6bf07c627ad8bd576633f65a96cbb8753515fc72929cb904b21440015e1c2218

General

Target

e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115.msi
Size

2.1MB
MD5

723dae8ed3f157e40635681f028328e6
SHA1

aa6dd8df02000fbfc884e687bcafed57f84a83b0
SHA256

e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115
SHA512

4e1829bfc470ea8624dee424db34b2b0f965597c1e300ca62f271727a7fd4dc6c90137d5ca8fd227ba3bad26fee2870788f91b00b225d6a626e99e18476473be
SSDEEP

49152:DNGitd+vszAlozTy4g5r8+5eNBADPGXJXrejhJ8I+jELv6:oihTyfIXreNJ8IpT6

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exe

flow pid process

2 4192 msiexec.exe
6 4192 msiexec.exe
8 4192 msiexec.exe
15 4192 msiexec.exe

flow	pid	process
2	4192	msiexec.exe
6	4192	msiexec.exe
8	4192	msiexec.exe
15	4192	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops file in Windows directory 3 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e59a791.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e59a791.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Loads dropped DLL 7 IoCs

Processes:

MsiExec.exe

pid process

1008 MsiExec.exe
1008 MsiExec.exe
1008 MsiExec.exe
1008 MsiExec.exe
1008 MsiExec.exe
1008 MsiExec.exe
1008 MsiExec.exe

pid	process
1008	MsiExec.exe
1008	MsiExec.exe
1008	MsiExec.exe
1008	MsiExec.exe
1008	MsiExec.exe
1008	MsiExec.exe
1008	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008fdc540eeb98985f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008fdc540e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809008fdc540e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d8fdc540e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008fdc540e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4192	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4192	msiexec.exe
Token: SeSecurityPrivilege	1340	msiexec.exe
Token: SeCreateTokenPrivilege	4192	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4192	msiexec.exe
Token: SeLockMemoryPrivilege	4192	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4192	msiexec.exe
Token: SeMachineAccountPrivilege	4192	msiexec.exe
Token: SeTcbPrivilege	4192	msiexec.exe
Token: SeSecurityPrivilege	4192	msiexec.exe
Token: SeTakeOwnershipPrivilege	4192	msiexec.exe
Token: SeLoadDriverPrivilege	4192	msiexec.exe
Token: SeSystemProfilePrivilege	4192	msiexec.exe
Token: SeSystemtimePrivilege	4192	msiexec.exe
Token: SeProfSingleProcessPrivilege	4192	msiexec.exe
Token: SeIncBasePriorityPrivilege	4192	msiexec.exe
Token: SeCreatePagefilePrivilege	4192	msiexec.exe
Token: SeCreatePermanentPrivilege	4192	msiexec.exe
Token: SeBackupPrivilege	4192	msiexec.exe
Token: SeRestorePrivilege	4192	msiexec.exe
Token: SeShutdownPrivilege	4192	msiexec.exe
Token: SeDebugPrivilege	4192	msiexec.exe
Token: SeAuditPrivilege	4192	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4192	msiexec.exe
Token: SeChangeNotifyPrivilege	4192	msiexec.exe
Token: SeRemoteShutdownPrivilege	4192	msiexec.exe
Token: SeUndockPrivilege	4192	msiexec.exe
Token: SeSyncAgentPrivilege	4192	msiexec.exe
Token: SeEnableDelegationPrivilege	4192	msiexec.exe
Token: SeManageVolumePrivilege	4192	msiexec.exe
Token: SeImpersonatePrivilege	4192	msiexec.exe
Token: SeCreateGlobalPrivilege	4192	msiexec.exe
Token: SeCreateTokenPrivilege	4192	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4192	msiexec.exe
Token: SeLockMemoryPrivilege	4192	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4192	msiexec.exe
Token: SeMachineAccountPrivilege	4192	msiexec.exe
Token: SeTcbPrivilege	4192	msiexec.exe
Token: SeSecurityPrivilege	4192	msiexec.exe
Token: SeTakeOwnershipPrivilege	4192	msiexec.exe
Token: SeLoadDriverPrivilege	4192	msiexec.exe
Token: SeSystemProfilePrivilege	4192	msiexec.exe
Token: SeSystemtimePrivilege	4192	msiexec.exe
Token: SeProfSingleProcessPrivilege	4192	msiexec.exe
Token: SeIncBasePriorityPrivilege	4192	msiexec.exe
Token: SeCreatePagefilePrivilege	4192	msiexec.exe
Token: SeCreatePermanentPrivilege	4192	msiexec.exe
Token: SeBackupPrivilege	4192	msiexec.exe
Token: SeRestorePrivilege	4192	msiexec.exe
Token: SeShutdownPrivilege	4192	msiexec.exe
Token: SeDebugPrivilege	4192	msiexec.exe
Token: SeAuditPrivilege	4192	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4192	msiexec.exe
Token: SeChangeNotifyPrivilege	4192	msiexec.exe
Token: SeRemoteShutdownPrivilege	4192	msiexec.exe
Token: SeUndockPrivilege	4192	msiexec.exe
Token: SeSyncAgentPrivilege	4192	msiexec.exe
Token: SeEnableDelegationPrivilege	4192	msiexec.exe
Token: SeManageVolumePrivilege	4192	msiexec.exe
Token: SeImpersonatePrivilege	4192	msiexec.exe
Token: SeCreateGlobalPrivilege	4192	msiexec.exe
Token: SeCreateTokenPrivilege	4192	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4192	msiexec.exe
Token: SeLockMemoryPrivilege	4192	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

4192 msiexec.exe

pid	process
4192	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 1340 wrote to memory of 1008	1340	msiexec.exe	MsiExec.exe
PID 1340 wrote to memory of 1008	1340	msiexec.exe	MsiExec.exe
PID 1340 wrote to memory of 1008	1340	msiexec.exe	MsiExec.exe
PID 1340 wrote to memory of 2892	1340	msiexec.exe	srtasks.exe
PID 1340 wrote to memory of 2892	1340	msiexec.exe	srtasks.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4192

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2B3062769EB0CB9EF9A04E6CDFE6C213 C
2⤵
- Loads dropped DLL
PID:1008

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3444

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05
Filesize
50KB

MD5
e60b6fd9e945b2f60b6c07730604f545

SHA1
618025126dc2f02ea6b13839ee77a0003e95a413

SHA256
cb086b9e482866eb88005e4a03590c8e7de687e868027291095a0a463e028470

SHA512
dd77ba16e1239e81d2ed50f7f3b947e8cecb23f0072a24303e4732f3b5ac0b222dd1ccec063a42c54c505d94df10a778d5bf8cce66e8dc88e1be605af74a42ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize
727B

MD5
7a3b8457313a521e0d44f91765a4e041

SHA1
4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

SHA256
2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

SHA512
7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05
Filesize
314B

MD5
bdb7b15b6699818ac5bde857833136f4

SHA1
cdec81e7a852cf3f4bfbda0122f918244d63c6b8

SHA256
5b0f49b98671a0d5cc3a1a59d82a0813920966066bfbf326691cfca07820dcb4

SHA512
60920a2a9f45ad4607d748b0afec271aeafb881e8418e8eb9d9522cc4105a2e593d7a9848241027d0ded176b7d5435858e6c9c610a50560d24763004f7233cd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize
478B

MD5
58a828596f991f71bd19b3797fcb010b

SHA1
f72abd1313111fc37277238822ba2047f4c202c7

SHA256
42801a1ad534af849f741896054759c6c299625fb12f867dffcf0fa86cdb2d81

SHA512
81d27a19cfce068069b9a6320df389ff1684496c32f45d91cfff10adbba66be4ddbb1cac2c413b71df1d27f791dcaba476b3ea0c01c361e0499f4d0baae30e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI69C6.tmp
Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7025.tmp
Filesize
561KB

MD5
adc31d2586604bdc6c915c3cbf4fab01

SHA1
0e75b0a78b08a3859da5261ab7faf082e945ad3b

SHA256
f6d28a2adfa2904b023a761ccb213498ba565ae3f766cff48a7f15b9b06b8a50

SHA512
b2732c7d604937f546210f48629c18a449ffc26cf4a0c8ac01e5288bcdf166adc6ac5860d1800f450e8e8013c420bdfff7a159979bb02101474f0341d15a28ea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads