30657b042364630a3bda4ebc7ef2f9ddf5837e0128b0332396df31cfbefefa1e

Analysis

max time kernel
1702s
max time network
1182s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

swat4_spdemo_en.exe
Size

183.1MB
MD5

37cd68b32d7b95b85d289fc3cdab305c
SHA1

fcbdf4786fb70832d02f78548ab20e9b7ea62d4b
SHA256

30657b042364630a3bda4ebc7ef2f9ddf5837e0128b0332396df31cfbefefa1e
SHA512

f593606c016fdd9a5c72c1cb6f9fa49a6f008439bd605a8c8d9812995197aaaf0c0c1cd94977e55361b561a20cf920491d1e4f996f1b356f8832bc5b0e07a992
SSDEEP

3145728:VeO4XB8wYHiFMRX0Jkl2Je3nvCl6GfkZJAvK4WyuozvpOPh8Rr23ttI1htVC0BwH:gLXOwYHimXMkdv664kgNWGxOPh8kze8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3004	IDriver.exe

Loads dropped DLL 19 IoCs

pid	Process
3504	MsiExec.exe
3504	MsiExec.exe
3504	MsiExec.exe
3004	IDriver.exe
3004	IDriver.exe
3004	IDriver.exe
3004	IDriver.exe
3004	IDriver.exe
3004	IDriver.exe
3004	IDriver.exe
3004	IDriver.exe
3004	IDriver.exe
3004	IDriver.exe
3004	IDriver.exe
3004	IDriver.exe
3004	IDriver.exe
3004	IDriver.exe
3004	IDriver.exe
3004	IDriver.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
36	2192	msiexec.exe
38	2192	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	IDriver.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	IDriver.exe
File opened (read-only)	\??\R:	IDriver.exe
File opened (read-only)	\??\S:	IDriver.exe
File opened (read-only)	\??\T:	IDriver.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	IDriver.exe
File opened (read-only)	\??\E:	IDriver.exe
File opened (read-only)	\??\O:	IDriver.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	IDriver.exe
File opened (read-only)	\??\Y:	IDriver.exe
File opened (read-only)	\??\Z:	IDriver.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	IDriver.exe
File opened (read-only)	\??\U:	IDriver.exe
File opened (read-only)	\??\V:	IDriver.exe
File opened (read-only)	\??\W:	IDriver.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	IDriver.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	IDriver.exe
File opened (read-only)	\??\L:	IDriver.exe
File opened (read-only)	\??\P:	IDriver.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	IDriver.exe
File opened (read-only)	\??\M:	IDriver.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	IDriver.exe
File opened (read-only)	\??\N:	IDriver.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\IScrCnv.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\ID	msiexec.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\ISRT.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\_ISRES1033.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\IDriver.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\iGdiCnv.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\IUserCnv.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\objpscnv.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\IDriver2.exe	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e575c3a.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5FF2.tmp	msiexec.exe
File created	C:\Windows\Installer\e575c39.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e575c3a.mst	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{790EC520-CCCC-4810-A0FE-061633204CE4}	msiexec.exe
File opened for modification	C:\Windows\Installer\e575c39.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5032	3004	WerFault.exe	100

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000982641fbe24eac720000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000982641fb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900982641fb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d982641fb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000982641fb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{023F4789-ADC1-4030-9DE3-7ED7F57EA2CA}\ProxyStubClsid	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{15CF3576-8A86-4D1F-9A64-912F901F0173}\ProxyStubClsid	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F6EE9F4A-2D30-4A78-8720-90B6ED68763B}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F6EE9F4A-2D30-4A78-8720-90B6ED68763B}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D32D517-C668-44B4-97AE-8ECC0CE064FB}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{CD1B2C1C-4F04-4B4F-851B-2DA036EF69FC}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{724B3BD1-2098-4DDC-A229-B9BE6595398E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{FD889BE8-F7D6-415F-84B6-B17CCCB29A6D}\ProxyStubClsid	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B23DEBC2-3C5C-47A6-8FF8-148132D193F4}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{724B3BD1-2098-4DDC-A229-B9BE6595398E}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4C514B88-F041-4813-82C0-C6BB0627BC3E}\ProxyStubClsid	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F6EE9F4A-2D30-4A78-8720-90B6ED68763B}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{65CD17AF-CCEE-4CD6-B304-A3BD48237B67}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B23DEBC2-3C5C-47A6-8FF8-148132D193F4}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{EE02E74A-C645-4C6E-BD1C-4099501A9F52}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE02E74A-C645-4C6E-BD1C-4099501A9F52}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ACC4DEAB-2CEA-4869-A2F7-5C7E5A6730B5}\ = "ISetupBasicFeature"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8F814097-CE38-493E-BFCC-CB3599998D05}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D86AEAFD-A3AD-4F9D-BDA5-D70696A1FEAB}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C0BA3C1-2B67-45EB-BF69-BED9658D28D2}\ProgID\ = "ISInstallDriver.InstallDriver.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE238E7E-00DB-4349-9949-2A10E52A6F68}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IDriver2.exe\AppID = "{D71CBC24-F638-4606-9023-E11891FA52D7}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B23DEBC2-3C5C-47A6-8FF8-148132D193F4}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{AEED9AE1-AE66-4065-A274-DC7BBFEE354B}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{2F653E7D-0010-4751-BD83-92EA472E641F}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92559C8C-F9C8-4BE7-BA9D-26AFEA5E4389}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF21D406-D32C-4413-81CE-B9AF860E1361}\ = "ISetupScriptEngine3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F814097-CE38-493E-BFCC-CB3599998D05}\TypeLib\Version = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F1F45426-4ECC-4E2F-A2AD-3424A424B336}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAD11E89-6394-4747-A64E-634E4FF7DDDA}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FCE0140-F00D-4466-80E3-07992FEB65C9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}\1.0\0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{79B85C96-90FF-4595-8C7C-918FFC07F09D}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8919C3B9-E8FF-43A7-86B3-FA09E0201947}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2057FC3B-B6A8-4669-B49B-393B0B0193A9}\ = "ISetupPropertyBag"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED3EBE1C-E2BF-460F-870E-F17D6EC454F8}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA5380BC-76C8-4AD6-A4C4-6F6CB5F32CAE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10A6F82A-09E1-4BD1-8231-4B9120AEDAFA}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD549FD5-6590-4F67-B60E-E7422ADAF1B3}\ = "ISetupScriptError"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28A18BE3-9194-44B1-A5BB-7245C5D344B2}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ISInstallDriver.InstallDriver.1\CLSID\ = "{9C0BA3C1-2B67-45EB-BF69-BED9658D28D2}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{738891D7-3A18-4839-A5E7-EFD2E7DE002A}\ = "ISetupUserInterface"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{10A6F82A-09E1-4BD1-8231-4B9120AEDAFA}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A10FDF47-9E29-401C-988C-A7A28434BCC2}\ = "ISetupFileService"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{610B9179-896D-41FC-9056-27616367AD91}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F653E7D-0010-4751-BD83-92EA472E641F}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D71CBC24-F638-4606-9023-E11891FA52D7}\ = "InstallShield InstallDriver"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{9C0BA3C1-2B67-45EB-BF69-BED9658D28D2}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A5CDB19F-95A7-4DFC-A65F-D01CB17BDAA2}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{3392A51F-A498-421A-A02A-6804C4270A21}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{2B3ECF2E-3F2C-42BB-BA02-049A739F12C0}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{566BECBB-A8DF-43EA-8D44-77BCC7B72F21}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF2062B2-540A-4B48-A2C7-ABA0B49D44B9}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85D3BD85-0A91-438D-B2F9-BC4E31A5DB34}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D86AEAFD-A3AD-4F9D-BDA5-D70696A1FEAB}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E8176B8-C130-49DA-AB56-F3378E54ADFD}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4D3EF9D-0157-4C5F-A74B-BAEE5D6ED3AE}\ = "IMSIMsgHandler"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{30350C57-F1F4-4ADC-9ECB-FA66FD8A3BE6}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65CD17AF-CCEE-4CD6-B304-A3BD48237B67}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F6EE9F4A-2D30-4A78-8720-90B6ED68763B}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{023F4789-ADC1-4030-9DE3-7ED7F57EA2CA}\TypeLib\Version = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{ABC466D7-B7AD-4872-8C72-ED582EF279CE}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8E161B8-9B5A-4DD2-9B93-1F558A7FAD69}\ = "ISetupShell2"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{566BECBB-A8DF-43EA-8D44-77BCC7B72F21}\ProxyStubClsid32	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2192	msiexec.exe
2192	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1220	swat4_spdemo_en.exe
Token: SeIncreaseQuotaPrivilege	1220	swat4_spdemo_en.exe
Token: SeSecurityPrivilege	2192	msiexec.exe
Token: SeCreateTokenPrivilege	1220	swat4_spdemo_en.exe
Token: SeAssignPrimaryTokenPrivilege	1220	swat4_spdemo_en.exe
Token: SeLockMemoryPrivilege	1220	swat4_spdemo_en.exe
Token: SeIncreaseQuotaPrivilege	1220	swat4_spdemo_en.exe
Token: SeMachineAccountPrivilege	1220	swat4_spdemo_en.exe
Token: SeTcbPrivilege	1220	swat4_spdemo_en.exe
Token: SeSecurityPrivilege	1220	swat4_spdemo_en.exe
Token: SeTakeOwnershipPrivilege	1220	swat4_spdemo_en.exe
Token: SeLoadDriverPrivilege	1220	swat4_spdemo_en.exe
Token: SeSystemProfilePrivilege	1220	swat4_spdemo_en.exe
Token: SeSystemtimePrivilege	1220	swat4_spdemo_en.exe
Token: SeProfSingleProcessPrivilege	1220	swat4_spdemo_en.exe
Token: SeIncBasePriorityPrivilege	1220	swat4_spdemo_en.exe
Token: SeCreatePagefilePrivilege	1220	swat4_spdemo_en.exe
Token: SeCreatePermanentPrivilege	1220	swat4_spdemo_en.exe
Token: SeBackupPrivilege	1220	swat4_spdemo_en.exe
Token: SeRestorePrivilege	1220	swat4_spdemo_en.exe
Token: SeShutdownPrivilege	1220	swat4_spdemo_en.exe
Token: SeDebugPrivilege	1220	swat4_spdemo_en.exe
Token: SeAuditPrivilege	1220	swat4_spdemo_en.exe
Token: SeSystemEnvironmentPrivilege	1220	swat4_spdemo_en.exe
Token: SeChangeNotifyPrivilege	1220	swat4_spdemo_en.exe
Token: SeRemoteShutdownPrivilege	1220	swat4_spdemo_en.exe
Token: SeUndockPrivilege	1220	swat4_spdemo_en.exe
Token: SeSyncAgentPrivilege	1220	swat4_spdemo_en.exe
Token: SeEnableDelegationPrivilege	1220	swat4_spdemo_en.exe
Token: SeManageVolumePrivilege	1220	swat4_spdemo_en.exe
Token: SeImpersonatePrivilege	1220	swat4_spdemo_en.exe
Token: SeCreateGlobalPrivilege	1220	swat4_spdemo_en.exe
Token: SeRestorePrivilege	2192	msiexec.exe
Token: SeTakeOwnershipPrivilege	2192	msiexec.exe
Token: SeRestorePrivilege	2192	msiexec.exe
Token: SeTakeOwnershipPrivilege	2192	msiexec.exe
Token: SeRestorePrivilege	2192	msiexec.exe
Token: SeTakeOwnershipPrivilege	2192	msiexec.exe
Token: SeRestorePrivilege	2192	msiexec.exe
Token: SeTakeOwnershipPrivilege	2192	msiexec.exe
Token: SeCreateTokenPrivilege	3004	IDriver.exe
Token: SeAssignPrimaryTokenPrivilege	3004	IDriver.exe
Token: SeLockMemoryPrivilege	3004	IDriver.exe
Token: SeIncreaseQuotaPrivilege	3004	IDriver.exe
Token: SeMachineAccountPrivilege	3004	IDriver.exe
Token: SeTcbPrivilege	3004	IDriver.exe
Token: SeSecurityPrivilege	3004	IDriver.exe
Token: SeTakeOwnershipPrivilege	3004	IDriver.exe
Token: SeLoadDriverPrivilege	3004	IDriver.exe
Token: SeSystemProfilePrivilege	3004	IDriver.exe
Token: SeSystemtimePrivilege	3004	IDriver.exe
Token: SeProfSingleProcessPrivilege	3004	IDriver.exe
Token: SeIncBasePriorityPrivilege	3004	IDriver.exe
Token: SeCreatePagefilePrivilege	3004	IDriver.exe
Token: SeCreatePermanentPrivilege	3004	IDriver.exe
Token: SeBackupPrivilege	3004	IDriver.exe
Token: SeRestorePrivilege	3004	IDriver.exe
Token: SeShutdownPrivilege	3004	IDriver.exe
Token: SeDebugPrivilege	3004	IDriver.exe
Token: SeAuditPrivilege	3004	IDriver.exe
Token: SeSystemEnvironmentPrivilege	3004	IDriver.exe
Token: SeChangeNotifyPrivilege	3004	IDriver.exe
Token: SeRemoteShutdownPrivilege	3004	IDriver.exe
Token: SeUndockPrivilege	3004	IDriver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1220	swat4_spdemo_en.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 3504	2192	msiexec.exe	101
PID 2192 wrote to memory of 3504	2192	msiexec.exe	101
PID 2192 wrote to memory of 3504	2192	msiexec.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\swat4_spdemo_en.exe
"C:\Users\Admin\AppData\Local\Temp\swat4_spdemo_en.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1220

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AD81DF51391C9640DEAFE67CD8B699EE C
  2⤵
  - Loads dropped DLL
  PID:3504

C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe
C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 1564
  2⤵
  - Program crash
  PID:5032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3648

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3004 -ip 3004
1⤵
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e575c3d.rbs

Filesize
51KB

MD5
0e10071c48a8102d5e8af76169170b01

SHA1
b103a5da20d959d95487eb307a69465cf31a9d6a

SHA256
3682662219b90da1268407ec8775772cb69efedbb42029266d664feda8d6b547

SHA512
c478807fa7f8eac1e77d9cea8a84a2408db9309ac41133bcb0e953871cfb8a6ed902048428558cf3b8b40a6686b6c2d4a442bccf854a476fbef8d639a3f1c5bf

Download Submit
C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IScrCnv.dll

Filesize
260KB

MD5
f6aabdf85821a9c61c61dec9408f40cc

SHA1
ddac695de73be7a67357aea89c7b9c2ca21fc4e1

SHA256
9ee23586d456db53d59fbaa8669e817461aeaf94f81237ead3f2c23cac8c40fa

SHA512
73d2e4352c4055c8d08ad5499fc4495ff6fa7613970f9c0a3cf73dae645fc9102e62cf9c7dd046d6bc3c909cbafd06a30812d1d9bcf8f34c4a253c09d628b538

Download Submit
C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\iusercnv.dll

Filesize
168KB

MD5
197c2ce7cf2a98ae895ece98d88b8245

SHA1
f734d8dc508138501e79b384fe1a689920c6ba93

SHA256
260924991dff4fbd2f691913007aee1f3136708671ef3309b4f9ec8687da6f1e

SHA512
a7ff5f0d56a13d340d9ec1b977f9e995bf7dc61f6bf4b8ecd7369793d39032a43e587146e6b9a9084be5a9cc709876bf971983a218c2af631d3950cd3391cd47

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\IDriver.exe

Filesize
744KB

MD5
a9d3658c5be72816812a5a32e4560ba3

SHA1
649003292ee74d2407fae441fb92b605a0d91f90

SHA256
b2527d1e2297506796f898e90907fb4c8c7e063f2898194e74152fa9ca21923f

SHA512
b80283aafbe8cd59720979d51a5524a1d53b001e59c6fe9693c754b238101ac6058122130e0be97ce22dc4f7edce9cd84aa4fde869bf728cff8fba1733638c5b

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\ISRT.DLL

Filesize
400KB

MD5
db28ca3ba3c2045aa7b6e59aa9831c68

SHA1
55b44ea55f3a04b916339c81e1cc3f3db62d54cc

SHA256
ca41725fb64338211a9f9740f45f1b0c4d80e6c7e84a1d2e5580dcecbf87e489

SHA512
82c409611e61acad6b2986372ff72682e611b7ee5a88e74fec9c7864ce50c7494adba4165a44f2cc99b93daee33ad67320aed4fd5f85ef2fbc4779bf69f55efb

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\_ISRES1033.DLL

Filesize
528KB

MD5
1c1332bf83f505cb60e06c76fe111cdd

SHA1
3c80e9bd5a41ac3f8fa129d61261ea07db29f801

SHA256
9602fafb7de17b14a3474c64944db928ef6c23e20935c0e82e918fa2447cc979

SHA512
bd7cb4113f5b6067c55e7df1f6dac6b4058a0bdc9b0e7d6875f1718bdcc84d315ea8a2d373a45c47c82326a74cbce41a508f493eac59db99f7cd5e4f33ac575f

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\iGdiCnv.dll

Filesize
176KB

MD5
afdfec6679ce99596261ff182afbe9e6

SHA1
3289711e3ce8bb72bd84bb0bc33f95d958648f4c

SHA256
81b931aaf908e1e372802db04dfbe5256209d488bfe88d58841fc13acadedfd6

SHA512
c8ce4617d03084f37b8766f0505922a8f380e0d2745658864197535c43c3b2f985c4a2bac2228752857782181cd41167bfa4b784c7ce3e8a94932d58d099753a

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\objpscnv.dll

Filesize
32KB

MD5
aba70b81a5811e7b140271595d66f06f

SHA1
42ef824151e67cf921d861d83872c9ef13b500e6

SHA256
26d4765c2461fccd669e455d33659397d6f82fe261ece256c3f19b831dcfa0ba

SHA512
8780d68124e309b8ec2dbbbac18be3291fefabfd6ed9154645eddfb4dd8076e2fda97168d7c5ea9b378b54ee900f75bd409736cfc1262e0d167e0ff62078de0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI66E8.tmp

Filesize
108KB

MD5
147c19d5e3eab8d42aee4c115b9356de

SHA1
33259c451d12ebf254fb10831f737bc9489dee04

SHA256
3086adadbf898a7f656223b3b6425e8fc9c8774f60883077500d1a378e731e71

SHA512
128c82534f36e6da35bc38b30ba14db4194138a5cb5405cc86c1e90e3bcb02a5aecb5831d6216c816bdd7830c0da1acbbd9feda84594782a3137885993cb5efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6727.tmp

Filesize
48KB

MD5
fa13aa9996fe8d85aa680e9f5e4f23e8

SHA1
cbc23243a9a595b6d91431c4c275c1ab2adc6642

SHA256
8f40c1dc28323a3c5310bf21372b9756ca547c20c7cf63197e071a9e1e66b31b

SHA512
9f4bd08583dbaadaec281d05d79c11a1dc1651d2d96cc4ecddd68e74178c3eec843e43bea14c546ba18b371177684dde0c21211e8fdb0369bbeeb5e31fdbe87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is45C4\0x0409.ini

Filesize
5KB

MD5
6c87581375d4e4789761b9833c2a1b4d

SHA1
310395fde36429b08b615831152399db7e4267a2

SHA256
43160e278e4302e378e754149c6394bc51d1969a7941687cfcc6c00b25151282

SHA512
ff499900dd9ae154825bb1b8a65f7c53367a4a75131ce1aa08ffbd0bbaae4d8e3a062455d74b8dce41fc89648bed33fb2ecd95e7ba57098caa7ca652f176dfd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is45C4\ISScript10.Msi

Filesize
875KB

MD5
f93a766e58d9c06b5cfd7c095fdd4b97

SHA1
d02e24a8c14bc127ff1cbac8ef7c43830142d0e0

SHA256
c00e1e874d0093112e898c615b0f81fa8a0974c25cf01638fe6acb949b1940ed

SHA512
65089a6b7a916716866192781af098b8939ad8ef5881abfafbfebc53fd747c3af5b2451668f4e60ca6c3c15eacf485e009c260e710ab934537c4d98ab67d3bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is45C4\SWAT 4 Single Player Demo.msi

Filesize
155.4MB

MD5
39fdd248dd6540a63a84f9e18b2d6c20

SHA1
f4415a66f6064ca942004505301621e3ac7cc345

SHA256
8b56dc7825516fd9ed00c3869e56ff3f07ec6248a701b5930fa9f79cf6ff4997

SHA512
a2c7aae3962457ef708c224ff72b28cfcbf01c3b650996ec62669ea2afd077ec7590c3dc016865be1168d3a31a857d582afd42f950e9ce65c6a68333408c252f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is45C4\Setup.INI

Filesize
1KB

MD5
84a8c974c59231a84e0c741db73ed91c

SHA1
6eed5b21dbf679b07a2ee03f81f22209d32f0738

SHA256
6a75ae4f99b43d18fbfee8d4e35908c9665ee8bf1d6be5059c405f0a2f133fee

SHA512
aa3698d32c0c1ecdbae41585940a801c899fbab93ed99bd06caf9dc5ebd11779ee024c0b52f138e75b2f580099457ebc1ada798c0de439402d3105c65998e999

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is45C4\_ISMSIDEL.INI

Filesize
202B

MD5
be6177da1d703493bfb714ddeaa8e652

SHA1
14d74bba9e3c4f30dbf2d518da08a5ff67155422

SHA256
07b0d879f0283d45592ad471a815faf1318e9a516a2f2e38c10d75d03525dd37

SHA512
ed7a010e8d54c2cdfda8e9108f2358dc55f6719398671bd8582afd7128eb50dbf04e942b6b7deb8ae3e152b8f5904203a93e6afc42250959d78fc4f5e4698418

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F2CA85EF-D86E-4F4C-99E7-8ED7AA18E7B8}\EULA.rtf

Filesize
11KB

MD5
996be8935529d97b6c80624d33c12cae

SHA1
a13ce99c36cd8d4c5acdeb009e3616c5d706fef1

SHA256
d11964dab4728364d839f21df498ae9b4c6d8450323572b50c278b7281905afb

SHA512
c1b99c006cd1ceafbc69843ca1f580597d5414e2c3506db2c0f0a9514be871119cb1ea803a85fdb95705c34d71a2b06f2ccaf2757768553fad842a96fc1306ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F2CA85EF-D86E-4F4C-99E7-8ED7AA18E7B8}\ScriptHelper.dll

Filesize
48KB

MD5
ba48156a5d5ab3b51e3318e5e1d78c06

SHA1
84f1dfacc64651988b699c4c3c3c2c105c68b252

SHA256
7ffc6214b348692fefe341fec1a2afb7afe68f0ef7c84999d91c58a3438ac23c

SHA512
61d8e6927d424146598a910d23a837f174dbdf367605c108dbd2fcbc012e4c71f8f58a35dae677f15e4c68d7df51d27a306b2d0d23b181f4f66b966d4014b8aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F2CA85EF-D86E-4F4C-99E7-8ED7AA18E7B8}\Swat4InstallerHeader.bmp

Filesize
86KB

MD5
daaa9912e7a552c2be93bd017a194025

SHA1
4d77a3f3324c74ecce421d028f73868f6b7cefb8

SHA256
1258d24fd03f061d43ddbb7ffce7bd075a86437522ec808277205bc09ea53646

SHA512
7b9da95d09f298635e3f14b3b1c6d1aeb5b227a3c7d0c3fa9096147f7e56700b4a96ea1334a5eac2723aeb6118d768d7f8855e862d3de0f9c14c7a0e50102c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F2CA85EF-D86E-4F4C-99E7-8ED7AA18E7B8}\_ISUSER.DLL

Filesize
256KB

MD5
7f7e52355174b392d84af36a422906db

SHA1
e3e541204d609b1094075898025f5e17cda8049f

SHA256
a657145af747382905b641d32627d33c5e0e635ab95909e37fefcf9e479ee89e

SHA512
a2db7824101bd9d9ee2548495bb52d07e9f1ee54ae6af0435afeb0dd713115a2636464a98171dfe4e0193315e86a811a926510ab74caaa3d915589085c1afd51

Download Submit
memory/3004-143-0x0000000002DC0000-0x0000000002E02000-memory.dmp

Filesize
264KB

Download
memory/3004-149-0x0000000003780000-0x00000000037AC000-memory.dmp

Filesize
176KB

Download
memory/3004-158-0x0000000004150000-0x00000000041B6000-memory.dmp

Filesize
408KB

Download
memory/3004-166-0x00000000041E0000-0x0000000004266000-memory.dmp

Filesize
536KB

Download
memory/3004-178-0x00000000042E0000-0x000000000430E000-memory.dmp

Filesize
184KB

Download
memory/3004-183-0x0000000003980000-0x000000000398D000-memory.dmp

Filesize
52KB

Download