Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-es
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-es, locale:es-es, os:windows10-2004-x64, system:windows
- submitted: 16-04-2024 16:16
- Static task: static1
- Behavioral task: behavioral1 (Sample: 173_578.msi, Resource: win10v2004-20240412-es)
General
- Target: 173_578.msi
- Size: 6.2MB
- MD5: b84907202f1c6f8f7f79c6ed27840f08
- SHA1: f44913b30c96e27ea90492479494a3420aa815c5
- SHA256: 9c4111bf5f23e222f40f611292b91e9cf5fbe161851c6a6d66ada2c183b689ac
- SHA512: 2755b21108c6c9fc7c0f73590c9c32ccaa9bc5a0c46b5d0083db35d36e41ca34b00a91fa386e32456f46de67b97119cfacaef4a294091b1a929f02fea9d3bd36
- SSDEEP: 98304:uY5A72J1AH4K3Yp058mR0e/KsutXH9ZgkeyC8Jn9fZz79kH4uSccnlenTbsOS+89:U2HAYiv8XrAylJ9fF7mY3nl6sjg
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
- Drops file in Windows directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{4433395F-681D-4D29-AC5B-870AC8B40C57} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI668C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e5763ea.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6438.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\e5763ea.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI65A0.tmp | msiexec.exe
- Executes dropped EXE (2 IoCs)
pid | Process
1576 | WebExperienceHostApp.exe
4972 | chrome.exe
- Loads dropped DLL (7 IoCs)
pid | Process
4804 | MsiExec.exe
4804 | MsiExec.exe
1576 | WebExperienceHostApp.exe
1576 | WebExperienceHostApp.exe
1576 | WebExperienceHostApp.exe
1576 | WebExperienceHostApp.exe
4972 | chrome.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2464 | msiexec.exe
2464 | msiexec.exe
4972 | chrome.exe
4972 | chrome.exe
- Suspicious use of AdjustPrivilegeToken (57 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 4924 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4924 | msiexec.exe
Token: SeSecurityPrivilege | 2464 | msiexec.exe
Token: SeCreateTokenPrivilege | 4924 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4924 | msiexec.exe
Token: SeLockMemoryPrivilege | 4924 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4924 | msiexec.exe
Token: SeMachineAccountPrivilege | 4924 | msiexec.exe
Token: SeTcbPrivilege | 4924 | msiexec.exe
Token: SeSecurityPrivilege | 4924 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4924 | msiexec.exe
Token: SeLoadDriverPrivilege | 4924 | msiexec.exe
Token: SeSystemProfilePrivilege | 4924 | msiexec.exe
Token: SeSystemtimePrivilege | 4924 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4924 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4924 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4924 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4924 | msiexec.exe
Token: SeBackupPrivilege | 4924 | msiexec.exe
Token: SeRestorePrivilege | 4924 | msiexec.exe
Token: SeShutdownPrivilege | 4924 | msiexec.exe
Token: SeDebugPrivilege | 4924 | msiexec.exe
Token: SeAuditPrivilege | 4924 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4924 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4924 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4924 | msiexec.exe
Token: SeUndockPrivilege | 4924 | msiexec.exe
Token: SeSyncAgentPrivilege | 4924 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4924 | msiexec.exe
Token: SeManageVolumePrivilege | 4924 | msiexec.exe
Token: SeImpersonatePrivilege | 4924 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4924 | msiexec.exe
Token: SeBackupPrivilege | 4520 | vssvc.exe
Token: SeRestorePrivilege | 4520 | vssvc.exe
Token: SeAuditPrivilege | 4520 | vssvc.exe
Token: SeBackupPrivilege | 2464 | msiexec.exe
Token: SeRestorePrivilege | 2464 | msiexec.exe
Token: SeRestorePrivilege | 2464 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2464 | msiexec.exe
Token: SeRestorePrivilege | 2464 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2464 | msiexec.exe
Token: SeRestorePrivilege | 2464 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2464 | msiexec.exe
Token: SeRestorePrivilege | 2464 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2464 | msiexec.exe
Token: SeRestorePrivilege | 2464 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2464 | msiexec.exe
Token: SeRestorePrivilege | 2464 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2464 | msiexec.exe
Token: SeBackupPrivilege | 4188 | srtasks.exe
Token: SeRestorePrivilege | 4188 | srtasks.exe
Token: SeSecurityPrivilege | 4188 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4188 | srtasks.exe
Token: SeBackupPrivilege | 4188 | srtasks.exe
Token: SeRestorePrivilege | 4188 | srtasks.exe
Token: SeSecurityPrivilege | 4188 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4188 | srtasks.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
4924 | msiexec.exe
4924 | msiexec.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2464 wrote to memory of 4188 | 2464 | msiexec.exe | 91
PID 2464 wrote to memory of 4188 | 2464 | msiexec.exe | 91
PID 2464 wrote to memory of 4804 | 2464 | msiexec.exe | 93
PID 2464 wrote to memory of 4804 | 2464 | msiexec.exe | 93
PID 2464 wrote to memory of 4804 | 2464 | msiexec.exe | 93
PID 2464 wrote to memory of 1576 | 2464 | msiexec.exe | 94
PID 2464 wrote to memory of 1576 | 2464 | msiexec.exe | 94
PID 1576 wrote to memory of 4972 | 1576 | WebExperienceHostApp.exe | 98
PID 1576 wrote to memory of 4972 | 1576 | WebExperienceHostApp.exe | 98
- Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 4924)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\173_578.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2464)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\srtasks.exe (PID 4188)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\syswow64\MsiExec.exe (PID 4804)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding FCBC25B0DC9FBC156E09EEB828279089
    - Loads dropped DLL
  - Child: C:\Users\Admin\AppData\Local\applicativo_ecomecer\WebExperienceHostApp.exe (PID 1576)
    Command line: "C:\Users\Admin\AppData\Local\applicativo_ecomecer\WebExperienceHostApp.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - Child: C:\Users\Admin\Music\Chrome\Application\118.0.5993.120\chrome.exe (PID 4972)
      Command line: C:\Users\Admin\Music\Chrome\Application\118.0.5993.120\chrome.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (PID 4520)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken