Analysis
- max time kernel: 142s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-05-2024 10:00
Behavioral task behavioral1
- Sample: 20b3f9f50049e2025cab5a3d230bcb9e72498c02ec3c8d4160092b1c8f308356.msi
- Resource: win7-20240508-en
Behavioral task behavioral2
- Sample: 20b3f9f50049e2025cab5a3d230bcb9e72498c02ec3c8d4160092b1c8f308356.msi
- Resource: win10v2004-20240508-en
General
- Target: 20b3f9f50049e2025cab5a3d230bcb9e72498c02ec3c8d4160092b1c8f308356.msi
- Size: 156KB
- MD5: 0372fb862dc13979b09b5505ca32e6e3
- SHA1: 25cfbfefb6d8dfaf42870bc970ae2c834da44a8c
- SHA256: 20b3f9f50049e2025cab5a3d230bcb9e72498c02ec3c8d4160092b1c8f308356
- SHA512: 8eecd57b5df14c261ca7f38c7428f03ade00e427274bce1c76c8eed255364a0310aae86cf978a3a2871deb76445b3eb02e45ae8bee461eb20eb9470b0c1003e9
- SSDEEP: 384:iHpe4ZvJXK7gzFM7Wu8wxukoXgZs+5BCq26yy3M5BCqPN:Zmxa7gBMyuZDCUyWMDC
Malware Config
Extracted
- family: metasploit
- config: metasploit_stager
- C2 (stager connect-back host:port): 1.14.247.162:40001
The stager only carries the address it connects back to; the second-stage payload is fetched from that endpoint at run time and is not contained in the MSI.
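The config above is what a config extractor recovers from the stager's code bytes. As an added example (not the sandbox's own extractor), the scan below finds the raw sockaddr_in that Metasploit's Windows reverse_tcp stagers embed: AF_INET (0x0002) little-endian, the port big-endian, then the four address bytes. The 16KB memory dump listed under Downloads is not on this page, so the input blob is constructed here; it mimics the x64 stager's `mov r14, imm64` load of the structure and includes a decoy `02 00 00 00` dword to show why the port filter is needed.

```python
"""Locate Metasploit-style sockaddr_in structures in a byte blob.

Added example. The blob below is constructed, not the sample's real memory dump.
"""
import ipaddress
import re
import struct

# Zero-width lookahead so overlapping candidates are all examined:
# AF_INET little-endian (02 00), 2-byte port, 4-byte IPv4 address.
SOCKADDR_RE = re.compile(rb"(?=\x02\x00(..)(....))", re.DOTALL)


def encode_sockaddr_in(ip: str, port: int) -> bytes:
    """Build the 8 bytes a reverse_tcp stager stores for its LHOST:LPORT."""
    return struct.pack("<H", 2) + struct.pack(">H", port) + ipaddress.IPv4Address(ip).packed


def find_stager_endpoints(blob: bytes, min_port: int = 1024) -> list[tuple[str, int, int]]:
    """Return (ip, port, offset) for every plausible sockaddr_in in blob.

    Stray "02 00" pairs are common in x86/x64 code, so candidates with a port
    below min_port or with an unusable address are discarded.
    """
    hits = []
    for m in SOCKADDR_RE.finditer(blob):
        (port,) = struct.unpack(">H", m.group(1))
        ip = ipaddress.IPv4Address(m.group(2))
        if port < min_port:
            continue
        if ip.is_unspecified or ip.is_loopback or ip.is_multicast or ip.is_reserved:
            continue
        hits.append((str(ip), port, m.start()))
    return hits


# Constructed stand-in for the stager's code bytes (assumption: layout of the
# x64 reverse_tcp stager, which loads the sockaddr_in with "mov r14, imm64").
SAMPLE_BLOB = (
    b"\xfc\x48\x83\xe4\xf0"                                  # cld; and rsp, -16
    + b"\x41\xba\x02\x00\x00\x00"                            # mov r10d, 2  (decoy: port would be 0)
    + b"\x49\xbe" + encode_sockaddr_in("1.14.247.162", 40001)  # mov r14, <sockaddr_in>
    + b"\x41\x56\x49\x89\xe6"                                # push r14; mov r14, rsp
)

if __name__ == "__main__":
    for ip, port, off in find_stager_endpoints(SAMPLE_BLOB):
        print(f"offset {off:#x}: {ip}:{port}")
```

On a real dump, run the same scan over the whole region and treat the survivors as candidates to confirm against network telemetry rather than as a final answer: the filter removes the obvious false positives but cannot distinguish a C2 address from any other sockaddr_in the code happens to contain.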
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe, msiexec.exe
  File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
  Each of the 23 roots was opened once by each of the two msiexec.exe instances (46 events); C:, D: and F: do not appear. Windows Installer probes every drive letter while costing an install, so this signature also fires on benign MSI packages and should not be weighted on its own.
- Drops file in Windows directory (8 IoCs)
  Processes: msiexec.exe
  File created C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSI8146.tmp (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSI8185.tmp (msiexec.exe)
  File created C:\Windows\Installer\e5780a9.msi (msiexec.exe)
  File opened for modification C:\Windows\Installer\e5780a9.msi (msiexec.exe)
  File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  File created C:\Windows\Installer\SourceHash{705771E1-8028-4A2A-A93E-7DA02AB734CD} (msiexec.exe)
  File opened for modification C:\Windows\Installer\ (msiexec.exe)
  MSI8185.tmp is the file later executed (see Executes dropped EXE); e5780a9.msi is the Installer service's cached copy of the package and the GUID in the SourceHash name is the package's ProductCode, which can be used to hunt for other installs of the same package.
- Executes dropped EXE (1 IoC)
  Processes: MSI8185.tmp (PID 4444)
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: vssvc.exe
  Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
  Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = <value elided> (vssvc.exe)
  All five events come from vssvc.exe, the Volume Shadow Copy service, writing its partition caches while the pre-install restore point is created; the sample's own code never touches these keys, so the anti-sandbox reading of this signature does not apply here.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: msiexec.exe (PID 2308, 2 events)
- Suspicious use of AdjustPrivilegeToken (57 IoCs)
  Processes: msiexec.exe, msiexec.exe, vssvc.exe, srtasks.exe
  msiexec.exe PID 4456 (31 events): SeShutdownPrivilege (x2), SeIncreaseQuotaPrivilege (x2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  msiexec.exe PID 2308 (15 events): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege (x7), SeTakeOwnershipPrivilege (x6)
  vssvc.exe PID 404 (3 events): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  srtasks.exe PID 764 (8 events): SeBackupPrivilege (x2), SeRestorePrivilege (x2), SeSecurityPrivilege (x2), SeTakeOwnershipPrivilege (x2)
  Every process in this list is a Windows component doing what an MSI install normally requires; the dropped executable (PID 4444) adjusts no privileges.
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: msiexec.exe (PID 4456, 2 events)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: msiexec.exe
  PID 2308 msiexec.exe wrote to memory of PID 764 srtasks.exe (2 events)
  PID 2308 msiexec.exe wrote to memory of PID 724 MsiExec.exe (3 events)
  PID 2308 msiexec.exe wrote to memory of PID 4444 MSI8185.tmp (2 events)
  Each target is a child that PID 2308 had just created (see the process tree below), so these are the parent's writes into new processes at start-up rather than injection into an unrelated process.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots. Here it is driven by srtasks.exe ExecuteScopeRestorePoint, the restore point Windows Installer requests before an install, which also explains the vssvc.exe activity and the shadow-copy files under Downloads.
Processes
PIDs are taken from the signature entries above; indentation gives the tree depth the original marked as 1 and 2.
- C:\Windows\system32\msiexec.exe (PID 4456)
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\20b3f9f50049e2025cab5a3d230bcb9e72498c02ec3c8d4160092b1c8f308356.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2308, the Windows Installer service instance)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 764)
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe (PID 724)
    C:\Windows\syswow64\MsiExec.exe -Embedding 080D15F2D5A9A07D209BE56A0B47E76E
  - C:\Windows\Installer\MSI8185.tmp (PID 4444)
    "C:\Windows\Installer\MSI8185.tmp"
    - Executes dropped EXE
- C:\Windows\system32\vssvc.exe (PID 404)
  C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
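The only line in the tree above that distinguishes this package from a benign install is the Installer service (msiexec.exe /V, PID 2308) executing a file it had just dropped as C:\Windows\Installer\MSI8185.tmp. The detection logic below is an added example, not part of the sandbox report: it replays that tree as Sysmon-style ProcessCreate records (field names follow Sysmon Event ID 1; the records themselves are constructed, and the parents of the two top-level msiexec.exe instances and of vssvc.exe are assumed, since the report does not show them) and flags children of the service instance that are not the helpers a normal install starts.

```python
"""Flag the Windows Installer service launching an executable it dropped.

Added example. The ProcessCreate records are constructed from the process tree
above; parent processes not shown in the report are assumptions.
"""
import re
from dataclasses import dataclass

# Where the Installer service extracts binary custom actions and embedded payloads.
DROPPED_TMP_RE = re.compile(r"^C:\\Windows\\Installer\\MSI[0-9A-F]{4}\.tmp$", re.IGNORECASE)

# Helpers the service instance legitimately spawns: the restore-point task and
# the custom-action server (MsiExec.exe -Embedding ...).
EXPECTED_CHILDREN = {"srtasks.exe", "msiexec.exe"}


@dataclass(frozen=True)
class ProcessCreate:
    """Subset of Sysmon Event ID 1 fields."""
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str
    parent_command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parent_is_installer_service(ev: ProcessCreate) -> bool:
    """The service instance is msiexec.exe started with /V; the per-user /I instance is not."""
    return (basename(ev.parent_image) == "msiexec.exe"
            and ev.parent_command_line.strip().lower().endswith(" /v"))


def triage_installer_children(events: list[ProcessCreate]) -> list[dict]:
    """Return one finding per suspicious child of the Installer service."""
    findings = []
    for ev in events:
        if not parent_is_installer_service(ev):
            continue
        if DROPPED_TMP_RE.match(ev.image):
            severity = "high"
            reason = "Installer service executed a file it dropped under C:\\Windows\\Installer"
        elif basename(ev.image) not in EXPECTED_CHILDREN:
            severity = "medium"
            reason = "unexpected child of the Installer service"
        else:
            continue
        findings.append({"pid": ev.pid, "image": ev.image, "parent_pid": ev.parent_pid,
                         "severity": severity, "reason": reason})
    return findings


MSI = r"C:\Users\Admin\AppData\Local\Temp\20b3f9f50049e2025cab5a3d230bcb9e72498c02ec3c8d4160092b1c8f308356.msi"
SVC = r"C:\Windows\system32\msiexec.exe"
SERVICES = r"C:\Windows\system32\services.exe"

# Constructed records mirroring the process tree; parent PIDs 1000/700 and the
# explorer.exe / services.exe parents are assumptions.
SAMPLE_EVENTS = [
    ProcessCreate(4456, SVC, f"msiexec.exe /I {MSI}", 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessCreate(2308, SVC, f"{SVC} /V", 700, SERVICES, "services.exe"),
    ProcessCreate(764, r"C:\Windows\system32\srtasks.exe",
                  r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2",
                  2308, SVC, f"{SVC} /V"),
    ProcessCreate(724, r"C:\Windows\syswow64\MsiExec.exe",
                  r"C:\Windows\syswow64\MsiExec.exe -Embedding 080D15F2D5A9A07D209BE56A0B47E76E",
                  2308, SVC, f"{SVC} /V"),
    ProcessCreate(4444, r"C:\Windows\Installer\MSI8185.tmp", r'"C:\Windows\Installer\MSI8185.tmp"',
                  2308, SVC, f"{SVC} /V"),
    ProcessCreate(404, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe",
                  700, SERVICES, "services.exe"),
]

if __name__ == "__main__":
    for finding in triage_installer_children(SAMPLE_EVENTS):
        print(finding)
```

Legitimate packages with binary custom actions also run MSIxxxx.tmp from this directory, so the high-severity hit is a triage lead, not a conviction on its own; the hash of the .tmp file (listed under Downloads) and any outbound connection it makes are what confirm it.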
Downloads
- C:\Windows\Installer\MSI8185.tmp (the dropped executable run as PID 4444)
  Filesize: 124KB
  MD5: 2dc392ce36491523764af744421ee210
  SHA1: 35fc5c27f6ca384810a059238f33044172cc14ce
  SHA256: 4132c01b4a1b027c4fe418d786c6a9db7ac8f1fe4b7c905e05db577a7c651778
  SHA512: 7061bb881eafc0e2f67ce30ecaa3ee31c17f69d57006c7a8a5daf1e383c61a8316fab3d75e33dda1d30949e6120a30f6b74847e85a8ae4bf001fd8b55054cc00
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2 (restore point artifact, not sample content)
  Filesize: 23.7MB
  MD5: 0a789b4fe9b1e58a19887514d80cd978
  SHA1: 464200bee17387c250e5af8de0bf763bd14793ed
  SHA256: de39c8d7f747273563e94b4cec0c3bf4a591a09635f26dd7833f3ff1c4b32a6b
  SHA512: 12e7a323fa9bf38990d6e1fe333efc51c528aef3ab60fc823e96649fb2ce5c9f464d173b8a8f86c5f4f9d6bd72f2905bcd137632f03ef310419b7a80e41b3a12
- \??\Volume{8a2a71c9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{71827f8f-0dab-4553-8aac-ab4bd96c65a1}_OnDiskSnapshotProp (restore point artifact, not sample content)
  Filesize: 6KB
  MD5: 4989b7231dfd57626bae6c3b5e90f1f2
  SHA1: c6d39e9295e09f6d69de1ba7b1f297ad1e9b7ee0
  SHA256: 0b5a5d15143113bd4f15a815a426bccac98a147fe74cb89d11d2c32c2913e8f1
  SHA512: 3fbe5b806889bd60e450c64b7e74215a1ab741dbb70cde62d154ceddd91a02bc0a78a1fdbea4264e170f5722ddda4f12545c36dda5ed3256cf2572d3e7e0fda6
- memory/4444-12-0x0000000140000000-0x0000000140004278-memory.dmp
  Filesize: 16KB
  Memory region of PID 4444 (MSI8185.tmp); 0x140000000 is the default image base for 64-bit PE files, so this dump covers the loaded image and is where the stager bytes, and the extracted 1.14.247.162:40001 endpoint, would be found.