Analysis
-
max time kernel
90s -
max time network
94s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
23-05-2024 00:13
Static task
static1
Behavioral task
behavioral1
Sample
setup.msi
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
setup.msi
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
setup.msi
Resource
win11-20240508-en
General
-
Target
setup.msi
-
Size
508KB
-
MD5
4c5d506168367113b3a4e6c66cd93b01
-
SHA1
6970b2b8c0bb82e481844707c8a2965bad815d65
-
SHA256
7ab156266c51905322bb36eb17ad85809c7b29eca210fd6e4de0c09454b33a0a
-
SHA512
986776eb27c27949ae21df8fce533a7a36031fbf1f281d1838a6e8ff0a28f349b4340bed7969572eea3f2943edc46d587cb35be4cc953ea3e4894e3216804c07
-
SSDEEP
6144:SveJGCndUlTIVOdtc+Hp1h/yQz+VPZspW0/9jKaSArZJsnPn:LGCndUlT4+Hp+Qz+lK1Zkv
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe -
Drops file in Windows directory 13 IoCs
Processes:
msiexec.exedescription ioc process File created C:\Windows\Installer\e575d24.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\SourceHash{B482F960-1FAB-4A88-92B4-5D5007CE52B0} msiexec.exe File created C:\Windows\SystemTemp\~DF9A9C9FBEE0CB206E.TMP msiexec.exe File created C:\Windows\Installer\e575d26.msi msiexec.exe File created C:\Windows\SystemTemp\~DF2DD5A008C8FDCF83.TMP msiexec.exe File opened for modification C:\Windows\Installer\e575d24.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\SystemTemp\~DF19D01B3F3DA037A8.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI5DE0.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5DB0.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF44C34247B18897BC.TMP msiexec.exe -
Executes dropped EXE 1 IoCs
Processes:
MSI5DE0.tmppid process 1776 MSI5DE0.tmp -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000c993a456edcb2280000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000c993a450000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000c993a45000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0c993a45000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000c993a4500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid process 2068 msiexec.exe 2068 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exedescription pid process Token: SeShutdownPrivilege 4088 msiexec.exe Token: SeIncreaseQuotaPrivilege 4088 msiexec.exe Token: SeSecurityPrivilege 2068 msiexec.exe Token: SeCreateTokenPrivilege 4088 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4088 msiexec.exe Token: SeLockMemoryPrivilege 4088 msiexec.exe Token: SeIncreaseQuotaPrivilege 4088 msiexec.exe Token: SeMachineAccountPrivilege 4088 msiexec.exe Token: SeTcbPrivilege 4088 msiexec.exe Token: SeSecurityPrivilege 4088 msiexec.exe Token: SeTakeOwnershipPrivilege 4088 msiexec.exe Token: SeLoadDriverPrivilege 4088 msiexec.exe Token: SeSystemProfilePrivilege 4088 msiexec.exe Token: SeSystemtimePrivilege 4088 msiexec.exe Token: SeProfSingleProcessPrivilege 4088 msiexec.exe Token: SeIncBasePriorityPrivilege 4088 msiexec.exe Token: SeCreatePagefilePrivilege 4088 msiexec.exe Token: SeCreatePermanentPrivilege 4088 msiexec.exe Token: SeBackupPrivilege 4088 msiexec.exe Token: SeRestorePrivilege 4088 msiexec.exe Token: SeShutdownPrivilege 4088 msiexec.exe Token: SeDebugPrivilege 4088 msiexec.exe Token: SeAuditPrivilege 4088 msiexec.exe Token: SeSystemEnvironmentPrivilege 4088 msiexec.exe Token: SeChangeNotifyPrivilege 4088 msiexec.exe Token: SeRemoteShutdownPrivilege 4088 msiexec.exe Token: SeUndockPrivilege 4088 msiexec.exe Token: SeSyncAgentPrivilege 4088 msiexec.exe Token: SeEnableDelegationPrivilege 4088 msiexec.exe Token: SeManageVolumePrivilege 4088 msiexec.exe Token: SeImpersonatePrivilege 4088 msiexec.exe Token: SeCreateGlobalPrivilege 4088 msiexec.exe Token: SeBackupPrivilege 3284 vssvc.exe Token: SeRestorePrivilege 3284 vssvc.exe Token: SeAuditPrivilege 3284 vssvc.exe Token: SeBackupPrivilege 2068 msiexec.exe Token: SeRestorePrivilege 2068 msiexec.exe Token: SeRestorePrivilege 2068 msiexec.exe Token: SeTakeOwnershipPrivilege 2068 msiexec.exe Token: SeRestorePrivilege 2068 msiexec.exe Token: SeTakeOwnershipPrivilege 2068 msiexec.exe Token: SeRestorePrivilege 2068 msiexec.exe Token: SeTakeOwnershipPrivilege 2068 msiexec.exe Token: SeRestorePrivilege 2068 msiexec.exe Token: SeTakeOwnershipPrivilege 2068 msiexec.exe Token: SeRestorePrivilege 2068 msiexec.exe Token: SeTakeOwnershipPrivilege 2068 msiexec.exe Token: SeRestorePrivilege 2068 msiexec.exe Token: SeTakeOwnershipPrivilege 2068 msiexec.exe Token: SeRestorePrivilege 2068 msiexec.exe Token: SeTakeOwnershipPrivilege 2068 msiexec.exe Token: SeRestorePrivilege 2068 msiexec.exe Token: SeTakeOwnershipPrivilege 2068 msiexec.exe Token: SeRestorePrivilege 2068 msiexec.exe Token: SeTakeOwnershipPrivilege 2068 msiexec.exe Token: SeRestorePrivilege 2068 msiexec.exe Token: SeTakeOwnershipPrivilege 2068 msiexec.exe Token: SeRestorePrivilege 2068 msiexec.exe Token: SeTakeOwnershipPrivilege 2068 msiexec.exe Token: SeRestorePrivilege 2068 msiexec.exe Token: SeTakeOwnershipPrivilege 2068 msiexec.exe Token: SeRestorePrivilege 2068 msiexec.exe Token: SeTakeOwnershipPrivilege 2068 msiexec.exe Token: SeRestorePrivilege 2068 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 4088 msiexec.exe 4088 msiexec.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
msiexec.exedescription pid process target process PID 2068 wrote to memory of 4864 2068 msiexec.exe srtasks.exe PID 2068 wrote to memory of 4864 2068 msiexec.exe srtasks.exe PID 2068 wrote to memory of 1776 2068 msiexec.exe MSI5DE0.tmp PID 2068 wrote to memory of 1776 2068 msiexec.exe MSI5DE0.tmp -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\Installer\MSI5DE0.tmp"C:\Windows\Installer\MSI5DE0.tmp"2⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e575d25.rbsFilesize
7KB
MD5018116ebcb77f654e23d41907716235c
SHA1e9d03bc2faa5aad22851c5cdc19c626bbcf5ffe1
SHA2566dc5ae10e288467f71393fc3b6779f35495feb5a27fb4eb5e0b683e73142b28a
SHA512ed208a9ca17fb0eb92b69be0d972a10059f344615ec838ca04557e4cc470a6f3e5a01456270af1c0cf7c2bb7298d93c1165fda15ba31db6fe71ee19d7cc0db98
-
C:\Windows\Installer\MSI5DE0.tmpFilesize
472KB
MD5f3092d2e603cf154a7cebde8e5f07868
SHA1b164271ad70aecb4757f986e96d8a11bbc49da3e
SHA256068a7dd7731272b56a03d4431b3f49ff9d4c190127aab6c127b5d246d7c68edf
SHA512328944764b3d35bc3876f53626a85a85c3786541629b20a1e029f0500ea099c4c70de561119f692446f15b6946bbcf99babb1d93400de16d3a1a7aa20748644c
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
12.8MB
MD50110b5cf55b79aea38607e7be904a6ab
SHA160df987ad765c0c5621714545c6d673a9efc1b61
SHA2566d5ee7f054fa736f9be1c94c3175dc79fff09489eae502dc2e88d07e171c5a7e
SHA512c5eb358e58340134566d40ab9615803bc2982b0f7f046ad86806b33141a80fdd8cc665709d9496cde27738b8dab09408662ea38899a54bd8b7b999a0f856d9a7
-
\??\Volume{453a990c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{fa5f4e7f-9536-4a0b-8133-5ae42581a747}_OnDiskSnapshotPropFilesize
6KB
MD51a0dbf36052d4dab778411a0f05b5494
SHA1f5879c338a6854565dae061d90fdd05c23184353
SHA256bc2641a4eec845a37508429f15920800e0d0767ebc0a35998b7c7d32e92a54e7
SHA5120546efc1456413fcd42e347fc4af51299e3cd204b011aa75f825126615c31230d219c5589128b56dec1e11f11a4e3817f5738691dc9f429907b4d2f6344848d4