Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-03-2024 19:14

Static task: static1

Behavioral task: behavioral1
Sample: e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115.msi
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115.msi
Resource: win10v2004-20240226-en
General
Target: e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115.msi
Size: 2.1MB
MD5: 723dae8ed3f157e40635681f028328e6
SHA1: aa6dd8df02000fbfc884e687bcafed57f84a83b0
SHA256: e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115
SHA512: 4e1829bfc470ea8624dee424db34b2b0f965597c1e300ca62f271727a7fd4dc6c90137d5ca8fd227ba3bad26fee2870788f91b00b225d6a626e99e18476473be
SSDEEP: 49152:DNGitd+vszAlozTy4g5r8+5eNBADPGXJXrejhJ8I+jELv6:oihTyfIXreNJ8IpT6
Malware Config

Signatures
Blocklisted process makes network request (4 IoCs)
Processes: msiexec.exe
flow  pid   process
2     4192  msiexec.exe
6     4192  msiexec.exe
8     4192  msiexec.exe
15    4192  msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description              ioc     process
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
Drops file in Windows directory (3 IoCs)
Processes: msiexec.exe
description                   ioc                                                          process
File created                  C:\Windows\Installer\e59a791.msi                             msiexec.exe
File opened for modification  C:\Windows\Installer\e59a791.msi                             msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log     msiexec.exe
Loads dropped DLL (7 IoCs)
Processes: MsiExec.exe
pid   process
1008  MsiExec.exe
1008  MsiExec.exe
1008  MsiExec.exe
1008  MsiExec.exe
1008  MsiExec.exe
1008  MsiExec.exe
1008  MsiExec.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
description       ioc                                                                                                                                        process
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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  vssvc.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe
description                           pid   process
Token: SeShutdownPrivilege            4192  msiexec.exe
Token: SeIncreaseQuotaPrivilege       4192  msiexec.exe
Token: SeSecurityPrivilege            1340  msiexec.exe
Token: SeCreateTokenPrivilege         4192  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  4192  msiexec.exe
Token: SeLockMemoryPrivilege          4192  msiexec.exe
Token: SeIncreaseQuotaPrivilege       4192  msiexec.exe
Token: SeMachineAccountPrivilege      4192  msiexec.exe
Token: SeTcbPrivilege                 4192  msiexec.exe
Token: SeSecurityPrivilege            4192  msiexec.exe
Token: SeTakeOwnershipPrivilege       4192  msiexec.exe
Token: SeLoadDriverPrivilege          4192  msiexec.exe
Token: SeSystemProfilePrivilege       4192  msiexec.exe
Token: SeSystemtimePrivilege          4192  msiexec.exe
Token: SeProfSingleProcessPrivilege   4192  msiexec.exe
Token: SeIncBasePriorityPrivilege     4192  msiexec.exe
Token: SeCreatePagefilePrivilege      4192  msiexec.exe
Token: SeCreatePermanentPrivilege     4192  msiexec.exe
Token: SeBackupPrivilege              4192  msiexec.exe
Token: SeRestorePrivilege             4192  msiexec.exe
Token: SeShutdownPrivilege            4192  msiexec.exe
Token: SeDebugPrivilege               4192  msiexec.exe
Token: SeAuditPrivilege               4192  msiexec.exe
Token: SeSystemEnvironmentPrivilege   4192  msiexec.exe
Token: SeChangeNotifyPrivilege        4192  msiexec.exe
Token: SeRemoteShutdownPrivilege      4192  msiexec.exe
Token: SeUndockPrivilege              4192  msiexec.exe
Token: SeSyncAgentPrivilege           4192  msiexec.exe
Token: SeEnableDelegationPrivilege    4192  msiexec.exe
Token: SeManageVolumePrivilege        4192  msiexec.exe
Token: SeImpersonatePrivilege         4192  msiexec.exe
Token: SeCreateGlobalPrivilege        4192  msiexec.exe
Token: SeCreateTokenPrivilege         4192  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  4192  msiexec.exe
Token: SeLockMemoryPrivilege          4192  msiexec.exe
Token: SeIncreaseQuotaPrivilege       4192  msiexec.exe
Token: SeMachineAccountPrivilege      4192  msiexec.exe
Token: SeTcbPrivilege                 4192  msiexec.exe
Token: SeSecurityPrivilege            4192  msiexec.exe
Token: SeTakeOwnershipPrivilege       4192  msiexec.exe
Token: SeLoadDriverPrivilege          4192  msiexec.exe
Token: SeSystemProfilePrivilege       4192  msiexec.exe
Token: SeSystemtimePrivilege          4192  msiexec.exe
Token: SeProfSingleProcessPrivilege   4192  msiexec.exe
Token: SeIncBasePriorityPrivilege     4192  msiexec.exe
Token: SeCreatePagefilePrivilege      4192  msiexec.exe
Token: SeCreatePermanentPrivilege     4192  msiexec.exe
Token: SeBackupPrivilege              4192  msiexec.exe
Token: SeRestorePrivilege             4192  msiexec.exe
Token: SeShutdownPrivilege            4192  msiexec.exe
Token: SeDebugPrivilege               4192  msiexec.exe
Token: SeAuditPrivilege               4192  msiexec.exe
Token: SeSystemEnvironmentPrivilege   4192  msiexec.exe
Token: SeChangeNotifyPrivilege        4192  msiexec.exe
Token: SeRemoteShutdownPrivilege      4192  msiexec.exe
Token: SeUndockPrivilege              4192  msiexec.exe
Token: SeSyncAgentPrivilege           4192  msiexec.exe
Token: SeEnableDelegationPrivilege    4192  msiexec.exe
Token: SeManageVolumePrivilege        4192  msiexec.exe
Token: SeImpersonatePrivilege         4192  msiexec.exe
Token: SeCreateGlobalPrivilege        4192  msiexec.exe
Token: SeCreateTokenPrivilege         4192  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  4192  msiexec.exe
Token: SeLockMemoryPrivilege          4192  msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: msiexec.exe
pid   process
4192  msiexec.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: msiexec.exe
description                       pid   process      target process
PID 1340 wrote to memory of 1008  1340  msiexec.exe  MsiExec.exe
PID 1340 wrote to memory of 1008  1340  msiexec.exe  MsiExec.exe
PID 1340 wrote to memory of 1008  1340  msiexec.exe  MsiExec.exe
PID 1340 wrote to memory of 2892  1340  msiexec.exe  srtasks.exe
PID 1340 wrote to memory of 2892  1340  msiexec.exe  srtasks.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e88610db05636a1476435ec1f39d3651b080c8a6b8756452d421d7a822a2e115.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2B3062769EB0CB9EF9A04E6CDFE6C213 C
      - Loads dropped DLL

    C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05
Filesize: 50KB
MD5: e60b6fd9e945b2f60b6c07730604f545
SHA1: 618025126dc2f02ea6b13839ee77a0003e95a413
SHA256: cb086b9e482866eb88005e4a03590c8e7de687e868027291095a0a463e028470
SHA512: dd77ba16e1239e81d2ed50f7f3b947e8cecb23f0072a24303e4732f3b5ac0b222dd1ccec063a42c54c505d94df10a778d5bf8cce66e8dc88e1be605af74a42ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize: 727B
MD5: 7a3b8457313a521e0d44f91765a4e041
SHA1: 4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267
SHA256: 2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c
SHA512: 7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05
Filesize: 314B
MD5: bdb7b15b6699818ac5bde857833136f4
SHA1: cdec81e7a852cf3f4bfbda0122f918244d63c6b8
SHA256: 5b0f49b98671a0d5cc3a1a59d82a0813920966066bfbf326691cfca07820dcb4
SHA512: 60920a2a9f45ad4607d748b0afec271aeafb881e8418e8eb9d9522cc4105a2e593d7a9848241027d0ded176b7d5435858e6c9c610a50560d24763004f7233cd1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize: 478B
MD5: 58a828596f991f71bd19b3797fcb010b
SHA1: f72abd1313111fc37277238822ba2047f4c202c7
SHA256: 42801a1ad534af849f741896054759c6c299625fb12f867dffcf0fa86cdb2d81
SHA512: 81d27a19cfce068069b9a6320df389ff1684496c32f45d91cfff10adbba66be4ddbb1cac2c413b71df1d27f791dcaba476b3ea0c01c361e0499f4d0baae30e23

C:\Users\Admin\AppData\Local\Temp\MSI69C6.tmp
Filesize: 721KB
MD5: 5a1f2196056c0a06b79a77ae981c7761
SHA1: a880ae54395658f129e24732800e207ecd0b5603
SHA256: 52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e
SHA512: 9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

C:\Users\Admin\AppData\Local\Temp\MSI7025.tmp
Filesize: 561KB
MD5: adc31d2586604bdc6c915c3cbf4fab01
SHA1: 0e75b0a78b08a3859da5261ab7faf082e945ad3b
SHA256: f6d28a2adfa2904b023a761ccb213498ba565ae3f766cff48a7f15b9b06b8a50
SHA512: b2732c7d604937f546210f48629c18a449ffc26cf4a0c8ac01e5288bcdf166adc6ac5860d1800f450e8e8013c420bdfff7a159979bb02101474f0341d15a28ea