Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/05/2024, 14:02

Static task: static1

Behavioral task: behavioral1
  Sample: 35857d1db3f83fe2c0ee0a3502276e7352beaa242d9a31573e639bf175379c81.msi
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 35857d1db3f83fe2c0ee0a3502276e7352beaa242d9a31573e639bf175379c81.msi
  Resource: win10v2004-20240426-en

General

Target: 35857d1db3f83fe2c0ee0a3502276e7352beaa242d9a31573e639bf175379c81.msi
Size: 256KB
MD5: 96cc7a1ea5b7605f2d9d092de5daca2c
SHA1: 4be0d077730f5aa522ce3be9cb990a6f652d1385
SHA256: 35857d1db3f83fe2c0ee0a3502276e7352beaa242d9a31573e639bf175379c81
SHA512: db685089473c0a0e59964f4f8c7fea32f4f725864042136c56393b38828f3df8707683eceecdba4682da6d2b8f76724039cf75c4226d310d88013c662c8c81e2
SSDEEP: 3072:KEhM5rlsiqb4GeL8t6AqHH6NB4G3o5k8JCOCY2mf7AAYz+H3CMIjWtxyc:KEgqJ8GI8IHe3PO86QjWyc
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell with its display window hidden.
  pid   Process
  4792  powershell.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 46 IoCs are "File opened (read-only)" events by msiexec.exe. Each of the following 23 drive roots (every letter except C:, D: and F:) was opened twice:
  \??\A:  \??\B:  \??\E:  \??\G:  \??\H:  \??\I:  \??\J:  \??\K:  \??\L:  \??\M:  \??\N:  \??\O:
  \??\P:  \??\Q:  \??\R:  \??\S:  \??\T:  \??\U:  \??\V:  \??\W:  \??\X:  \??\Y:  \??\Z:
Drops file in Windows directory (8 IoCs)
  description                  ioc                                                                   Process
  File opened for modification C:\Windows\Installer\MSI56F9.tmp                                      msiexec.exe
  File opened for modification C:\Windows\Installer\MSI5749.tmp                                      msiexec.exe
  File created                 C:\Windows\Installer\e57564e.msi                                      msiexec.exe
  File opened for modification C:\Windows\Installer\e57564e.msi                                      msiexec.exe
  File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log              msiexec.exe
  File opened for modification C:\Windows\Installer\                                                 msiexec.exe
  File created                 C:\Windows\Installer\inprogressinstallinfo.ipi                        msiexec.exe
  File created                 C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} msiexec.exe
Executes dropped EXE (1 IoCs)
  pid   Process
  3780  MSI5749.tmp
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
All five IoCs are by vssvc.exe:
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value omitted]
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  2436  msiexec.exe
  2436  msiexec.exe
  4792  powershell.exe
  4792  powershell.exe
  4792  powershell.exe
Suspicious use of AdjustPrivilegeToken (56 IoCs)
Token privileges adjusted, grouped by process (duplicates kept as reported):
  1496 msiexec.exe (31): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  2436 msiexec.exe (13): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
  60 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  4792 powershell.exe (1): SeDebugPrivilege
  2968 srtasks.exe (8): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  1496  msiexec.exe
  1496  msiexec.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                     pid   Process      procid_target
  PID 2436 wrote to memory of 2968  2436  msiexec.exe  97
  PID 2436 wrote to memory of 2968  2436  msiexec.exe  97
  PID 2436 wrote to memory of 3780  2436  msiexec.exe  99
  PID 2436 wrote to memory of 3780  2436  msiexec.exe  99
  PID 2436 wrote to memory of 3780  2436  msiexec.exe  99
  PID 3780 wrote to memory of 4792  3780  MSI5749.tmp  100
  PID 3780 wrote to memory of 4792  3780  MSI5749.tmp  100
  PID 3780 wrote to memory of 4792  3780  MSI5749.tmp  100
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Process tree (indentation shows parent/child relationship):

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\35857d1db3f83fe2c0ee0a3502276e7352beaa242d9a31573e639bf175379c81.msi
  PID:1496
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID:2436
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID:2968
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Installer\MSI5749.tmp
      Command line: "C:\Windows\Installer\MSI5749.tmp" /s
      PID:3780
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Temp\ps5796.tmp.ps1"
          PID:4792
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID:60
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads