7a23a713910c3c369b1e7cb85472709bbbe27227b5e3033ce5f2f83f8f571f0b

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MTK Setup Yan Sanayi 2023/MTKSetup.msi
Size

1006KB
MD5

cd159904e090b9335fd8d172e0c05e2c
SHA1

0bd03e10d9a2b9bbac01564443298995a6b54157
SHA256

36dc8011068857dee3ffbd9322bca6901623ffe7d49fa5b2d70d116fcb895e69
SHA512

b0e95fef2cdeecccde5ee90b5fa8c4a043cc543960f76e85b36c9cf5b0a7a08c2a3e9bcf6948512c6353ca1a56a85f62385e779b55b2db170a3aa68377c0e991
SSDEEP

12288:QEU5jYZDqa8S3de8uY6/yPMcBs2QfNANp7xJ9xQ5IooggnV0hcNpZlFTVkSdzNFB:QEt3dpBs2Qfu77xVGMbn6hiZPVk8DvD

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5902a6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5902a6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4EA.tmp	msiexec.exe
File created	C:\Windows\Fonts\pdf417_0.ttf	msiexec.exe
File created	C:\Windows\Fonts\code128.ttf	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI313.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI42D.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8D4FF92D-A975-4ED4-B1E5-E6EF3D18F4BA}	msiexec.exe
File created	C:\Windows\Installer\e5902a8.msi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
1584	MTK.exe

Loads dropped DLL 4 IoCs

pid	Process
1744	MsiExec.exe
1744	MsiExec.exe
2900	MsiExec.exe
2900	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000043e29724379355490000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000043e297240000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090043e29724000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d43e29724000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000043e2972400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2368	msiexec.exe
2368	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4164	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4164	msiexec.exe
Token: SeSecurityPrivilege	2368	msiexec.exe
Token: SeCreateTokenPrivilege	4164	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4164	msiexec.exe
Token: SeLockMemoryPrivilege	4164	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4164	msiexec.exe
Token: SeMachineAccountPrivilege	4164	msiexec.exe
Token: SeTcbPrivilege	4164	msiexec.exe
Token: SeSecurityPrivilege	4164	msiexec.exe
Token: SeTakeOwnershipPrivilege	4164	msiexec.exe
Token: SeLoadDriverPrivilege	4164	msiexec.exe
Token: SeSystemProfilePrivilege	4164	msiexec.exe
Token: SeSystemtimePrivilege	4164	msiexec.exe
Token: SeProfSingleProcessPrivilege	4164	msiexec.exe
Token: SeIncBasePriorityPrivilege	4164	msiexec.exe
Token: SeCreatePagefilePrivilege	4164	msiexec.exe
Token: SeCreatePermanentPrivilege	4164	msiexec.exe
Token: SeBackupPrivilege	4164	msiexec.exe
Token: SeRestorePrivilege	4164	msiexec.exe
Token: SeShutdownPrivilege	4164	msiexec.exe
Token: SeDebugPrivilege	4164	msiexec.exe
Token: SeAuditPrivilege	4164	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4164	msiexec.exe
Token: SeChangeNotifyPrivilege	4164	msiexec.exe
Token: SeRemoteShutdownPrivilege	4164	msiexec.exe
Token: SeUndockPrivilege	4164	msiexec.exe
Token: SeSyncAgentPrivilege	4164	msiexec.exe
Token: SeEnableDelegationPrivilege	4164	msiexec.exe
Token: SeManageVolumePrivilege	4164	msiexec.exe
Token: SeImpersonatePrivilege	4164	msiexec.exe
Token: SeCreateGlobalPrivilege	4164	msiexec.exe
Token: SeCreateTokenPrivilege	4164	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4164	msiexec.exe
Token: SeLockMemoryPrivilege	4164	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4164	msiexec.exe
Token: SeMachineAccountPrivilege	4164	msiexec.exe
Token: SeTcbPrivilege	4164	msiexec.exe
Token: SeSecurityPrivilege	4164	msiexec.exe
Token: SeTakeOwnershipPrivilege	4164	msiexec.exe
Token: SeLoadDriverPrivilege	4164	msiexec.exe
Token: SeSystemProfilePrivilege	4164	msiexec.exe
Token: SeSystemtimePrivilege	4164	msiexec.exe
Token: SeProfSingleProcessPrivilege	4164	msiexec.exe
Token: SeIncBasePriorityPrivilege	4164	msiexec.exe
Token: SeCreatePagefilePrivilege	4164	msiexec.exe
Token: SeCreatePermanentPrivilege	4164	msiexec.exe
Token: SeBackupPrivilege	4164	msiexec.exe
Token: SeRestorePrivilege	4164	msiexec.exe
Token: SeShutdownPrivilege	4164	msiexec.exe
Token: SeDebugPrivilege	4164	msiexec.exe
Token: SeAuditPrivilege	4164	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4164	msiexec.exe
Token: SeChangeNotifyPrivilege	4164	msiexec.exe
Token: SeRemoteShutdownPrivilege	4164	msiexec.exe
Token: SeUndockPrivilege	4164	msiexec.exe
Token: SeSyncAgentPrivilege	4164	msiexec.exe
Token: SeEnableDelegationPrivilege	4164	msiexec.exe
Token: SeManageVolumePrivilege	4164	msiexec.exe
Token: SeImpersonatePrivilege	4164	msiexec.exe
Token: SeCreateGlobalPrivilege	4164	msiexec.exe
Token: SeCreateTokenPrivilege	4164	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4164	msiexec.exe
Token: SeLockMemoryPrivilege	4164	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4164	msiexec.exe
4164	msiexec.exe
4164	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1744	2368	msiexec.exe	84
PID 2368 wrote to memory of 1744	2368	msiexec.exe	84
PID 2368 wrote to memory of 1744	2368	msiexec.exe	84
PID 2368 wrote to memory of 3868	2368	msiexec.exe	95
PID 2368 wrote to memory of 3868	2368	msiexec.exe	95
PID 2368 wrote to memory of 2900	2368	msiexec.exe	97
PID 2368 wrote to memory of 2900	2368	msiexec.exe	97
PID 2368 wrote to memory of 2900	2368	msiexec.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\MTK Setup Yan Sanayi 2023\MTKSetup.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4164

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 178D35CCF4B8C74AE45204011BF4929D C
  2⤵
  - Loads dropped DLL
  PID:1744
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3868
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 314B301AEA5555920754950188476C98
  2⤵
  - Loads dropped DLL
  PID:2900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4080

C:\Arcelik\MTKSetup\MTK.exe
"C:\Arcelik\MTKSetup\MTK.exe"
1⤵
- Executes dropped EXE
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Arcelik\MTKSetup\MTK.exe

Filesize
682KB

MD5
c7fd0f9c43da9d12ffd8b80b43e9b450

SHA1
dd11b5fa33a99bcca081fb6fd673aebcfd419dfb

SHA256
433f14bbe3d1e782f4256b9758dd935cc2505e0b77cfb7cbbaeca686f17834cb

SHA512
9d51e726df1970f57ede4a8ebdd4bc9316b60bfc4446d575c710533f0f58755177bb5954d5e7b09a78dc486e536d967d08249684e1cf8acac55e27652b9b2482

Download Submit
C:\Arcelik\MTKSetup\MalBarV3.mdb

Filesize
1.0MB

MD5
30a491b9dedaaa77785de6e1f2406b30

SHA1
0ffde5f1531c916147ef75ef4454d7bb3e463167

SHA256
394982e4bec75556ebdb05e93c9ec1188762a0afc8d02957eb26e226c40b5851

SHA512
b52e4b78922dff751ae7855c8b52de22498816ed456ff325d15e9d1c2beba92c01b8200b48dc1277084f018eda4b7dd29749c200445a1d460ad2137c139ccd66

Download Submit
C:\Config.Msi\e5902a7.rbs

Filesize
10KB

MD5
82e2b23288d08eaa55b0134b5d8c8f6d

SHA1
4d54aa8d888098a61256d3dd001a65d8b75dcb90

SHA256
c129a58779aed208b1d308382146db5095c00e8b7657cfdd4bba371534c0cfbc

SHA512
1deb8ddbff83d9026f07793a8bfa4db95bb125d8b81d6b4c6656e8b46d37f9c37c65b5406d69bb31950b6c269d37f3bd068187a629c544722da704c28199ae78

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI607F.tmp

Filesize
325KB

MD5
f048cf239cc583f8433634acf23cae55

SHA1
7d3a296a05267855cc637c5bf95fe687b7a765a2

SHA256
4d6efad25f62f4c34998385819e46569869b09de4d8b3f1e22dc9e8f032ed3bb

SHA512
a021d559150338ef823b8749d95ac262ec13d9c9ed80d2d0d67e0d7690ae61713219a5edf88d83832ad673f0d7a1d306b49af4f07020c98bac2cfb006bcf0c53

Download Submit
C:\WINDOWS\FONTS\CODE128.TTF

Filesize
7KB

MD5
f0d4d97f61210c7dc1de2fe571361500

SHA1
686c849654ef7087d8ccbbe02b9ca66c8b5b0239

SHA256
98812eacc3cc6d08903ec7e7f4d6a57f69416f4fab16b858c5bb21b5c9800ed8

SHA512
56f38497ae429acb72df3c91ffb249b2e45d02a3abe4564bb2851f3eb2c38e950308a5f50c4c93500a3f82d4c3302988885553c1eb35df3cd01e6f6607bc0700

Download Submit
C:\WINDOWS\FONTS\PDF417_0.TTF

Filesize
2KB

MD5
d56b3c76b3f093568e06f5c535e2f14f

SHA1
2c1d6575a1c2068cd6fb49ddf560a25effec85da

SHA256
e1eb26f197658a3f04ebde4a7e9cb4050d3cde438e40518f1cb9c8ea5f712868

SHA512
1938f3b6b8f1ca52e211d25df8e3c1670cd4aa5f8701f3491ae4d298a4cdf65ffb01c3571858fc4dd33e61158ea1eccc6d0895a5861b4351b460c078307188d2

Download Submit
C:\Windows\Installer\e5902a6.msi

Filesize
1006KB

MD5
cd159904e090b9335fd8d172e0c05e2c

SHA1
0bd03e10d9a2b9bbac01564443298995a6b54157

SHA256
36dc8011068857dee3ffbd9322bca6901623ffe7d49fa5b2d70d116fcb895e69

SHA512
b0e95fef2cdeecccde5ee90b5fa8c4a043cc543960f76e85b36c9cf5b0a7a08c2a3e9bcf6948512c6353ca1a56a85f62385e779b55b2db170a3aa68377c0e991

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
7fb1eac7c4e0fb24a82995b980e75b7a

SHA1
011d996716b5546a1508a58896841c3040430371

SHA256
f6dc4752d95e2e723499919411be31f5f9448f4d40fd7ecfe055f1244fce3cd3

SHA512
aa7ba7f8def2aa5ffa459f7a979bd7634f253294f55050ac0b4fb6cb0389d9113caee09b613f278aed8e58081414cfbbcaa73ef0974375e3dcda566cea5646af

Download Submit
\??\Volume{2497e243-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f51c8bf0-75e9-4fff-ac8f-d5537edaa7c7}_OnDiskSnapshotProp

Filesize
6KB

MD5
142fa080ed1305ab3e1fdf715da11236

SHA1
aab35d12d0993967fee483c70e3cc3e6613f5d17

SHA256
faa6f557ff0727c52f4f6c9e68c0cb9d6e084111f412f2a00ba5274ceef4878d

SHA512
17f8ffd4b5c90ebaf1bb72aff692676bb6073b8661eea18831a852f0f311d34db7881994b612287acc520b32eab68b704067c15eb4f0b12f83398cb0668f7246

Download Submit