Analysis
-
max time kernel
134s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
23-05-2024 00:13
Static task
static1
Behavioral task
behavioral1
Sample
setup.msi
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
setup.msi
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
setup.msi
Resource
win11-20240508-en
General
-
Target
setup.msi
-
Size
508KB
-
MD5
4c5d506168367113b3a4e6c66cd93b01
-
SHA1
6970b2b8c0bb82e481844707c8a2965bad815d65
-
SHA256
7ab156266c51905322bb36eb17ad85809c7b29eca210fd6e4de0c09454b33a0a
-
SHA512
986776eb27c27949ae21df8fce533a7a36031fbf1f281d1838a6e8ff0a28f349b4340bed7969572eea3f2943edc46d587cb35be4cc953ea3e4894e3216804c07
-
SSDEEP
6144:SveJGCndUlTIVOdtc+Hp1h/yQz+VPZspW0/9jKaSArZJsnPn:LGCndUlT4+Hp+Qz+lK1Zkv
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe -
Drops file in Windows directory 9 IoCs
Processes:
msiexec.exedescription ioc process File opened for modification C:\Windows\Installer\MSI8CB1.tmp msiexec.exe File created C:\Windows\Installer\e578bc5.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{B482F960-1FAB-4A88-92B4-5D5007CE52B0} msiexec.exe File opened for modification C:\Windows\Installer\MSI8C81.tmp msiexec.exe File opened for modification C:\Windows\Installer\e578bc5.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\e578bc7.msi msiexec.exe -
Executes dropped EXE 1 IoCs
Processes:
MSI8CB1.tmppid process 5000 MSI8CB1.tmp -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid process 3036 msiexec.exe 3036 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exedescription pid process Token: SeShutdownPrivilege 4144 msiexec.exe Token: SeIncreaseQuotaPrivilege 4144 msiexec.exe Token: SeSecurityPrivilege 3036 msiexec.exe Token: SeCreateTokenPrivilege 4144 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4144 msiexec.exe Token: SeLockMemoryPrivilege 4144 msiexec.exe Token: SeIncreaseQuotaPrivilege 4144 msiexec.exe Token: SeMachineAccountPrivilege 4144 msiexec.exe Token: SeTcbPrivilege 4144 msiexec.exe Token: SeSecurityPrivilege 4144 msiexec.exe Token: SeTakeOwnershipPrivilege 4144 msiexec.exe Token: SeLoadDriverPrivilege 4144 msiexec.exe Token: SeSystemProfilePrivilege 4144 msiexec.exe Token: SeSystemtimePrivilege 4144 msiexec.exe Token: SeProfSingleProcessPrivilege 4144 msiexec.exe Token: SeIncBasePriorityPrivilege 4144 msiexec.exe Token: SeCreatePagefilePrivilege 4144 msiexec.exe Token: SeCreatePermanentPrivilege 4144 msiexec.exe Token: SeBackupPrivilege 4144 msiexec.exe Token: SeRestorePrivilege 4144 msiexec.exe Token: SeShutdownPrivilege 4144 msiexec.exe Token: SeDebugPrivilege 4144 msiexec.exe Token: SeAuditPrivilege 4144 msiexec.exe Token: SeSystemEnvironmentPrivilege 4144 msiexec.exe Token: SeChangeNotifyPrivilege 4144 msiexec.exe Token: SeRemoteShutdownPrivilege 4144 msiexec.exe Token: SeUndockPrivilege 4144 msiexec.exe Token: SeSyncAgentPrivilege 4144 msiexec.exe Token: SeEnableDelegationPrivilege 4144 msiexec.exe Token: SeManageVolumePrivilege 4144 msiexec.exe Token: SeImpersonatePrivilege 4144 msiexec.exe Token: SeCreateGlobalPrivilege 4144 msiexec.exe Token: SeBackupPrivilege 1384 vssvc.exe Token: SeRestorePrivilege 1384 vssvc.exe Token: SeAuditPrivilege 1384 vssvc.exe Token: SeBackupPrivilege 3036 msiexec.exe Token: SeRestorePrivilege 3036 msiexec.exe Token: SeRestorePrivilege 3036 msiexec.exe Token: SeTakeOwnershipPrivilege 3036 msiexec.exe Token: SeRestorePrivilege 3036 msiexec.exe Token: SeTakeOwnershipPrivilege 3036 msiexec.exe Token: SeRestorePrivilege 3036 msiexec.exe Token: SeTakeOwnershipPrivilege 3036 msiexec.exe Token: SeRestorePrivilege 3036 msiexec.exe Token: SeTakeOwnershipPrivilege 3036 msiexec.exe Token: SeRestorePrivilege 3036 msiexec.exe Token: SeTakeOwnershipPrivilege 3036 msiexec.exe Token: SeRestorePrivilege 3036 msiexec.exe Token: SeTakeOwnershipPrivilege 3036 msiexec.exe Token: SeRestorePrivilege 3036 msiexec.exe Token: SeTakeOwnershipPrivilege 3036 msiexec.exe Token: SeRestorePrivilege 3036 msiexec.exe Token: SeTakeOwnershipPrivilege 3036 msiexec.exe Token: SeRestorePrivilege 3036 msiexec.exe Token: SeTakeOwnershipPrivilege 3036 msiexec.exe Token: SeRestorePrivilege 3036 msiexec.exe Token: SeTakeOwnershipPrivilege 3036 msiexec.exe Token: SeRestorePrivilege 3036 msiexec.exe Token: SeTakeOwnershipPrivilege 3036 msiexec.exe Token: SeRestorePrivilege 3036 msiexec.exe Token: SeTakeOwnershipPrivilege 3036 msiexec.exe Token: SeRestorePrivilege 3036 msiexec.exe Token: SeTakeOwnershipPrivilege 3036 msiexec.exe Token: SeRestorePrivilege 3036 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 4144 msiexec.exe 4144 msiexec.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
msiexec.exedescription pid process target process PID 3036 wrote to memory of 2136 3036 msiexec.exe srtasks.exe PID 3036 wrote to memory of 2136 3036 msiexec.exe srtasks.exe PID 3036 wrote to memory of 5000 3036 msiexec.exe MSI8CB1.tmp PID 3036 wrote to memory of 5000 3036 msiexec.exe MSI8CB1.tmp -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\Installer\MSI8CB1.tmp"C:\Windows\Installer\MSI8CB1.tmp"2⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e578bc6.rbsFilesize
7KB
MD570ae7de49bb8fdf6ef47789fb86bdb4c
SHA12f463098481b278278842f993152b2f4eb9104fc
SHA2566c0c4647dd20abf67b2a8ad5e3b2480fccca637604981505d8a417997538908a
SHA51295d62625fd527a9b0adc79ac07f509aded05933dabedfaaddea473e69103c11606ebede6108fe0a014a7d10dc39db264591ea6f887ae8dc1c4fb888b6fe9acb7
-
C:\Windows\Installer\MSI8CB1.tmpFilesize
472KB
MD5f3092d2e603cf154a7cebde8e5f07868
SHA1b164271ad70aecb4757f986e96d8a11bbc49da3e
SHA256068a7dd7731272b56a03d4431b3f49ff9d4c190127aab6c127b5d246d7c68edf
SHA512328944764b3d35bc3876f53626a85a85c3786541629b20a1e029f0500ea099c4c70de561119f692446f15b6946bbcf99babb1d93400de16d3a1a7aa20748644c
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
26.0MB
MD57eabf134211b6d438e000311b7702f6d
SHA1ddbdd10d15b8e8fdecac647e5dbb10a4209aa524
SHA256fd43f54b3961f31c3c07933fa5dfb6a0dd16fd0af5ec1541f7f095a0fb16187b
SHA512c4be670759f1fb91000bb091d275919c08099612645f28d24cd4204fc071b07e5180b1c4ad803516c3571be1f9db2f81138bde53b5fa52cd701afb9815b8c95d
-
\??\Volume{38fd360b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8110915c-4ac1-438c-ad68-833908256657}_OnDiskSnapshotPropFilesize
5KB
MD5ae17e4e9709255871ef9962d45eeed08
SHA12885fdfc1045607a6d2dfc6e6bb5a7520f67fce0
SHA256a79588e13cfec98f720d5e766c1113805bd3ed07fa529fe1396693f2893ac0de
SHA512ef929ca4b04b75170c3fcf44957b4fe3aba2906a2a507f20f9fb888a2dce2208d0ca8095dc4305e047c243d76d80f93d1c5b4236d97c8927345e9d51775e6f9c