f4afba646166999d6090b5beddde546450262dc595dddeb62132da70f70d14ca

Analysis

max time kernel
36s
max time network
34s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20-02-2024 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7z2201-x64 (6).msi
Size

1.8MB
MD5

50515f156ae516461e28dd453230d448
SHA1

3209574e09ec235b2613570e6d7d8d5058a64971
SHA256

f4afba646166999d6090b5beddde546450262dc595dddeb62132da70f70d14ca
SHA512

14593ca96d416a2fbb6bbbf8adec51978e6c0fb513882d5442ab5876e28dd79be14ca9dd77acff2d3d329cb7733f7e969e784c57e1f414d00f3c7b9d581638e5
SSDEEP

49152:ynV9R5GSuwYgV4mN4eOYq4Z0APsx/Eho:ynV9Ro/mTlbqC04s/

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\License.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\be.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\va.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\th.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	msiexec.exe
File created	C:\Program Files\7-Zip\History.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\az.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\si.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	msiexec.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip32.dll	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zG.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.dll	msiexec.exe
File created	C:\Windows\Installer\f76b4b0.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f76b462.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zFM.exe	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\f76b461.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zCon.sfx	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.exe	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.sfx	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.sfx	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zFM.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zG.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB616.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip32.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip.dll	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zCon.sfx	msiexec.exe
File opened for modification	C:\Windows\Installer\f76b462.ipi	msiexec.exe
File created	C:\Windows\Installer\f76b461.msi	msiexec.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Drive\shellex\DragDropHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\ProductName = "7-Zip 22.01 (x64 edition)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\PackageName = "7z2201-x64 (6).msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shellex\DragDropHandlers\7-Zip	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Version = "369164288"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\LanguageFiles = "Complete"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\Complete	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\PackageCode = "96F071321C0420722210000020000000"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0420720000000040000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0420720000000040000000\96F071321C0420722210000010000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\Program = "Complete"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\AdvertiseFlags = "388"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2696	msiexec.exe
2696	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2460	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeSecurityPrivilege	2696	msiexec.exe
Token: SeCreateTokenPrivilege	2460	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2460	msiexec.exe
Token: SeLockMemoryPrivilege	2460	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2460	msiexec.exe
Token: SeMachineAccountPrivilege	2460	msiexec.exe
Token: SeTcbPrivilege	2460	msiexec.exe
Token: SeSecurityPrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeLoadDriverPrivilege	2460	msiexec.exe
Token: SeSystemProfilePrivilege	2460	msiexec.exe
Token: SeSystemtimePrivilege	2460	msiexec.exe
Token: SeProfSingleProcessPrivilege	2460	msiexec.exe
Token: SeIncBasePriorityPrivilege	2460	msiexec.exe
Token: SeCreatePagefilePrivilege	2460	msiexec.exe
Token: SeCreatePermanentPrivilege	2460	msiexec.exe
Token: SeBackupPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeShutdownPrivilege	2460	msiexec.exe
Token: SeDebugPrivilege	2460	msiexec.exe
Token: SeAuditPrivilege	2460	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2460	msiexec.exe
Token: SeChangeNotifyPrivilege	2460	msiexec.exe
Token: SeRemoteShutdownPrivilege	2460	msiexec.exe
Token: SeUndockPrivilege	2460	msiexec.exe
Token: SeSyncAgentPrivilege	2460	msiexec.exe
Token: SeEnableDelegationPrivilege	2460	msiexec.exe
Token: SeManageVolumePrivilege	2460	msiexec.exe
Token: SeImpersonatePrivilege	2460	msiexec.exe
Token: SeCreateGlobalPrivilege	2460	msiexec.exe
Token: SeBackupPrivilege	2864	vssvc.exe
Token: SeRestorePrivilege	2864	vssvc.exe
Token: SeAuditPrivilege	2864	vssvc.exe
Token: SeBackupPrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2656	DrvInst.exe
Token: SeRestorePrivilege	2656	DrvInst.exe
Token: SeRestorePrivilege	2656	DrvInst.exe
Token: SeRestorePrivilege	2656	DrvInst.exe
Token: SeRestorePrivilege	2656	DrvInst.exe
Token: SeRestorePrivilege	2656	DrvInst.exe
Token: SeRestorePrivilege	2656	DrvInst.exe
Token: SeLoadDriverPrivilege	2656	DrvInst.exe
Token: SeLoadDriverPrivilege	2656	DrvInst.exe
Token: SeLoadDriverPrivilege	2656	DrvInst.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2460	msiexec.exe
2460	msiexec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\7z2201-x64 (6).msi"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2460

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005BC" "000000000000047C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76b463.rbs

Filesize
26KB

MD5
564493ec979bb6ba5b1bfe57552500c0

SHA1
7d94a81d4d640112ab28f4b6ae58c066f9579181

SHA256
8643e5199277b8212253f44cbe4fdbcf7fc30e582aa6cee3ec4bac92914e0118

SHA512
5473c58ffe2f3b403e09fc90c8d709aa0e359cbdac6e04866db37d7c117235d641b5e3b03827abec65e184fa1ed944bea50e56f087b7b5baa422d30180880261

Download Submit
C:\Windows\Installer\f76b4b0.msi

Filesize
1.4MB

MD5
1e4d329c9fdbd520eff05b143494afef

SHA1
d15b50c4c8a910febbeb476d6ebec7f0b1fd3b2d

SHA256
6b2e4bc41b0e7bfa4457ecdeea8878af70523ee960288240237072e19a7d0258

SHA512
2ec4a76c6263831d2f25c327660185b46572accdcc26e2517322d4c2a46bb142831c4e9177959531cc534a5bf0c84b9ed9a0d20974386c6902ac521cd6a494b7

Download Submit