Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
18-04-2024 11:42
Behavioral task
behavioral1
Sample
kips.msi
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
kips.msi
Resource
win10v2004-20240226-en
General
-
Target
kips.msi
-
Size
156KB
-
MD5
644e282d7104e80e9c767ebd3e23504b
-
SHA1
641dccafd79592638a907b513d68783d7806b778
-
SHA256
b875cc8967f0e9fc08d3cdaf19bd860b1137c46ff2b267550cb358b75e04debe
-
SHA512
17e26a16cfc806b97f31c096f094b6bdf3ec117d5d6fa717ccd6ac2a9a549ac3097b9844b28eb82ed56634f0fc296c1cd7a055a5fb6594292228a094e36356e9
-
SSDEEP
1536:Ek7KbqJYPlY+7MfOtvSiGf1hbBrBH7e9zZ2Mb+KR0Nc8QsJq3UDj0D:v7KbHlY+7fvSp9hVF4Ee0Nc8QsC
Malware Config
Extracted
metasploit
windows/reverse_tcp
20.117.115.123:443
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe -
Drops file in Windows directory 10 IoCs
Processes:
DrvInst.exemsiexec.exedescription ioc process File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f764395.msi msiexec.exe File opened for modification C:\Windows\Installer\f764395.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI4491.tmp msiexec.exe File opened for modification C:\Windows\Installer\f764396.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File created C:\Windows\Installer\f764396.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI4470.tmp msiexec.exe -
Executes dropped EXE 1 IoCs
Processes:
MSI4491.tmppid process 2764 MSI4491.tmp -
Modifies data under HKEY_USERS 43 IoCs
Processes:
DrvInst.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid process 1248 msiexec.exe 1248 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 61 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exeDrvInst.exedescription pid process Token: SeShutdownPrivilege 2012 msiexec.exe Token: SeIncreaseQuotaPrivilege 2012 msiexec.exe Token: SeRestorePrivilege 1248 msiexec.exe Token: SeTakeOwnershipPrivilege 1248 msiexec.exe Token: SeSecurityPrivilege 1248 msiexec.exe Token: SeCreateTokenPrivilege 2012 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2012 msiexec.exe Token: SeLockMemoryPrivilege 2012 msiexec.exe Token: SeIncreaseQuotaPrivilege 2012 msiexec.exe Token: SeMachineAccountPrivilege 2012 msiexec.exe Token: SeTcbPrivilege 2012 msiexec.exe Token: SeSecurityPrivilege 2012 msiexec.exe Token: SeTakeOwnershipPrivilege 2012 msiexec.exe Token: SeLoadDriverPrivilege 2012 msiexec.exe Token: SeSystemProfilePrivilege 2012 msiexec.exe Token: SeSystemtimePrivilege 2012 msiexec.exe Token: SeProfSingleProcessPrivilege 2012 msiexec.exe Token: SeIncBasePriorityPrivilege 2012 msiexec.exe Token: SeCreatePagefilePrivilege 2012 msiexec.exe Token: SeCreatePermanentPrivilege 2012 msiexec.exe Token: SeBackupPrivilege 2012 msiexec.exe Token: SeRestorePrivilege 2012 msiexec.exe Token: SeShutdownPrivilege 2012 msiexec.exe Token: SeDebugPrivilege 2012 msiexec.exe Token: SeAuditPrivilege 2012 msiexec.exe Token: SeSystemEnvironmentPrivilege 2012 msiexec.exe Token: SeChangeNotifyPrivilege 2012 msiexec.exe Token: SeRemoteShutdownPrivilege 2012 msiexec.exe Token: SeUndockPrivilege 2012 msiexec.exe Token: SeSyncAgentPrivilege 2012 msiexec.exe Token: SeEnableDelegationPrivilege 2012 msiexec.exe Token: SeManageVolumePrivilege 2012 msiexec.exe Token: SeImpersonatePrivilege 2012 msiexec.exe Token: SeCreateGlobalPrivilege 2012 msiexec.exe Token: SeBackupPrivilege 2492 vssvc.exe Token: SeRestorePrivilege 2492 vssvc.exe Token: SeAuditPrivilege 2492 vssvc.exe Token: SeBackupPrivilege 1248 msiexec.exe Token: SeRestorePrivilege 1248 msiexec.exe Token: SeRestorePrivilege 328 DrvInst.exe Token: SeRestorePrivilege 328 DrvInst.exe Token: SeRestorePrivilege 328 DrvInst.exe Token: SeRestorePrivilege 328 DrvInst.exe Token: SeRestorePrivilege 328 DrvInst.exe Token: SeRestorePrivilege 328 DrvInst.exe Token: SeRestorePrivilege 328 DrvInst.exe Token: SeLoadDriverPrivilege 328 DrvInst.exe Token: SeLoadDriverPrivilege 328 DrvInst.exe Token: SeLoadDriverPrivilege 328 DrvInst.exe Token: SeRestorePrivilege 1248 msiexec.exe Token: SeTakeOwnershipPrivilege 1248 msiexec.exe Token: SeRestorePrivilege 1248 msiexec.exe Token: SeTakeOwnershipPrivilege 1248 msiexec.exe Token: SeRestorePrivilege 1248 msiexec.exe Token: SeTakeOwnershipPrivilege 1248 msiexec.exe Token: SeRestorePrivilege 1248 msiexec.exe Token: SeTakeOwnershipPrivilege 1248 msiexec.exe Token: SeRestorePrivilege 1248 msiexec.exe Token: SeTakeOwnershipPrivilege 1248 msiexec.exe Token: SeRestorePrivilege 1248 msiexec.exe Token: SeTakeOwnershipPrivilege 1248 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 2012 msiexec.exe 2012 msiexec.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
msiexec.exedescription pid process target process PID 1248 wrote to memory of 2712 1248 msiexec.exe MsiExec.exe PID 1248 wrote to memory of 2712 1248 msiexec.exe MsiExec.exe PID 1248 wrote to memory of 2712 1248 msiexec.exe MsiExec.exe PID 1248 wrote to memory of 2712 1248 msiexec.exe MsiExec.exe PID 1248 wrote to memory of 2712 1248 msiexec.exe MsiExec.exe PID 1248 wrote to memory of 2712 1248 msiexec.exe MsiExec.exe PID 1248 wrote to memory of 2712 1248 msiexec.exe MsiExec.exe PID 1248 wrote to memory of 2764 1248 msiexec.exe MSI4491.tmp PID 1248 wrote to memory of 2764 1248 msiexec.exe MSI4491.tmp PID 1248 wrote to memory of 2764 1248 msiexec.exe MSI4491.tmp PID 1248 wrote to memory of 2764 1248 msiexec.exe MSI4491.tmp -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\kips.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2012
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\Installer\MSI4491.tmp"C:\Windows\Installer\MSI4491.tmp"2⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DCAA5117F55C24464E88FC32D09122592⤵PID:2712
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A8" "0000000000000594"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:328
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Installer\MSI4491.tmpFilesize
124KB
MD5551c34337558b28644fe337efae1087a
SHA1148598b0c0ee4d4e0261a38a6da1d966d26c6f7d
SHA25668160a1cb0a93125b27203bdd900b79f59b261f24097552197d5621cae57ffa5
SHA512d637b5e259c01c24ba9a5d12618133ec13bc89cf542afa448965f50c84b5c97f1d2ff8aeccc546b15b34dae9e6c9ecfc0b11005c73417820011ca10847901668
-
memory/2764-13-0x0000000000020000-0x0000000000021000-memory.dmpFilesize
4KB