Analysis

max time kernel:   598s
max time network:  604s
platform:          windows10-1703_x64
resource:          win10-20240221-en
resource tags:     arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted:         11-03-2024 15:45
Static task: static1

Behavioral task: behavioral1
  Sample:   cisa.msi
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample:   cisa.msi
  Resource: win10-20240221-en

Behavioral task: behavioral3
  Sample:   cisa.msi
  Resource: win10v2004-20240226-en

Behavioral task: behavioral4
  Sample:   cisa.msi
  Resource: win11-20240221-en
General

Target:  cisa.msi
Size:    1.5MB
MD5:     c4e8f3e02fd50a4051f11048f1355726
SHA1:    c82bf39c9f4797f346447aecc1070fb8c892010f
SHA256:  3a950d7e6736f17c3df90844c76d934dc66c17ec76841a4ad58de07af7955f0f
SHA512:  e44d8330c4ffdae01614ed5d11c2f112cff9b39bae793242f983d039e1404d371a2697a77fa65b740e43548ab1b203607a6d82b05ff3df741be02bd99a136592
SSDEEP:  24576:QjGxLNvYLSMvZCFlp8zBQSc0ZoCvqKwx0ECIgYmfLVYeBZr7A0r7Jh3OnJ3qXIoj:QjivYpW8zBQSc0ZnSKeZKumZr7A+D3O2
Malware Config
Signatures
- Blocklisted process makes network request (64 IoCs)

  flow                                      pid   Process
  13, 15, 16, 19 through 79 (64 requests)   5100  rundll32.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.

  description              ioc     Process
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
- Drops file in Windows directory (10 IoCs)

  description                   ioc                                                                      Process
  File opened for modification  C:\Windows\Installer\                                                    msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                           msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI5B1F.tmp                                         msiexec.exe
  File created                  C:\Windows\Installer\e585724.msi                                         msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                 msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI57C0.tmp                                         msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI5A71.tmp                                         msiexec.exe
  File opened for modification  C:\Windows\Installer\e585724.msi                                         msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI5957.tmp                                         msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{A38F5F69-A209-49ED-8CCE-91613AA34EAF}    msiexec.exe
- Executes dropped EXE (1 IoC)

  pid   Process
  3280  MSI5B1F.tmp
- Loads dropped DLL (10 IoCs)

  pid   Process
  4124  MsiExec.exe
  4124  MsiExec.exe
  4124  MsiExec.exe
  4124  MsiExec.exe
  4124  MsiExec.exe
  4124  MsiExec.exe
  4328  MsiExec.exe
  4328  MsiExec.exe
  3960  rundll32.exe
  5100  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)

  pid   Process
  32    msiexec.exe
  32    msiexec.exe
  3280  MSI5B1F.tmp
  3280  MSI5B1F.tmp
  3960  rundll32.exe
  3960  rundll32.exe
  3960  rundll32.exe
  3960  rundll32.exe
  5100  rundll32.exe
  5100  rundll32.exe
  5100  rundll32.exe
  5100  rundll32.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)

  description                           pid   Process
  Token: SeShutdownPrivilege            3608  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       3608  msiexec.exe
  Token: SeSecurityPrivilege            32    msiexec.exe
  Token: SeCreateTokenPrivilege         3608  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  3608  msiexec.exe
  Token: SeLockMemoryPrivilege          3608  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       3608  msiexec.exe
  Token: SeMachineAccountPrivilege      3608  msiexec.exe
  Token: SeTcbPrivilege                 3608  msiexec.exe
  Token: SeSecurityPrivilege            3608  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3608  msiexec.exe
  Token: SeLoadDriverPrivilege          3608  msiexec.exe
  Token: SeSystemProfilePrivilege       3608  msiexec.exe
  Token: SeSystemtimePrivilege          3608  msiexec.exe
  Token: SeProfSingleProcessPrivilege   3608  msiexec.exe
  Token: SeIncBasePriorityPrivilege     3608  msiexec.exe
  Token: SeCreatePagefilePrivilege      3608  msiexec.exe
  Token: SeCreatePermanentPrivilege     3608  msiexec.exe
  Token: SeBackupPrivilege              3608  msiexec.exe
  Token: SeRestorePrivilege             3608  msiexec.exe
  Token: SeShutdownPrivilege            3608  msiexec.exe
  Token: SeDebugPrivilege               3608  msiexec.exe
  Token: SeAuditPrivilege               3608  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   3608  msiexec.exe
  Token: SeChangeNotifyPrivilege        3608  msiexec.exe
  Token: SeRemoteShutdownPrivilege      3608  msiexec.exe
  Token: SeUndockPrivilege              3608  msiexec.exe
  Token: SeSyncAgentPrivilege           3608  msiexec.exe
  Token: SeEnableDelegationPrivilege    3608  msiexec.exe
  Token: SeManageVolumePrivilege        3608  msiexec.exe
  Token: SeImpersonatePrivilege         3608  msiexec.exe
  Token: SeCreateGlobalPrivilege        3608  msiexec.exe
  Token: SeCreateTokenPrivilege         3608  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  3608  msiexec.exe
  Token: SeLockMemoryPrivilege          3608  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       3608  msiexec.exe
  Token: SeMachineAccountPrivilege      3608  msiexec.exe
  Token: SeTcbPrivilege                 3608  msiexec.exe
  Token: SeSecurityPrivilege            3608  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3608  msiexec.exe
  Token: SeLoadDriverPrivilege          3608  msiexec.exe
  Token: SeSystemProfilePrivilege       3608  msiexec.exe
  Token: SeSystemtimePrivilege          3608  msiexec.exe
  Token: SeProfSingleProcessPrivilege   3608  msiexec.exe
  Token: SeIncBasePriorityPrivilege     3608  msiexec.exe
  Token: SeCreatePagefilePrivilege      3608  msiexec.exe
  Token: SeCreatePermanentPrivilege     3608  msiexec.exe
  Token: SeBackupPrivilege              3608  msiexec.exe
  Token: SeRestorePrivilege             3608  msiexec.exe
  Token: SeShutdownPrivilege            3608  msiexec.exe
  Token: SeDebugPrivilege               3608  msiexec.exe
  Token: SeAuditPrivilege               3608  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   3608  msiexec.exe
  Token: SeChangeNotifyPrivilege        3608  msiexec.exe
  Token: SeRemoteShutdownPrivilege      3608  msiexec.exe
  Token: SeUndockPrivilege              3608  msiexec.exe
  Token: SeSyncAgentPrivilege           3608  msiexec.exe
  Token: SeEnableDelegationPrivilege    3608  msiexec.exe
  Token: SeManageVolumePrivilege        3608  msiexec.exe
  Token: SeImpersonatePrivilege         3608  msiexec.exe
  Token: SeCreateGlobalPrivilege        3608  msiexec.exe
  Token: SeCreateTokenPrivilege         3608  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  3608  msiexec.exe
  Token: SeLockMemoryPrivilege          3608  msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)

  pid   Process
  3608  msiexec.exe
  3608  msiexec.exe
- Suspicious use of WriteProcessMemory (13 IoCs)

  description                       pid   Process       procid_target
  PID 32 wrote to memory of 4124    32    msiexec.exe   75
  PID 32 wrote to memory of 4124    32    msiexec.exe   75
  PID 32 wrote to memory of 4124    32    msiexec.exe   75
  PID 32 wrote to memory of 3128    32    msiexec.exe   78
  PID 32 wrote to memory of 3128    32    msiexec.exe   78
  PID 32 wrote to memory of 4328    32    msiexec.exe   80
  PID 32 wrote to memory of 4328    32    msiexec.exe   80
  PID 32 wrote to memory of 4328    32    msiexec.exe   80
  PID 32 wrote to memory of 3280    32    msiexec.exe   81
  PID 32 wrote to memory of 3280    32    msiexec.exe   81
  PID 32 wrote to memory of 3280    32    msiexec.exe   81
  PID 3960 wrote to memory of 5100  3960  rundll32.exe  83
  PID 3960 wrote to memory of 5100  3960  rundll32.exe  83
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Windows\system32\msiexec.exe (PID:3608)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cisa.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID:32)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\syswow64\MsiExec.exe (PID:4124)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding ACA2E2E1D1F9B5CF172604C69E30BAF4 C
    - Loads dropped DLL

  - C:\Windows\system32\srtasks.exe (PID:3128)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

  - C:\Windows\syswow64\MsiExec.exe (PID:4328)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8E89A1215A954B225AE9EF27591DCD7C
    - Loads dropped DLL

  - C:\Windows\Installer\MSI5B1F.tmp (PID:3280)
    Command line: "C:\Windows\Installer\MSI5B1F.tmp" C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\stat\falcon.dll, vgml
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\vssvc.exe (PID:3792)
  Command line: C:\Windows\system32\vssvc.exe

- C:\Windows\System32\rundll32.exe (PID:3960)
  Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\stat\falcon.dll, vgml
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\rundll32.exe (PID:5100)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_8721231e.dll", vgml
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5:    67fbc46e36dafb6a9a0c3d66088409f2
  SHA1:   1725b50d51cb193a061bab9479217ec6367752a5
  SHA256: 03a88f94f03202f1374b39ff138055b4def49d45309124c305566e84aa9b0389
  SHA512: 43a4b2c958fdc4d651b0ac64fa811ffd69e406d44e852e553377df14d1e4eeeb360c00ca16ab9811922e47f13412e345b1dcc37820d1fed97aa691cc002fea1b

- Filesize: 361KB
  MD5:    07b6e0402ba97d8385c69569512f454d
  SHA1:   d45a087809c996ebf82c64adbaceb2c591065d81
  SHA256: a111c0edf3acf7741e2dd88e3d48204b9a7b9d21fc6389642300b6c394470974
  SHA512: 0052bac2f1a022a397de1ba573e7b48d71d79154bf19dffac14868a3497336ed7a48bd42bdc0641cdfb152b383eb2adb84070ab43a747b32b32c18fb247835a2

- Filesize: 436KB
  MD5:    475d20c0ea477a35660e3f67ecf0a1df
  SHA1:   67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
  SHA256: 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
  SHA512: 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

- Filesize: 694KB
  MD5:    da8ae8e1de522b20a462239c6893613e
  SHA1:   7f65ef885815d81d220f9f42877ff0d696b0134c
  SHA256: aee22a35cbdac3f16c3ed742c0b1bfe9739a13469cf43b36fb2c63565111028c
  SHA512: d2dca9ba9272a0bdfa88f7520545e21a1f4d18dcacec36b072369cee8e28ba635a0214b47caef74b6f7fcd06e120d898da997e71c8955c72510972c66d2a855d

- Filesize: 389KB
  MD5:    b9545ed17695a32face8c3408a6a3553
  SHA1:   f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83
  SHA256: 1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a
  SHA512: f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

- Filesize: 1.1MB
  MD5:    c714b434b4a625109810ba1b550e3aa8
  SHA1:   7f1b6f0f59fc56bf4f1d72a61f269e5fe5475007
  SHA256: f43ed0830543ea335430fa4ed352e77236a53f40477374915911b931d04c65ef
  SHA512: 33017335db35ce45fef264eed068d1b67e9457984d13c62bfc6dd09ccc045a036683c6dfca8c9bc66969dff8b00c9bb9a9e52ead040c0439d6820eab9c4b1c39

- \??\Volume{357a2a78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9f20e2b7-3813-4e2b-b394-47ffdb3eaa11}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5:    a272918add43b9440b924d599267094d
  SHA1:   72e3df4b023a0bb3c836288eb8b350d673ae7476
  SHA256: 292897b8f4960a470bed5f9279e0c6eccd7d3312024a52a9cf3f70232bbb55c0
  SHA512: 13d638d9c5a9143accf88018eae083341d8e6f2636ec77b32c41c95780df9535c6e8eda5bc3fdf952ee4d11f7cd8a45ea70d069bd62832a4c4b41570bd08df2f

- Filesize: 64KB
  MD5:    689eeeb4882c9abef6130c7e01fefa55
  SHA1:   45c1b62ee8cf62ae4ffaaa33aea5b47b373372ac
  SHA256: cb72f1067fbf62ed57ad7a33854f5cfb2f4cff21060e97abb7bba0436d9fd7ca
  SHA512: 70924ac8e561481acf54624902dda727d2c586317f1e7d0dc367af23a0b28380cfe791aeb21cf729a3ac5577dccdf8e1724fa38ab6d37811835b0139eb525830

- Filesize: 287KB
  MD5:    dc820e54cc5e0e73ae9e74dbc4799890
  SHA1:   6986ad79a19530148b0b52efae95646c80fe66d9
  SHA256: 95a558ab5017519e39572c2acb62f7a96d11ed57727791177da1338007c0e653
  SHA512: ac8b06ac34e5494aa0fb57b5414c687867ec6b773fe38134971d3ba72f4f3c2ae14a8e5326176b6ee2d9356399fc1576c2a846208369f0fc87a4436a1e4c2be5