7ab156266c51905322bb36eb17ad85809c7b29eca210fd6e4de0c09454b33a0a

General

Target

setup.msi
Size

508KB
MD5

4c5d506168367113b3a4e6c66cd93b01
SHA1

6970b2b8c0bb82e481844707c8a2965bad815d65
SHA256

7ab156266c51905322bb36eb17ad85809c7b29eca210fd6e4de0c09454b33a0a
SHA512

986776eb27c27949ae21df8fce533a7a36031fbf1f281d1838a6e8ff0a28f349b4340bed7969572eea3f2943edc46d587cb35be4cc953ea3e4894e3216804c07
SSDEEP

6144:SveJGCndUlTIVOdtc+Hp1h/yQz+VPZspW0/9jKaSArZJsnPn:LGCndUlT4+Hp+Qz+lK1Zkv

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI8CB1.tmp	msiexec.exe
File created	C:\Windows\Installer\e578bc5.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B482F960-1FAB-4A88-92B4-5D5007CE52B0}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C81.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e578bc5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e578bc7.msi	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

MSI8CB1.tmp

pid process

5000 MSI8CB1.tmp
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

3036 msiexec.exe
3036 msiexec.exe

pid	process
5000	MSI8CB1.tmp

pid	process
3036	msiexec.exe
3036	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	4144	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4144	msiexec.exe
Token: SeSecurityPrivilege	3036	msiexec.exe
Token: SeCreateTokenPrivilege	4144	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4144	msiexec.exe
Token: SeLockMemoryPrivilege	4144	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4144	msiexec.exe
Token: SeMachineAccountPrivilege	4144	msiexec.exe
Token: SeTcbPrivilege	4144	msiexec.exe
Token: SeSecurityPrivilege	4144	msiexec.exe
Token: SeTakeOwnershipPrivilege	4144	msiexec.exe
Token: SeLoadDriverPrivilege	4144	msiexec.exe
Token: SeSystemProfilePrivilege	4144	msiexec.exe
Token: SeSystemtimePrivilege	4144	msiexec.exe
Token: SeProfSingleProcessPrivilege	4144	msiexec.exe
Token: SeIncBasePriorityPrivilege	4144	msiexec.exe
Token: SeCreatePagefilePrivilege	4144	msiexec.exe
Token: SeCreatePermanentPrivilege	4144	msiexec.exe
Token: SeBackupPrivilege	4144	msiexec.exe
Token: SeRestorePrivilege	4144	msiexec.exe
Token: SeShutdownPrivilege	4144	msiexec.exe
Token: SeDebugPrivilege	4144	msiexec.exe
Token: SeAuditPrivilege	4144	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4144	msiexec.exe
Token: SeChangeNotifyPrivilege	4144	msiexec.exe
Token: SeRemoteShutdownPrivilege	4144	msiexec.exe
Token: SeUndockPrivilege	4144	msiexec.exe
Token: SeSyncAgentPrivilege	4144	msiexec.exe
Token: SeEnableDelegationPrivilege	4144	msiexec.exe
Token: SeManageVolumePrivilege	4144	msiexec.exe
Token: SeImpersonatePrivilege	4144	msiexec.exe
Token: SeCreateGlobalPrivilege	4144	msiexec.exe
Token: SeBackupPrivilege	1384	vssvc.exe
Token: SeRestorePrivilege	1384	vssvc.exe
Token: SeAuditPrivilege	1384	vssvc.exe
Token: SeBackupPrivilege	3036	msiexec.exe
Token: SeRestorePrivilege	3036	msiexec.exe
Token: SeRestorePrivilege	3036	msiexec.exe
Token: SeTakeOwnershipPrivilege	3036	msiexec.exe
Token: SeRestorePrivilege	3036	msiexec.exe
Token: SeTakeOwnershipPrivilege	3036	msiexec.exe
Token: SeRestorePrivilege	3036	msiexec.exe
Token: SeTakeOwnershipPrivilege	3036	msiexec.exe
Token: SeRestorePrivilege	3036	msiexec.exe
Token: SeTakeOwnershipPrivilege	3036	msiexec.exe
Token: SeRestorePrivilege	3036	msiexec.exe
Token: SeTakeOwnershipPrivilege	3036	msiexec.exe
Token: SeRestorePrivilege	3036	msiexec.exe
Token: SeTakeOwnershipPrivilege	3036	msiexec.exe
Token: SeRestorePrivilege	3036	msiexec.exe
Token: SeTakeOwnershipPrivilege	3036	msiexec.exe
Token: SeRestorePrivilege	3036	msiexec.exe
Token: SeTakeOwnershipPrivilege	3036	msiexec.exe
Token: SeRestorePrivilege	3036	msiexec.exe
Token: SeTakeOwnershipPrivilege	3036	msiexec.exe
Token: SeRestorePrivilege	3036	msiexec.exe
Token: SeTakeOwnershipPrivilege	3036	msiexec.exe
Token: SeRestorePrivilege	3036	msiexec.exe
Token: SeTakeOwnershipPrivilege	3036	msiexec.exe
Token: SeRestorePrivilege	3036	msiexec.exe
Token: SeTakeOwnershipPrivilege	3036	msiexec.exe
Token: SeRestorePrivilege	3036	msiexec.exe
Token: SeTakeOwnershipPrivilege	3036	msiexec.exe
Token: SeRestorePrivilege	3036	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4144 msiexec.exe
4144 msiexec.exe

pid	process
4144	msiexec.exe
4144	msiexec.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 3036 wrote to memory of 2136	3036	msiexec.exe	srtasks.exe
PID 3036 wrote to memory of 2136	3036	msiexec.exe	srtasks.exe
PID 3036 wrote to memory of 5000	3036	msiexec.exe	MSI8CB1.tmp
PID 3036 wrote to memory of 5000	3036	msiexec.exe	MSI8CB1.tmp

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4144

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2136

C:\Windows\Installer\MSI8CB1.tmp
"C:\Windows\Installer\MSI8CB1.tmp"
2⤵
- Executes dropped EXE
PID:5000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1384

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e578bc6.rbs
Filesize
7KB

MD5
70ae7de49bb8fdf6ef47789fb86bdb4c

SHA1
2f463098481b278278842f993152b2f4eb9104fc

SHA256
6c0c4647dd20abf67b2a8ad5e3b2480fccca637604981505d8a417997538908a

SHA512
95d62625fd527a9b0adc79ac07f509aded05933dabedfaaddea473e69103c11606ebede6108fe0a014a7d10dc39db264591ea6f887ae8dc1c4fb888b6fe9acb7

Download Submit
C:\Windows\Installer\MSI8CB1.tmp
Filesize
472KB

MD5
f3092d2e603cf154a7cebde8e5f07868

SHA1
b164271ad70aecb4757f986e96d8a11bbc49da3e

SHA256
068a7dd7731272b56a03d4431b3f49ff9d4c190127aab6c127b5d246d7c68edf

SHA512
328944764b3d35bc3876f53626a85a85c3786541629b20a1e029f0500ea099c4c70de561119f692446f15b6946bbcf99babb1d93400de16d3a1a7aa20748644c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
26.0MB

MD5
7eabf134211b6d438e000311b7702f6d

SHA1
ddbdd10d15b8e8fdecac647e5dbb10a4209aa524

SHA256
fd43f54b3961f31c3c07933fa5dfb6a0dd16fd0af5ec1541f7f095a0fb16187b

SHA512
c4be670759f1fb91000bb091d275919c08099612645f28d24cd4204fc071b07e5180b1c4ad803516c3571be1f9db2f81138bde53b5fa52cd701afb9815b8c95d

Download Submit
\??\Volume{38fd360b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8110915c-4ac1-438c-ad68-833908256657}_OnDiskSnapshotProp
Filesize
5KB

MD5
ae17e4e9709255871ef9962d45eeed08

SHA1
2885fdfc1045607a6d2dfc6e6bb5a7520f67fce0

SHA256
a79588e13cfec98f720d5e766c1113805bd3ed07fa529fe1396693f2893ac0de

SHA512
ef929ca4b04b75170c3fcf44957b4fe3aba2906a2a507f20f9fb888a2dce2208d0ca8095dc4305e047c243d76d80f93d1c5b4236d97c8927345e9d51775e6f9c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads