7ab156266c51905322bb36eb17ad85809c7b29eca210fd6e4de0c09454b33a0a

General

Target

setup.msi
Size

508KB
MD5

4c5d506168367113b3a4e6c66cd93b01
SHA1

6970b2b8c0bb82e481844707c8a2965bad815d65
SHA256

7ab156266c51905322bb36eb17ad85809c7b29eca210fd6e4de0c09454b33a0a
SHA512

986776eb27c27949ae21df8fce533a7a36031fbf1f281d1838a6e8ff0a28f349b4340bed7969572eea3f2943edc46d587cb35be4cc953ea3e4894e3216804c07
SSDEEP

6144:SveJGCndUlTIVOdtc+Hp1h/yQz+VPZspW0/9jKaSArZJsnPn:LGCndUlT4+Hp+Qz+lK1Zkv

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI6D21.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D70.tmp	msiexec.exe
File created	C:\Windows\Installer\e576c95.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e576c95.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B482F960-1FAB-4A88-92B4-5D5007CE52B0}	msiexec.exe
File created	C:\Windows\Installer\e576c97.msi	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

MSI6D70.tmp

pid process

2916 MSI6D70.tmp

pid	process
2916	MSI6D70.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003d697fb93d0c6eb40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003d697fb90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003d697fb9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3d697fb9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003d697fb900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

3428 msiexec.exe
3428 msiexec.exe

pid	process
3428	msiexec.exe
3428	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	3032	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3032	msiexec.exe
Token: SeSecurityPrivilege	3428	msiexec.exe
Token: SeCreateTokenPrivilege	3032	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3032	msiexec.exe
Token: SeLockMemoryPrivilege	3032	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3032	msiexec.exe
Token: SeMachineAccountPrivilege	3032	msiexec.exe
Token: SeTcbPrivilege	3032	msiexec.exe
Token: SeSecurityPrivilege	3032	msiexec.exe
Token: SeTakeOwnershipPrivilege	3032	msiexec.exe
Token: SeLoadDriverPrivilege	3032	msiexec.exe
Token: SeSystemProfilePrivilege	3032	msiexec.exe
Token: SeSystemtimePrivilege	3032	msiexec.exe
Token: SeProfSingleProcessPrivilege	3032	msiexec.exe
Token: SeIncBasePriorityPrivilege	3032	msiexec.exe
Token: SeCreatePagefilePrivilege	3032	msiexec.exe
Token: SeCreatePermanentPrivilege	3032	msiexec.exe
Token: SeBackupPrivilege	3032	msiexec.exe
Token: SeRestorePrivilege	3032	msiexec.exe
Token: SeShutdownPrivilege	3032	msiexec.exe
Token: SeDebugPrivilege	3032	msiexec.exe
Token: SeAuditPrivilege	3032	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3032	msiexec.exe
Token: SeChangeNotifyPrivilege	3032	msiexec.exe
Token: SeRemoteShutdownPrivilege	3032	msiexec.exe
Token: SeUndockPrivilege	3032	msiexec.exe
Token: SeSyncAgentPrivilege	3032	msiexec.exe
Token: SeEnableDelegationPrivilege	3032	msiexec.exe
Token: SeManageVolumePrivilege	3032	msiexec.exe
Token: SeImpersonatePrivilege	3032	msiexec.exe
Token: SeCreateGlobalPrivilege	3032	msiexec.exe
Token: SeBackupPrivilege	4564	vssvc.exe
Token: SeRestorePrivilege	4564	vssvc.exe
Token: SeAuditPrivilege	4564	vssvc.exe
Token: SeBackupPrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeTakeOwnershipPrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeTakeOwnershipPrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeTakeOwnershipPrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeTakeOwnershipPrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeTakeOwnershipPrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeTakeOwnershipPrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeTakeOwnershipPrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeTakeOwnershipPrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeTakeOwnershipPrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeTakeOwnershipPrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeTakeOwnershipPrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeTakeOwnershipPrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeTakeOwnershipPrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

3032 msiexec.exe
3032 msiexec.exe

pid	process
3032	msiexec.exe
3032	msiexec.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 3428 wrote to memory of 1144	3428	msiexec.exe	srtasks.exe
PID 3428 wrote to memory of 1144	3428	msiexec.exe	srtasks.exe
PID 3428 wrote to memory of 2916	3428	msiexec.exe	MSI6D70.tmp
PID 3428 wrote to memory of 2916	3428	msiexec.exe	MSI6D70.tmp

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3032

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:1144

C:\Windows\Installer\MSI6D70.tmp
"C:\Windows\Installer\MSI6D70.tmp"
2⤵
- Executes dropped EXE
PID:2916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e576c96.rbs

Filesize
7KB

MD5
d05734ad4b4c9c20d5a4b428b5c670b6

SHA1
23a8d5ba18f5e47e276dbd73c959b82af271495c

SHA256
ac848146011e26046a6af69909f7949efc031e2acdf3d68aebf322a6b55aa617

SHA512
38a30d6bdd284598c6f1740336660d87dbe71769921fc6434bbd71e1b69c83b50f36715c940f88426a68808fb8b33252be95e9fa6b641ccc92922d01fb9c3419

Download Submit
C:\Windows\Installer\MSI6D70.tmp

Filesize
472KB

MD5
f3092d2e603cf154a7cebde8e5f07868

SHA1
b164271ad70aecb4757f986e96d8a11bbc49da3e

SHA256
068a7dd7731272b56a03d4431b3f49ff9d4c190127aab6c127b5d246d7c68edf

SHA512
328944764b3d35bc3876f53626a85a85c3786541629b20a1e029f0500ea099c4c70de561119f692446f15b6946bbcf99babb1d93400de16d3a1a7aa20748644c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
b2f23d3ac86da3d6ac8b2a3ebdb7a5c0

SHA1
ee20f8338216e4f7cb9d2baf5f477da9e7c111b2

SHA256
75721ed71500ed4d878c736be7be39dd30f9fd80e00f00ed885faea219eeaa09

SHA512
ea145400ccf2fc1bd2d162217b85eea84e4a6e0b63f25eea5819ea37d09eb28c7637ab8b893c56ce7ee8d6d37d61d2d293febb00df0de3f1d2d1b1a16dbb884a

Download Submit
\??\Volume{b97f693d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e48d220a-1607-4e8a-bf8d-9f56e84cb05f}_OnDiskSnapshotProp

Filesize
6KB

MD5
b32fd9b4c62d2fbee323682e3b0cfc3a

SHA1
e5b796d913a9f2e611854eb15b7ce91ebf0a9ae1

SHA256
6f9eac406b526621b2254c62ab3085f02a632e3a7c1fd7b67cb67582e603db03

SHA512
d5bfce249e0247d97f620e891899ac97a243fed070a64feab2b22ebad93fa9011b8f02554b067f7bb539d90e515ee7f684f04b5e77389e667891af90dc100fc3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads