eb3a26dafee432003b092d843c80d262ff891343073286c29282faf0f3193035

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac1978a25d9d96bdfced03af92b93256.exe
Size

12.0MB
MD5

ac1978a25d9d96bdfced03af92b93256
SHA1

ecea8d518fe39d05df7af9961dfb59aea6b0b039
SHA256

eb3a26dafee432003b092d843c80d262ff891343073286c29282faf0f3193035
SHA512

3d3536f95d1ce58a468f394d98876db10fa117f936e7786bd3c6858130aea3b9aa3074c46b569ac91757796d463e34f73b01d3d67f87de5c64514bd4f2e7bb0f
SSDEEP

196608:JUQfGMkASVqV26hgDneSccKbOwKaoXcUP7R/M/xNIPPDZ0oWsTkFP4i5r6uRc7YR:XuMkqE5ccGOwC9IxSPP1o+kh507Y+cN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5068	IDriver.exe

Loads dropped DLL 16 IoCs

pid	Process
2236	MsiExec.exe
2236	MsiExec.exe
2236	MsiExec.exe
5068	IDriver.exe
5068	IDriver.exe
5068	IDriver.exe
5068	IDriver.exe
5068	IDriver.exe
5068	IDriver.exe
5068	IDriver.exe
5068	IDriver.exe
5068	IDriver.exe
5068	IDriver.exe
5068	IDriver.exe
5068	IDriver.exe
5068	IDriver.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
28	4584	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	IDriver.exe
File opened (read-only)	\??\N:	IDriver.exe
File opened (read-only)	\??\P:	IDriver.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	IDriver.exe
File opened (read-only)	\??\T:	IDriver.exe
File opened (read-only)	\??\U:	IDriver.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	IDriver.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	IDriver.exe
File opened (read-only)	\??\Z:	IDriver.exe
File opened (read-only)	\??\S:	IDriver.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	IDriver.exe
File opened (read-only)	\??\G:	IDriver.exe
File opened (read-only)	\??\E:	IDriver.exe
File opened (read-only)	\??\L:	IDriver.exe
File opened (read-only)	\??\Q:	IDriver.exe
File opened (read-only)	\??\V:	IDriver.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	IDriver.exe
File opened (read-only)	\??\X:	IDriver.exe
File opened (read-only)	\??\M:	IDriver.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	IDriver.exe
File opened (read-only)	\??\Y:	IDriver.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	IDriver.exe
File opened (read-only)	\??\W:	IDriver.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\IDriver.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\IDriver2.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\ISRT.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\_ISRES1033.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\IUserCnv.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\IScrCnv.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\objpscnv.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\ID	msiexec.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\iGdiCnv.dll	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI756E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e576e5a.msi	msiexec.exe
File created	C:\Windows\Installer\e576e5b.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\e576e5b.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{790EC520-CCCC-4810-A0FE-061633204CE4}	msiexec.exe
File created	C:\Windows\Installer\e576e5a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007d3392e9fd415b840000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007d3392e90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809007d3392e9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d7d3392e9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007d3392e900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B23DEBC2-3C5C-47A6-8FF8-148132D193F4}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11997148-EAEB-42A2-B3CC-B7C5A7199107}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{CD1B2C1C-4F04-4B4F-851B-2DA036EF69FC}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE02E74A-C645-4C6E-BD1C-4099501A9F52}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF21D406-D32C-4413-81CE-B9AF860E1361}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE238E7E-00DB-4349-9949-2A10E52A6F68}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{724B3BD1-2098-4DDC-A229-B9BE6595398E}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{724B3BD1-2098-4DDC-A229-B9BE6595398E}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{724B3BD1-2098-4DDC-A229-B9BE6595398E}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{724B3BD1-2098-4DDC-A229-B9BE6595398E}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A485A16F-1011-42A0-A5B6-48336907A783}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAFAF854-1BF8-4DE1-8F96-752839422F73}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9CBF197F-754C-4011-9019-1C632FD2897A}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90FFDCC6-889E-4394-B60A-36EB3A32CED7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DED5FE20-27D3-4F38-8DF3-93659038C417}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E104755-C78C-4BAC-941C-29857740D46F}\ = "InstallShield InstallDriver"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{566BECBB-A8DF-43EA-8D44-77BCC7B72F21}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{724B3BD1-2098-4DDC-A229-B9BE6595398E}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{22E4EB97-C4B0-4EE7-88AE-5E3502EA7831}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A351BCFD-F07F-48CB-91A0-AF69317D9D6D}\NumMethods\ = "5"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A351BCFD-F07F-48CB-91A0-AF69317D9D6D}\ProxyStubClsid32\ = "{1E4FB44E-D416-4243-B811-8E116F9CE39A}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE238E7E-00DB-4349-9949-2A10E52A6F68}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{2665F812-8C0D-46F5-91A3-E70E8F4E0417}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{99438BE3-EA31-4C13-85FD-FEB81A61AB34}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{293B98DF-5B92-42D2-A409-FA9A0C0E1E68}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D1B3880C-54D7-4FE4-8B1B-DA5419081EF1}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{15CF3576-8A86-4D1F-9A64-912F901F0173}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{78994A88-276B-4F15-BAF6-FB4CD3F9E223}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{65CD17AF-CCEE-4CD6-B304-A3BD48237B67}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{7C0E5C96-A863-4869-BE93-F0EF748ADC5E}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A485A16F-1011-42A0-A5B6-48336907A783}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92559C8C-F9C8-4BE7-BA9D-26AFEA5E4389}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}\1.0\FLAGS\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C514B88-F041-4813-82C0-C6BB0627BC3E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{44D68E56-4A11-4C14-806B-083FFA62767C}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{023F4789-ADC1-4030-9DE3-7ED7F57EA2CA}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAD11E89-6394-4747-A64E-634E4FF7DDDA}\ = "ISetupWizardUI"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{24D495A5-A174-4945-819D-CF294600C500}\ = "InstallShield InstallDriver"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1AEFB69D-57BB-4963-AFA8-09FA9614E1CB}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DBBC99EB-259B-4CD3-B167-3D75539D9E9C}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99438BE3-EA31-4C13-85FD-FEB81A61AB34}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D354A092-4A8E-4077-A738-8314F6BA0DE6}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AEED9AE1-AE66-4065-A274-DC7BBFEE354B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD889BE8-F7D6-415F-84B6-B17CCCB29A6D}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F6EE9F4A-2D30-4A78-8720-90B6ED68763B}\ = "ISetupTransferEvents3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{184C53CC-8D6D-4A58-8108-90167678B84C}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{EE02E74A-C645-4C6E-BD1C-4099501A9F52}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{82B47390-3D18-4100-B967-7790E0199744}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1DE0B0AC-D65A-4B47-B4E4-37C8E065D9A1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ACC4DEAB-2CEA-4869-A2F7-5C7E5A6730B5}\ = "ISetupBasicFeature"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{BC859C55-34D2-43CE-A4B7-8AB67768B386}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{52305DC4-1B79-41CE-90D0-0B84AF096018}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{06DAA70F-FCCD-44E1-A676-716E6234C189}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A485A16F-1011-42A0-A5B6-48336907A783}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F74B51C-963F-420E-90FA-FD96FA7712DC}\ = "ISetupWindowBillBoards"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DBBC99EB-259B-4CD3-B167-3D75539D9E9C}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7DC20AA-E26E-4FC9-9DBE-FAFDE6C5CCCD}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F04EC9AA-E64B-4EE8-91CE-4026BAEA5D41}\TypeLib\Version = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{2E30AE6C-8796-4207-968E-FAEFC5DD1818}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD889BE8-F7D6-415F-84B6-B17CCCB29A6D}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{82C616BD-E4A4-4556-B775-8449E75E191E}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4D3EF9D-0157-4C5F-A74B-BAEE5D6ED3AE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{2FB74205-04B5-4683-B5B5-492FCFDE9ADF}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1F74B51C-963F-420E-90FA-FD96FA7712DC}\ProxyStubClsid32	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4584	msiexec.exe
4584	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeIncreaseQuotaPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeSecurityPrivilege	4584	msiexec.exe
Token: SeCreateTokenPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeAssignPrimaryTokenPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeLockMemoryPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeIncreaseQuotaPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeMachineAccountPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeTcbPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeSecurityPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeTakeOwnershipPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeLoadDriverPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeSystemProfilePrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeSystemtimePrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeProfSingleProcessPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeIncBasePriorityPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeCreatePagefilePrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeCreatePermanentPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeBackupPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeRestorePrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeShutdownPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeDebugPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeAuditPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeSystemEnvironmentPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeChangeNotifyPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeRemoteShutdownPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeUndockPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeSyncAgentPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeEnableDelegationPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeManageVolumePrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeImpersonatePrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeCreateGlobalPrivilege	2916	ac1978a25d9d96bdfced03af92b93256.exe
Token: SeRestorePrivilege	4584	msiexec.exe
Token: SeTakeOwnershipPrivilege	4584	msiexec.exe
Token: SeRestorePrivilege	4584	msiexec.exe
Token: SeTakeOwnershipPrivilege	4584	msiexec.exe
Token: SeRestorePrivilege	4584	msiexec.exe
Token: SeTakeOwnershipPrivilege	4584	msiexec.exe
Token: SeRestorePrivilege	4584	msiexec.exe
Token: SeTakeOwnershipPrivilege	4584	msiexec.exe
Token: SeCreateTokenPrivilege	5068	IDriver.exe
Token: SeAssignPrimaryTokenPrivilege	5068	IDriver.exe
Token: SeLockMemoryPrivilege	5068	IDriver.exe
Token: SeIncreaseQuotaPrivilege	5068	IDriver.exe
Token: SeMachineAccountPrivilege	5068	IDriver.exe
Token: SeTcbPrivilege	5068	IDriver.exe
Token: SeSecurityPrivilege	5068	IDriver.exe
Token: SeTakeOwnershipPrivilege	5068	IDriver.exe
Token: SeLoadDriverPrivilege	5068	IDriver.exe
Token: SeSystemProfilePrivilege	5068	IDriver.exe
Token: SeSystemtimePrivilege	5068	IDriver.exe
Token: SeProfSingleProcessPrivilege	5068	IDriver.exe
Token: SeIncBasePriorityPrivilege	5068	IDriver.exe
Token: SeCreatePagefilePrivilege	5068	IDriver.exe
Token: SeCreatePermanentPrivilege	5068	IDriver.exe
Token: SeBackupPrivilege	5068	IDriver.exe
Token: SeRestorePrivilege	5068	IDriver.exe
Token: SeShutdownPrivilege	5068	IDriver.exe
Token: SeDebugPrivilege	5068	IDriver.exe
Token: SeAuditPrivilege	5068	IDriver.exe
Token: SeSystemEnvironmentPrivilege	5068	IDriver.exe
Token: SeChangeNotifyPrivilege	5068	IDriver.exe
Token: SeRemoteShutdownPrivilege	5068	IDriver.exe
Token: SeUndockPrivilege	5068	IDriver.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 2236	4584	msiexec.exe	95
PID 4584 wrote to memory of 2236	4584	msiexec.exe	95
PID 4584 wrote to memory of 2236	4584	msiexec.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ac1978a25d9d96bdfced03af92b93256.exe
"C:\Users\Admin\AppData\Local\Temp\ac1978a25d9d96bdfced03af92b93256.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ACEB5525EFDF7497F62C82DC15321038 C
  2⤵
  - Loads dropped DLL
  PID:2236

C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe
C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2716

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e576e5e.rbs

Filesize
51KB

MD5
27f6ec4c6e7e63667da4e3cdf15c85da

SHA1
1e72b782e900cfe955493d3764404a3ac1405cb3

SHA256
73f6ee68abfb2b5d108c675a4e6e0d239a265f47614ac10919cb59bca3f053bc

SHA512
43f09b5612c01aa78de6a1cef98ddb66a2715f8f6731a1ce111a855c3fbf781a563483a30aacec1b22b5a0ca7497d1a73a9540bb701070b50171ae9529e975ac

Download Submit
C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IScrCnv.dll

Filesize
260KB

MD5
f6aabdf85821a9c61c61dec9408f40cc

SHA1
ddac695de73be7a67357aea89c7b9c2ca21fc4e1

SHA256
9ee23586d456db53d59fbaa8669e817461aeaf94f81237ead3f2c23cac8c40fa

SHA512
73d2e4352c4055c8d08ad5499fc4495ff6fa7613970f9c0a3cf73dae645fc9102e62cf9c7dd046d6bc3c909cbafd06a30812d1d9bcf8f34c4a253c09d628b538

Download Submit
C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\iGdiCnv.dll

Filesize
176KB

MD5
afdfec6679ce99596261ff182afbe9e6

SHA1
3289711e3ce8bb72bd84bb0bc33f95d958648f4c

SHA256
81b931aaf908e1e372802db04dfbe5256209d488bfe88d58841fc13acadedfd6

SHA512
c8ce4617d03084f37b8766f0505922a8f380e0d2745658864197535c43c3b2f985c4a2bac2228752857782181cd41167bfa4b784c7ce3e8a94932d58d099753a

Download Submit
C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\objpscnv.dll

Filesize
32KB

MD5
aba70b81a5811e7b140271595d66f06f

SHA1
42ef824151e67cf921d861d83872c9ef13b500e6

SHA256
26d4765c2461fccd669e455d33659397d6f82fe261ece256c3f19b831dcfa0ba

SHA512
8780d68124e309b8ec2dbbbac18be3291fefabfd6ed9154645eddfb4dd8076e2fda97168d7c5ea9b378b54ee900f75bd409736cfc1262e0d167e0ff62078de0a

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\IDriver.exe

Filesize
744KB

MD5
a9d3658c5be72816812a5a32e4560ba3

SHA1
649003292ee74d2407fae441fb92b605a0d91f90

SHA256
b2527d1e2297506796f898e90907fb4c8c7e063f2898194e74152fa9ca21923f

SHA512
b80283aafbe8cd59720979d51a5524a1d53b001e59c6fe9693c754b238101ac6058122130e0be97ce22dc4f7edce9cd84aa4fde869bf728cff8fba1733638c5b

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\ISRT.DLL

Filesize
400KB

MD5
db28ca3ba3c2045aa7b6e59aa9831c68

SHA1
55b44ea55f3a04b916339c81e1cc3f3db62d54cc

SHA256
ca41725fb64338211a9f9740f45f1b0c4d80e6c7e84a1d2e5580dcecbf87e489

SHA512
82c409611e61acad6b2986372ff72682e611b7ee5a88e74fec9c7864ce50c7494adba4165a44f2cc99b93daee33ad67320aed4fd5f85ef2fbc4779bf69f55efb

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\IUserCnv.dll

Filesize
168KB

MD5
197c2ce7cf2a98ae895ece98d88b8245

SHA1
f734d8dc508138501e79b384fe1a689920c6ba93

SHA256
260924991dff4fbd2f691913007aee1f3136708671ef3309b4f9ec8687da6f1e

SHA512
a7ff5f0d56a13d340d9ec1b977f9e995bf7dc61f6bf4b8ecd7369793d39032a43e587146e6b9a9084be5a9cc709876bf971983a218c2af631d3950cd3391cd47

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8368.tmp

Filesize
108KB

MD5
9db0fe073e1dbf9bd99fd556ccf56518

SHA1
19df8a5cd14fc73b4e2d0196caf3b3d4cdc732dd

SHA256
18ca4f41e444e28ed2d2bd33d77c5fb994f6949833c2f7a0ddacfffe6b4c3450

SHA512
073d420bf8fd8f413de4ed661cf63d66c19c8dc5b875af54a73315dc755d1885697ba3004518fc0308bd8be444bc7c73419fbbd0b9682565569be3cd41933512

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8444.tmp

Filesize
48KB

MD5
fa13aa9996fe8d85aa680e9f5e4f23e8

SHA1
cbc23243a9a595b6d91431c4c275c1ab2adc6642

SHA256
8f40c1dc28323a3c5310bf21372b9756ca547c20c7cf63197e071a9e1e66b31b

SHA512
9f4bd08583dbaadaec281d05d79c11a1dc1651d2d96cc4ecddd68e74178c3eec843e43bea14c546ba18b371177684dde0c21211e8fdb0369bbeeb5e31fdbe87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is5A17\0x0804.ini

Filesize
3KB

MD5
f4173acfb530f6529b5a83f4734b7de2

SHA1
0ce31f6b2885ce5a891d61bb5cd65239550fac3a

SHA256
72f2993df49de0263e981a7d36a11df005755505c9f01c0b3560e427d79e5eb8

SHA512
2600c2b255516d88d3f62357071ff0674b6a5457dab36ad8770370e6430b1ccf3111ddbaf0fc9f608d65ebc0162ca622b13a1b064220ca8ec31cb433bc2fb131

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is5A17\ISScript10.Msi

Filesize
875KB

MD5
f93a766e58d9c06b5cfd7c095fdd4b97

SHA1
d02e24a8c14bc127ff1cbac8ef7c43830142d0e0

SHA256
c00e1e874d0093112e898c615b0f81fa8a0974c25cf01638fe6acb949b1940ed

SHA512
65089a6b7a916716866192781af098b8939ad8ef5881abfafbfebc53fd747c3af5b2451668f4e60ca6c3c15eacf485e009c260e710ab934537c4d98ab67d3bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is5A17\Netpise V1.2.msi

Filesize
7.3MB

MD5
da4d6064e40a80d4711c60eb92a2a9c2

SHA1
cdd8c94dd50dd109f19d46e68f8e700ae180dfb4

SHA256
b728cd6fd411eebccbec204e16d0ad2ff26920a1eb94101a64bdceb6a2ab8887

SHA512
37846abd95232bcd283a7e73adc9eeec417af32719e9ead94ee1d6777cf7310e16a34a664708b353f66c8317ade8e0837054cb8415e0a65c1583ee2b5ee75d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is5A17\Setup.INI

Filesize
1KB

MD5
87beddbe2c3d28da9186f10a9f86ec3c

SHA1
e7291e9fd895ab1c6e7e2472b695caa01ffbd4a3

SHA256
e840e95c3013e3b949fbc800c2f318ef8e29dd4bc753d0c65d4efc26e0ddd468

SHA512
3d53a2e3cc443e14b289dd0c94a2dabdf481d7c04b3bbfefd366f0f19f231d1ab17e3564fbd27d74127553ee6009356e71160d88b69a9537f058e04369507128

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is5A17\setup.isn

Filesize
233KB

MD5
a2c5d0d0c1153784aaac022bbd7bb780

SHA1
650204a126c15445f21f291f62e8eef9da2ceb93

SHA256
0018ddb503901be72a4c8febf7dc353ed185332192015c860c2a261a1e8b178e

SHA512
3746e2e585e8d7c13ff5dcd9381cfc96e5470bdf3a394b752345d6d3d4d6daef2041245b76113a1eccc7d9bc30e677fabe76225d02247eeb74f204b385aec4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EEA91040-AB62-468B-8011-36C8FF52191F}\ISRT.DLL

Filesize
256KB

MD5
35ea7080a50d5ba3518c0590e08a5d65

SHA1
7cdf2dc37ea5761f0cf3aab96fe5fa3e5603cee1

SHA256
a1519a4e3b67fa9a31e3d526849880b24928fa7b373d910d615b05adfc181202

SHA512
1ae3687a91d37506f1d1869df3a73ae7a867b3d7909e391a4ba1db8194074dfe222993e7f29dc7a6b4ea03468667cfff11a2fb8d880b6dbd568eff1afc6daca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EEA91040-AB62-468B-8011-36C8FF52191F}\_ISRES.DLL

Filesize
324KB

MD5
a16e3ace458e482ee09be13e67c45359

SHA1
9443fb115877739a6b76e2c8d635356f89d621b0

SHA256
9e1218651e63054d18eb5dcf86ec7e37744650063c833c341ff8d62baecd6d63

SHA512
54acaf56b185bf1c8658d7e1ea0d3bf5bfc0cdaaba72e29f772d24a710fb62f2329233964bbaf7fed07d438e7a7c4f1914e5f89e0dd8016788c5a6bb246c2bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EEA91040-AB62-468B-8011-36C8FF52191F}\_ISUSER.DLL

Filesize
16KB

MD5
6196e4a5aa6731ffc897ca8d1fef7345

SHA1
10a338da5920b84eefd1c557131825b24168b2ab

SHA256
cef66955af1139cac1b8b7713a5a1e5edd9331fb5aed142dd9b23876a5294b63

SHA512
3f9d0d869648b467485d1900fa8b6d047f552168bbff21a1b74236c8e17776070818f6afebbe4df788ee033fa44d9f99aa787ab5d2502c2b5c0c700afd96bbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EEA91040-AB62-468B-8011-36C8FF52191F}\skin8879.rra

Filesize
11KB

MD5
6c9226c6d56a83042587bc9a1b7abf3b

SHA1
259135c6ff4d9a706450809a08db389782b4ccd0

SHA256
11a7796e05198361d4775757e18a10cf02839b3dac9b9d1c1e9f2ab37281f725

SHA512
f70b56ca5898dcc9549a7911be739cadfd6ed0267295bec4899b50a06855ae853b09a239245c8c0c27283db943adbe774159d3da016bf88ae6ca26f14dd6d5fc

Download Submit
memory/5068-139-0x0000000002F40000-0x0000000002F6C000-memory.dmp

Filesize
176KB

Download
memory/5068-148-0x00000000043B0000-0x0000000004416000-memory.dmp

Filesize
408KB

Download
memory/5068-167-0x0000000005310000-0x000000000533E000-memory.dmp

Filesize
184KB

Download