Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
05-08-2024 03:41
Static task
static1
Behavioral task
behavioral1
Sample
41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi
Resource
win7-20240705-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi
Resource
win10v2004-20240802-en
windows10-2004-x64
24 signatures
150 seconds
General
-
Target
41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi
-
Size
96KB
-
MD5
42ad49ed99c0d41a820316309bc2c3b3
-
SHA1
f447a72b3cbea72e1b56fda8f44fd9f304b4474a
-
SHA256
41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e
-
SHA512
4e0af295dc656ad70361363c77646fb899a1ff4a816790959e090125bdba2089eb058dfa2b18bdcede34b45d9420b6f57c0db6aefa32f9799eccec3f163bdf75
-
SSDEEP
1536:kiqCWq/Gf2CJ7ZrhzZr98n+lW0D80D+7fxun:xqCWqu+q8nLLxun
Score
6/10
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe -
Drops file in Windows directory 11 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f771516.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI16DC.tmp msiexec.exe File created C:\Windows\Installer\f771519.msi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\Installer\f771516.msi msiexec.exe File created C:\Windows\Installer\f771517.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI16BC.tmp msiexec.exe File opened for modification C:\Windows\Installer\f771517.ipi msiexec.exe -
Loads dropped DLL 1 IoCs
pid Process 2448 MsiExec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 3016 msiexec.exe -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2408 msiexec.exe 2408 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3016 msiexec.exe Token: SeIncreaseQuotaPrivilege 3016 msiexec.exe Token: SeRestorePrivilege 2408 msiexec.exe Token: SeTakeOwnershipPrivilege 2408 msiexec.exe Token: SeSecurityPrivilege 2408 msiexec.exe Token: SeCreateTokenPrivilege 3016 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3016 msiexec.exe Token: SeLockMemoryPrivilege 3016 msiexec.exe Token: SeIncreaseQuotaPrivilege 3016 msiexec.exe Token: SeMachineAccountPrivilege 3016 msiexec.exe Token: SeTcbPrivilege 3016 msiexec.exe Token: SeSecurityPrivilege 3016 msiexec.exe Token: SeTakeOwnershipPrivilege 3016 msiexec.exe Token: SeLoadDriverPrivilege 3016 msiexec.exe Token: SeSystemProfilePrivilege 3016 msiexec.exe Token: SeSystemtimePrivilege 3016 msiexec.exe Token: SeProfSingleProcessPrivilege 3016 msiexec.exe Token: SeIncBasePriorityPrivilege 3016 msiexec.exe Token: SeCreatePagefilePrivilege 3016 msiexec.exe Token: SeCreatePermanentPrivilege 3016 msiexec.exe Token: SeBackupPrivilege 3016 msiexec.exe Token: SeRestorePrivilege 3016 msiexec.exe Token: SeShutdownPrivilege 3016 msiexec.exe Token: SeDebugPrivilege 3016 msiexec.exe Token: SeAuditPrivilege 3016 msiexec.exe Token: SeSystemEnvironmentPrivilege 3016 msiexec.exe Token: SeChangeNotifyPrivilege 3016 msiexec.exe Token: SeRemoteShutdownPrivilege 3016 msiexec.exe Token: SeUndockPrivilege 3016 msiexec.exe Token: SeSyncAgentPrivilege 3016 msiexec.exe Token: SeEnableDelegationPrivilege 3016 msiexec.exe Token: SeManageVolumePrivilege 3016 msiexec.exe Token: SeImpersonatePrivilege 3016 msiexec.exe Token: SeCreateGlobalPrivilege 3016 msiexec.exe Token: SeBackupPrivilege 1368 vssvc.exe Token: SeRestorePrivilege 1368 vssvc.exe Token: SeAuditPrivilege 1368 vssvc.exe Token: SeBackupPrivilege 2408 msiexec.exe Token: SeRestorePrivilege 2408 msiexec.exe Token: SeRestorePrivilege 2616 DrvInst.exe Token: SeRestorePrivilege 2616 DrvInst.exe Token: SeRestorePrivilege 2616 DrvInst.exe Token: SeRestorePrivilege 2616 DrvInst.exe Token: SeRestorePrivilege 2616 DrvInst.exe Token: SeRestorePrivilege 2616 DrvInst.exe Token: SeRestorePrivilege 2616 DrvInst.exe Token: SeLoadDriverPrivilege 2616 DrvInst.exe Token: SeLoadDriverPrivilege 2616 DrvInst.exe Token: SeLoadDriverPrivilege 2616 DrvInst.exe Token: SeRestorePrivilege 2408 msiexec.exe Token: SeTakeOwnershipPrivilege 2408 msiexec.exe Token: SeRestorePrivilege 2408 msiexec.exe Token: SeTakeOwnershipPrivilege 2408 msiexec.exe Token: SeRestorePrivilege 2408 msiexec.exe Token: SeTakeOwnershipPrivilege 2408 msiexec.exe Token: SeRestorePrivilege 2408 msiexec.exe Token: SeTakeOwnershipPrivilege 2408 msiexec.exe Token: SeRestorePrivilege 2408 msiexec.exe Token: SeTakeOwnershipPrivilege 2408 msiexec.exe Token: SeRestorePrivilege 2408 msiexec.exe Token: SeTakeOwnershipPrivilege 2408 msiexec.exe Token: SeRestorePrivilege 2408 msiexec.exe Token: SeTakeOwnershipPrivilege 2408 msiexec.exe Token: SeRestorePrivilege 2408 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3016 msiexec.exe 3016 msiexec.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2408 wrote to memory of 2448 2408 msiexec.exe 34 PID 2408 wrote to memory of 2448 2408 msiexec.exe 34 PID 2408 wrote to memory of 2448 2408 msiexec.exe 34 PID 2408 wrote to memory of 2448 2408 msiexec.exe 34 PID 2408 wrote to memory of 2448 2408 msiexec.exe 34 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3016
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 56B629DEB185B2D746DBA51851C2864D2⤵
- Loads dropped DLL
PID:2448
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1368
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000324" "00000000000003C0"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2616
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD53559fb64cc308644926fe54559242e34
SHA1dbf0fe1b28516a31d172723ec3a87c78f56237fc
SHA2561f0a0f83038ca65c731e75fdece4b08a99cd92bfe6bb6e227e36355a949b1bd8
SHA512541c0c0fd7d4d94f65443a9e72c3d22986bbb8b5355ba3a984d701ad0298ec3ddd6493eabd85899160fae9fe76bb82f6fe9b2162b44189cc5a1d88515b35f488
-
Filesize
56KB
MD591de8a79098ac3d20726e1acb50cd05d
SHA19cb04003c75f0cb63fe0c6dcd22a0c64d63154be
SHA25654f8d71fb3117854743d594aa28427b943e5b2fb46f6003dbf4a9b562ebbfcea
SHA51270cf1fe2c4d9b68c12b30df9013c4a1fd5b5a9fef1de704a42535259d1196b35eca6191270b19dedc4d3699b8211868b6b31a5ae3cccdc24711fb335fc32edc3
-
Filesize
96KB
MD542ad49ed99c0d41a820316309bc2c3b3
SHA1f447a72b3cbea72e1b56fda8f44fd9f304b4474a
SHA25641ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e
SHA5124e0af295dc656ad70361363c77646fb899a1ff4a816790959e090125bdba2089eb058dfa2b18bdcede34b45d9420b6f57c0db6aefa32f9799eccec3f163bdf75