48d75213df96f594a6d84b0c9346338d7569ff5a9558174998dca5f2f43919af

Analysis

max time kernel
148s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OFFICE2016/groove.es-es/groovemui.msi
Size

2.3MB
MD5

e50796bc085e0be45df6f0f61819ac16
SHA1

cd7d5515646fb357e879def013d2ff49149c6a90
SHA256

8c0411e735d2e7feb7b6000bb572f5c2b7dba6b5eb88f4507687812c9400f823
SHA512

c9d804399ef5a7d54c50a09905d10383eb89b4726b95fafe84d03633ea50062db575afb337cf810ca3fa13a0d7fb42647bcb17b728b6244b3e8e1dc3db88a0b2
SSDEEP

49152:ZhIu+svi4ut1yFXyzEKqle+93GwtF2VbJPkXt:ZhIuFvPut1WKM3Gw7Yb

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in Windows directory 5 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSICE8C.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cd43.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cd43.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICDA0.tmp	msiexec.exe

Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

1340 MsiExec.exe
1340 MsiExec.exe

pid	process
1340	MsiExec.exe
1340	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008b5ebddfef16308e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008b5ebddf0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809008b5ebddf000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d8b5ebddf000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008b5ebddf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	3224	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3224	msiexec.exe
Token: SeSecurityPrivilege	3012	msiexec.exe
Token: SeCreateTokenPrivilege	3224	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3224	msiexec.exe
Token: SeLockMemoryPrivilege	3224	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3224	msiexec.exe
Token: SeMachineAccountPrivilege	3224	msiexec.exe
Token: SeTcbPrivilege	3224	msiexec.exe
Token: SeSecurityPrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeLoadDriverPrivilege	3224	msiexec.exe
Token: SeSystemProfilePrivilege	3224	msiexec.exe
Token: SeSystemtimePrivilege	3224	msiexec.exe
Token: SeProfSingleProcessPrivilege	3224	msiexec.exe
Token: SeIncBasePriorityPrivilege	3224	msiexec.exe
Token: SeCreatePagefilePrivilege	3224	msiexec.exe
Token: SeCreatePermanentPrivilege	3224	msiexec.exe
Token: SeBackupPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeShutdownPrivilege	3224	msiexec.exe
Token: SeDebugPrivilege	3224	msiexec.exe
Token: SeAuditPrivilege	3224	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3224	msiexec.exe
Token: SeChangeNotifyPrivilege	3224	msiexec.exe
Token: SeRemoteShutdownPrivilege	3224	msiexec.exe
Token: SeUndockPrivilege	3224	msiexec.exe
Token: SeSyncAgentPrivilege	3224	msiexec.exe
Token: SeEnableDelegationPrivilege	3224	msiexec.exe
Token: SeManageVolumePrivilege	3224	msiexec.exe
Token: SeImpersonatePrivilege	3224	msiexec.exe
Token: SeCreateGlobalPrivilege	3224	msiexec.exe
Token: SeBackupPrivilege	4172	vssvc.exe
Token: SeRestorePrivilege	4172	vssvc.exe
Token: SeAuditPrivilege	4172	vssvc.exe
Token: SeBackupPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeBackupPrivilege	2376	srtasks.exe
Token: SeRestorePrivilege	2376	srtasks.exe
Token: SeSecurityPrivilege	2376	srtasks.exe
Token: SeTakeOwnershipPrivilege	2376	srtasks.exe
Token: SeBackupPrivilege	2376	srtasks.exe
Token: SeRestorePrivilege	2376	srtasks.exe
Token: SeSecurityPrivilege	2376	srtasks.exe
Token: SeTakeOwnershipPrivilege	2376	srtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

3224 msiexec.exe

pid	process
3224	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 3012 wrote to memory of 2376	3012	msiexec.exe	srtasks.exe
PID 3012 wrote to memory of 2376	3012	msiexec.exe	srtasks.exe
PID 3012 wrote to memory of 1340	3012	msiexec.exe	MsiExec.exe
PID 3012 wrote to memory of 1340	3012	msiexec.exe	MsiExec.exe
PID 3012 wrote to memory of 1340	3012	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\OFFICE2016\groove.es-es\groovemui.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3224

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6096BA716831C5C1EE8DC03C11DDDAFB
  2⤵
  - Loads dropped DLL
  PID:1340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSICDA0.tmp

Filesize
95KB

MD5
acfd123d0e36411b9c1f556853dd9ea5

SHA1
812025408e21687dcd6e8eeb1667025a7b7abcbf

SHA256
d89dd83af50bfc6e325e2b4e7eecd982ec3ddee9ccb9cfef86d8a5593907c317

SHA512
e01da6d2867ca5a029d60bac781cef6639485255ce515bc8e094a43fa107b0d8c120b7bb3de75457407479de71585dfd9475b1b1f39d2d82d303586ccdb9024d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
0ee104e7209e5364a284e55e73602ef3

SHA1
3744f02ce72266d015c53f5ea2a3b4d0e03dc143

SHA256
bed701b5fe388efc74ec138d0630c908aa89635a74a99010482cd3982563914c

SHA512
17546139d6eaf21dc639769ef5265546578708948b988d036fd415dd527e4bf0d2c912d7b9015161cf925a99308bb0549c81406cf954cb1a6cfccc342c591028

Download Submit
\??\Volume{dfbd5e8b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4b3f1d8f-c03b-4d00-98ed-3d021f4a5603}_OnDiskSnapshotProp

Filesize
6KB

MD5
cb658914d4d96e560ea44127b788db42

SHA1
4ec69539f6e8891cfab02f029747883aad6d1abc

SHA256
94d411fb9b4ec7ad10f491a828d63a2877b9026794308afb0496413d7434beb7

SHA512
795a166c8588de3cff55aaf7015c00a46d83088bee07f94effb23e21fc8d5a6442490c1abce148f81c33a9b4664b3d40457bc9ac0a1f8dd0d2e5ea2a9cc9482e

Download Submit