48d75213df96f594a6d84b0c9346338d7569ff5a9558174998dca5f2f43919af

Analysis

max time kernel
150s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OFFICE2016/access.es-es/accessmui.msi
Size

2.3MB
MD5

98ef1950d6bb20c2f2295f748d955d33
SHA1

77354d86de152b784e0874378e6a0c1926c5b0b8
SHA256

cda2daa7883bf165df5b28ab39a88775f115f5eb3186d838a59284d7dca84e1e
SHA512

6aa11d19ae305f331894828db20b131ef0ad0ed2183f6444dc9a97451faef70fd5730e3d7eb14ef407dc07709e2b69e9b9fa174111c41d506275e219a4292c3c
SSDEEP

49152:JhIu+svi4ut1yFXyzEKqle+93GwtF2Vb1eksj:JhIuFvPut1WKM3Gw7Yb

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Windows directory 5 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e57bb03.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBBAF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBCAA.tmp	msiexec.exe
File created	C:\Windows\Installer\e57bb03.msi	msiexec.exe

Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

4272 MsiExec.exe
4272 MsiExec.exe

pid	process
4272	MsiExec.exe
4272	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003013bddf4a62308e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003013bddf0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003013bddf000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3013bddf000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003013bddf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	4708	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4708	msiexec.exe
Token: SeSecurityPrivilege	984	msiexec.exe
Token: SeCreateTokenPrivilege	4708	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4708	msiexec.exe
Token: SeLockMemoryPrivilege	4708	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4708	msiexec.exe
Token: SeMachineAccountPrivilege	4708	msiexec.exe
Token: SeTcbPrivilege	4708	msiexec.exe
Token: SeSecurityPrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeLoadDriverPrivilege	4708	msiexec.exe
Token: SeSystemProfilePrivilege	4708	msiexec.exe
Token: SeSystemtimePrivilege	4708	msiexec.exe
Token: SeProfSingleProcessPrivilege	4708	msiexec.exe
Token: SeIncBasePriorityPrivilege	4708	msiexec.exe
Token: SeCreatePagefilePrivilege	4708	msiexec.exe
Token: SeCreatePermanentPrivilege	4708	msiexec.exe
Token: SeBackupPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeShutdownPrivilege	4708	msiexec.exe
Token: SeDebugPrivilege	4708	msiexec.exe
Token: SeAuditPrivilege	4708	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4708	msiexec.exe
Token: SeChangeNotifyPrivilege	4708	msiexec.exe
Token: SeRemoteShutdownPrivilege	4708	msiexec.exe
Token: SeUndockPrivilege	4708	msiexec.exe
Token: SeSyncAgentPrivilege	4708	msiexec.exe
Token: SeEnableDelegationPrivilege	4708	msiexec.exe
Token: SeManageVolumePrivilege	4708	msiexec.exe
Token: SeImpersonatePrivilege	4708	msiexec.exe
Token: SeCreateGlobalPrivilege	4708	msiexec.exe
Token: SeBackupPrivilege	3100	vssvc.exe
Token: SeRestorePrivilege	3100	vssvc.exe
Token: SeAuditPrivilege	3100	vssvc.exe
Token: SeBackupPrivilege	984	msiexec.exe
Token: SeRestorePrivilege	984	msiexec.exe
Token: SeRestorePrivilege	984	msiexec.exe
Token: SeTakeOwnershipPrivilege	984	msiexec.exe
Token: SeRestorePrivilege	984	msiexec.exe
Token: SeTakeOwnershipPrivilege	984	msiexec.exe
Token: SeRestorePrivilege	984	msiexec.exe
Token: SeTakeOwnershipPrivilege	984	msiexec.exe
Token: SeBackupPrivilege	4744	srtasks.exe
Token: SeRestorePrivilege	4744	srtasks.exe
Token: SeSecurityPrivilege	4744	srtasks.exe
Token: SeTakeOwnershipPrivilege	4744	srtasks.exe
Token: SeBackupPrivilege	4744	srtasks.exe
Token: SeRestorePrivilege	4744	srtasks.exe
Token: SeSecurityPrivilege	4744	srtasks.exe
Token: SeTakeOwnershipPrivilege	4744	srtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

4708 msiexec.exe

pid	process
4708	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 984 wrote to memory of 4744	984	msiexec.exe	srtasks.exe
PID 984 wrote to memory of 4744	984	msiexec.exe	srtasks.exe
PID 984 wrote to memory of 4272	984	msiexec.exe	MsiExec.exe
PID 984 wrote to memory of 4272	984	msiexec.exe	MsiExec.exe
PID 984 wrote to memory of 4272	984	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\OFFICE2016\access.es-es\accessmui.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4708

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CC9D646725A060D8ED37205F33E29A4E
2⤵
- Loads dropped DLL
PID:4272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSIBBAF.tmp
Filesize
95KB

MD5
acfd123d0e36411b9c1f556853dd9ea5

SHA1
812025408e21687dcd6e8eeb1667025a7b7abcbf

SHA256
d89dd83af50bfc6e325e2b4e7eecd982ec3ddee9ccb9cfef86d8a5593907c317

SHA512
e01da6d2867ca5a029d60bac781cef6639485255ce515bc8e094a43fa107b0d8c120b7bb3de75457407479de71585dfd9475b1b1f39d2d82d303586ccdb9024d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.7MB

MD5
276adba531968e9ef9925522768d065b

SHA1
703ef2e93ebecddebaf746cd1231537d3e268638

SHA256
75349f85e59548676cfdcbdfffe829df08663cab3d977464e0b3ddd1f346d573

SHA512
720548fae3fcff98cd90dabc979179beb0402a56650da8b71db1d1809f1319f800789d526c28717a737b979b10617b36b40f404e20b7e2223ade47ed7ea43ae0

Download Submit
\??\Volume{dfbd1330-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3b010053-62cb-46af-83c6-bd431d0a039c}_OnDiskSnapshotProp
Filesize
6KB

MD5
362aa263f28d173e4332577caffc3bcb

SHA1
43ee9af7b85dbffc51d9b5b3846365a09bd1caa1

SHA256
93ab90ee24d2ad3bca9cbfb1283240056b3be3406e2e3d1b90394c7b3a557503

SHA512
b9fcb963ee9404c18d040d854aa5cc098317ad9c3f6b53dc2aec1d67d012733ca4c5bddc10431f9d1094b35d67df066194e59e7fc6297f43ffb2ab88a3842f70

Download Submit