d67bc5bfd6512b944e1c5e3e7d6871771c84d9eb94c863d123c5e92c6a86dc46

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-02-2024 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install.msi
Size

3.3MB
MD5

4e5903c4ff6d79dbad178815b377554d
SHA1

74f50126aebbd186d6defa3641113cdc88a37fa2
SHA256

d67bc5bfd6512b944e1c5e3e7d6871771c84d9eb94c863d123c5e92c6a86dc46
SHA512

9a513449963c860e9be50c05a79beeea554fc6bc9748b260340711d8cb705cb022f53f10cfdc35ce1ad8d97644df57a9aae959b6dbb96c15b85d8ecaf62031a8
SSDEEP

98304:5pKIwis1N1AaewONvZOIUFz+PlROVt1OTLmUsg:6IHmnqvZlUFz8RtyPg

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2280	ICACLS.EXE
2832	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76b09a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76b09a.msi	msiexec.exe
File created	C:\Windows\Installer\f76b09b.ipi	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB30A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76b09b.ipi	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
1612	MsiExec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2956	msiexec.exe
2956	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2112	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe
Token: SeSecurityPrivilege	2956	msiexec.exe
Token: SeCreateTokenPrivilege	2112	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2112	msiexec.exe
Token: SeLockMemoryPrivilege	2112	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2112	msiexec.exe
Token: SeMachineAccountPrivilege	2112	msiexec.exe
Token: SeTcbPrivilege	2112	msiexec.exe
Token: SeSecurityPrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeLoadDriverPrivilege	2112	msiexec.exe
Token: SeSystemProfilePrivilege	2112	msiexec.exe
Token: SeSystemtimePrivilege	2112	msiexec.exe
Token: SeProfSingleProcessPrivilege	2112	msiexec.exe
Token: SeIncBasePriorityPrivilege	2112	msiexec.exe
Token: SeCreatePagefilePrivilege	2112	msiexec.exe
Token: SeCreatePermanentPrivilege	2112	msiexec.exe
Token: SeBackupPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeShutdownPrivilege	2112	msiexec.exe
Token: SeDebugPrivilege	2112	msiexec.exe
Token: SeAuditPrivilege	2112	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2112	msiexec.exe
Token: SeChangeNotifyPrivilege	2112	msiexec.exe
Token: SeRemoteShutdownPrivilege	2112	msiexec.exe
Token: SeUndockPrivilege	2112	msiexec.exe
Token: SeSyncAgentPrivilege	2112	msiexec.exe
Token: SeEnableDelegationPrivilege	2112	msiexec.exe
Token: SeManageVolumePrivilege	2112	msiexec.exe
Token: SeImpersonatePrivilege	2112	msiexec.exe
Token: SeCreateGlobalPrivilege	2112	msiexec.exe
Token: SeBackupPrivilege	2668	vssvc.exe
Token: SeRestorePrivilege	2668	vssvc.exe
Token: SeAuditPrivilege	2668	vssvc.exe
Token: SeBackupPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	2476	DrvInst.exe
Token: SeRestorePrivilege	2476	DrvInst.exe
Token: SeRestorePrivilege	2476	DrvInst.exe
Token: SeRestorePrivilege	2476	DrvInst.exe
Token: SeRestorePrivilege	2476	DrvInst.exe
Token: SeRestorePrivilege	2476	DrvInst.exe
Token: SeRestorePrivilege	2476	DrvInst.exe
Token: SeLoadDriverPrivilege	2476	DrvInst.exe
Token: SeLoadDriverPrivilege	2476	DrvInst.exe
Token: SeLoadDriverPrivilege	2476	DrvInst.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2112	msiexec.exe
2112	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 1612	2956	msiexec.exe	32
PID 2956 wrote to memory of 1612	2956	msiexec.exe	32
PID 2956 wrote to memory of 1612	2956	msiexec.exe	32
PID 2956 wrote to memory of 1612	2956	msiexec.exe	32
PID 2956 wrote to memory of 1612	2956	msiexec.exe	32
PID 2956 wrote to memory of 1612	2956	msiexec.exe	32
PID 2956 wrote to memory of 1612	2956	msiexec.exe	32
PID 1612 wrote to memory of 2280	1612	MsiExec.exe	33
PID 1612 wrote to memory of 2280	1612	MsiExec.exe	33
PID 1612 wrote to memory of 2280	1612	MsiExec.exe	33
PID 1612 wrote to memory of 2280	1612	MsiExec.exe	33
PID 1612 wrote to memory of 332	1612	MsiExec.exe	35
PID 1612 wrote to memory of 332	1612	MsiExec.exe	35
PID 1612 wrote to memory of 332	1612	MsiExec.exe	35
PID 1612 wrote to memory of 332	1612	MsiExec.exe	35
PID 1612 wrote to memory of 1476	1612	MsiExec.exe	37
PID 1612 wrote to memory of 1476	1612	MsiExec.exe	37
PID 1612 wrote to memory of 1476	1612	MsiExec.exe	37
PID 1612 wrote to memory of 1476	1612	MsiExec.exe	37
PID 1612 wrote to memory of 2828	1612	MsiExec.exe	39
PID 1612 wrote to memory of 2828	1612	MsiExec.exe	39
PID 1612 wrote to memory of 2828	1612	MsiExec.exe	39
PID 1612 wrote to memory of 2828	1612	MsiExec.exe	39
PID 1612 wrote to memory of 2832	1612	MsiExec.exe	42
PID 1612 wrote to memory of 2832	1612	MsiExec.exe	42
PID 1612 wrote to memory of 2832	1612	MsiExec.exe	42
PID 1612 wrote to memory of 2832	1612	MsiExec.exe	42

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\install.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2112

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADC0A449030F3C46171B34182952AA38
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-549534c3-5850-47a5-b7eb-549a7d30fc5f\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2280
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:332
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start msedge https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/UG_Inv/Inv_UG_Invoice_Pay.pdf
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-549534c3-5850-47a5-b7eb-549a7d30fc5f\files"
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-549534c3-5850-47a5-b7eb-549a7d30fc5f\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:2832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000590" "00000000000003AC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-549534c3-5850-47a5-b7eb-549a7d30fc5f\files.cab

Filesize
3.1MB

MD5
c5251b4a0300ac59b9c51b39b48960ef

SHA1
1a9f4710e07aff28c8961b8bb4d5a525ea385e42

SHA256
4d5fd376d65beb611b661283d72a19f92e69812c716546e3b3809062671238f2

SHA512
a00ddbbd2e4d29b6e54ad422d3a69c4cf3b68cec704c677b5713afe8080774a7b35367464fe5bde19efdd07795f1f7ce2ef13f236241b048638f56fa158b2e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-549534c3-5850-47a5-b7eb-549a7d30fc5f\files\install.exe

Filesize
2.0MB

MD5
2c2ea0242494aaa1148d41eef37fded0

SHA1
b897396f4aaa44d5858cf4d6089884e047d88177

SHA256
b117a7915ab00828f88c69c982c7964bfc177321763cc750d2bdf44e329a804d

SHA512
25f415cf01a8e4da7626e4a2f1244d4a1b1bf64ba1d12271294df536f17bb1fa847df99546ab2786f47b08a7ce27d2cbf7d79b3ca1694c71fcce49bde6d9bc00

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-549534c3-5850-47a5-b7eb-549a7d30fc5f\msiwrapper.ini

Filesize
1KB

MD5
0f6b54b598aab4d866c9a59cb31777c4

SHA1
cc92e01e199d5f70c14e2a20b93dad6fa2c6249c

SHA256
32af45cffa92747c19a3777a2ffc40c122ff52b4fa1d214f8220856d2636e409

SHA512
1aaf40819588a0976fb26bdc79695d17b5db364eff0f874fc44d8c6fad83ffc5c2bb2ab19d4dfebcdc9dc5c837de0de47c08949110aa47122f3d14e76127500f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-549534c3-5850-47a5-b7eb-549a7d30fc5f\msiwrapper.ini

Filesize
1KB

MD5
775e52d2b82ba35c6bc36f235303ed9d

SHA1
6ca89f12e10e963d6e318955b1e9029a124b4885

SHA256
e66dfc2875590447df54e5ddd26242c84dc38e05c6fc5a338fd671009d76dd48

SHA512
c9598d6ec0d708b35598a167cf02e5061c2f4e4b9924067f8a6d40ca4c1bc9fe925185fbfc4d4c8422cacbb431d60de200d084cd565dfa62a8ca669f8255198a

Download Submit
C:\Windows\Installer\MSIB30A.tmp

Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
memory/1476-75-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download