0318aede8bb0173e8c18d9539a7bee9cd0eb85a0e8927316b80c07f10a829083

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee1e5b80a1d3d47c7703ea2b6b64ee96283ab3628ee4fa1fef6d35d1d9051e9f.msi
Size

1.4MB
MD5

ec183d55d6c11480bc167da468a526fa
SHA1

e4315009a338b527d7b65bd557be404b9f55d284
SHA256

ee1e5b80a1d3d47c7703ea2b6b64ee96283ab3628ee4fa1fef6d35d1d9051e9f
SHA512

03d6fa94994b642ed753827d13aafa4bc61580102c4fa1fb8861d391f8b3b62e0d90a1328b9f10af1c00a443f43a69a3085068356906e46bb53d70df30e29cf3
SSDEEP

24576:gfPxLNvYLSMvZCFlp8zBQSc0ZoCvqKwx0ECIgYmfLVYeBZr7AgrukBho6l:gf/vYpW8zBQSc0ZnSKeZKumZr7AZqhDl

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6254.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI62E1.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4A88E1DD-9150-4E48-BE8A-4A9096C30BEC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6350.tmp	msiexec.exe
File created	C:\Windows\Installer\e576215.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e576215.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI639F.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
4068	MSI639F.tmp

Loads dropped DLL 10 IoCs

pid	Process
3184	MsiExec.exe
3184	MsiExec.exe
3184	MsiExec.exe
3184	MsiExec.exe
3184	MsiExec.exe
3184	MsiExec.exe
4088	MsiExec.exe
4088	MsiExec.exe
4952	rundll32.exe
3200	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000042283678384db7f50000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000422836780000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090042283678000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d42283678000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004228367800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3740	msiexec.exe
3740	msiexec.exe
4068	MSI639F.tmp
4068	MSI639F.tmp
4952	rundll32.exe
4952	rundll32.exe
4952	rundll32.exe
4952	rundll32.exe
3200	rundll32.exe
3200	rundll32.exe
3200	rundll32.exe
3200	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3772	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3772	msiexec.exe
Token: SeSecurityPrivilege	3740	msiexec.exe
Token: SeCreateTokenPrivilege	3772	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3772	msiexec.exe
Token: SeLockMemoryPrivilege	3772	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3772	msiexec.exe
Token: SeMachineAccountPrivilege	3772	msiexec.exe
Token: SeTcbPrivilege	3772	msiexec.exe
Token: SeSecurityPrivilege	3772	msiexec.exe
Token: SeTakeOwnershipPrivilege	3772	msiexec.exe
Token: SeLoadDriverPrivilege	3772	msiexec.exe
Token: SeSystemProfilePrivilege	3772	msiexec.exe
Token: SeSystemtimePrivilege	3772	msiexec.exe
Token: SeProfSingleProcessPrivilege	3772	msiexec.exe
Token: SeIncBasePriorityPrivilege	3772	msiexec.exe
Token: SeCreatePagefilePrivilege	3772	msiexec.exe
Token: SeCreatePermanentPrivilege	3772	msiexec.exe
Token: SeBackupPrivilege	3772	msiexec.exe
Token: SeRestorePrivilege	3772	msiexec.exe
Token: SeShutdownPrivilege	3772	msiexec.exe
Token: SeDebugPrivilege	3772	msiexec.exe
Token: SeAuditPrivilege	3772	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3772	msiexec.exe
Token: SeChangeNotifyPrivilege	3772	msiexec.exe
Token: SeRemoteShutdownPrivilege	3772	msiexec.exe
Token: SeUndockPrivilege	3772	msiexec.exe
Token: SeSyncAgentPrivilege	3772	msiexec.exe
Token: SeEnableDelegationPrivilege	3772	msiexec.exe
Token: SeManageVolumePrivilege	3772	msiexec.exe
Token: SeImpersonatePrivilege	3772	msiexec.exe
Token: SeCreateGlobalPrivilege	3772	msiexec.exe
Token: SeCreateTokenPrivilege	3772	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3772	msiexec.exe
Token: SeLockMemoryPrivilege	3772	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3772	msiexec.exe
Token: SeMachineAccountPrivilege	3772	msiexec.exe
Token: SeTcbPrivilege	3772	msiexec.exe
Token: SeSecurityPrivilege	3772	msiexec.exe
Token: SeTakeOwnershipPrivilege	3772	msiexec.exe
Token: SeLoadDriverPrivilege	3772	msiexec.exe
Token: SeSystemProfilePrivilege	3772	msiexec.exe
Token: SeSystemtimePrivilege	3772	msiexec.exe
Token: SeProfSingleProcessPrivilege	3772	msiexec.exe
Token: SeIncBasePriorityPrivilege	3772	msiexec.exe
Token: SeCreatePagefilePrivilege	3772	msiexec.exe
Token: SeCreatePermanentPrivilege	3772	msiexec.exe
Token: SeBackupPrivilege	3772	msiexec.exe
Token: SeRestorePrivilege	3772	msiexec.exe
Token: SeShutdownPrivilege	3772	msiexec.exe
Token: SeDebugPrivilege	3772	msiexec.exe
Token: SeAuditPrivilege	3772	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3772	msiexec.exe
Token: SeChangeNotifyPrivilege	3772	msiexec.exe
Token: SeRemoteShutdownPrivilege	3772	msiexec.exe
Token: SeUndockPrivilege	3772	msiexec.exe
Token: SeSyncAgentPrivilege	3772	msiexec.exe
Token: SeEnableDelegationPrivilege	3772	msiexec.exe
Token: SeManageVolumePrivilege	3772	msiexec.exe
Token: SeImpersonatePrivilege	3772	msiexec.exe
Token: SeCreateGlobalPrivilege	3772	msiexec.exe
Token: SeCreateTokenPrivilege	3772	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3772	msiexec.exe
Token: SeLockMemoryPrivilege	3772	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3772	msiexec.exe
3772	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 3184	3740	msiexec.exe	90
PID 3740 wrote to memory of 3184	3740	msiexec.exe	90
PID 3740 wrote to memory of 3184	3740	msiexec.exe	90
PID 3740 wrote to memory of 1784	3740	msiexec.exe	101
PID 3740 wrote to memory of 1784	3740	msiexec.exe	101
PID 3740 wrote to memory of 4088	3740	msiexec.exe	103
PID 3740 wrote to memory of 4088	3740	msiexec.exe	103
PID 3740 wrote to memory of 4088	3740	msiexec.exe	103
PID 3740 wrote to memory of 4068	3740	msiexec.exe	104
PID 3740 wrote to memory of 4068	3740	msiexec.exe	104
PID 3740 wrote to memory of 4068	3740	msiexec.exe	104
PID 4952 wrote to memory of 3200	4952	rundll32.exe	106
PID 4952 wrote to memory of 3200	4952	rundll32.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ee1e5b80a1d3d47c7703ea2b6b64ee96283ab3628ee4fa1fef6d35d1d9051e9f.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3772

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4F99724F22942F318FAA040C8D9790F4 C
  2⤵
  - Loads dropped DLL
  PID:3184
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1784
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B17B66824E1982222488CC2F6D6AB727
  2⤵
  - Loads dropped DLL
  PID:4088
- C:\Windows\Installer\MSI639F.tmp
  "C:\Windows\Installer\MSI639F.tmp" C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\stat\falcon.dll, vgml
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4860

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\stat\falcon.dll, vgml
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\System32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_f70fbdc2.dll", vgml
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e576216.rbs

Filesize
1KB

MD5
7b5f8c7afcb532ab48d45d6b7fe9e4b4

SHA1
5535718d11e02ea00eeeb99c910da335c3ef8203

SHA256
7247e168d1aef453edd91565b2d35a0dc3444d5859b9d877b90e5e7df4c1e107

SHA512
677fa1afee07978a134fafc9f4ec216b885dda491f20687b880885999d5a4a1441b786241591c795f68f600c4bc2d8c60ee3a1d715fd9afed2450b36a0a4489d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI321C.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3366.tmp

Filesize
64KB

MD5
689eeeb4882c9abef6130c7e01fefa55

SHA1
45c1b62ee8cf62ae4ffaaa33aea5b47b373372ac

SHA256
cb72f1067fbf62ed57ad7a33854f5cfb2f4cff21060e97abb7bba0436d9fd7ca

SHA512
70924ac8e561481acf54624902dda727d2c586317f1e7d0dc367af23a0b28380cfe791aeb21cf729a3ac5577dccdf8e1724fa38ab6d37811835b0139eb525830

Download Submit
C:\Users\Admin\AppData\Local\stat\falcon.dll

Filesize
469KB

MD5
e27c6586dba78d5d302589f3b231be40

SHA1
305031a6d93a744cf61552ab673ddb27843ee845

SHA256
3b63ea8b6f9b2aa847faa11f6cd3eb281abd9b9cceedb570713c4d78a47de567

SHA512
1f0c126e38eed21ee51e04ebe4717fcbb3545d9ccdcc24ba0125f82c5f9b94d1406cbf3ba9f58958e4f180bdd6931bc3a3cb5390de990f8265baabfd414f89c2

Download Submit
C:\Windows\Installer\MSI639F.tmp

Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
4187b5b9dd5eab5cd3c2fdde9d85c787

SHA1
914bee4dcbac22cfa5963aa65923adeb188a544a

SHA256
5906d100964bc8daf85bd633afbf0a616887809767a6ff1c7a06a0e716d8b026

SHA512
690c9de974bee690eb7fc04b4d9dedac38c98b45c5ad666d77a779ef67519a2ea84a9af024134627c06ad255964f04dec2f476127af4690224cfaa64ac56fd03

Download Submit
\??\Volume{78362842-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{64ad5972-161d-4f1d-86b3-7b46d9b06a1c}_OnDiskSnapshotProp

Filesize
6KB

MD5
08867690f693adc77f49b4689ea9e8d0

SHA1
8f8815076b0416230dc500fdf0de41f74c6b89f7

SHA256
811999c390a0f574570f5a39f7a3b1b6eb149c3e498d90680821a67102190b0d

SHA512
ed54c48ff105474a176e1ce065c98dbccefbba54351aa3be51273b33287d3dd63b21229880aed3e10a4537d5968ea393a852f9ba0a7a87625fba5dd803bcaa40

Download Submit
memory/3200-64-0x000001DADA860000-0x000001DADA874000-memory.dmp

Filesize
80KB

Download
memory/3200-65-0x000001DADA860000-0x000001DADA874000-memory.dmp

Filesize
80KB

Download
memory/4952-47-0x00000236C3160000-0x00000236C3174000-memory.dmp

Filesize
80KB

Download
memory/4952-49-0x0000000180000000-0x000000018007B000-memory.dmp

Filesize
492KB

Download
memory/4952-52-0x00000236C3160000-0x00000236C3174000-memory.dmp

Filesize
80KB

Download