c9a959e0312e0a67a982fb135437ac2c627b81928f6db8240462c64566537ae6

Analysis

max time kernel
176s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unilock V2.0/Software/SoftWare20240119/Setup.msi
Size

33.3MB
MD5

b86aa933d5ba762a308fa2952913d927
SHA1

7235d8622845098c301a6b9bfbc6a312a2d872cb
SHA256

433fe22ec028157690b03152269c8e376e5d72a0897ed913af38b03996e2f5f4
SHA512

b9ac730dcda396b36061620602c190c10eeb0ec51f8d032b412768edbdc42fd4d5f5efc96a00c7b4abe695053d09e0571c24ba8cb88bb8334c30013ee2503e9c
SSDEEP

786432:mMPE9vEZuLd6S7ybqvRCkuNKvU1bqaod16CwhM5brGz6WG7tyt3u:MdOGvckuNKvU1bqaiLwo46WQYt

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIBA93.tmp	msiexec.exe
File created	C:\Windows\Installer\{642E4C7D-2D17-407C-A9F6-A7495769DD61}\_12178C54D1A7CE4FAB0E32.exe	msiexec.exe
File created	C:\Windows\Installer\e58b7e3.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{642E4C7D-2D17-407C-A9F6-A7495769DD61}	msiexec.exe
File created	C:\Windows\Installer\{642E4C7D-2D17-407C-A9F6-A7495769DD61}\_B0F673151537466369C68C.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB83F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{642E4C7D-2D17-407C-A9F6-A7495769DD61}\_12178C54D1A7CE4FAB0E32.exe	msiexec.exe
File created	C:\Windows\Installer\e58b7e1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58b7e1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB93A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{642E4C7D-2D17-407C-A9F6-A7495769DD61}\_B0F673151537466369C68C.exe	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
672	CartManagement.exe

Loads dropped DLL 4 IoCs

pid	Process
4624	MsiExec.exe
4624	MsiExec.exe
3324	MsiExec.exe
3324	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003013bddf4a62308e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003013bddf0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003013bddf000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3013bddf000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003013bddf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7C4E24671D2C7049A6F7A947596DD16\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Unilock V2.0\\Software\\SoftWare20240119\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Unilock\|Cart Management\|TUnilockML81RA_TWD.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Unilock\|Cart Management\|TUnilockML81RA_TWD.dll\TUnilockML81RA_TWD,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 2a0058006f00340048002400310061006600380065004000350062003f002100600057004e0047003e002c0060005800580070002e004c00310079006e0046006200670021006a007500740065007900760000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Unilock\|Cart Management\|TFramework.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D7C4E24671D2C7049A6F7A947596DD16	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7C4E24671D2C7049A6F7A947596DD16\Version = "16777216"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7C4E24671D2C7049A6F7A947596DD16\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7CF2562E7FBFE4C4C8759F96AF0E3A1B	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Unilock\|Cart Management\|System.Threading.Tasks.dll\System.Threading.Tasks,Version="4.0.10.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 2a0058006f00340048002400310061006600380065004000350062003f002100600057004e0047003e0064003800460028002d002a005f005e0055005a007b007300560067006300270068004e007000300000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Unilock\|Cart Management\|EPPlus.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Unilock\|Cart Management\|EPPlus.dll\EPPlus,Version="5.7.0.0",Culture="neutral",PublicKeyToken="EA159FDAA78159A1",ProcessorArchitecture="MSIL" = 2a0058006f00340048002400310061006600380065004000350062003f002100600057004e0047003e004600460061006d00340025007b002a0046006a007e0062004a007200430057004c0042006900660000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Unilock\|Cart Management\|Microsoft.IO.RecyclableMemoryStream.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Unilock\|Cart Management\|TCommon.dll\TCommon,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 2a0058006f00340048002400310061006600380065004000350062003f002100600057004e0047003e004c0043003500420062006f005b005b006a005b0051006400560065002700520058002d004f005a0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Unilock\|Cart Management\|System.ComponentModel.Annotations.dll\System.ComponentModel.Annotations,Version="4.2.1.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 2a0058006f00340048002400310061006600380065004000350062003f002100600057004e0047003e0040007900240079002e00520044005b0051003f00780067006d0078005b004f006b0052002700780000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Unilock\|Cart Management\|System.Data.SQLite.dll\System.Data.SQLite,Version="1.0.114.0",Culture="neutral",PublicKeyToken="DB937BC2D44FF139",ProcessorArchitecture="MSIL" = 2a0058006f00340048002400310061006600380065004000350062003f002100600057004e0047003e0053004c00260069006c002a006b007a0057004c0071007800280035006c00650075003f004000540000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7C4E24671D2C7049A6F7A947596DD16\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7C4E24671D2C7049A6F7A947596DD16\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7C4E24671D2C7049A6F7A947596DD16\Clients = 3a0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Unilock\|Cart Management\|Microsoft.IO.RecyclableMemoryStream.dll\Microsoft.IO.RecyclableMemoryStream,Version="1.4.1.0",Culture="neutral",PublicKeyToken="31BF3856AD364E35",ProcessorArchitecture="MSIL = 2a0058006f00340048002400310061006600380065004000350062003f002100600057004e0047003e003f004e00750052003d0064003f007600590036004400760036004a006d003500340035007900770000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7C4E24671D2C7049A6F7A947596DD16\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7C4E24671D2C7049A6F7A947596DD16\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7C4E24671D2C7049A6F7A947596DD16\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Unilock\|Cart Management\|System.Data.SQLite.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Unilock\|Cart Management\|CartManagement.exe	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7CF2562E7FBFE4C4C8759F96AF0E3A1B\D7C4E24671D2C7049A6F7A947596DD16	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7C4E24671D2C7049A6F7A947596DD16\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7C4E24671D2C7049A6F7A947596DD16\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Unilock V2.0\\Software\\SoftWare20240119\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Unilock\|Cart Management\|System.ComponentModel.Annotations.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Unilock\|Cart Management\|TFramework.dll\TFramework,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 2a0058006f00340048002400310061006600380065004000350062003f002100600057004e0047003e005a002c00390021004f00470038006c0048005b002e0030007100700037002600580050006100750000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7C4E24671D2C7049A6F7A947596DD16\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7C4E24671D2C7049A6F7A947596DD16\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Unilock\|Cart Management\|TCommon.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Unilock\|Cart Management\|CartManagement.exe\CartManagement,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 2a0058006f00340048002400310061006600380065004000350062003f002100600057004e0047003e007b0065006a0041005a005b005e00400059005000580047005a004800570025007800250021002c0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D7C4E24671D2C7049A6F7A947596DD16\DefaultFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Unilock\|Cart Management\|System.Threading.Tasks.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7C4E24671D2C7049A6F7A947596DD16	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7C4E24671D2C7049A6F7A947596DD16\ProductName = "Cart Management"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7C4E24671D2C7049A6F7A947596DD16\PackageCode = "D0A09BBE1070267469F659867CFAAE69"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7C4E24671D2C7049A6F7A947596DD16\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7C4E24671D2C7049A6F7A947596DD16\SourceList\PackageName = "Setup.msi"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4736	msiexec.exe
4736	msiexec.exe
672	CartManagement.exe
672	CartManagement.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4748	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4748	msiexec.exe
Token: SeSecurityPrivilege	4736	msiexec.exe
Token: SeCreateTokenPrivilege	4748	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4748	msiexec.exe
Token: SeLockMemoryPrivilege	4748	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4748	msiexec.exe
Token: SeMachineAccountPrivilege	4748	msiexec.exe
Token: SeTcbPrivilege	4748	msiexec.exe
Token: SeSecurityPrivilege	4748	msiexec.exe
Token: SeTakeOwnershipPrivilege	4748	msiexec.exe
Token: SeLoadDriverPrivilege	4748	msiexec.exe
Token: SeSystemProfilePrivilege	4748	msiexec.exe
Token: SeSystemtimePrivilege	4748	msiexec.exe
Token: SeProfSingleProcessPrivilege	4748	msiexec.exe
Token: SeIncBasePriorityPrivilege	4748	msiexec.exe
Token: SeCreatePagefilePrivilege	4748	msiexec.exe
Token: SeCreatePermanentPrivilege	4748	msiexec.exe
Token: SeBackupPrivilege	4748	msiexec.exe
Token: SeRestorePrivilege	4748	msiexec.exe
Token: SeShutdownPrivilege	4748	msiexec.exe
Token: SeDebugPrivilege	4748	msiexec.exe
Token: SeAuditPrivilege	4748	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4748	msiexec.exe
Token: SeChangeNotifyPrivilege	4748	msiexec.exe
Token: SeRemoteShutdownPrivilege	4748	msiexec.exe
Token: SeUndockPrivilege	4748	msiexec.exe
Token: SeSyncAgentPrivilege	4748	msiexec.exe
Token: SeEnableDelegationPrivilege	4748	msiexec.exe
Token: SeManageVolumePrivilege	4748	msiexec.exe
Token: SeImpersonatePrivilege	4748	msiexec.exe
Token: SeCreateGlobalPrivilege	4748	msiexec.exe
Token: SeCreateTokenPrivilege	4748	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4748	msiexec.exe
Token: SeLockMemoryPrivilege	4748	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4748	msiexec.exe
Token: SeMachineAccountPrivilege	4748	msiexec.exe
Token: SeTcbPrivilege	4748	msiexec.exe
Token: SeSecurityPrivilege	4748	msiexec.exe
Token: SeTakeOwnershipPrivilege	4748	msiexec.exe
Token: SeLoadDriverPrivilege	4748	msiexec.exe
Token: SeSystemProfilePrivilege	4748	msiexec.exe
Token: SeSystemtimePrivilege	4748	msiexec.exe
Token: SeProfSingleProcessPrivilege	4748	msiexec.exe
Token: SeIncBasePriorityPrivilege	4748	msiexec.exe
Token: SeCreatePagefilePrivilege	4748	msiexec.exe
Token: SeCreatePermanentPrivilege	4748	msiexec.exe
Token: SeBackupPrivilege	4748	msiexec.exe
Token: SeRestorePrivilege	4748	msiexec.exe
Token: SeShutdownPrivilege	4748	msiexec.exe
Token: SeDebugPrivilege	4748	msiexec.exe
Token: SeAuditPrivilege	4748	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4748	msiexec.exe
Token: SeChangeNotifyPrivilege	4748	msiexec.exe
Token: SeRemoteShutdownPrivilege	4748	msiexec.exe
Token: SeUndockPrivilege	4748	msiexec.exe
Token: SeSyncAgentPrivilege	4748	msiexec.exe
Token: SeEnableDelegationPrivilege	4748	msiexec.exe
Token: SeManageVolumePrivilege	4748	msiexec.exe
Token: SeImpersonatePrivilege	4748	msiexec.exe
Token: SeCreateGlobalPrivilege	4748	msiexec.exe
Token: SeCreateTokenPrivilege	4748	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4748	msiexec.exe
Token: SeLockMemoryPrivilege	4748	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4748	msiexec.exe
4748	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 4624	4736	msiexec.exe	89
PID 4736 wrote to memory of 4624	4736	msiexec.exe	89
PID 4736 wrote to memory of 4624	4736	msiexec.exe	89
PID 4736 wrote to memory of 5000	4736	msiexec.exe	99
PID 4736 wrote to memory of 5000	4736	msiexec.exe	99
PID 4736 wrote to memory of 3324	4736	msiexec.exe	101
PID 4736 wrote to memory of 3324	4736	msiexec.exe	101
PID 4736 wrote to memory of 3324	4736	msiexec.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Unilock V2.0\Software\SoftWare20240119\Setup.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4748

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 79208FE2679F04D5F58F57B82FE2015C C
  2⤵
  - Loads dropped DLL
  PID:4624
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5000
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CF82A970A9A9540ABCC8FD01332E7BE6
  2⤵
  - Loads dropped DLL
  PID:3324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2392

C:\Unilock\Cart Management\CartManagement.exe
"C:\Unilock\Cart Management\CartManagement.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58b7e2.rbs

Filesize
12KB

MD5
f34ef9472c59a2bc72d3fcc8798e9f65

SHA1
0f11bc3ee7da189c15538e4a213895eaf46cb441

SHA256
637565c41cc61146d0262530de0988544544124842b99d4d886cbc25cd2d4300

SHA512
b23206e96e04261eb506b928a3bdf523b4656eb8f455898d39d5eca52a969f2b44716d76a94460861ada9c62b118951c6fed849535f613f172ddbbbc9caa6ba5

Download Submit
C:\Unilock\Cart Management\CartManagement.exe

Filesize
37KB

MD5
e7dda9690827725769df39263a58f2b0

SHA1
72b329b9341184afc1ce4320776e9cf20dac385b

SHA256
ec9f0d1fe05a49d1e96968f1f4a431045d21aee83202e98f6775dfd2d170699d

SHA512
df00ae0eb515bb4cc6f54f75f0bad8d2f914a6f97999fbe6b4dbad2fd22de7f3e49c6f3bd1539324e265558a8660526c9dc9839e92cbff896bda97add3941c74

Download Submit
C:\Unilock\Cart Management\CartManagement.exe.config

Filesize
1KB

MD5
3564986df6fe400eee9c9d46dd234222

SHA1
4898c030bba3d335431a5f1ba38ce467622b1af5

SHA256
cb335aff7b69eaca60cb2221ab98786299eb49d4672ab27aa9955889a15244c3

SHA512
2ff9f38fa1e2b2565f89fea83184f1ed4bda4ae0f55f5695e759e32febee910e392c8a09fa09fe19205aaad8e81db583a5b70d22633658c7443ceeca93fbae4b

Download Submit
C:\Unilock\Cart Management\TCommon.dll

Filesize
3.9MB

MD5
90a1b3db7639a9f037fd3948b2a1cffe

SHA1
93edb084ebb632127c1165b4597495c552fe733d

SHA256
1c830f7f2e609a74078b5fbbfca3eae79e501cae0a02430f41047c3ba81df8a3

SHA512
63a7298ca6d2ab075a77714c2af0fb37ee5422526f929eb365b83d06aab206b4616687fb62505a772581b8b8288393089a5682b3b2274547daccc6db66823c84

Download Submit
C:\Unilock\Cart Management\TFramework.dll

Filesize
6KB

MD5
79916356288526596480d1a3e0b39cd4

SHA1
490ace646ea0387cf20e8cdada3d9e768e2698c4

SHA256
e8bc70d1d45bf8ab80498377427480d7581b8115aefc636032a7a3410569e0ea

SHA512
9cf8295795cb3a6db13433ad47ca92dc0555eacb48770179be2578443c0d5ad6c047467e23186d70c6ed18c472b8ab30813986087495a3ddb6c902dd4e7d19ce

Download Submit
C:\Unilock\Cart Management\TUnilockML81RA_TWD.dll

Filesize
33.2MB

MD5
5195785e202f29cba78e8cfeeaf605f2

SHA1
9015701cc63d7e0f52dea6cf45fea513eab47161

SHA256
f25c92b6cfe356d42576a18a467fa9ddedcbb90db412e7bd03a7c9c1e7b39dd6

SHA512
dde748daf3055728c5c672c57d4c2c818e1d2da1c2fe34bc1fd98fb5ee4a801abdd24054de8314e107792955089ab20c708d930ac600d974406d91286e185adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3E32.tmp

Filesize
298KB

MD5
684f2d21637cb5835172edad55b6a8d9

SHA1
5eac3b8d0733aa11543248b769d7c30d2c53fcdb

SHA256
da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0

SHA512
7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

Download Submit
C:\Windows\Installer\e58b7e1.msi

Filesize
33.3MB

MD5
b86aa933d5ba762a308fa2952913d927

SHA1
7235d8622845098c301a6b9bfbc6a312a2d872cb

SHA256
433fe22ec028157690b03152269c8e376e5d72a0897ed913af38b03996e2f5f4

SHA512
b9ac730dcda396b36061620602c190c10eeb0ec51f8d032b412768edbdc42fd4d5f5efc96a00c7b4abe695053d09e0571c24ba8cb88bb8334c30013ee2503e9c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
86e9538ce56d5e049fc32165aa5802a3

SHA1
a7fdd88d1899bf67b325d83ffe45ad0b5d5996d9

SHA256
67aa5133885b65529731a421742dc794e54ee470072e2e7c86089d744d557853

SHA512
7cb8c69e74293ce83264f55103a31d22076429a44cbdfc50547fa568d5e8341bfc5e29e4b1c9bf1554f2a7a9229346b86696c89da516625d56233ec982059319

Download Submit
\??\Volume{dfbd1330-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{109d2c1f-7749-47c0-87b1-eee147fbfab1}_OnDiskSnapshotProp

Filesize
6KB

MD5
53de3ffab24b9bd87136bb9901419c16

SHA1
5dbfd82646a467cf0f121c2d375d35ca6960dddb

SHA256
f172a30a1555c30c1f6188dc0fb9f7de5d7fda4ff5cf94c3d7a52c813f3469a2

SHA512
ce1a897b4e864d2524eb9183e797098df0041bc951cb64e9453c075554f42c2240fd4abb58e0206b7f2c9d9195eab8cbb577b8486fee5470a1d87375b68fded9

Download Submit
memory/672-71-0x00007FFAB6700000-0x00007FFAB71C1000-memory.dmp

Filesize
10.8MB

Download
memory/672-72-0x0000016FF76D0000-0x0000016FF9808000-memory.dmp

Filesize
33.2MB

Download
memory/672-69-0x0000016FDB060000-0x0000016FDB070000-memory.dmp

Filesize
64KB

Download
memory/672-74-0x0000016FF5980000-0x0000016FF5D6C000-memory.dmp

Filesize
3.9MB

Download
memory/672-75-0x0000016FDB470000-0x0000016FDB480000-memory.dmp

Filesize
64KB

Download
memory/672-77-0x0000016FFCDC0000-0x0000016FFCDC8000-memory.dmp

Filesize
32KB

Download
memory/672-79-0x00007FFAB6700000-0x00007FFAB71C1000-memory.dmp

Filesize
10.8MB

Download