Analysis
-
max time kernel
136s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system -
submitted
04/07/2024, 08:30
Static task
static1
Behavioral task
behavioral1
Sample
Install.msi
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
Install.msi
Resource
win10v2004-20240611-en
General
-
Target
Install.msi
-
Size
69.9MB
-
MD5
b51388e010257246e9205c9b2397b6c4
-
SHA1
241e60ed5f9eeee2433d5cf8bb36373dece27600
-
SHA256
e2cad949f6cc9e2c9cea1a67fafa8dfabdf00269266edc5470dc52f3d1732d88
-
SHA512
4eba416f75e823979b2d5afdf1e1ebb476531fe86e337e164494715289492678d4789dc977c60396eab958c9c28e4dcf0a0cb4aa7567e06b356a1582d70866d4
-
SSDEEP
1572864:pG+zyyai+KWz0seQNc9PUOY3jOqtX4TZsgi9ywU9aY2aFe4+S96rbsyGVBLp:5bJWzzcMOqtElwEaY2UB+S94O
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: msiexec.exe
Each of the 23 letters above appears twice in the report (46 IoCs), consistent with the two msiexec.exe instances (PIDs 2696 and 2816) that carry this signature in the process tree; C:, D: and F: are never opened. Windows Installer enumerates volumes during costing, so a read-only open of every drive root by msiexec.exe is expected installer behaviour and, on its own, is not evidence of discovery by the packaged payload. -
Drops file in Windows directory 7 IoCs
description ioc Process
- File opened for modification C:\Windows\Installer\MSI7E3B.tmp msiexec.exe
- File created C:\Windows\Installer\e577ca2.msi msiexec.exe
- File opened for modification C:\Windows\Installer\e577ca2.msi msiexec.exe
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
- File opened for modification C:\Windows\Installer\MSI7D0F.tmp msiexec.exe
- File opened for modification C:\Windows\Installer\MSI7D9D.tmp msiexec.exe
- File opened for modification C:\Windows\Installer\MSI7DFC.tmp msiexec.exe
The C:\Windows\Installer\MSI*.tmp files are where the installer service extracts custom-action binaries before loading them, e577ca2.msi is the service's cached copy of the package, and the write to ngen.log suggests a .NET Framework native-image (ngen) step run from the package. -
Loads dropped DLL 4 IoCs
pid Process
- 4820 MsiExec.exe (4 loads)
PID 4820 is the 32-bit custom action server (C:\Windows\syswow64\MsiExec.exe -Embedding) that the installer service spawned, so the dropped DLLs it loads are the package's custom actions: the part of this MSI worth extracting and reversing first. -
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
pid Process 2696 msiexec.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments. In this run all five IoCs belong to vssvc.exe (PID 3140), the Volume Shadow Copy service updating its partition-table and snapshot caches while the restore point is taken; none come from msiexec.exe or the package, so this signature is not the sample fingerprinting the sandbox.
description ioc Process
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
- Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000004dd597242da055490000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800004dd59724000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809004dd59724000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d4dd59724000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004dd5972400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
- Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Suspicious use of AdjustPrivilegeToken 55 IoCs
description pid Process (privileges grouped by PID; repeats shown as counts)
- 2696 msiexec.exe (31): SeShutdownPrivilege (2), SeIncreaseQuotaPrivilege (2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- 2816 msiexec.exe (13): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege (6), SeTakeOwnershipPrivilege (5)
- 3140 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 4736 srtasks.exe (8): SeBackupPrivilege (2), SeRestorePrivilege (2), SeSecurityPrivilege (2), SeTakeOwnershipPrivilege (2)
The client instance (2696) requests a broad set that includes SeDebugPrivilege and SeTcbPrivilege; the service instance (2816), vssvc.exe and srtasks.exe only enable the backup, restore, security and take-ownership privileges needed to write the installer cache and take a restore point. -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
- 2696 msiexec.exe (2) -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target
- PID 2816 msiexec.exe wrote to memory of 4736 (srtasks.exe), 2 IoCs, procid_target 97
- PID 2816 msiexec.exe wrote to memory of 4820 (MsiExec.exe -Embedding), 3 IoCs, procid_target 99
Both targets are children the installer service launched itself (see the process tree), the usual pattern of a parent writing into a process it has just created, not injection into an unrelated process. -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. No IoC is listed for this signature; the related activity in the process tree is srtasks.exe ExecuteScopeRestorePoint (PID 4736, launched by the msiexec.exe service) together with vssvc.exe (PID 3140), which is the system restore point Windows Installer takes before applying a package.
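To turn the signature lists above into something a triager can act on, the following is an added Python helper written for this page (it is not the sandbox's own code). It parses lines in the report's "description ioc Process" layout and answers the questions a reviewer asks of an MSI run: which drive letters were probed and which were skipped, which dropped files sit outside the C:\Windows\Installer cache, which parent/child pairs the WriteProcessMemory IoCs actually describe, and which privileges each PID enabled. Its inputs are constructed copies of the IoCs listed above (the AdjustPrivilegeToken sample is a subset); it assumes the column order shown in the report and the PID values from the process tree.

```python
"""Triage helper for sandbox signature IoC lines.

Added example (not part of the sandbox's own tooling): parses lines in the
format the report above uses and separates the ordinary Windows Installer
footprint from what is worth a second look. Input lines are constructed from
the report; the regexes assume the "description ioc Process" column order.
"""
import re
from collections import defaultdict
from string import ascii_uppercase

# Constructed from the 46 "Enumerates connected drives" IoCs, in report order.
DRIVE_LINES = [f"File opened (read-only) \\??\\{c}: msiexec.exe"
               for c in "MQSIRVUGSWBHLNAJLZAQXHTEOBKPWKENRVXJPTGIOYMUYZ"]

# Constructed from the "Drops file in Windows directory" IoCs.
DROP_LINES = r"""
File opened for modification C:\Windows\Installer\MSI7E3B.tmp msiexec.exe
File created C:\Windows\Installer\e577ca2.msi msiexec.exe
File opened for modification C:\Windows\Installer\e577ca2.msi msiexec.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File opened for modification C:\Windows\Installer\MSI7D0F.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI7D9D.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI7DFC.tmp msiexec.exe
""".strip().splitlines()

# Constructed from the "Suspicious use of WriteProcessMemory" IoCs.
WPM_LINES = """
PID 2816 wrote to memory of 4736 2816 msiexec.exe 97
PID 2816 wrote to memory of 4736 2816 msiexec.exe 97
PID 2816 wrote to memory of 4820 2816 msiexec.exe 99
PID 2816 wrote to memory of 4820 2816 msiexec.exe 99
PID 2816 wrote to memory of 4820 2816 msiexec.exe 99
""".strip().splitlines()

# Constructed subset of the "Suspicious use of AdjustPrivilegeToken" IoCs.
TOKEN_LINES = """
Token: SeShutdownPrivilege 2696 msiexec.exe
Token: SeDebugPrivilege 2696 msiexec.exe
Token: SeTcbPrivilege 2696 msiexec.exe
Token: SeRestorePrivilege 2816 msiexec.exe
Token: SeTakeOwnershipPrivilege 2816 msiexec.exe
Token: SeBackupPrivilege 3140 vssvc.exe
Token: SeRestorePrivilege 3140 vssvc.exe
Token: SeAuditPrivilege 3140 vssvc.exe
Token: SeBackupPrivilege 4736 srtasks.exe
""".strip().splitlines()

DRIVE_RE = re.compile(r"\\\?\?\\([A-Z]):")
DROP_RE = re.compile(r"^(File created|File opened for modification) (\S+) (\S+)$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")
TOKEN_RE = re.compile(r"^Token: (Se\w+) (\d+) (\S+)$")
INSTALLER_CACHE = "c:\\windows\\installer\\"  # the service's package/custom-action cache


def probed_drives(lines):
    """Return ({letter: open count}, [letters never opened])."""
    counts = defaultdict(int)
    for line in lines:
        m = DRIVE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    missing = [c for c in ascii_uppercase if c not in counts]
    return dict(sorted(counts.items())), missing


def classify_drops(lines):
    """Split dropped-file paths into the Windows Installer cache and everything else."""
    cache, other = [], []
    for line in lines:
        m = DROP_RE.match(line)
        if not m:
            continue
        path = m.group(2)
        (cache if path.lower().startswith(INSTALLER_CACHE) else other).append(path)
    return cache, other


def injection_edges(lines):
    """Map writer PID -> set of target PIDs, collapsing repeated IoCs."""
    edges = defaultdict(set)
    for line in lines:
        m = WPM_RE.match(line)
        if m:
            edges[int(m.group(1))].add(int(m.group(2)))
    return dict(edges)


def privileges_by_pid(lines):
    """Map PID -> (image name, set of privileges the process enabled)."""
    out = {}
    for line in lines:
        m = TOKEN_RE.match(line)
        if not m:
            continue
        priv, pid, image = m.group(1), int(m.group(2)), m.group(3)
        out.setdefault(pid, (image, set()))[1].add(priv)
    return out


if __name__ == "__main__":
    counts, missing = probed_drives(DRIVE_LINES)
    print(f"{len(counts)} drive letters probed; never opened: {missing}")
    cache, other = classify_drops(DROP_LINES)
    print(f"{len(cache)} writes inside the installer cache; outside it: {other}")
    print("WriteProcessMemory parent -> children:", injection_edges(WPM_LINES))
    for pid, (image, privs) in privileges_by_pid(TOKEN_LINES).items():
        print(pid, image, sorted(privs))
```

Run against the report's own lines this shows 23 letters each opened twice with C:, D: and F: untouched, a single write outside the installer cache (ngen.log), and a WriteProcessMemory graph that is just the service (2816) reaching into the two children it spawned. Swap in the full IoC export from another run to see where a genuinely hostile package departs from that baseline.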
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Install.msi
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2696
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
  Children of PID 2816:
  - C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
    PID:4736
  - C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding 94CD0AEED978106D3C78159CC612599B
    - Loads dropped DLL
    PID:4820
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3140
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 719KB
MD5 89f70b588a48793450dd603b6cd4096f
SHA1 9b6509c031856c715d62853c4e93efbdf48d5aeb
SHA256 066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281
SHA512 fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a
-
Filesize 23.7MB
MD5 a9a92f5f5da9fe2e66c77b0dbfacda7f
SHA1 96d228b61353f3675c5378c0e02a71146cbe205b
SHA256 e402b54cd96c7cd0901fd244343a993fb88bc2c37add6992354da35e4a82aac4
SHA512 7aac820414058cf5d547af40d04266250fdbd73761977e8d659504b26cc89d3cbfb0a3b19f7298377d44abf2ff820823f994f8599fc592871ec2a2a33f7781fc
-
\??\Volume{2497d54d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{61fa7db6-b131-4539-a4a4-debee06e50ef}_OnDiskSnapshotProp
Filesize 6KB
MD5 92d7af3bde7aca082587a461cb9d56c2
SHA1 668c92f4fc19e99cc9d3a3c5eee4751383d61307
SHA256 f76612cef7108015ba8c19f21a99dff4a0b89c669c1eab3f3956169d8299f55f
SHA512 5f66caa96f057d756ea80ceef5d0d279b2aedf3ba8f6f9964737963806833f5c039c9cbe76561cb7db0919d490bfe594b319f12ad9cda96419ad4339a8306996