege     1872  msiexec.exe
  Token: SeBackupPrivilege              1872  msiexec.exe
  Token: SeRestorePrivilege             1872  msiexec.exe
  Token: SeShutdownPrivilege            1872  msiexec.exe
  Token: SeDebugPrivilege               1872  msiexec.exe
  Token: SeAuditPrivilege               1872  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   1872  msiexec.exe
  Token: SeChangeNotifyPrivilege        1872  msiexec.exe
  Token: SeRemoteShutdownPrivilege      1872  msiexec.exe
  Token: SeUndockPrivilege              1872  msiexec.exe
  Token: SeSyncAgentPrivilege           1872  msiexec.exe
  Token: SeEnableDelegationPrivilege    1872  msiexec.exe
  Token: SeManageVolumePrivilege        1872  msiexec.exe
  Token: SeImpersonatePrivilege         1872  msiexec.exe
  Token: SeCreateGlobalPrivilege        1872  msiexec.exe
  Token: SeCreateTokenPrivilege         1872  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  1872  msiexec.exe
  Token: SeLockMemoryPrivilege          1872  msiexec.exe
Suspicious use of FindShellTrayWindow  (2 IoCs)

  pid   Process
  1872  msiexec.exe
  1872  msiexec.exe
Suspicious use of WriteProcessMemory  (13 IoCs)

  description                        pid   Process       procid_target
  PID 3692 wrote to memory of 4208   3692  msiexec.exe   88
  PID 3692 wrote to memory of 4208   3692  msiexec.exe   88
  PID 3692 wrote to memory of 4208   3692  msiexec.exe   88
  PID 3692 wrote to memory of 2124   3692  msiexec.exe   96
  PID 3692 wrote to memory of 2124   3692  msiexec.exe   96
  PID 3692 wrote to memory of 5092   3692  msiexec.exe   98
  PID 3692 wrote to memory of 5092   3692  msiexec.exe   98
  PID 3692 wrote to memory of 5092   3692  msiexec.exe   98
  PID 3692 wrote to memory of 3708   3692  msiexec.exe   99
  PID 3692 wrote to memory of 3708   3692  msiexec.exe   99
  PID 3692 wrote to memory of 3708   3692  msiexec.exe   99
  PID 3428 wrote to memory of 5104   3428  rundll32.exe  101
  PID 3428 wrote to memory of 5104   3428  rundll32.exe  101
Uses Task Scheduler COM API  (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe  (PID 1872)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\94b8ab735d503884585fdb5a735b3ea3485b6b19c1899939a5b2c0a80616400a.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  (PID 3692)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe  (PID 4208)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 470EB73D076EC9B6ED34BC297D6674E0 C
      - Loads dropped DLL

    C:\Windows\system32\srtasks.exe  (PID 2124)
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    C:\Windows\syswow64\MsiExec.exe  (PID 5092)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 01F074FDC9745797A8F2A15136CB59B2
      - Loads dropped DLL

    C:\Windows\Installer\MSI7F64.tmp  (PID 3708)
      Command line: "C:\Windows\Installer\MSI7F64.tmp" /DontWait C:/Windows/System32/rundll32.exe C:\Users\Admin\AppData\Local\Putty/setordinal.dll,bhuf
      - Executes dropped EXE

C:\Windows\system32\vssvc.exe  (PID 2576)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)

C:\Windows\System32\rundll32.exe  (PID 3428)
  Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Putty/setordinal.dll,bhuf
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\rundll32.exe  (PID 5104)
      Command line: rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_765773b8.dll", bhuf
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads