d67bc5bfd6512b944e1c5e3e7d6871771c84d9eb94c863d123c5e92c6a86dc46

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install.msi
Size

3.3MB
MD5

4e5903c4ff6d79dbad178815b377554d
SHA1

74f50126aebbd186d6defa3641113cdc88a37fa2
SHA256

d67bc5bfd6512b944e1c5e3e7d6871771c84d9eb94c863d123c5e92c6a86dc46
SHA512

9a513449963c860e9be50c05a79beeea554fc6bc9748b260340711d8cb705cb022f53f10cfdc35ce1ad8d97644df57a9aae959b6dbb96c15b85d8ecaf62031a8
SSDEEP

98304:5pKIwis1N1AaewONvZOIUFz+PlROVt1OTLmUsg:6IHmnqvZlUFz8RtyPg

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2816	ICACLS.EXE
2584	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f76a44c.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76a44b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76a44b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA5F0.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f76a44c.ipi	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
2384	MsiExec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2684	msiexec.exe
2684	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	844	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeSecurityPrivilege	2684	msiexec.exe
Token: SeCreateTokenPrivilege	844	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	844	msiexec.exe
Token: SeLockMemoryPrivilege	844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	844	msiexec.exe
Token: SeMachineAccountPrivilege	844	msiexec.exe
Token: SeTcbPrivilege	844	msiexec.exe
Token: SeSecurityPrivilege	844	msiexec.exe
Token: SeTakeOwnershipPrivilege	844	msiexec.exe
Token: SeLoadDriverPrivilege	844	msiexec.exe
Token: SeSystemProfilePrivilege	844	msiexec.exe
Token: SeSystemtimePrivilege	844	msiexec.exe
Token: SeProfSingleProcessPrivilege	844	msiexec.exe
Token: SeIncBasePriorityPrivilege	844	msiexec.exe
Token: SeCreatePagefilePrivilege	844	msiexec.exe
Token: SeCreatePermanentPrivilege	844	msiexec.exe
Token: SeBackupPrivilege	844	msiexec.exe
Token: SeRestorePrivilege	844	msiexec.exe
Token: SeShutdownPrivilege	844	msiexec.exe
Token: SeDebugPrivilege	844	msiexec.exe
Token: SeAuditPrivilege	844	msiexec.exe
Token: SeSystemEnvironmentPrivilege	844	msiexec.exe
Token: SeChangeNotifyPrivilege	844	msiexec.exe
Token: SeRemoteShutdownPrivilege	844	msiexec.exe
Token: SeUndockPrivilege	844	msiexec.exe
Token: SeSyncAgentPrivilege	844	msiexec.exe
Token: SeEnableDelegationPrivilege	844	msiexec.exe
Token: SeManageVolumePrivilege	844	msiexec.exe
Token: SeImpersonatePrivilege	844	msiexec.exe
Token: SeCreateGlobalPrivilege	844	msiexec.exe
Token: SeBackupPrivilege	2128	vssvc.exe
Token: SeRestorePrivilege	2128	vssvc.exe
Token: SeAuditPrivilege	2128	vssvc.exe
Token: SeBackupPrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2416	DrvInst.exe
Token: SeRestorePrivilege	2416	DrvInst.exe
Token: SeRestorePrivilege	2416	DrvInst.exe
Token: SeRestorePrivilege	2416	DrvInst.exe
Token: SeRestorePrivilege	2416	DrvInst.exe
Token: SeRestorePrivilege	2416	DrvInst.exe
Token: SeRestorePrivilege	2416	DrvInst.exe
Token: SeLoadDriverPrivilege	2416	DrvInst.exe
Token: SeLoadDriverPrivilege	2416	DrvInst.exe
Token: SeLoadDriverPrivilege	2416	DrvInst.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
844	msiexec.exe
844	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2384	2684	msiexec.exe	32
PID 2684 wrote to memory of 2384	2684	msiexec.exe	32
PID 2684 wrote to memory of 2384	2684	msiexec.exe	32
PID 2684 wrote to memory of 2384	2684	msiexec.exe	32
PID 2684 wrote to memory of 2384	2684	msiexec.exe	32
PID 2684 wrote to memory of 2384	2684	msiexec.exe	32
PID 2684 wrote to memory of 2384	2684	msiexec.exe	32
PID 2384 wrote to memory of 2816	2384	MsiExec.exe	33
PID 2384 wrote to memory of 2816	2384	MsiExec.exe	33
PID 2384 wrote to memory of 2816	2384	MsiExec.exe	33
PID 2384 wrote to memory of 2816	2384	MsiExec.exe	33
PID 2384 wrote to memory of 2168	2384	MsiExec.exe	35
PID 2384 wrote to memory of 2168	2384	MsiExec.exe	35
PID 2384 wrote to memory of 2168	2384	MsiExec.exe	35
PID 2384 wrote to memory of 2168	2384	MsiExec.exe	35
PID 2384 wrote to memory of 1508	2384	MsiExec.exe	37
PID 2384 wrote to memory of 1508	2384	MsiExec.exe	37
PID 2384 wrote to memory of 1508	2384	MsiExec.exe	37
PID 2384 wrote to memory of 1508	2384	MsiExec.exe	37
PID 2384 wrote to memory of 2904	2384	MsiExec.exe	39
PID 2384 wrote to memory of 2904	2384	MsiExec.exe	39
PID 2384 wrote to memory of 2904	2384	MsiExec.exe	39
PID 2384 wrote to memory of 2904	2384	MsiExec.exe	39
PID 2384 wrote to memory of 2584	2384	MsiExec.exe	41
PID 2384 wrote to memory of 2584	2384	MsiExec.exe	41
PID 2384 wrote to memory of 2584	2384	MsiExec.exe	41
PID 2384 wrote to memory of 2584	2384	MsiExec.exe	41

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\install.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:844

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADA863A7C034317451C08EFEDCA3F332
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-15d3f75d-eb68-421f-b3e6-9c2e0c64d25f\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2816
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start msedge https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/UG_Inv/Inv_UG_Invoice_Pay.pdf
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-15d3f75d-eb68-421f-b3e6-9c2e0c64d25f\files"
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-15d3f75d-eb68-421f-b3e6-9c2e0c64d25f\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:2584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C8" "00000000000003D0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-15d3f75d-eb68-421f-b3e6-9c2e0c64d25f\files.cab

Filesize
3.1MB

MD5
c5251b4a0300ac59b9c51b39b48960ef

SHA1
1a9f4710e07aff28c8961b8bb4d5a525ea385e42

SHA256
4d5fd376d65beb611b661283d72a19f92e69812c716546e3b3809062671238f2

SHA512
a00ddbbd2e4d29b6e54ad422d3a69c4cf3b68cec704c677b5713afe8080774a7b35367464fe5bde19efdd07795f1f7ce2ef13f236241b048638f56fa158b2e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-15d3f75d-eb68-421f-b3e6-9c2e0c64d25f\files\install.exe

Filesize
17.4MB

MD5
ccdd9f0ac61884935d08e0d7153d64b1

SHA1
6bb497ff904c908698fe84782e6d001821016461

SHA256
40cc8405c8cfdd9e3945aa9925211eab6530174b721d933603037d62be974695

SHA512
f3ef9829422c53bad188bcb9ef540b031a857db00c318810d630fba8dc69e4580aaf7e5817624051998add315c23a740d58564860af23009d03535e2ed80fbb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-15d3f75d-eb68-421f-b3e6-9c2e0c64d25f\msiwrapper.ini

Filesize
378B

MD5
4524354783ff302b9d276a4c1515a8a3

SHA1
998a6fb6417bf28b11c2c73b6ea7c7d2f4c67e23

SHA256
a939b426b5fc0a9125873185848f34a11ed91c7502f6828d20cc39b8b44a620d

SHA512
79e9e9930cee7c1dc6a4e9adee5d7096f680264aa1722f98c3493771eef15b773c8d5cf32650f6090f8ee42fbf872c2ef97448493bad305d5fec4f703ba53af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-15d3f75d-eb68-421f-b3e6-9c2e0c64d25f\msiwrapper.ini

Filesize
1KB

MD5
c54a138f0fd664a16c5aae2e01662336

SHA1
3004454b9f723c304905cd0cf5bf1e2edef310d5

SHA256
0dfa1978d72e412d687034d92fc462920a7fe3912aaca3b75455eb989ba0fd7a

SHA512
5d8826fe4fbd6f1d962bb78cf659b7f16af4d94ff9cccaa4b2e3ef579db6e7ad955adfd4f6f06e7f89d62097f7ba4742289a1a3a41a0707df535f0678da76df8

Download Submit
C:\Windows\Installer\MSIA5F0.tmp

Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
memory/1508-75-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download