7a077a21c426d36fd136f7cb31cef1055e7992216d07c1aa9bc5ee2fd720999a

Analysis

max time kernel
130s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

psqlodbc_x86.msi
Size

4.2MB
MD5

28d14596c0c5ce8aab6c350075184d45
SHA1

03544fc6e333958e461bfada8fcc7c74f958ac91
SHA256

7a077a21c426d36fd136f7cb31cef1055e7992216d07c1aa9bc5ee2fd720999a
SHA512

ede6abd39eda4ea52d1d0b979d94a2c4fe244ddeb157705f962e65014ae97ad8cf90237155478cc1132abe528f6c6301e67b2457afeb2296474011a5cea57585
SSDEEP

98304:VHSqDGkjh7F421XMqCUoIcD8wtEDrkptE4:MqDqb6BcD8w6Dg

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\psqlODBC\1600\bin\psqlodbc35w.dll	msiexec.exe
File created	C:\Program Files (x86)\psqlODBC\1600\bin\psqlodbc35w.pdb	msiexec.exe
File created	C:\Program Files (x86)\psqlODBC\1600\bin\libcrypto-3.dll	msiexec.exe
File created	C:\Program Files (x86)\psqlODBC\1600\bin\libpq.dll	msiexec.exe
File created	C:\Program Files (x86)\psqlODBC\1600\bin\pgenlista.dll	msiexec.exe
File created	C:\Program Files (x86)\psqlODBC\1600\bin\pgenlista.pdb	msiexec.exe
File created	C:\Program Files (x86)\psqlODBC\1600\bin\psqlodbc30a.dll	msiexec.exe
File created	C:\Program Files (x86)\psqlODBC\1600\bin\psqlodbc30a.pdb	msiexec.exe
File created	C:\Program Files (x86)\psqlODBC\1600\bin\vcruntime140.dll	msiexec.exe
File created	C:\Program Files (x86)\psqlODBC\1600\bin\msvcp140.dll	msiexec.exe
File created	C:\Program Files (x86)\psqlODBC\1600\bin\pgenlist.dll	msiexec.exe
File created	C:\Program Files (x86)\psqlODBC\1600\bin\libssl-3.dll	msiexec.exe
File created	C:\Program Files (x86)\psqlODBC\1600\bin\pgenlist.pdb	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2F581E5C-6F60-4A6B-831C-16B3C959ABED}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI578C.tmp	msiexec.exe
File created	C:\Windows\Installer\e59552d.msi	msiexec.exe
File created	C:\Windows\Installer\e59552b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e59552b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000db5049eb9f24a4820000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000db5049eb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900db5049eb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1ddb5049eb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000db5049eb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C5E185F206F6B6A438C1613B9C95BADE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C5E185F206F6B6A438C1613B9C95BADE\docs = "\x06psqlodbc"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5E185F206F6B6A438C1613B9C95BADE\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5E185F206F6B6A438C1613B9C95BADE\SourceList\PackageName = "psqlodbc_x86.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5E185F206F6B6A438C1613B9C95BADE\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5E185F206F6B6A438C1613B9C95BADE\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5E185F206F6B6A438C1613B9C95BADE\PackageCode = "8F85B707B7165F74AA95A5D2573E3293"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5E185F206F6B6A438C1613B9C95BADE\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5E185F206F6B6A438C1613B9C95BADE\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5E185F206F6B6A438C1613B9C95BADE\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5E185F206F6B6A438C1613B9C95BADE\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\835ACB422A57F7A42B639CE9CF1254ED	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\835ACB422A57F7A42B639CE9CF1254ED\C5E185F206F6B6A438C1613B9C95BADE	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5E185F206F6B6A438C1613B9C95BADE\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C5E185F206F6B6A438C1613B9C95BADE\binaries = "psqlodbc"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C5E185F206F6B6A438C1613B9C95BADE\psqlodbc	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5E185F206F6B6A438C1613B9C95BADE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5E185F206F6B6A438C1613B9C95BADE\ProductName = "psqlODBC"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5E185F206F6B6A438C1613B9C95BADE\Version = "268435456"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5E185F206F6B6A438C1613B9C95BADE\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5E185F206F6B6A438C1613B9C95BADE\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5E185F206F6B6A438C1613B9C95BADE\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5E185F206F6B6A438C1613B9C95BADE\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5E185F206F6B6A438C1613B9C95BADE\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3200	msiexec.exe
3200	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4824	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4824	msiexec.exe
Token: SeSecurityPrivilege	3200	msiexec.exe
Token: SeCreateTokenPrivilege	4824	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4824	msiexec.exe
Token: SeLockMemoryPrivilege	4824	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4824	msiexec.exe
Token: SeMachineAccountPrivilege	4824	msiexec.exe
Token: SeTcbPrivilege	4824	msiexec.exe
Token: SeSecurityPrivilege	4824	msiexec.exe
Token: SeTakeOwnershipPrivilege	4824	msiexec.exe
Token: SeLoadDriverPrivilege	4824	msiexec.exe
Token: SeSystemProfilePrivilege	4824	msiexec.exe
Token: SeSystemtimePrivilege	4824	msiexec.exe
Token: SeProfSingleProcessPrivilege	4824	msiexec.exe
Token: SeIncBasePriorityPrivilege	4824	msiexec.exe
Token: SeCreatePagefilePrivilege	4824	msiexec.exe
Token: SeCreatePermanentPrivilege	4824	msiexec.exe
Token: SeBackupPrivilege	4824	msiexec.exe
Token: SeRestorePrivilege	4824	msiexec.exe
Token: SeShutdownPrivilege	4824	msiexec.exe
Token: SeDebugPrivilege	4824	msiexec.exe
Token: SeAuditPrivilege	4824	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4824	msiexec.exe
Token: SeChangeNotifyPrivilege	4824	msiexec.exe
Token: SeRemoteShutdownPrivilege	4824	msiexec.exe
Token: SeUndockPrivilege	4824	msiexec.exe
Token: SeSyncAgentPrivilege	4824	msiexec.exe
Token: SeEnableDelegationPrivilege	4824	msiexec.exe
Token: SeManageVolumePrivilege	4824	msiexec.exe
Token: SeImpersonatePrivilege	4824	msiexec.exe
Token: SeCreateGlobalPrivilege	4824	msiexec.exe
Token: SeBackupPrivilege	64	vssvc.exe
Token: SeRestorePrivilege	64	vssvc.exe
Token: SeAuditPrivilege	64	vssvc.exe
Token: SeBackupPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4824	msiexec.exe
4824	msiexec.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 404	3200	msiexec.exe	102
PID 3200 wrote to memory of 404	3200	msiexec.exe	102

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\psqlodbc_x86.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59552c.rbs

Filesize
10KB

MD5
78815db71e732a233a02efc8e96585e4

SHA1
152f62ec9f7e93033f3c25e063130ad47bf49e68

SHA256
d72684a1ff43e9f617da1c02a1dcebfe9525838f941eb88fffdbb01997ba9ed0

SHA512
a1ada36d08da47814df5ae8f70b2bc0750dc8cd2c6db38afb8ff63d7aae90240bad74c2fc2eb74cefcfb34e299758c1cee238bbbfa3b8d6414bb9c5a0b1031d0

Download Submit
C:\Windows\Installer\e59552b.msi

Filesize
4.2MB

MD5
28d14596c0c5ce8aab6c350075184d45

SHA1
03544fc6e333958e461bfada8fcc7c74f958ac91

SHA256
7a077a21c426d36fd136f7cb31cef1055e7992216d07c1aa9bc5ee2fd720999a

SHA512
ede6abd39eda4ea52d1d0b979d94a2c4fe244ddeb157705f962e65014ae97ad8cf90237155478cc1132abe528f6c6301e67b2457afeb2296474011a5cea57585

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
20.0MB

MD5
9905a66dc40171c0cc940c2cda875d94

SHA1
ff532c3cb3c63e0bf7fc28f25c897a2fb78ac0df

SHA256
f8756f9eafeb029eea49eed8ff49f83138179e8d2afc3bf6b572ce8cb35ecc4f

SHA512
84724f50a86b24b1fdcde6f450e294957c6254929100fbfaea7067987af1b42be9e5e305b614c1682e57f596f9d96831839fddf2d7913be4f6cade941129c4d2

Download Submit
\??\Volume{eb4950db-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{58c65c1e-4c44-4c5e-93c2-575374837838}_OnDiskSnapshotProp

Filesize
6KB

MD5
867f4dabb7b897327e6a3a8a61cd5cb6

SHA1
b01e7c79873bf57b85e56f09a0a2eac79c63af69

SHA256
b2437a230af6d8d99ea3219bd113e02eba4cde0e91d0b781b474c2a7a15fc584

SHA512
87f2f7af256fecbe4cd62e72f22bac884b399c0f3e9e067775be873d7d6fb04ec726dc17f3d7bb43d45a7c23e2a0f1ec51b5bbf91c40fb2522140e2294f060bf

Download Submit