ff37bfe914dd0d8b5c7e6553f4204b8a65d4a9f9f1909ff7a3cf121070d05a20

Analysis

max time kernel
1559s
max time network
1572s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows_exporter-Agent.msi
Size

10.1MB
MD5

7096892e6330a1630ac9c588aa01e3a2
SHA1

3adbaa05e9def1d97823615f2f47669bcb1d8395
SHA256

822166c33ce415436a287f4f5bf34c9737da5201cda3b6a31ffc5b2be5023679
SHA512

73462b1b03ee2b81eb421e13fc466224666db2c6312e4424cf6451001f2d94ea5006f71957ab1a5c9617a862bb44f27f919dffc370637345a5b17fe7f885e540
SSDEEP

196608:djo2fy0hWWpfeZdkW2ijrtlT95y0DalZEM/Jbr1ZOONCbLmUo2hWN:dES/UWQdz24R2JbrzOsamU+N

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File created C:\Program Files\windows_exporter\windows_exporter.exe msiexec.exe

description	ioc	process
File created	C:\Program Files\windows_exporter\windows_exporter.exe	msiexec.exe

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exeDrvInst.exeMsiExec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIFA7A.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76f23b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF42E.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f76f23b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF663.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\wix{EDD0CDE3-4519-4C1A-9FB4-C8C067615698}.SchedServiceConfig.rmi	MsiExec.exe
File created	C:\Windows\Installer\f76f23e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF5C6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFC4F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76f23c.ipi	msiexec.exe
File created	C:\Windows\Installer\f76f23c.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF46E.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

windows_exporter.exe

pid process

2660 windows_exporter.exe
Loads dropped DLL 7 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid process

1956 MsiExec.exe
1956 MsiExec.exe
1956 MsiExec.exe
1564 MsiExec.exe
1564 MsiExec.exe
460
460
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Processes:

msiexec.exe

pid process

2176 msiexec.exe

pid	process
2660	windows_exporter.exe

pid	process
1956	MsiExec.exe
1956	MsiExec.exe
1956	MsiExec.exe
1564	MsiExec.exe
1564	MsiExec.exe
460
460

pid	process
2176	msiexec.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exewindows_exporter.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	windows_exporter.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-421 = "Russian Daylight Time"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-432 = "Iran Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time"	windows_exporter.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe

Modifies registry class 22 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\PackageCode = "6FA1BA3026A692E4D854A8349C0710FE"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\SourceList\PackageName = "windows_exporter-Agent.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B5BE6A662CF141B43A26C5EE6C143380\3EDC0DDE9154A1C4F94B8C0C76166589	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3EDC0DDE9154A1C4F94B8C0C76166589	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3EDC0DDE9154A1C4F94B8C0C76166589\DefaultFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\ProductName = "windows_exporter"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\Version = "1310720"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B5BE6A662CF141B43A26C5EE6C143380	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\SourceList\Media\1 = ";"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

msiexec.exewindows_exporter.exe

pid process

2428 msiexec.exe
2428 msiexec.exe
2660 windows_exporter.exe

pid	process
2428	msiexec.exe
2428	msiexec.exe
2660	windows_exporter.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exe

description	pid	process
Token: SeShutdownPrivilege	2176	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2176	msiexec.exe
Token: SeRestorePrivilege	2428	msiexec.exe
Token: SeTakeOwnershipPrivilege	2428	msiexec.exe
Token: SeSecurityPrivilege	2428	msiexec.exe
Token: SeCreateTokenPrivilege	2176	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2176	msiexec.exe
Token: SeLockMemoryPrivilege	2176	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2176	msiexec.exe
Token: SeMachineAccountPrivilege	2176	msiexec.exe
Token: SeTcbPrivilege	2176	msiexec.exe
Token: SeSecurityPrivilege	2176	msiexec.exe
Token: SeTakeOwnershipPrivilege	2176	msiexec.exe
Token: SeLoadDriverPrivilege	2176	msiexec.exe
Token: SeSystemProfilePrivilege	2176	msiexec.exe
Token: SeSystemtimePrivilege	2176	msiexec.exe
Token: SeProfSingleProcessPrivilege	2176	msiexec.exe
Token: SeIncBasePriorityPrivilege	2176	msiexec.exe
Token: SeCreatePagefilePrivilege	2176	msiexec.exe
Token: SeCreatePermanentPrivilege	2176	msiexec.exe
Token: SeBackupPrivilege	2176	msiexec.exe
Token: SeRestorePrivilege	2176	msiexec.exe
Token: SeShutdownPrivilege	2176	msiexec.exe
Token: SeDebugPrivilege	2176	msiexec.exe
Token: SeAuditPrivilege	2176	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2176	msiexec.exe
Token: SeChangeNotifyPrivilege	2176	msiexec.exe
Token: SeRemoteShutdownPrivilege	2176	msiexec.exe
Token: SeUndockPrivilege	2176	msiexec.exe
Token: SeSyncAgentPrivilege	2176	msiexec.exe
Token: SeEnableDelegationPrivilege	2176	msiexec.exe
Token: SeManageVolumePrivilege	2176	msiexec.exe
Token: SeImpersonatePrivilege	2176	msiexec.exe
Token: SeCreateGlobalPrivilege	2176	msiexec.exe
Token: SeBackupPrivilege	3068	vssvc.exe
Token: SeRestorePrivilege	3068	vssvc.exe
Token: SeAuditPrivilege	3068	vssvc.exe
Token: SeBackupPrivilege	2428	msiexec.exe
Token: SeRestorePrivilege	2428	msiexec.exe
Token: SeRestorePrivilege	2516	DrvInst.exe
Token: SeRestorePrivilege	2516	DrvInst.exe
Token: SeRestorePrivilege	2516	DrvInst.exe
Token: SeRestorePrivilege	2516	DrvInst.exe
Token: SeRestorePrivilege	2516	DrvInst.exe
Token: SeRestorePrivilege	2516	DrvInst.exe
Token: SeRestorePrivilege	2516	DrvInst.exe
Token: SeLoadDriverPrivilege	2516	DrvInst.exe
Token: SeLoadDriverPrivilege	2516	DrvInst.exe
Token: SeLoadDriverPrivilege	2516	DrvInst.exe
Token: SeRestorePrivilege	2428	msiexec.exe
Token: SeTakeOwnershipPrivilege	2428	msiexec.exe
Token: SeRestorePrivilege	2428	msiexec.exe
Token: SeTakeOwnershipPrivilege	2428	msiexec.exe
Token: SeRestorePrivilege	2428	msiexec.exe
Token: SeTakeOwnershipPrivilege	2428	msiexec.exe
Token: SeRestorePrivilege	2428	msiexec.exe
Token: SeTakeOwnershipPrivilege	2428	msiexec.exe
Token: SeRestorePrivilege	2428	msiexec.exe
Token: SeTakeOwnershipPrivilege	2428	msiexec.exe
Token: SeRestorePrivilege	2428	msiexec.exe
Token: SeTakeOwnershipPrivilege	2428	msiexec.exe
Token: SeRestorePrivilege	2428	msiexec.exe
Token: SeTakeOwnershipPrivilege	2428	msiexec.exe
Token: SeRestorePrivilege	2428	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2176 msiexec.exe
2176 msiexec.exe

pid	process
2176	msiexec.exe
2176	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2428 wrote to memory of 1956	2428	msiexec.exe	MsiExec.exe
PID 2428 wrote to memory of 1956	2428	msiexec.exe	MsiExec.exe
PID 2428 wrote to memory of 1956	2428	msiexec.exe	MsiExec.exe
PID 2428 wrote to memory of 1956	2428	msiexec.exe	MsiExec.exe
PID 2428 wrote to memory of 1956	2428	msiexec.exe	MsiExec.exe
PID 2428 wrote to memory of 1956	2428	msiexec.exe	MsiExec.exe
PID 2428 wrote to memory of 1956	2428	msiexec.exe	MsiExec.exe
PID 2428 wrote to memory of 1564	2428	msiexec.exe	MsiExec.exe
PID 2428 wrote to memory of 1564	2428	msiexec.exe	MsiExec.exe
PID 2428 wrote to memory of 1564	2428	msiexec.exe	MsiExec.exe
PID 2428 wrote to memory of 1564	2428	msiexec.exe	MsiExec.exe
PID 2428 wrote to memory of 1564	2428	msiexec.exe	MsiExec.exe
PID 2428 wrote to memory of 1564	2428	msiexec.exe	MsiExec.exe
PID 2428 wrote to memory of 1564	2428	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\windows_exporter-Agent.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2176

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 56B2C14E6E63F31B545927A1DF4DC48E
  2⤵
  - Loads dropped DLL
  PID:1956
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B6AD1585F5717C555EE1B7229951B718 M Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  PID:1564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A8" "00000000000003A8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:828

C:\Program Files\windows_exporter\windows_exporter.exe
"C:\Program Files\windows_exporter\windows_exporter.exe" --log.format logger:eventlog?name=windows_exporter
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76f23d.rbs

Filesize
329KB

MD5
e918bafb08b9b364e71038d94af19024

SHA1
d6779406cf547b0f5059c49c5800ee1e1ed482be

SHA256
484ba580a0aef0a7ccb0fec7e38ffd1bb7d414c4c97384913901fbcfe302c0f0

SHA512
e8c4719ea929b7f72d7e88d7b3262c9ab6cc9bd11d027aec3bdd97c91f02d169fb25369094a2782de5fde7beb4c60557ded0b83166e919f2d35c61d14eb573ae

Download Submit
C:\Windows\Installer\MSIF663.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
C:\Windows\Installer\f76f23b.msi

Filesize
10.1MB

MD5
7096892e6330a1630ac9c588aa01e3a2

SHA1
3adbaa05e9def1d97823615f2f47669bcb1d8395

SHA256
822166c33ce415436a287f4f5bf34c9737da5201cda3b6a31ffc5b2be5023679

SHA512
73462b1b03ee2b81eb421e13fc466224666db2c6312e4424cf6451001f2d94ea5006f71957ab1a5c9617a862bb44f27f919dffc370637345a5b17fe7f885e540

Download Submit
\Program Files\windows_exporter\windows_exporter.exe

Filesize
19.5MB

MD5
8a41cd83c16f6e9d060036ffee985f88

SHA1
0f90cc3cc01f3b96c74314dc562675948f5c89b1

SHA256
e99bcd3b0b4cc65c7ac40e95eb8a43c0ffa769fcb6b733a9ebc6c9f9d4ff69eb

SHA512
6eadb6dc7e8c79e8df88100643d86780a14bdcfd3617adfd4959c118493e1bb92bbf15b0969c645bb9502e1ca4caec9c866be309a565f784ac6085ef9f9c6d19

Download Submit
\Windows\Installer\MSIF46E.tmp

Filesize
118KB

MD5
f2d47929b432a0be6db3b25ac5f50ae6

SHA1
dbbd61fb1379e1d94dc0384f0c2e908c9c632d42

SHA256
0eae25d188cd1589844050135065aa302e716a2b691dda27d6ed18140aedef4f

SHA512
97601fd72456409ad3dc7aa816e29e53f6e7be80368fcc95c5fee90ff03fc7f36f8b105a705eea0e1af3d612b86c7793e74371d436ffa866d399c386078be58d

Download Submit