Analysis
max time kernel: 91s
max time network: 92s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-05-2024 16:16

Static task: static1
Behavioral task: behavioral1
  Sample: SInstall/Install.msi
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: SInstall/Install.msi
  Resource: win10v2004-20240419-en
Errors
General
Target: SInstall/Install.msi
Size: 12.9MB
MD5: 30dd26075a5ca7a4861e9214a99d0495
SHA1: c719f6d5be2f3edd98c0d15fb506b9e880da0494
SHA256: d2e7fb1c52b9edab4d7f24c3abfde4f40fc7b30fae146d54f7a19e8b8aca41a9
SHA512: 2427b37738e3f472641b516efa661e4f8d351d93e39324f9ebffd0cdd3cea51d96fff7d473658989e0280fecc3b3e02eadece8c5a14fe5c5c7cf8ad906ee331f
SSDEEP: 196608:ZM20xOGXi3lb4LU49Vqo/Uq1b4BATrwt0t1y5ur3Q9Jdj4IiV61flezGT8Dp:r0xfcbgh9VqB3BwwMr0/d0at8D
Malware Config
Signatures
Blocklisted process makes network request (3 IoCs)
flow | pid | Process
4 | 1352 | msiexec.exe
6 | 1352 | msiexec.exe
7 | 1352 | msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | each of the following drive roots, opened twice (46 events in total): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: | msiexec.exe
Drops file in Windows directory (8 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\SourceHash{32E257F1-2375-44D4-9924-B4AF0EEF036A} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8F79.tmp | msiexec.exe
File created | C:\Windows\Installer\e58876d.msi | msiexec.exe
File created | C:\Windows\Installer\e58876b.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e58876b.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1576 | schtasks.exe
Modifies data under HKEY_USERS (15 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
5016 | msiexec.exe
5016 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 1352 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1352 | msiexec.exe
Token: SeSecurityPrivilege | 5016 | msiexec.exe
Token: SeCreateTokenPrivilege | 1352 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 1352 | msiexec.exe
Token: SeLockMemoryPrivilege | 1352 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1352 | msiexec.exe
Token: SeMachineAccountPrivilege | 1352 | msiexec.exe
Token: SeTcbPrivilege | 1352 | msiexec.exe
Token: SeSecurityPrivilege | 1352 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1352 | msiexec.exe
Token: SeLoadDriverPrivilege | 1352 | msiexec.exe
Token: SeSystemProfilePrivilege | 1352 | msiexec.exe
Token: SeSystemtimePrivilege | 1352 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 1352 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 1352 | msiexec.exe
Token: SeCreatePagefilePrivilege | 1352 | msiexec.exe
Token: SeCreatePermanentPrivilege | 1352 | msiexec.exe
Token: SeBackupPrivilege | 1352 | msiexec.exe
Token: SeRestorePrivilege | 1352 | msiexec.exe
Token: SeShutdownPrivilege | 1352 | msiexec.exe
Token: SeDebugPrivilege | 1352 | msiexec.exe
Token: SeAuditPrivilege | 1352 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 1352 | msiexec.exe
Token: SeChangeNotifyPrivilege | 1352 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 1352 | msiexec.exe
Token: SeUndockPrivilege | 1352 | msiexec.exe
Token: SeSyncAgentPrivilege | 1352 | msiexec.exe
Token: SeEnableDelegationPrivilege | 1352 | msiexec.exe
Token: SeManageVolumePrivilege | 1352 | msiexec.exe
Token: SeImpersonatePrivilege | 1352 | msiexec.exe
Token: SeCreateGlobalPrivilege | 1352 | msiexec.exe
Token: SeBackupPrivilege | 4452 | vssvc.exe
Token: SeRestorePrivilege | 4452 | vssvc.exe
Token: SeAuditPrivilege | 4452 | vssvc.exe
Token: SeBackupPrivilege | 5016 | msiexec.exe
Token: SeRestorePrivilege | 5016 | msiexec.exe
Token: SeRestorePrivilege and SeTakeOwnershipPrivilege, alternating (27 further entries: 14 SeRestorePrivilege, 13 SeTakeOwnershipPrivilege) | 5016 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1352 | msiexec.exe
1352 | msiexec.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
4556 | LogonUI.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 5016 wrote to memory of 4140 | 5016 | msiexec.exe | 110
PID 5016 wrote to memory of 4140 | 5016 | msiexec.exe | 110
PID 5016 wrote to memory of 1468 | 5016 | msiexec.exe | 112
PID 5016 wrote to memory of 1468 | 5016 | msiexec.exe | 112
PID 5016 wrote to memory of 1468 | 5016 | msiexec.exe | 112
PID 1468 wrote to memory of 3916 | 1468 | MsiExec.exe | 113
PID 1468 wrote to memory of 3916 | 1468 | MsiExec.exe | 113
PID 1468 wrote to memory of 3916 | 1468 | MsiExec.exe | 113
PID 3916 wrote to memory of 1576 | 3916 | cmd.exe | 115
PID 3916 wrote to memory of 1576 | 3916 | cmd.exe | 115
PID 3916 wrote to memory of 1576 | 3916 | cmd.exe | 115
PID 3916 wrote to memory of 964 | 3916 | cmd.exe | 116
PID 3916 wrote to memory of 964 | 3916 | cmd.exe | 116
PID 3916 wrote to memory of 964 | 3916 | cmd.exe | 116
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- Image: C:\Windows\system32\msiexec.exe
  Command: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SInstall\Install.msi
  PID: 1352
  Signatures: Blocklisted process makes network request; Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- Image: C:\Windows\system32\msiexec.exe
  Command: C:\Windows\system32\msiexec.exe /V
  PID: 5016
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - Image: C:\Windows\system32\srtasks.exe
    Command: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 4140
  - Image: C:\Windows\syswow64\MsiExec.exe
    Command: C:\Windows\syswow64\MsiExec.exe -Embedding C041E47A59D294B23D1CCD5764798F6A
    PID: 1468
    Signatures: Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\cmd.exe
      Command: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Redist\Oun.bat" "
      PID: 3916
      Signatures: Suspicious use of WriteProcessMemory
      - Image: C:\Windows\SysWOW64\schtasks.exe
        Command: schtasks /create /RU "NT AUTHORITY\SYSTEM" /F /RL HIGHEST /sc onlogon /tn "\User" /tr "C:\ProgramData\Redist\Pun.bat"
        PID: 1576
        Signatures: Creates scheduled task(s)
      - Image: C:\Windows\SysWOW64\shutdown.exe
        Command: shutdown -r -t 0 -f
        PID: 964
- Image: C:\Windows\system32\vssvc.exe
  Command: C:\Windows\system32\vssvc.exe
  PID: 4452
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- Image: C:\Windows\system32\LogonUI.exe
  Command: "LogonUI.exe" /flags:0x4 /state0:0xa3908055 /state1:0x41c64e6d
  PID: 4556
  Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
Downloads