754ce4b741550c9804841b872b0d5431ff9100be0744e897e63947d19d3a95e2

General

Target

73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi
Size

5.8MB
MD5

483b57478ab379546ae9fbab1c0185fa
SHA1

e76211f214c1bcd7eb4ab21478d11a50c31d5da7
SHA256

73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3
SHA512

a06f6a98831454f70413efcb6ca97a96440c07bc65e42a8bbfa6c2a6ae7d5dc666d3b96455acdd98089867b9f5ed0cbd98c69bda1c088eb6f3a6c7d702bcb9c4
SSDEEP

98304:mihTySajXEjCVXrepfrULCZf7ACNQB0zmlwXU8ern7beyN:OjjIzULqpQBv17r3eyN

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Loads dropped DLL 8 IoCs

Processes:

MsiExec.exe

pid process

3732 MsiExec.exe
3732 MsiExec.exe
3732 MsiExec.exe
3732 MsiExec.exe
3732 MsiExec.exe
3732 MsiExec.exe
3732 MsiExec.exe
3732 MsiExec.exe

pid	process
3732	MsiExec.exe
3732	MsiExec.exe
3732	MsiExec.exe
3732	MsiExec.exe
3732	MsiExec.exe
3732	MsiExec.exe
3732	MsiExec.exe
3732	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000064efbbd21686319b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000064efbbd20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090064efbbd2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d64efbbd2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000064efbbd200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3328	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3328	msiexec.exe
Token: SeSecurityPrivilege	1016	msiexec.exe
Token: SeCreateTokenPrivilege	3328	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3328	msiexec.exe
Token: SeLockMemoryPrivilege	3328	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3328	msiexec.exe
Token: SeMachineAccountPrivilege	3328	msiexec.exe
Token: SeTcbPrivilege	3328	msiexec.exe
Token: SeSecurityPrivilege	3328	msiexec.exe
Token: SeTakeOwnershipPrivilege	3328	msiexec.exe
Token: SeLoadDriverPrivilege	3328	msiexec.exe
Token: SeSystemProfilePrivilege	3328	msiexec.exe
Token: SeSystemtimePrivilege	3328	msiexec.exe
Token: SeProfSingleProcessPrivilege	3328	msiexec.exe
Token: SeIncBasePriorityPrivilege	3328	msiexec.exe
Token: SeCreatePagefilePrivilege	3328	msiexec.exe
Token: SeCreatePermanentPrivilege	3328	msiexec.exe
Token: SeBackupPrivilege	3328	msiexec.exe
Token: SeRestorePrivilege	3328	msiexec.exe
Token: SeShutdownPrivilege	3328	msiexec.exe
Token: SeDebugPrivilege	3328	msiexec.exe
Token: SeAuditPrivilege	3328	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3328	msiexec.exe
Token: SeChangeNotifyPrivilege	3328	msiexec.exe
Token: SeRemoteShutdownPrivilege	3328	msiexec.exe
Token: SeUndockPrivilege	3328	msiexec.exe
Token: SeSyncAgentPrivilege	3328	msiexec.exe
Token: SeEnableDelegationPrivilege	3328	msiexec.exe
Token: SeManageVolumePrivilege	3328	msiexec.exe
Token: SeImpersonatePrivilege	3328	msiexec.exe
Token: SeCreateGlobalPrivilege	3328	msiexec.exe
Token: SeCreateTokenPrivilege	3328	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3328	msiexec.exe
Token: SeLockMemoryPrivilege	3328	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3328	msiexec.exe
Token: SeMachineAccountPrivilege	3328	msiexec.exe
Token: SeTcbPrivilege	3328	msiexec.exe
Token: SeSecurityPrivilege	3328	msiexec.exe
Token: SeTakeOwnershipPrivilege	3328	msiexec.exe
Token: SeLoadDriverPrivilege	3328	msiexec.exe
Token: SeSystemProfilePrivilege	3328	msiexec.exe
Token: SeSystemtimePrivilege	3328	msiexec.exe
Token: SeProfSingleProcessPrivilege	3328	msiexec.exe
Token: SeIncBasePriorityPrivilege	3328	msiexec.exe
Token: SeCreatePagefilePrivilege	3328	msiexec.exe
Token: SeCreatePermanentPrivilege	3328	msiexec.exe
Token: SeBackupPrivilege	3328	msiexec.exe
Token: SeRestorePrivilege	3328	msiexec.exe
Token: SeShutdownPrivilege	3328	msiexec.exe
Token: SeDebugPrivilege	3328	msiexec.exe
Token: SeAuditPrivilege	3328	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3328	msiexec.exe
Token: SeChangeNotifyPrivilege	3328	msiexec.exe
Token: SeRemoteShutdownPrivilege	3328	msiexec.exe
Token: SeUndockPrivilege	3328	msiexec.exe
Token: SeSyncAgentPrivilege	3328	msiexec.exe
Token: SeEnableDelegationPrivilege	3328	msiexec.exe
Token: SeManageVolumePrivilege	3328	msiexec.exe
Token: SeImpersonatePrivilege	3328	msiexec.exe
Token: SeCreateGlobalPrivilege	3328	msiexec.exe
Token: SeCreateTokenPrivilege	3328	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3328	msiexec.exe
Token: SeLockMemoryPrivilege	3328	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

3328 msiexec.exe

pid	process
3328	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 1016 wrote to memory of 3732	1016	msiexec.exe	MsiExec.exe
PID 1016 wrote to memory of 3732	1016	msiexec.exe	MsiExec.exe
PID 1016 wrote to memory of 3732	1016	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3328

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7093BFB822AC1C938D08D5CFD2CF34FB C
2⤵
- Loads dropped DLL
PID:3732

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5248 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:2224

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI5E77.tmp
Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA1ED.tmp
Filesize
1.1MB

MD5
25e52c5776a81e0c5ccb9bdd4c808c90

SHA1
e42104ef61ae4760a41552292091eb6a5089ced4

SHA256
0831dbcb3799c9e36ea586582e8ef907dcefeb2045351d6774c7ad0ef02a9af2

SHA512
746570c011e501505ec9d09077519bca1a485b0cac66229be6f4715a91ee52d5cc857de26ad8d7a33806ddfa580d2ba9f77759e3764ea761d327fe2f1e881292

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads