Analysis
-
max time kernel
136s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09-03-2024 10:42
Behavioral task
behavioral1
Sample
reverse_tcp_uuid.msi
Resource
win7-20240221-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
reverse_tcp_uuid.msi
Resource
win10v2004-20240226-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
reverse_tcp_uuid.msi
-
Size
156KB
-
MD5
ea86d9f4827f1b24baf14d0a62111c81
-
SHA1
dfbe48a8b76917ff03cf74d0519dda2c1ab76dfb
-
SHA256
1b678899247d6239f5c03b9f017b6808524d3a5e9320e31f78a355017323db48
-
SHA512
ab86da16e79c4d000ec736528f7e58e5973f2ff9654c1bcb0ba9ef7ef1d14ce3134f5d0f31a5803da93a6676c0c3f35dee0559fe66dda60f16e0098e56ca0d10
-
SSDEEP
384:iHpe4ZvJXK7gzFM7WuMOxceoXgZs+5BCq26yy3M5BCqPN:Zmxa7gBMyuvDCUyWMDC
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
metasploit_stager
C2
1.14.247.162:40001
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\X: msiexec.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File created C:\Windows\Installer\f764e01.msi msiexec.exe File opened for modification C:\Windows\Installer\f764e01.msi msiexec.exe File created C:\Windows\Installer\f764e02.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI4EFA.tmp msiexec.exe File opened for modification C:\Windows\Installer\f764e02.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI4F2B.tmp msiexec.exe -
Executes dropped EXE 1 IoCs
pid Process 2808 MSI4F2B.tmp -
Loads dropped DLL 2 IoCs
pid Process 2160 msiexec.exe 2160 msiexec.exe -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2160 msiexec.exe 2160 msiexec.exe 2160 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 61 IoCs
description pid Process Token: SeShutdownPrivilege 2192 msiexec.exe Token: SeIncreaseQuotaPrivilege 2192 msiexec.exe Token: SeRestorePrivilege 2160 msiexec.exe Token: SeTakeOwnershipPrivilege 2160 msiexec.exe Token: SeSecurityPrivilege 2160 msiexec.exe Token: SeCreateTokenPrivilege 2192 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2192 msiexec.exe Token: SeLockMemoryPrivilege 2192 msiexec.exe Token: SeIncreaseQuotaPrivilege 2192 msiexec.exe Token: SeMachineAccountPrivilege 2192 msiexec.exe Token: SeTcbPrivilege 2192 msiexec.exe Token: SeSecurityPrivilege 2192 msiexec.exe Token: SeTakeOwnershipPrivilege 2192 msiexec.exe Token: SeLoadDriverPrivilege 2192 msiexec.exe Token: SeSystemProfilePrivilege 2192 msiexec.exe Token: SeSystemtimePrivilege 2192 msiexec.exe Token: SeProfSingleProcessPrivilege 2192 msiexec.exe Token: SeIncBasePriorityPrivilege 2192 msiexec.exe Token: SeCreatePagefilePrivilege 2192 msiexec.exe Token: SeCreatePermanentPrivilege 2192 msiexec.exe Token: SeBackupPrivilege 2192 msiexec.exe Token: SeRestorePrivilege 2192 msiexec.exe Token: SeShutdownPrivilege 2192 msiexec.exe Token: SeDebugPrivilege 2192 msiexec.exe Token: SeAuditPrivilege 2192 msiexec.exe Token: SeSystemEnvironmentPrivilege 2192 msiexec.exe Token: SeChangeNotifyPrivilege 2192 msiexec.exe Token: SeRemoteShutdownPrivilege 2192 msiexec.exe Token: SeUndockPrivilege 2192 msiexec.exe Token: SeSyncAgentPrivilege 2192 msiexec.exe Token: SeEnableDelegationPrivilege 2192 msiexec.exe Token: SeManageVolumePrivilege 2192 msiexec.exe Token: SeImpersonatePrivilege 2192 msiexec.exe Token: SeCreateGlobalPrivilege 2192 msiexec.exe Token: SeBackupPrivilege 3036 vssvc.exe Token: SeRestorePrivilege 3036 vssvc.exe Token: SeAuditPrivilege 3036 vssvc.exe Token: SeBackupPrivilege 2160 msiexec.exe Token: SeRestorePrivilege 2160 msiexec.exe Token: SeRestorePrivilege 2572 DrvInst.exe Token: SeRestorePrivilege 2572 DrvInst.exe Token: SeRestorePrivilege 2572 DrvInst.exe Token: SeRestorePrivilege 2572 DrvInst.exe Token: SeRestorePrivilege 2572 DrvInst.exe Token: SeRestorePrivilege 2572 DrvInst.exe Token: SeRestorePrivilege 2572 DrvInst.exe Token: SeLoadDriverPrivilege 2572 DrvInst.exe Token: SeLoadDriverPrivilege 2572 DrvInst.exe Token: SeLoadDriverPrivilege 2572 DrvInst.exe Token: SeRestorePrivilege 2160 msiexec.exe Token: SeTakeOwnershipPrivilege 2160 msiexec.exe Token: SeRestorePrivilege 2160 msiexec.exe Token: SeTakeOwnershipPrivilege 2160 msiexec.exe Token: SeRestorePrivilege 2160 msiexec.exe Token: SeTakeOwnershipPrivilege 2160 msiexec.exe Token: SeRestorePrivilege 2160 msiexec.exe Token: SeTakeOwnershipPrivilege 2160 msiexec.exe Token: SeRestorePrivilege 2160 msiexec.exe Token: SeTakeOwnershipPrivilege 2160 msiexec.exe Token: SeRestorePrivilege 2160 msiexec.exe Token: SeTakeOwnershipPrivilege 2160 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2192 msiexec.exe 2192 msiexec.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2160 wrote to memory of 2772 2160 msiexec.exe 32 PID 2160 wrote to memory of 2772 2160 msiexec.exe 32 PID 2160 wrote to memory of 2772 2160 msiexec.exe 32 PID 2160 wrote to memory of 2772 2160 msiexec.exe 32 PID 2160 wrote to memory of 2772 2160 msiexec.exe 32 PID 2160 wrote to memory of 2772 2160 msiexec.exe 32 PID 2160 wrote to memory of 2772 2160 msiexec.exe 32 PID 2160 wrote to memory of 2808 2160 msiexec.exe 33 PID 2160 wrote to memory of 2808 2160 msiexec.exe 33 PID 2160 wrote to memory of 2808 2160 msiexec.exe 33 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\reverse_tcp_uuid.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2192
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B19FDC4DDB15D020A051DFF15227C1A82⤵PID:2772
-
-
C:\Windows\Installer\MSI4F2B.tmp"C:\Windows\Installer\MSI4F2B.tmp"2⤵
- Executes dropped EXE
PID:2808
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005BC" "00000000000003A8"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2572
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
124KB
MD532bca63e32bfa7abf23e77edd30478d6
SHA157beba1d54428d559fd3ed8d258a691990cd0245
SHA256c6b4471618c370d9216fc3632dc258ad460471e2385ded2f2929133e9b1e67ab
SHA5123a0f987a78316728da4ee30ea307919a2b73c9b85c0cbe24e179f4c6bb6255d89fc056f1d3f9f56bd6ff6ad40e22521fc581f08630a8759bed9cc3892c81b553