Analysis
- max time kernel: 143s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-05-2024 04:34
Behavioral tasks
- behavioral1: sample reverse_tcp_uuid.msi, resource win7-20240220-en
- behavioral2: sample reverse_tcp_uuid.msi, resource win10v2004-20240426-en
General
- Target: reverse_tcp_uuid.msi
- Size: 156KB
- MD5: ea86d9f4827f1b24baf14d0a62111c81
- SHA1: dfbe48a8b76917ff03cf74d0519dda2c1ab76dfb
- SHA256: 1b678899247d6239f5c03b9f017b6808524d3a5e9320e31f78a355017323db48
- SHA512: ab86da16e79c4d000ec736528f7e58e5973f2ff9654c1bcb0ba9ef7ef1d14ce3134f5d0f31a5803da93a6676c0c3f35dee0559fe66dda60f16e0098e56ca0d10
- SSDEEP: 384:iHpe4ZvJXK7gzFM7WuMOxceoXgZs+5BCq26yy3M5BCqPN:Zmxa7gBMyuvDCUyWMDC
Malware Config
Extracted
- metasploit / metasploit_stager: 1.14.247.162:40001
Signatures
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Enumerates connected drives (3 TTPs, 46 IoCs): Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Windows directory (8 IoCs). Process: msiexec.exe
  - File created: C:\Windows\Installer\e5793b4.msi
  - File opened for modification: C:\Windows\Installer\e5793b4.msi
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  - File created: C:\Windows\Installer\SourceHash{705771E1-8028-4A2A-A93E-7DA02AB734CD}
  - File opened for modification: C:\Windows\Installer\
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi
  - File opened for modification: C:\Windows\Installer\MSI948F.tmp
  - File opened for modification: C:\Windows\Installer\MSI94BF.tmp
- Executes dropped EXE (1 IoC): MSI94BF.tmp, PID 2220
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs): SCSI information is often read in order to detect sandboxing environments.
- Suspicious behavior: EnumeratesProcesses (2 IoCs): msiexec.exe, PID 4540
- Suspicious use of AdjustPrivilegeToken (57 IoCs). Processes: msiexec.exe, vssvc.exe, srtasks.exe
- Suspicious use of FindShellTrayWindow (2 IoCs): msiexec.exe, PID 3972
- Suspicious use of WriteProcessMemory (7 IoCs). Process: msiexec.exe
  - PID 4540 msiexec.exe wrote to memory of 1936 srtasks.exe
  - PID 4540 msiexec.exe wrote to memory of 1936 srtasks.exe
  - PID 4540 msiexec.exe wrote to memory of 2220 MSI94BF.tmp
  - PID 4540 msiexec.exe wrote to memory of 2220 MSI94BF.tmp
  - PID 4540 msiexec.exe wrote to memory of 3296 MsiExec.exe
  - PID 4540 msiexec.exe wrote to memory of 3296 MsiExec.exe
  - PID 4540 msiexec.exe wrote to memory of 3296 MsiExec.exe
- Uses Volume Shadow Copy service COM API: The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 3972), command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\reverse_tcp_uuid.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4540), command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\srtasks.exe (PID 1936), command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\Installer\MSI94BF.tmp (PID 2220), command line: "C:\Windows\Installer\MSI94BF.tmp"
    - Executes dropped EXE
  - Child: C:\Windows\syswow64\MsiExec.exe (PID 3296), command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2EA01EBC43F48F7CB2DA08CFEB6B1DD3
- C:\Windows\system32\vssvc.exe (PID 5056), command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\Installer\MSI94BF.tmp
  - Filesize: 124KB
  - MD5: 32bca63e32bfa7abf23e77edd30478d6
  - SHA1: 57beba1d54428d559fd3ed8d258a691990cd0245
  - SHA256: c6b4471618c370d9216fc3632dc258ad460471e2385ded2f2929133e9b1e67ab
  - SHA512: 3a0f987a78316728da4ee30ea307919a2b73c9b85c0cbe24e179f4c6bb6255d89fc056f1d3f9f56bd6ff6ad40e22521fc581f08630a8759bed9cc3892c81b553
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  - Filesize: 23.7MB
  - MD5: 2df9707a09d91b6b64e0d68a8c0f25b5
  - SHA1: c2159e49013da398ceaf44d2f8c58b7a43825f76
  - SHA256: cb5a67e6e2097df0b7d2500d9024960e448846b3a141f4af5bb30a8eaf4f28fb
  - SHA512: 2bace93a116e96df546a4a06df3c9edc5f6948261c68fc1f420dc18a5070be96b248ce92d9bf15d516bf8923577b9c78366e0eb2a93dcb7b1976d11760991739
- \??\Volume{b97e3c07-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{13c69b2e-ab28-42be-8ba8-6ab293908ebe}_OnDiskSnapshotProp
  - Filesize: 6KB
  - MD5: 0df33975e3eb22f2dbaf95d70e0784de
  - SHA1: 7f90e892adbae73bc48d62c1ef7e0b33b11f3e70
  - SHA256: 602d5ad4925735a45f61efeb0bbe071094d07db1efd504a3955a403197682cbe
  - SHA512: c17222c556cbf8f216318c7d1d6819ee27be4c44323526f098a18e658aa1217e8ac4d68ad3616f545596c9788120ce8446373788f33702fd309054a25ed03fb8
- memory/2220-12-0x0000000140000000-0x00000001400042A0-memory.dmp
  - Filesize: 16KB