Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 31s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 25/07/2024, 18:10
- Static task: static1
- Behavioral task: behavioral1
- Sample: Setup (1).msi
- Resource: win7-20240705-en
General
- Target: Setup (1).msi
- Size: 4.4MB
- MD5: c4de73561e5d359aee3e8626434f95c7
- SHA1: 1020b4a315ddc4dfd4132315a98b0a15212068ed
- SHA256: 036a82bb69b5354a85df9eac8c66a44ae82294a1aea105e2e51da1a4a87cdb84
- SHA512: 25f6186f44f19bbf7dbca2df6c29753ee80281080d7e032faeae9d2d60cbcd3bf1268dd8fb4bd882bc18ee8b7ef61446a68fc290f1dbab900c4df9e869372c61
- SSDEEP: 98304:eVHYDgBzP/in0iuWhi+l4OLGIHi6h9iM:+ZzPqn0iZiuHfiM
Malware Config
Signatures
Blocklisted process makes network request (4 IoCs)
flow | pid | Process
3 | 2564 | msiexec.exe
5 | 2564 | msiexec.exe
6 | 2556 | MsiExec.exe
7 | 2648 | msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
Drops file in System32 directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\World Wide Solutions\World Wide Web\WorldWideWeb.exe | msiexec.exe
File opened for modification | C:\Program Files (x86)\World Wide Solutions\World Wide Web\WorldWideWeb.ini | msiexec.exe
Drops file in Windows directory (14 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSIC59D.tmp | msiexec.exe
File created | C:\Windows\Installer\f76c2c4.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSICBBA.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSIC4F1.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC689.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC7C3.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\f76c2c4.ipi | msiexec.exe
File created | C:\Windows\Installer\f76c2c3.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f76c2c3.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC679.tmp | msiexec.exe
Loads dropped DLL (13 IoCs)
pid | Process
2556 | MsiExec.exe (x8)
2604 | MsiExec.exe (x4)
2876 | MsiExec.exe
Command and Scripting Interpreter: PowerShell
pid | Process
2280 | powershell.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Modifies data under HKEY_USERS (46 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Suspicious behavior: EnumeratesProcesses (29 IoCs)
pid | Process
1404 | taskmgr.exe (x8)
2648 | msiexec.exe (x2)
1404 | taskmgr.exe
2280 | powershell.exe
1404 | taskmgr.exe (x17)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1404 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2564 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2564 | msiexec.exe
Token: SeRestorePrivilege | 2648 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2648 | msiexec.exe
Token: SeSecurityPrivilege | 2648 | msiexec.exe
Token: SeCreateTokenPrivilege | 2564 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2564 | msiexec.exe
Token: SeLockMemoryPrivilege | 2564 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2564 | msiexec.exe
Token: SeMachineAccountPrivilege | 2564 | msiexec.exe
Token: SeTcbPrivilege | 2564 | msiexec.exe
Token: SeSecurityPrivilege | 2564 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2564 | msiexec.exe
Token: SeLoadDriverPrivilege | 2564 | msiexec.exe
Token: SeSystemProfilePrivilege | 2564 | msiexec.exe
Token: SeSystemtimePrivilege | 2564 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2564 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2564 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2564 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2564 | msiexec.exe
Token: SeBackupPrivilege | 2564 | msiexec.exe
Token: SeRestorePrivilege | 2564 | msiexec.exe
Token: SeShutdownPrivilege | 2564 | msiexec.exe
Token: SeDebugPrivilege | 2564 | msiexec.exe
Token: SeAuditPrivilege | 2564 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2564 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2564 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2564 | msiexec.exe
Token: SeUndockPrivilege | 2564 | msiexec.exe
Token: SeSyncAgentPrivilege | 2564 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2564 | msiexec.exe
Token: SeManageVolumePrivilege | 2564 | msiexec.exe
Token: SeImpersonatePrivilege | 2564 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2564 | msiexec.exe
Token: SeCreateTokenPrivilege | 2564 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2564 | msiexec.exe
Token: SeLockMemoryPrivilege | 2564 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2564 | msiexec.exe
Token: SeMachineAccountPrivilege | 2564 | msiexec.exe
Token: SeTcbPrivilege | 2564 | msiexec.exe
Token: SeSecurityPrivilege | 2564 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2564 | msiexec.exe
Token: SeLoadDriverPrivilege | 2564 | msiexec.exe
Token: SeSystemProfilePrivilege | 2564 | msiexec.exe
Token: SeSystemtimePrivilege | 2564 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2564 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2564 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2564 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2564 | msiexec.exe
Token: SeBackupPrivilege | 2564 | msiexec.exe
Token: SeRestorePrivilege | 2564 | msiexec.exe
Token: SeShutdownPrivilege | 2564 | msiexec.exe
Token: SeDebugPrivilege | 2564 | msiexec.exe
Token: SeAuditPrivilege | 2564 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2564 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2564 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2564 | msiexec.exe
Token: SeUndockPrivilege | 2564 | msiexec.exe
Token: SeSyncAgentPrivilege | 2564 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2564 | msiexec.exe
Token: SeManageVolumePrivilege | 2564 | msiexec.exe
Token: SeImpersonatePrivilege | 2564 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2564 | msiexec.exe
Token: SeCreateTokenPrivilege | 2564 | msiexec.exe
Suspicious use of FindShellTrayWindow (40 IoCs)
pid | Process
2564 | msiexec.exe
1404 | taskmgr.exe (x22)
2564 | msiexec.exe
1404 | taskmgr.exe (x16)
Suspicious use of SendNotifyMessage (38 IoCs)
pid | Process
1404 | taskmgr.exe (x38)
Suspicious use of WriteProcessMemory (25 IoCs)
description | pid | Process | procid_target
PID 2648 wrote to memory of 2556 | 2648 | msiexec.exe | 29 (x7)
PID 2648 wrote to memory of 2604 | 2648 | msiexec.exe | 34 (x7)
PID 2604 wrote to memory of 2280 | 2604 | MsiExec.exe | 35 (x4)
PID 2648 wrote to memory of 2876 | 2648 | msiexec.exe | 37 (x7)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows the parent/child tree)
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Setup (1).msi"
  PID: 2564
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2648
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F853E1273F121B5EDC4927DCAA0081C9 C
    PID: 2556
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding D03CDBF32618348E99ADA85F298905AB
    PID: 2604
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssC94B.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiC938.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrC939.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrC93A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
      PID: 2280
      - Drops file in System32 directory
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B1D76A176EBA4724659D9EB2549929D9 M Global\MSI0000
    PID: 2876
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1132
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1404
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A8" "00000000000005DC"
  PID: 2904
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 218KB
  MD5: 56d5c8f5ea26007d246dd3cb1eb87d33
  SHA1: 70e4163c93d2fdf8c26582be8068341d88e1a8b4
  SHA256: fa129e6b633fa6ac7e649dfea8de37fe5346ad4391d0c11d2b121732f128405c
  SHA512: 14fd699f993bf6ccbf75e7929446f23a6c9f914bd9c51ad9633ca1e83ac29dd023a4be0637b085245504d137abd98f74b33dca723e424bed911a4c5104bb688a
- Filesize: 1KB
  MD5: e94fb54871208c00df70f708ac47085b
  SHA1: 4efc31460c619ecae59c1bce2c008036d94c84b8
  SHA256: 7b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df86
  SHA512: 2e15b76e16264abb9f5ef417752a1cbb75f29c11f96ac7d73793172bd0864db65f2d2b7be0f16bbbe686068f0c368815525f1e39db5a0d6ca3ab18be6923b898
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: c73827ff165e7fe5ac2b4f2cf98fa089
  SHA1: d84b33e315ecb3da2f7ba841418ba176a530926e
  SHA256: 59baecae4491667695941e1277e29ec4af6ec681ab2f2515a3a6767126c8d5ac
  SHA512: 4158c6d64db2148e6fbc69af1c0126c5e0fb292b794841d3c76af996d3e1ea25704f08b5f3a1e4a3b70da095349edbdf10b792fbb49787b6e7b54afe99217628
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 4371797ca5a034610cc07df3c5cfc02c
  SHA1: 4d311360256a6bff13f5c88b64fb532da856bc00
  SHA256: 3410b306be7a8f266bbeb04876ea5f9aea9535422b57bda0505f91be9f1e405a
  SHA512: 764c0f0df5f8d13636ee68e5a5b9edc3b9d97c7161d09cb1203a84b19b65e1ec9390b589785c7556b194963ddd2f4300be031f89e078f36835e460a014456c3c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560
  Filesize: 264B
  MD5: 70d141f4c7308462714c809831d9c550
  SHA1: 3bb5bdacdced586dd6fa228b256aa8fa1e9fb0fd
  SHA256: 690d177750552989f9463660713fd7c32918d87fe26cca215eb667b90c013275
  SHA512: 5e5b69e552ae722e01eef5b17a3f68f3e470fcabec305abc8a0a3b4a1afdef54af190800b91d2afb5b9b302f3045928211a3578581ce540b2b761ce3069e67c8
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 819KB
  MD5: 3604517a3e6e69ba339239cf82fc94a5
  SHA1: c4757e31f9c8a90ee5de233792da71c8915050c5
  SHA256: bdd1d14c9cb54b19f6a7f37adbc7537ce8fd2f6fa59a74a4a90b08c7979708d2
  SHA512: c22ffc410886fae221dfee6ab469e44694f87cecce14d505a059f5fe01c1b4e1ad93c15b78c7623e821a37737491e89c627ddae5d03c407a877835ab6d611619
- Filesize: 1.1MB
  MD5: cc048c7aadc4adf3a29d429f1f5eead0
  SHA1: 6b4d89df901427fe955be2d58ad91a6de30be9d6
  SHA256: d23c6ac751423ff6961694437e67d7b608102bd351e3e0cd10d34d026a1a08ca
  SHA512: 0e67c0a4db70e19ead49f6c0fd41045f3fd9ee688d75a6da2916e347b70783843fa0e3d6cfc2b0bcd5e16a6045ba27707dff655556ebc725c126082e45cee2fa
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 35KB
  MD5: ffb79f02b7a4c6ff5b9869fce3c1285b
  SHA1: 79c88af7d57430b8afcfaeeee452b9f93a004bc7
  SHA256: 3c98870e58cc784584fdf97f9a2c7e0ee311f10287873ccc46046c7b691e38b7
  SHA512: 6ff0768db251959f380feb03d0bc003d34982d9de76c76f89fdecb3c9fe18e95316fbdd77366043f0e7f57233e89267d56b9bc618d7f5c35f248cbcc71d7216d
- Filesize: 35KB
  MD5: 03d2b8bd9a2217a0a4ffd5a2acae8741
  SHA1: f6f439e2036eb740d8cc1b4bd96b4a4df80a2339
  SHA256: c847aa04bed0e2f97634215f7d8bebac5e51f6227cfd9655a3743a7dc1d8607d
  SHA512: 265f730f9a524eef0f99613da3376e49ce428cb5369a5517e0594d9f73ea7d5d0f05c2ffded9a3614cb2148c09c9f530e60c4e70cbf480635ff4bdbc372b8eb3
- Filesize: 215KB
  MD5: 32fbe2ada353606f81f50faaf2e9f4ed
  SHA1: bd696491057c8bee9979bd29e1ab9694eb5630b0
  SHA256: 18eaa658aa74d95a46b37a55a09ca64fcec3fd924787c7e1e32bdde14de556e5
  SHA512: 89b757348d844423b2287e9cb543f30d935637e3ba4f3a07bd8b6bed9dd9161efbcd1a8f4f62182980ee80737853ae3bb30d0ec630073f829403fcdf659a5227
- Filesize: 758KB
  MD5: 419cea1c6064e430860508e269f0cd2f
  SHA1: 921841797df087a1adc93877467e30e00c7d1d7e
  SHA256: 10575139bca9cb43ea44a9883308fdd83cebe6df59f68036337ab72530f0a8f4
  SHA512: c6597fff8febdc6aa26dc91147532af6892a49e789903fcfed57fe8131a43bbfaa59b93035a4b2bbfd580fcf098ddd478e2110890381269556f387c689fb3c35