12edeb67e34dfcb6d9883d4019b184a0248e03ec73150221892094c5d48e065a

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 04:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bind_tcp_uuid.msi
Size

156KB
MD5

57d92f174aa5d1749dd20a5634e7ae0d
SHA1

02f6dba6c879fbf0cb814ad99f42336e230b6bd5
SHA256

12edeb67e34dfcb6d9883d4019b184a0248e03ec73150221892094c5d48e065a
SHA512

072591b275ce50fe519bb52ec4332ed3d63c043e2fff54c91fcf21f5593c71ccb9049eeef6cd01c535cad585e244d2ccd495f5b99e7e519ef64bcc8389c320a9
SSDEEP

384:iHpe4ZvJXK7gzFM7Wu8nGSt5oXgZs+5BCq26yy3M5BCqPN:Zmxa7gBMyuEDCUyWMDC

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{705771E1-8028-4A2A-A93E-7DA02AB734CD}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6DEC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6E0D.tmp	msiexec.exe
File created	C:\Windows\Installer\e576d31.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e576d31.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
4852	MSI6E0D.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000081a0e6b9f9d406b40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000081a0e6b90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090081a0e6b9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d81a0e6b9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000081a0e6b900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4120	msiexec.exe
4120	msiexec.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1620	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1620	msiexec.exe
Token: SeSecurityPrivilege	4120	msiexec.exe
Token: SeCreateTokenPrivilege	1620	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1620	msiexec.exe
Token: SeLockMemoryPrivilege	1620	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1620	msiexec.exe
Token: SeMachineAccountPrivilege	1620	msiexec.exe
Token: SeTcbPrivilege	1620	msiexec.exe
Token: SeSecurityPrivilege	1620	msiexec.exe
Token: SeTakeOwnershipPrivilege	1620	msiexec.exe
Token: SeLoadDriverPrivilege	1620	msiexec.exe
Token: SeSystemProfilePrivilege	1620	msiexec.exe
Token: SeSystemtimePrivilege	1620	msiexec.exe
Token: SeProfSingleProcessPrivilege	1620	msiexec.exe
Token: SeIncBasePriorityPrivilege	1620	msiexec.exe
Token: SeCreatePagefilePrivilege	1620	msiexec.exe
Token: SeCreatePermanentPrivilege	1620	msiexec.exe
Token: SeBackupPrivilege	1620	msiexec.exe
Token: SeRestorePrivilege	1620	msiexec.exe
Token: SeShutdownPrivilege	1620	msiexec.exe
Token: SeDebugPrivilege	1620	msiexec.exe
Token: SeAuditPrivilege	1620	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1620	msiexec.exe
Token: SeChangeNotifyPrivilege	1620	msiexec.exe
Token: SeRemoteShutdownPrivilege	1620	msiexec.exe
Token: SeUndockPrivilege	1620	msiexec.exe
Token: SeSyncAgentPrivilege	1620	msiexec.exe
Token: SeEnableDelegationPrivilege	1620	msiexec.exe
Token: SeManageVolumePrivilege	1620	msiexec.exe
Token: SeImpersonatePrivilege	1620	msiexec.exe
Token: SeCreateGlobalPrivilege	1620	msiexec.exe
Token: SeBackupPrivilege	5108	vssvc.exe
Token: SeRestorePrivilege	5108	vssvc.exe
Token: SeAuditPrivilege	5108	vssvc.exe
Token: SeBackupPrivilege	4120	msiexec.exe
Token: SeRestorePrivilege	4120	msiexec.exe
Token: SeRestorePrivilege	4120	msiexec.exe
Token: SeTakeOwnershipPrivilege	4120	msiexec.exe
Token: SeRestorePrivilege	4120	msiexec.exe
Token: SeTakeOwnershipPrivilege	4120	msiexec.exe
Token: SeRestorePrivilege	4120	msiexec.exe
Token: SeTakeOwnershipPrivilege	4120	msiexec.exe
Token: SeRestorePrivilege	4120	msiexec.exe
Token: SeTakeOwnershipPrivilege	4120	msiexec.exe
Token: SeRestorePrivilege	4120	msiexec.exe
Token: SeTakeOwnershipPrivilege	4120	msiexec.exe
Token: SeRestorePrivilege	4120	msiexec.exe
Token: SeTakeOwnershipPrivilege	4120	msiexec.exe
Token: SeBackupPrivilege	3340	srtasks.exe
Token: SeRestorePrivilege	3340	srtasks.exe
Token: SeSecurityPrivilege	3340	srtasks.exe
Token: SeTakeOwnershipPrivilege	3340	srtasks.exe
Token: SeBackupPrivilege	3340	srtasks.exe
Token: SeRestorePrivilege	3340	srtasks.exe
Token: SeSecurityPrivilege	3340	srtasks.exe
Token: SeTakeOwnershipPrivilege	3340	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1620	msiexec.exe
1620	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 3340	4120	msiexec.exe	96
PID 4120 wrote to memory of 3340	4120	msiexec.exe	96
PID 4120 wrote to memory of 4672	4120	msiexec.exe	98
PID 4120 wrote to memory of 4672	4120	msiexec.exe	98
PID 4120 wrote to memory of 4672	4120	msiexec.exe	98
PID 4120 wrote to memory of 4852	4120	msiexec.exe	99
PID 4120 wrote to memory of 4852	4120	msiexec.exe	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\bind_tcp_uuid.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1620

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3340
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BAD6DCB59ED0F952EFEA70344D383B5E
  2⤵
  PID:4672
- C:\Windows\Installer\MSI6E0D.tmp
  "C:\Windows\Installer\MSI6E0D.tmp"
  2⤵
  - Executes dropped EXE
  PID:4852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI6E0D.tmp

Filesize
124KB

MD5
33a3f72678e5b3d38986290ec0ff4caf

SHA1
6519df44932c7396f52041b003541e9d8a09959e

SHA256
f2867dc738920b89de225e1136b14bcdab65cc54ff4c8fa755a00cc54f6de041

SHA512
a3a058c72380f83625199d819fcd993dc7a5b59e9614fce19f4afecea481bcb7f387e9c929bc1eb4fd42ed03e36cb7087f6766ce8daf3a377043449aec36b24b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
5189cd81be550b7dce9d94043c014624

SHA1
d82daf0bf17522c871f3885cfea102e066bbe299

SHA256
f0b86319dc1f176aa8589e2e4db2e6c4e7594076ebf4652e1b30324532536df1

SHA512
6ac8d9720296156eeb9581865a784488893a39fddb000bbc8775f8e84708224054f280de7cb4b3570ba09babb28a28d7b21f9d34d32bc459916d8d277856cee1

Download Submit
\??\Volume{b9e6a081-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{765c6ca0-e224-4a3c-b1e9-8388a563afb8}_OnDiskSnapshotProp

Filesize
6KB

MD5
f41efd7a91c4e51531c028fc0c0308c7

SHA1
228ad53d7db2463f179154fc5e2e8e288c4b68bf

SHA256
1de0c5870260739bb14637f04bb07c7cf5bb272cd4fc9b7b03156fb1beba3627

SHA512
e76b3468f0c2e39c9e9e4db7ea2b7c5a79c1ae15690c8fbc0a3b3d74fd958f631c51e1aaea7a490a1807dedff8b70bf0d7290e7aaf509c8cb37e49869db01995

Download Submit
memory/4852-12-0x0000000140000000-0x0000000140004298-memory.dmp

Filesize
16KB

Download