7ab156266c51905322bb36eb17ad85809c7b29eca210fd6e4de0c09454b33a0a

General

Target

setup.msi
Size

508KB
MD5

4c5d506168367113b3a4e6c66cd93b01
SHA1

6970b2b8c0bb82e481844707c8a2965bad815d65
SHA256

7ab156266c51905322bb36eb17ad85809c7b29eca210fd6e4de0c09454b33a0a
SHA512

986776eb27c27949ae21df8fce533a7a36031fbf1f281d1838a6e8ff0a28f349b4340bed7969572eea3f2943edc46d587cb35be4cc953ea3e4894e3216804c07
SSDEEP

6144:SveJGCndUlTIVOdtc+Hp1h/yQz+VPZspW0/9jKaSArZJsnPn:LGCndUlT4+Hp+Qz+lK1Zkv

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e575d24.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B482F960-1FAB-4A88-92B4-5D5007CE52B0}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF9A9C9FBEE0CB206E.TMP	msiexec.exe
File created	C:\Windows\Installer\e575d26.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF2DD5A008C8FDCF83.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e575d24.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF19D01B3F3DA037A8.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5DE0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5DB0.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF44C34247B18897BC.TMP	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

MSI5DE0.tmp

pid process

1776 MSI5DE0.tmp

pid	process
1776	MSI5DE0.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000c993a456edcb2280000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000c993a450000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000c993a45000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0c993a45000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000c993a4500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2068 msiexec.exe
2068 msiexec.exe

pid	process
2068	msiexec.exe
2068	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	4088	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4088	msiexec.exe
Token: SeSecurityPrivilege	2068	msiexec.exe
Token: SeCreateTokenPrivilege	4088	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4088	msiexec.exe
Token: SeLockMemoryPrivilege	4088	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4088	msiexec.exe
Token: SeMachineAccountPrivilege	4088	msiexec.exe
Token: SeTcbPrivilege	4088	msiexec.exe
Token: SeSecurityPrivilege	4088	msiexec.exe
Token: SeTakeOwnershipPrivilege	4088	msiexec.exe
Token: SeLoadDriverPrivilege	4088	msiexec.exe
Token: SeSystemProfilePrivilege	4088	msiexec.exe
Token: SeSystemtimePrivilege	4088	msiexec.exe
Token: SeProfSingleProcessPrivilege	4088	msiexec.exe
Token: SeIncBasePriorityPrivilege	4088	msiexec.exe
Token: SeCreatePagefilePrivilege	4088	msiexec.exe
Token: SeCreatePermanentPrivilege	4088	msiexec.exe
Token: SeBackupPrivilege	4088	msiexec.exe
Token: SeRestorePrivilege	4088	msiexec.exe
Token: SeShutdownPrivilege	4088	msiexec.exe
Token: SeDebugPrivilege	4088	msiexec.exe
Token: SeAuditPrivilege	4088	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4088	msiexec.exe
Token: SeChangeNotifyPrivilege	4088	msiexec.exe
Token: SeRemoteShutdownPrivilege	4088	msiexec.exe
Token: SeUndockPrivilege	4088	msiexec.exe
Token: SeSyncAgentPrivilege	4088	msiexec.exe
Token: SeEnableDelegationPrivilege	4088	msiexec.exe
Token: SeManageVolumePrivilege	4088	msiexec.exe
Token: SeImpersonatePrivilege	4088	msiexec.exe
Token: SeCreateGlobalPrivilege	4088	msiexec.exe
Token: SeBackupPrivilege	3284	vssvc.exe
Token: SeRestorePrivilege	3284	vssvc.exe
Token: SeAuditPrivilege	3284	vssvc.exe
Token: SeBackupPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4088 msiexec.exe
4088 msiexec.exe

pid	process
4088	msiexec.exe
4088	msiexec.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2068 wrote to memory of 4864	2068	msiexec.exe	srtasks.exe
PID 2068 wrote to memory of 4864	2068	msiexec.exe	srtasks.exe
PID 2068 wrote to memory of 1776	2068	msiexec.exe	MSI5DE0.tmp
PID 2068 wrote to memory of 1776	2068	msiexec.exe	MSI5DE0.tmp

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4088

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4864

C:\Windows\Installer\MSI5DE0.tmp
"C:\Windows\Installer\MSI5DE0.tmp"
2⤵
- Executes dropped EXE
PID:1776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3284

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e575d25.rbs
Filesize
7KB

MD5
018116ebcb77f654e23d41907716235c

SHA1
e9d03bc2faa5aad22851c5cdc19c626bbcf5ffe1

SHA256
6dc5ae10e288467f71393fc3b6779f35495feb5a27fb4eb5e0b683e73142b28a

SHA512
ed208a9ca17fb0eb92b69be0d972a10059f344615ec838ca04557e4cc470a6f3e5a01456270af1c0cf7c2bb7298d93c1165fda15ba31db6fe71ee19d7cc0db98

Download Submit
C:\Windows\Installer\MSI5DE0.tmp
Filesize
472KB

MD5
f3092d2e603cf154a7cebde8e5f07868

SHA1
b164271ad70aecb4757f986e96d8a11bbc49da3e

SHA256
068a7dd7731272b56a03d4431b3f49ff9d4c190127aab6c127b5d246d7c68edf

SHA512
328944764b3d35bc3876f53626a85a85c3786541629b20a1e029f0500ea099c4c70de561119f692446f15b6946bbcf99babb1d93400de16d3a1a7aa20748644c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
12.8MB

MD5
0110b5cf55b79aea38607e7be904a6ab

SHA1
60df987ad765c0c5621714545c6d673a9efc1b61

SHA256
6d5ee7f054fa736f9be1c94c3175dc79fff09489eae502dc2e88d07e171c5a7e

SHA512
c5eb358e58340134566d40ab9615803bc2982b0f7f046ad86806b33141a80fdd8cc665709d9496cde27738b8dab09408662ea38899a54bd8b7b999a0f856d9a7

Download Submit
\??\Volume{453a990c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{fa5f4e7f-9536-4a0b-8133-5ae42581a747}_OnDiskSnapshotProp
Filesize
6KB

MD5
1a0dbf36052d4dab778411a0f05b5494

SHA1
f5879c338a6854565dae061d90fdd05c23184353

SHA256
bc2641a4eec845a37508429f15920800e0d0767ebc0a35998b7c7d32e92a54e7

SHA512
0546efc1456413fcd42e347fc4af51299e3cd204b011aa75f825126615c31230d219c5589128b56dec1e11f11a4e3817f5738691dc9f429907b4d2f6344848d4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads