Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-de -
resource tags
arch:x64 arch:x86 image:win7-20240221-de locale:de-de os:windows7-x64 system windows -
submitted
30/04/2024, 08:39
Static task
static1
Behavioral task
behavioral1
Sample
au.msi
Resource
win7-20240221-de
Behavioral task
behavioral2
Sample
au.msi
Resource
win10v2004-20240226-de
General
-
Target
au.msi
-
Size
179KB
-
MD5
7264bfe110bc600c7233a249f705cc9f
-
SHA1
17fcf2bf1defa8a6f2fd9c82ed69be4002922171
-
SHA256
087bb1a7c20287d9c92c7be7819e67219cf783bacf5b4a890744e90f72a4398a
-
SHA512
3c6938af67999ae0d1110c32041ce759a7f3855dfb7cd46a52ccddf301bce8ab4e8e2331fbf5e2c61283f1378807d93a3d1ae18f0a0c834da12180f11669335c
-
SSDEEP
3072:xEw1mQzm9iiFya9Yqrulom5gYVq0h8RNRkk:+w1mQ69ilGYCunhVq0qIk
Malware Config
Signatures
-
Blocklisted process makes network request 4 IoCs
flow pid Process
3 2072 msiexec.exe
5 2072 msiexec.exe
7 2072 msiexec.exe
9 2072 msiexec.exe
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
-
Drops file in System32 directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_neutral_7499a4fac85b39fc\volsnap.PNF DrvInst.exe
-
Drops file in Windows directory 9 IoCs
description ioc Process
File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe
File created C:\Windows\Installer\f7667e8.ipi msiexec.exe
File opened for modification C:\Windows\Installer\f7667e7.msi msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File opened for modification C:\Windows\Installer\MSI6911.tmp msiexec.exe
File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe
File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe
File opened for modification C:\Windows\INF\volsnap.PNF DrvInst.exe
File created C:\Windows\Installer\f7667e7.msi msiexec.exe
-
Modifies data under HKEY_USERS 43 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\LanguageList = 640065002d0044004500000064006500000065006e002d0055005300000065006e0000000000 DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
2460 msiexec.exe
2460 msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 55 IoCs
description pid Process
Token: SeShutdownPrivilege 2072 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2072 msiexec.exe
Token: SeRestorePrivilege 2460 msiexec.exe
Token: SeTakeOwnershipPrivilege 2460 msiexec.exe
Token: SeSecurityPrivilege 2460 msiexec.exe
Token: SeCreateTokenPrivilege 2072 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 2072 msiexec.exe
Token: SeLockMemoryPrivilege 2072 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2072 msiexec.exe
Token: SeMachineAccountPrivilege 2072 msiexec.exe
Token: SeTcbPrivilege 2072 msiexec.exe
Token: SeSecurityPrivilege 2072 msiexec.exe
Token: SeTakeOwnershipPrivilege 2072 msiexec.exe
Token: SeLoadDriverPrivilege 2072 msiexec.exe
Token: SeSystemProfilePrivilege 2072 msiexec.exe
Token: SeSystemtimePrivilege 2072 msiexec.exe
Token: SeProfSingleProcessPrivilege 2072 msiexec.exe
Token: SeIncBasePriorityPrivilege 2072 msiexec.exe
Token: SeCreatePagefilePrivilege 2072 msiexec.exe
Token: SeCreatePermanentPrivilege 2072 msiexec.exe
Token: SeBackupPrivilege 2072 msiexec.exe
Token: SeRestorePrivilege 2072 msiexec.exe
Token: SeShutdownPrivilege 2072 msiexec.exe
Token: SeDebugPrivilege 2072 msiexec.exe
Token: SeAuditPrivilege 2072 msiexec.exe
Token: SeSystemEnvironmentPrivilege 2072 msiexec.exe
Token: SeChangeNotifyPrivilege 2072 msiexec.exe
Token: SeRemoteShutdownPrivilege 2072 msiexec.exe
Token: SeUndockPrivilege 2072 msiexec.exe
Token: SeSyncAgentPrivilege 2072 msiexec.exe
Token: SeEnableDelegationPrivilege 2072 msiexec.exe
Token: SeManageVolumePrivilege 2072 msiexec.exe
Token: SeImpersonatePrivilege 2072 msiexec.exe
Token: SeCreateGlobalPrivilege 2072 msiexec.exe
Token: SeBackupPrivilege 3056 vssvc.exe
Token: SeRestorePrivilege 3056 vssvc.exe
Token: SeAuditPrivilege 3056 vssvc.exe
Token: SeBackupPrivilege 2460 msiexec.exe
Token: SeRestorePrivilege 2460 msiexec.exe
Token: SeRestorePrivilege 1088 DrvInst.exe
Token: SeRestorePrivilege 1088 DrvInst.exe
Token: SeRestorePrivilege 1088 DrvInst.exe
Token: SeRestorePrivilege 1088 DrvInst.exe
Token: SeRestorePrivilege 1088 DrvInst.exe
Token: SeRestorePrivilege 1088 DrvInst.exe
Token: SeRestorePrivilege 1088 DrvInst.exe
Token: SeLoadDriverPrivilege 1088 DrvInst.exe
Token: SeLoadDriverPrivilege 1088 DrvInst.exe
Token: SeLoadDriverPrivilege 1088 DrvInst.exe
Token: SeRestorePrivilege 2460 msiexec.exe
Token: SeTakeOwnershipPrivilege 2460 msiexec.exe
Token: SeRestorePrivilege 2460 msiexec.exe
Token: SeTakeOwnershipPrivilege 2460 msiexec.exe
Token: SeRestorePrivilege 2460 msiexec.exe
Token: SeTakeOwnershipPrivilege 2460 msiexec.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
2072 msiexec.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\au.msi
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2072
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3056
-
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000390" "000000000000051C"
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1088
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\45781A86D7D79A4E3FE6F4DF8CDF171D_E0B7CDE0B6AB7ABECB214E5A7A028B64
Filesize 5B
MD5 5bfa51f3a417b98e7443eca90fc94703
SHA1 8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256 bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
-
Filesize
68KB
MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
1KB
MD5 63f207bab54520e443af5f5d879666ca
SHA1 ae4d1aa61e3de3db80c8c7f41e9bce526fb05693
SHA256 b674ab1941b315b897fb0d0cf91facfe75f268af88a8473795e3588b278b7eee
SHA512 77a6db3c7dbb138e5d5bb2fc001c56797a399c0cd22195c9878865d16f38fea5712cd892b04ac97c8fdee82990244ad7a9822d3eecf5102c4c49b27dd250f089
-
Filesize
565B
MD5 76efe9d42ed530662390f3faf183eacb
SHA1 597c5c20ff9a1b1f56f19df562026de3b275f165
SHA256 3cc89d374677a26732b2b504764cf2d54ff0c0faf614837d453c9acffd9ad76d
SHA512 436f1840421ae23041c3640fba35a977a4c6ea8fbc7dad2375ae8ec680d6cdc46369a8206afc1e60dd8d65e6eed93fb04389cd4af69c0eabd1c1bd67d580d0d9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\45781A86D7D79A4E3FE6F4DF8CDF171D_E0B7CDE0B6AB7ABECB214E5A7A028B64
Filesize 408B
MD5 76e79529341de5a4efbf3e652eb1d586
SHA1 6124df92b15fa96a27f21012c134d419e31ca2f9
SHA256 2a00dfc2b42b02e832f7f3da1e9067ae506d264b63837548aa29c62f8d56c04b
SHA512 d4d5b10ebd5f22305e1cbe0e826cde9739d56e9c9c0e7ba871e658f89beba358fe8d024bd6768aec3474ace6fd4037cf0ee8155f949d6a829ff2d8853c56743e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 3e69c7c84bbc5973bbfe84c9d27c01bd
SHA1 e6ab7d2c5cb846da9a1a3494b7aab47b48dbc167
SHA256 b7cfe81bf06457c9659cfeb4ab6513072f98fe23db0bd3acce43f11b0ea28e8d
SHA512 e84ee778d6eb1cb0d8e012b07bf0ff729179cef2d2480ac47c33b72d8eadcaf2bbf5ea4e6f0a69bc3121926edcd5edf1a16e805c407354f95887164779a0ff16
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A92F33496848CFF4F115ED04BCDD933A_6C14F82F698E40985D569864739DB21B
Filesize 408B
MD5 e1fe1d27d3aa00e091d067958f5bfa28
SHA1 bf5360a6bec212183bbd64198f922a05dd4a641e
SHA256 db49a2e771a1b0e7450bf7083f7040f6ef40024912d05260d64dd0ec75068f47
SHA512 01fee1bb17f4218083158db133b2ff0f859474cdacb805ecc26bed7f78368fc8a2809645c61079157d18294bb0dca94d8db6f7d4d0ff73070505c889ee6b97c0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7
Filesize 188B
MD5 297f0d7da68ae71331594a989e5551ef
SHA1 05e802beb6578035ed436c52de2116d9168da6b0
SHA256 46858bbcc6135dbcaed9654f1bd94030cb39dcd76c7dc073ad7d5fb2e2d29ec8
SHA512 1d9c05462a4d208a006eb5ac2b10e63397db6f4fc6ac195d26fc4ec7ea733db562dcd0f5a0ff679dbf0060e07714588a68cca751c8ce71edea99193871f6dc2f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E8974A4669383843486E5AFDB09650F5
Filesize 212B
MD5 2ec91352165a2ee15b1f5d61f34feb08
SHA1 df889015c316244cc69db5a8d1c037f04a595a28
SHA256 475f7ff1dc93c8fb43d26c8fc4545406f4173b3a72555a9cf9e06b6c2e3f87f1
SHA512 97f62101e1b840b7ffad4c9da9e77814888f8cf831db0536a5d740d2bedc7d5b053d4a3a269b9ebc03881eaaf78638200e82f545332862e49ac03b1491e42eec
-
Filesize
177KB
MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_neutral_7499a4fac85b39fc\volsnap.PNF
Filesize 5KB
MD5 d700ec0e99f3c18f78ff27d7a1fb90a3
SHA1 c3c04b3ecffec472995899de2c9b17ef19ee22d8
SHA256 a08e2e90193f4f8654ea813aa4355af00a8e634a29150812dc5e8cfe4916eb2f
SHA512 f222db9d8c1a6f882541d54959a8e78a59f1f4d8e96b985ff453b2003848ff0915cadf21ba90a3a0e38bf5c4e0f97c0d2e3c7a580b75b8d64eb61397167f2b1e