6feaf0b5d0a265687c41284286c03b9160833880b77eda231513b3d36b2ab73d

Analysis

max time kernel
122s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Visual-C++/vcredist2005_x86.exe
Size

2.6MB
MD5

ce2922f83fb4b170affce0ea448b107b
SHA1

b8fab0bb7f62a24ddfe77b19cd9a1451abd7b847
SHA256

4ee4da0fe62d5fa1b5e80c6e6d88a4a2f8b3b140c35da51053d0d7b72a381d29
SHA512

e94b077e054bd8992374d359f3adc4d1d78d42118d878556715d77182f7d03635850b2b2f06c012ccb7c410e2b3c124cf6508473efe150d3c51a51857ce1c6b0
SSDEEP

49152:rqGRIgg2SirwkF9xdtb43lyGKCafpKkiwnaDahmPzpY4FPyaza:rxxLFfY/KCCpKk9aWMzZyau

Score

7^/10

persistence privilege_escalation

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

1636 MsiExec.exe

pid	process
1636	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vcredist2005_x86.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	vcredist2005_x86.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File created C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll	msiexec.exe

Drops file in Windows directory 57 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\WinSxS\InstallTemp\20240619122522735.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522735.0\mfc80FRA.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522828.0\8.0.50727.6195.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240619122522813.2	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522625.0\msvcr80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522672.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522672.0\mfc80u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522813.1\8.0.50727.6195.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522594.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_a4c618fa.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240619122522828.1	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522625.0\msvcm80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522735.0\mfc80KOR.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240619122522594.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240619122522735.0	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI44E5.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522672.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522735.0\mfc80DEU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522625.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240619122522797.0	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522797.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_452bf920.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522797.0\vcomp.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522828.1\8.0.50727.6195.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522735.0\mfc80ITA.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522797.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_452bf920.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240619122522625.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240619122522813.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522672.0\mfcm80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522672.0\mfc80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522735.0\mfc80CHS.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522735.0\mfc80ESP.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522625.0\msvcp80.dll	msiexec.exe
File created	C:\Windows\Installer\e583b33.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F85.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522594.0\ATL80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522625.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86.manifest	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522813.1\8.0.50727.6195.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522828.0\8.0.50727.6195.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522735.0\mfc80ENU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522813.2\8.0.50727.6195.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240619122522813.1	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522813.0\8.0.50727.6195.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240619122522672.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240619122522828.0	msiexec.exe
File opened for modification	C:\Windows\Installer\e583b2f.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522594.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_a4c618fa.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522735.0\mfc80CHT.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522813.0\8.0.50727.6195.policy	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522735.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522813.2\8.0.50727.6195.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522828.1\8.0.50727.6195.policy	msiexec.exe
File created	C:\Windows\Installer\e583b2f.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522672.0\mfcm80u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240619122522735.0\mfc80JPN.dll	msiexec.exe

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Processes:

msiexec.exe

pid process

1584 msiexec.exe

pid	process
1584	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b7d72a8ac39dc2e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b7d72a8a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b7d72a8a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db7d72a8a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b7d72a8a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe

Modifies registry class 45 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 67006700610044004c004d004e002c00540040003f004400350062002e0057004b0075003d005d00560043005f005200650064006900730074003e005f006a0030002c0059005d007300210053006f00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 67006700610044004c004d004e002c00540040003f004400350062002e0057004b0075003d005d00560043005f005200650064006900730074003e006900450024005b004d00310025002e0064002700650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\Clients = 3a0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 67006700610044004c004d004e002c00540040003f004400350062002e0057004b0075003d005d00560043005f005200650064006900730074003e003d0024006b00600049004e005d00490038004300650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 67006700610044004c004d004e002c00540040003f004400350062002e0057004b0075003d005d00560043005f005200650064006900730074003e00370030002d0054002400210028002a0026004e00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\c1c4f01781cc94c4c8fb1542c0981a2a\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 67006700610044004c004d004e002c00540040003f004400350062002e0057004b0075003d005d00560043005f005200650064006900730074003e00700052005e007000580049006000510075006f00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 67006700610044004c004d004e002c00540040003f004400350062002e0057004b0075003d005d00560043005f005200650064006900730074003e0035006f00300068002c0070004d0076004e003d00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244\c1c4f01781cc94c4c8fb1542c0981a2a	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 67006700610044004c004d004e002c00540040003f004400350062002e0057004b0075003d005d00560043005f005200650064006900730074003e0061005a004f002c0048002a004b00320060004500650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\c1c4f01781cc94c4c8fb1542c0981a2a	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 67006700610044004c004d004e002c00540040003f004400350062002e0057004b0075003d005d00560043005f005200650064006900730074003e0036006b007d00700048004c004800240053004400650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\Language = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFC,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 67006700610044004c004d004e002c00540040003f004400350062002e0057004b0075003d005d00560043005f005200650064006900730074003e0021004d00210026005a005a006300300025006e00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\c1c4f01781cc94c4c8fb1542c0981a2a\VC_Redist	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\PackageName = "vcredist.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\ProductName = "Microsoft Visual C++ 2005 Redistributable"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\Version = "134278729"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 67006700610044004c004d004e002c00540040003f004400350062002e0057004b0075003d005d00560043005f005200650064006900730074003e006600720038005f006c0028006d0032004e004400650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\PackageCode = "84067013B7B56744BA0F51892982BC09"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2760 msiexec.exe
2760 msiexec.exe

pid	process
2760	msiexec.exe
2760	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	1584	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1584	msiexec.exe
Token: SeSecurityPrivilege	2760	msiexec.exe
Token: SeCreateTokenPrivilege	1584	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1584	msiexec.exe
Token: SeLockMemoryPrivilege	1584	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1584	msiexec.exe
Token: SeMachineAccountPrivilege	1584	msiexec.exe
Token: SeTcbPrivilege	1584	msiexec.exe
Token: SeSecurityPrivilege	1584	msiexec.exe
Token: SeTakeOwnershipPrivilege	1584	msiexec.exe
Token: SeLoadDriverPrivilege	1584	msiexec.exe
Token: SeSystemProfilePrivilege	1584	msiexec.exe
Token: SeSystemtimePrivilege	1584	msiexec.exe
Token: SeProfSingleProcessPrivilege	1584	msiexec.exe
Token: SeIncBasePriorityPrivilege	1584	msiexec.exe
Token: SeCreatePagefilePrivilege	1584	msiexec.exe
Token: SeCreatePermanentPrivilege	1584	msiexec.exe
Token: SeBackupPrivilege	1584	msiexec.exe
Token: SeRestorePrivilege	1584	msiexec.exe
Token: SeShutdownPrivilege	1584	msiexec.exe
Token: SeDebugPrivilege	1584	msiexec.exe
Token: SeAuditPrivilege	1584	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1584	msiexec.exe
Token: SeChangeNotifyPrivilege	1584	msiexec.exe
Token: SeRemoteShutdownPrivilege	1584	msiexec.exe
Token: SeUndockPrivilege	1584	msiexec.exe
Token: SeSyncAgentPrivilege	1584	msiexec.exe
Token: SeEnableDelegationPrivilege	1584	msiexec.exe
Token: SeManageVolumePrivilege	1584	msiexec.exe
Token: SeImpersonatePrivilege	1584	msiexec.exe
Token: SeCreateGlobalPrivilege	1584	msiexec.exe
Token: SeBackupPrivilege	1736	vssvc.exe
Token: SeRestorePrivilege	1736	vssvc.exe
Token: SeAuditPrivilege	1736	vssvc.exe
Token: SeBackupPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1584 msiexec.exe
1584 msiexec.exe

pid	process
1584	msiexec.exe
1584	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

vcredist2005_x86.exemsiexec.exe

description	pid	process	target process
PID 2736 wrote to memory of 1584	2736	vcredist2005_x86.exe	msiexec.exe
PID 2736 wrote to memory of 1584	2736	vcredist2005_x86.exe	msiexec.exe
PID 2736 wrote to memory of 1584	2736	vcredist2005_x86.exe	msiexec.exe
PID 2760 wrote to memory of 3644	2760	msiexec.exe	srtasks.exe
PID 2760 wrote to memory of 3644	2760	msiexec.exe	srtasks.exe
PID 2760 wrote to memory of 1636	2760	msiexec.exe	MsiExec.exe
PID 2760 wrote to memory of 1636	2760	msiexec.exe	MsiExec.exe
PID 2760 wrote to memory of 1636	2760	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Visual-C++\vcredist2005_x86.exe
"C:\Users\Admin\AppData\Local\Temp\Visual-C++\vcredist2005_x86.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\msiexec.exe
msiexec /i vcredist.msi
2⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=1336 /prefetch:8
1⤵
PID:1312

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:3644

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 10E107E16844B06C83622CBC032A10F4
2⤵
- Loads dropped DLL
PID:1636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e583b32.rbs

Filesize
73KB

MD5
a4dff0b05a516b7bdf17f8eee5b1a3cc

SHA1
32f0b19cebc29bb0eac4f55553b0c18c97c862ed

SHA256
6dee579a4c04ec968e095bb7565515408f86259dd2a3681a42ce3384d20a331c

SHA512
279d501492c840d41de2c412e95b0ac87dcda30aeee9f9b7ec40a9cd744ae9332c4b30ffe670ea3dbf6dbff1694ae66f1897518f5bd8316df648b0ff757591ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredis1.cab

Filesize
247KB

MD5
cc064d4b81619991de8131a86ad77681

SHA1
88d80d86cc20c27d7d2a872af719300bd2bb73f9

SHA256
913ee5a1cae3e5a1872b3a5efaaa00c58e4beb692492b138f76967da671b0477

SHA512
5aff0eb26cfc187bf58721b2b6d73357d9f1e66d1ac5340ad9ddc08b40ad0eda27a144cb3b650604637a7476c282ded83ed890de98a73ccaf0cc021da3a9eb25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist.msi

Filesize
2.6MB

MD5
b20bbeb818222b657df49a9cfe4fed79

SHA1
3f6508e880b86502773a3275bc9527f046d45502

SHA256
91bdd063f6c53126737791c9eccf0b2f4cf44927831527245bc89a0be06c0cb4

SHA512
f534bc7bf1597e728940e6c3b77f864adfaa413bb1e080458326b692b0f96bddf4fbd294eeed36d7764a3578e6c8e919488bbf63b8fe2d4355ab3efd685424a4

Download Submit
C:\Windows\Installer\MSI3F85.tmp

Filesize
28KB

MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
64e058b9e96cea74a9d4aab4b0e53b7c

SHA1
5308fec26562ebe7034c3df85039b66c780b256f

SHA256
600278ff7b585a59c88aec8d046de03fa06adad91b8edb1dc253c83b7c3306ec

SHA512
aa88947b8a2603134bbad9a955ca9fa5eb8d88761b17e97b0bf6eaca82fdae9e68b885a975781122bad5effd004c0bb9c9f3dae3a248ae237f2bc4b46823189a

Download Submit
\??\Volume{8a2ad7b7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9a9d77f8-5fae-4b74-b239-b0ae3a0ab320}_OnDiskSnapshotProp

Filesize
6KB

MD5
174d669bb1fd8a5a559051aa4f5143b5

SHA1
c599db72d6607574268d515f7b7d3eeeeffb24d3

SHA256
3e37e0d198cffdaf20fed0baf44f356ede58a549dfe476df05a27287850e994b

SHA512
96fa95aac94117ad5645abd7e18d6f16a97370323a2fcbf8d3e457e540df9623129f295280738b61174873c138b00fc3581d1c5fddbb0baaf0a34b9029c52ebb

Download Submit