Overview (score 8)

Target | Platform | Score
Static | static | 8
OFFICE2016...ui.msi | windows7-x64 | 6
OFFICE2016...ui.msi | windows10-2004-x64 | 6
OFFICE2016...es.dll | windows7-x64 | 1
OFFICE2016...es.dll | windows10-2004-x64 | 1
OFFICE2016...es.dll | windows7-x64 | 1
OFFICE2016...es.dll | windows10-2004-x64 | 1
OFFICE2016...es.dll | windows7-x64 | 1
OFFICE2016...es.dll | windows10-2004-x64 | 1
OFFICE2016...es.dll | windows7-x64 | 1
OFFICE2016...es.dll | windows10-2004-x64 | 1
OFFICE2016...es.dll | windows7-x64 | 1
OFFICE2016...es.dll | windows10-2004-x64 | 1
OFFICE2016...ct.dll | windows7-x64 | 1
OFFICE2016...ct.dll | windows10-2004-x64 | 3
OFFICE2016...ca.dll | windows7-x64 | 1
OFFICE2016...ca.dll | windows10-2004-x64 | 1
OFFICE2016...es.dll | windows7-x64 | 1
OFFICE2016...es.dll | windows10-2004-x64 | 1
OFFICE2016...es.dll | windows7-x64 | 1
OFFICE2016...es.dll | windows10-2004-x64 | 1
OFFICE2016...es.dll | windows7-x64 | 1
OFFICE2016...es.dll | windows10-2004-x64 | 1
OFFICE2016...es.dll | windows7-x64 | 1
OFFICE2016...es.dll | windows10-2004-x64 | 1
OFFICE2016...ui.msi | windows7-x64 | 6
OFFICE2016...ui.msi | windows10-2004-x64 | 6
OFFICE2016...ui.msi | windows7-x64 | 6
OFFICE2016...ui.msi | windows10-2004-x64 | (score not shown)
OFFICE2016...ui.msi | windows7-x64 | 6
OFFICE2016...ui.msi | windows10-2004-x64 | 6
OFFICE2016/leame.htm | windows7-x64 | 1
OFFICE2016/leame.htm | windows10-2004-x64 | 1

Analysis
- max time kernel: 150s
- max time network: 179s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-04-2024 23:00
Behavioral tasks

Task | Sample | Resource
behavioral1 | OFFICE2016/access.es-es/accessmui.msi | win7-20240221-en
behavioral2 | OFFICE2016/access.es-es/accessmui.msi | win10v2004-20240412-en
behavioral3 | OFFICE2016/admin/en-us/octres.dll | win7-20240221-en
behavioral4 | OFFICE2016/admin/en-us/octres.dll | win10v2004-20240412-en
behavioral5 | OFFICE2016/admin/es-es/octres.dll | win7-20240221-en
behavioral6 | OFFICE2016/admin/es-es/octres.dll | win10v2004-20240412-en
behavioral7 | OFFICE2016/admin/fr-fr/octres.dll | win7-20231129-en
behavioral8 | OFFICE2016/admin/fr-fr/octres.dll | win10v2004-20240226-en
behavioral9 | OFFICE2016/admin/it-it/octres.dll | win7-20240220-en
behavioral10 | OFFICE2016/admin/it-it/octres.dll | win10v2004-20240412-en
behavioral11 | OFFICE2016/admin/ja-jp/octres.dll | win7-20240221-en
behavioral12 | OFFICE2016/admin/ja-jp/octres.dll | win10v2004-20240412-en
behavioral13 | OFFICE2016/admin/oct.dll | win7-20231129-en
behavioral14 | OFFICE2016/admin/oct.dll | win10v2004-20240412-en
behavioral15 | OFFICE2016/admin/octca.dll | win7-20240221-en
behavioral16 | OFFICE2016/admin/octca.dll | win10v2004-20240226-en
behavioral17 | OFFICE2016/admin/pt-br/octres.dll | win7-20240215-en
behavioral18 | OFFICE2016/admin/pt-br/octres.dll | win10v2004-20240412-en
behavioral19 | OFFICE2016/admin/ru-ru/octres.dll | win7-20240220-en
behavioral20 | OFFICE2016/admin/ru-ru/octres.dll | win10v2004-20240412-en
behavioral21 | OFFICE2016/admin/zh-cn/octres.dll | win7-20240221-en
behavioral22 | OFFICE2016/admin/zh-cn/octres.dll | win10v2004-20240412-en
behavioral23 | OFFICE2016/admin/zh-tw/octres.dll | win7-20240221-en
behavioral24 | OFFICE2016/admin/zh-tw/octres.dll | win10v2004-20240226-en
behavioral25 | OFFICE2016/dcf.es-es/dcfmui.msi | win7-20240221-en
behavioral26 | OFFICE2016/dcf.es-es/dcfmui.msi | win10v2004-20240412-en
behavioral27 | OFFICE2016/excel.es-es/excelmui.msi | win7-20240220-en
behavioral28 | OFFICE2016/excel.es-es/excelmui.msi | win10v2004-20240412-en
behavioral29 | OFFICE2016/groove.es-es/groovemui.msi | win7-20240215-en
behavioral30 | OFFICE2016/groove.es-es/groovemui.msi | win10v2004-20240412-en
behavioral31 | OFFICE2016/leame.htm | win7-20240220-en
behavioral32 | OFFICE2016/leame.htm | win10v2004-20240226-en
General
- Target: OFFICE2016/access.es-es/accessmui.msi
- Size: 2.3MB
- MD5: 98ef1950d6bb20c2f2295f748d955d33
- SHA1: 77354d86de152b784e0874378e6a0c1926c5b0b8
- SHA256: cda2daa7883bf165df5b28ab39a88775f115f5eb3186d838a59284d7dca84e1e
- SHA512: 6aa11d19ae305f331894828db20b131ef0ad0ed2183f6444dc9a97451faef70fd5730e3d7eb14ef407dc07709e2b69e9b9fa174111c41d506275e219a4292c3c
- SSDEEP: 49152:JhIu+svi4ut1yFXyzEKqle+93GwtF2Vb1eksj:JhIuFvPut1WKM3Gw7Yb
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe

description | ioc | process
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
- Drops file in Windows directory (5 IoCs)
Processes: msiexec.exe

description | ioc | process
File opened for modification | C:\Windows\Installer\e57bb03.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBBAF.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBCAA.tmp | msiexec.exe
File created | C:\Windows\Installer\e57bb03.msi | msiexec.exe
- Loads dropped DLL (2 IoCs)
Processes: MsiExec.exe

pid | process
4272 | MsiExec.exe
4272 | MsiExec.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe

description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not shown) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
- Suspicious use of AdjustPrivilegeToken (51 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe, srtasks.exe

description | pid | process
Token: SeShutdownPrivilege | 4708 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4708 | msiexec.exe
Token: SeSecurityPrivilege | 984 | msiexec.exe
Token: SeCreateTokenPrivilege | 4708 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4708 | msiexec.exe
Token: SeLockMemoryPrivilege | 4708 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4708 | msiexec.exe
Token: SeMachineAccountPrivilege | 4708 | msiexec.exe
Token: SeTcbPrivilege | 4708 | msiexec.exe
Token: SeSecurityPrivilege | 4708 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4708 | msiexec.exe
Token: SeLoadDriverPrivilege | 4708 | msiexec.exe
Token: SeSystemProfilePrivilege | 4708 | msiexec.exe
Token: SeSystemtimePrivilege | 4708 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4708 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4708 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4708 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4708 | msiexec.exe
Token: SeBackupPrivilege | 4708 | msiexec.exe
Token: SeRestorePrivilege | 4708 | msiexec.exe
Token: SeShutdownPrivilege | 4708 | msiexec.exe
Token: SeDebugPrivilege | 4708 | msiexec.exe
Token: SeAuditPrivilege | 4708 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4708 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4708 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4708 | msiexec.exe
Token: SeUndockPrivilege | 4708 | msiexec.exe
Token: SeSyncAgentPrivilege | 4708 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4708 | msiexec.exe
Token: SeManageVolumePrivilege | 4708 | msiexec.exe
Token: SeImpersonatePrivilege | 4708 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4708 | msiexec.exe
Token: SeBackupPrivilege | 3100 | vssvc.exe
Token: SeRestorePrivilege | 3100 | vssvc.exe
Token: SeAuditPrivilege | 3100 | vssvc.exe
Token: SeBackupPrivilege | 984 | msiexec.exe
Token: SeRestorePrivilege | 984 | msiexec.exe
Token: SeRestorePrivilege | 984 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 984 | msiexec.exe
Token: SeRestorePrivilege | 984 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 984 | msiexec.exe
Token: SeRestorePrivilege | 984 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 984 | msiexec.exe
Token: SeBackupPrivilege | 4744 | srtasks.exe
Token: SeRestorePrivilege | 4744 | srtasks.exe
Token: SeSecurityPrivilege | 4744 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4744 | srtasks.exe
Token: SeBackupPrivilege | 4744 | srtasks.exe
Token: SeRestorePrivilege | 4744 | srtasks.exe
Token: SeSecurityPrivilege | 4744 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4744 | srtasks.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
Processes: msiexec.exe

pid | process
4708 | msiexec.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
Processes: msiexec.exe

description | pid | process | target process
PID 984 wrote to memory of 4744 | 984 | msiexec.exe | srtasks.exe
PID 984 wrote to memory of 4744 | 984 | msiexec.exe | srtasks.exe
PID 984 wrote to memory of 4272 | 984 | msiexec.exe | MsiExec.exe
PID 984 wrote to memory of 4272 | 984 | msiexec.exe | MsiExec.exe
PID 984 wrote to memory of 4272 | 984 | msiexec.exe | MsiExec.exe
- Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\OFFICE2016\access.es-es\accessmui.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (child) C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  - (child) C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding CC9D646725A060D8ED37205F33E29A4E
    - Loads dropped DLL
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\Installer\MSIBBAF.tmp
  Filesize: 95KB
  MD5: acfd123d0e36411b9c1f556853dd9ea5
  SHA1: 812025408e21687dcd6e8eeb1667025a7b7abcbf
  SHA256: d89dd83af50bfc6e325e2b4e7eecd982ec3ddee9ccb9cfef86d8a5593907c317
  SHA512: e01da6d2867ca5a029d60bac781cef6639485255ce515bc8e094a43fa107b0d8c120b7bb3de75457407479de71585dfd9475b1b1f39d2d82d303586ccdb9024d
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.7MB
  MD5: 276adba531968e9ef9925522768d065b
  SHA1: 703ef2e93ebecddebaf746cd1231537d3e268638
  SHA256: 75349f85e59548676cfdcbdfffe829df08663cab3d977464e0b3ddd1f346d573
  SHA512: 720548fae3fcff98cd90dabc979179beb0402a56650da8b71db1d1809f1319f800789d526c28717a737b979b10617b36b40f404e20b7e2223ade47ed7ea43ae0
- \??\Volume{dfbd1330-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3b010053-62cb-46af-83c6-bd431d0a039c}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 362aa263f28d173e4332577caffc3bcb
  SHA1: 43ee9af7b85dbffc51d9b5b3846365a09bd1caa1
  SHA256: 93ab90ee24d2ad3bca9cbfb1283240056b3be3406e2e3d1b90394c7b3a557503
  SHA512: b9fcb963ee9404c18d040d854aa5cc098317ad9c3f6b53dc2aec1d67d012733ca4c5bddc10431f9d1094b35d67df066194e59e7fc6297f43ffb2ab88a3842f70