Analysis
max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted
30-05-2024 04:34
Behavioral task
behavioral1
Sample
reverse_tcp.msi
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
reverse_tcp.msi
Resource
win10v2004-20240508-en
General
Target
reverse_tcp.msi
Size
156KB
MD5
0372fb862dc13979b09b5505ca32e6e3
SHA1
25cfbfefb6d8dfaf42870bc970ae2c834da44a8c
SHA256
20b3f9f50049e2025cab5a3d230bcb9e72498c02ec3c8d4160092b1c8f308356
SHA512
8eecd57b5df14c261ca7f38c7428f03ade00e427274bce1c76c8eed255364a0310aae86cf978a3a2871deb76445b3eb02e45ae8bee461eb20eb9470b0c1003e9
SSDEEP
384:iHpe4ZvJXK7gzFM7Wu8wxukoXgZs+5BCq26yy3M5BCqPN:Zmxa7gBMyuZDCUyWMDC
Malware Config
Extracted
metasploit
metasploit_stager
1.14.247.162:40001
Signatures
- MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description | ioc | process
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
- Drops file in Windows directory (8 IoCs)
Processes: msiexec.exe
description | ioc | process
File created | C:\Windows\Installer\SourceHash{705771E1-8028-4A2A-A93E-7DA02AB734CD} | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI88C7.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8907.tmp | msiexec.exe
File created | C:\Windows\Installer\e5787cd.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e5787cd.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
- Executes dropped EXE (1 IoC)
Processes: MSI8907.tmp
pid | process
3632 | MSI8907.tmp
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: msiexec.exe
pid | process
3936 | msiexec.exe
3936 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (57 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe, srtasks.exe
description | pid | process
Token: SeShutdownPrivilege | 1484 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1484 | msiexec.exe
Token: SeSecurityPrivilege | 3936 | msiexec.exe
Token: SeCreateTokenPrivilege | 1484 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 1484 | msiexec.exe
Token: SeLockMemoryPrivilege | 1484 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1484 | msiexec.exe
Token: SeMachineAccountPrivilege | 1484 | msiexec.exe
Token: SeTcbPrivilege | 1484 | msiexec.exe
Token: SeSecurityPrivilege | 1484 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1484 | msiexec.exe
Token: SeLoadDriverPrivilege | 1484 | msiexec.exe
Token: SeSystemProfilePrivilege | 1484 | msiexec.exe
Token: SeSystemtimePrivilege | 1484 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 1484 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 1484 | msiexec.exe
Token: SeCreatePagefilePrivilege | 1484 | msiexec.exe
Token: SeCreatePermanentPrivilege | 1484 | msiexec.exe
Token: SeBackupPrivilege | 1484 | msiexec.exe
Token: SeRestorePrivilege | 1484 | msiexec.exe
Token: SeShutdownPrivilege | 1484 | msiexec.exe
Token: SeDebugPrivilege | 1484 | msiexec.exe
Token: SeAuditPrivilege | 1484 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 1484 | msiexec.exe
Token: SeChangeNotifyPrivilege | 1484 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 1484 | msiexec.exe
Token: SeUndockPrivilege | 1484 | msiexec.exe
Token: SeSyncAgentPrivilege | 1484 | msiexec.exe
Token: SeEnableDelegationPrivilege | 1484 | msiexec.exe
Token: SeManageVolumePrivilege | 1484 | msiexec.exe
Token: SeImpersonatePrivilege | 1484 | msiexec.exe
Token: SeCreateGlobalPrivilege | 1484 | msiexec.exe
Token: SeBackupPrivilege | 4740 | vssvc.exe
Token: SeRestorePrivilege | 4740 | vssvc.exe
Token: SeAuditPrivilege | 4740 | vssvc.exe
Token: SeBackupPrivilege | 3936 | msiexec.exe
Token: SeRestorePrivilege | 3936 | msiexec.exe
Token: SeRestorePrivilege | 3936 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3936 | msiexec.exe
Token: SeRestorePrivilege | 3936 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3936 | msiexec.exe
Token: SeRestorePrivilege | 3936 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3936 | msiexec.exe
Token: SeRestorePrivilege | 3936 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3936 | msiexec.exe
Token: SeRestorePrivilege | 3936 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3936 | msiexec.exe
Token: SeRestorePrivilege | 3936 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3936 | msiexec.exe
Token: SeBackupPrivilege | 1164 | srtasks.exe
Token: SeRestorePrivilege | 1164 | srtasks.exe
Token: SeSecurityPrivilege | 1164 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 1164 | srtasks.exe
Token: SeBackupPrivilege | 1164 | srtasks.exe
Token: SeRestorePrivilege | 1164 | srtasks.exe
Token: SeSecurityPrivilege | 1164 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 1164 | srtasks.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
pid | process
1484 | msiexec.exe
1484 | msiexec.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
Processes: msiexec.exe
description | pid | process | target process
PID 3936 wrote to memory of 1164 | 3936 | msiexec.exe | srtasks.exe
PID 3936 wrote to memory of 1164 | 3936 | msiexec.exe | srtasks.exe
PID 3936 wrote to memory of 676 | 3936 | msiexec.exe | MsiExec.exe
PID 3936 wrote to memory of 676 | 3936 | msiexec.exe | MsiExec.exe
PID 3936 wrote to memory of 676 | 3936 | msiexec.exe | MsiExec.exe
PID 3936 wrote to memory of 3632 | 3936 | msiexec.exe | MSI8907.tmp
PID 3936 wrote to memory of 3632 | 3936 | msiexec.exe | MSI8907.tmp
- Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\reverse_tcp.msi
  PID: 1484
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3936
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 1164
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8B56ED9BD5E5D9C851FCEE732DD266D3
    PID: 676
  - C:\Windows\Installer\MSI8907.tmp
    Command line: "C:\Windows\Installer\MSI8907.tmp"
    PID: 3632
    - Executes dropped EXE
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4740
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\Installer\MSI8907.tmp
  Filesize
  124KB
  MD5
  2dc392ce36491523764af744421ee210
  SHA1
  35fc5c27f6ca384810a059238f33044172cc14ce
  SHA256
  4132c01b4a1b027c4fe418d786c6a9db7ac8f1fe4b7c905e05db577a7c651778
  SHA512
  7061bb881eafc0e2f67ce30ecaa3ee31c17f69d57006c7a8a5daf1e383c61a8316fab3d75e33dda1d30949e6120a30f6b74847e85a8ae4bf001fd8b55054cc00
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize
  23.7MB
  MD5
  70231927785fbdc31278b209ab78fa6f
  SHA1
  0823f9f1d13ed778310b9b112f35311a0a416131
  SHA256
  170cf04a9ae74195c89a71fe78d10af438fe11f9e40e6a625ddda1ca95e6bbd4
  SHA512
  5bf85b648335bed1c7a9be2b87a0c2cd60e0712cb5464dad4511816e8a754f9b917a8dc20cb36b304ae979378e53f748681c2d58b520f66732abf340b468b693
- \??\Volume{5110105b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5443e4bb-5daa-4a30-9fd1-c722b64beb93}_OnDiskSnapshotProp
  Filesize
  6KB
  MD5
  0b90e7996504dd14ef475e529ce56a71
  SHA1
  19bfb57ab598be8f05d0ab9c9cf1f39c49d5d02c
  SHA256
  16ba25bcc882a6723380ef4b9fed50dbb5187e5049dcc9e64d67f05d2497adc6
  SHA512
  7c4cce995d60e7034afdd9746f24a8125a0cdbe716dd805e0543cd276982e334ca47b515185de339d23f9b3a38524b547f3819d50d7f6acb8fd1218f804bc4b8
- memory/3632-12-0x0000000140000000-0x0000000140004278-memory.dmp
  Filesize
  16KB