Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
05-08-2024 09:53
Static task
static1
Behavioral task
behavioral1
Sample
41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi
Resource
win7-20240708-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi
Resource
win10v2004-20240802-en
windows10-2004-x64
24 signatures
150 seconds
General
-
Target
41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi
-
Size
96KB
-
MD5
42ad49ed99c0d41a820316309bc2c3b3
-
SHA1
f447a72b3cbea72e1b56fda8f44fd9f304b4474a
-
SHA256
41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e
-
SHA512
4e0af295dc656ad70361363c77646fb899a1ff4a816790959e090125bdba2089eb058dfa2b18bdcede34b45d9420b6f57c0db6aefa32f9799eccec3f163bdf75
-
SSDEEP
1536:kiqCWq/Gf2CJ7ZrhzZr98n+lW0D80D+7fxun:xqCWqu+q8nLLxun
Score
6/10
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Q: msiexec.exe -
Drops file in Windows directory 11 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f771a17.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI1B00.tmp msiexec.exe File created C:\Windows\Installer\f771a16.msi msiexec.exe File opened for modification C:\Windows\Installer\f771a16.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI1BBC.tmp msiexec.exe File created C:\Windows\Installer\f771a19.msi msiexec.exe File opened for modification C:\Windows\Installer\f771a17.ipi msiexec.exe -
Loads dropped DLL 1 IoCs
pid Process 1516 MsiExec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2800 msiexec.exe -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2672 msiexec.exe 2672 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2800 msiexec.exe Token: SeIncreaseQuotaPrivilege 2800 msiexec.exe Token: SeRestorePrivilege 2672 msiexec.exe Token: SeTakeOwnershipPrivilege 2672 msiexec.exe Token: SeSecurityPrivilege 2672 msiexec.exe Token: SeCreateTokenPrivilege 2800 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2800 msiexec.exe Token: SeLockMemoryPrivilege 2800 msiexec.exe Token: SeIncreaseQuotaPrivilege 2800 msiexec.exe Token: SeMachineAccountPrivilege 2800 msiexec.exe Token: SeTcbPrivilege 2800 msiexec.exe Token: SeSecurityPrivilege 2800 msiexec.exe Token: SeTakeOwnershipPrivilege 2800 msiexec.exe Token: SeLoadDriverPrivilege 2800 msiexec.exe Token: SeSystemProfilePrivilege 2800 msiexec.exe Token: SeSystemtimePrivilege 2800 msiexec.exe Token: SeProfSingleProcessPrivilege 2800 msiexec.exe Token: SeIncBasePriorityPrivilege 2800 msiexec.exe Token: SeCreatePagefilePrivilege 2800 msiexec.exe Token: SeCreatePermanentPrivilege 2800 msiexec.exe Token: SeBackupPrivilege 2800 msiexec.exe Token: SeRestorePrivilege 2800 msiexec.exe Token: SeShutdownPrivilege 2800 msiexec.exe Token: SeDebugPrivilege 2800 msiexec.exe Token: SeAuditPrivilege 2800 msiexec.exe Token: SeSystemEnvironmentPrivilege 2800 msiexec.exe Token: SeChangeNotifyPrivilege 2800 msiexec.exe Token: SeRemoteShutdownPrivilege 2800 msiexec.exe Token: SeUndockPrivilege 2800 msiexec.exe Token: SeSyncAgentPrivilege 2800 msiexec.exe Token: SeEnableDelegationPrivilege 2800 msiexec.exe Token: SeManageVolumePrivilege 2800 msiexec.exe Token: SeImpersonatePrivilege 2800 msiexec.exe Token: SeCreateGlobalPrivilege 2800 msiexec.exe Token: SeBackupPrivilege 2960 vssvc.exe Token: SeRestorePrivilege 2960 vssvc.exe Token: SeAuditPrivilege 2960 vssvc.exe Token: SeBackupPrivilege 2672 msiexec.exe Token: SeRestorePrivilege 2672 msiexec.exe Token: SeRestorePrivilege 2596 DrvInst.exe Token: SeRestorePrivilege 2596 DrvInst.exe Token: SeRestorePrivilege 2596 DrvInst.exe Token: SeRestorePrivilege 2596 DrvInst.exe Token: SeRestorePrivilege 2596 DrvInst.exe Token: SeRestorePrivilege 2596 DrvInst.exe Token: SeRestorePrivilege 2596 DrvInst.exe Token: SeLoadDriverPrivilege 2596 DrvInst.exe Token: SeLoadDriverPrivilege 2596 DrvInst.exe Token: SeLoadDriverPrivilege 2596 DrvInst.exe Token: SeRestorePrivilege 2672 msiexec.exe Token: SeTakeOwnershipPrivilege 2672 msiexec.exe Token: SeRestorePrivilege 2672 msiexec.exe Token: SeTakeOwnershipPrivilege 2672 msiexec.exe Token: SeRestorePrivilege 2672 msiexec.exe Token: SeTakeOwnershipPrivilege 2672 msiexec.exe Token: SeRestorePrivilege 2672 msiexec.exe Token: SeTakeOwnershipPrivilege 2672 msiexec.exe Token: SeRestorePrivilege 2672 msiexec.exe Token: SeTakeOwnershipPrivilege 2672 msiexec.exe Token: SeRestorePrivilege 2672 msiexec.exe Token: SeTakeOwnershipPrivilege 2672 msiexec.exe Token: SeRestorePrivilege 2672 msiexec.exe Token: SeTakeOwnershipPrivilege 2672 msiexec.exe Token: SeRestorePrivilege 2672 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2800 msiexec.exe 2800 msiexec.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2672 wrote to memory of 1516 2672 msiexec.exe 35 PID 2672 wrote to memory of 1516 2672 msiexec.exe 35 PID 2672 wrote to memory of 1516 2672 msiexec.exe 35 PID 2672 wrote to memory of 1516 2672 msiexec.exe 35 PID 2672 wrote to memory of 1516 2672 msiexec.exe 35 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2800
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 5CD0C7C02771DB7DD022DD29816E15812⤵
- Loads dropped DLL
PID:1516
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2960
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003CC" "00000000000002FC"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2596
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5acb05524104afc6365ecb471918e6bbd
SHA1cf199824db58206a1d3fc4a56420a144298b9ab6
SHA256e174932f087f2c6d295161a5231093ecae58e262bbbeef19043698e41d26cce7
SHA5120ec2afc4d7656030ce008aee130460676657aefacad4aa1a5c69fa33f8c257534617be4b619d8e1d4631c97c32617e53904c5e93f6f79216a88e08bfb9f5cbd0
-
Filesize
96KB
MD542ad49ed99c0d41a820316309bc2c3b3
SHA1f447a72b3cbea72e1b56fda8f44fd9f304b4474a
SHA25641ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e
SHA5124e0af295dc656ad70361363c77646fb899a1ff4a816790959e090125bdba2089eb058dfa2b18bdcede34b45d9420b6f57c0db6aefa32f9799eccec3f163bdf75
-
Filesize
56KB
MD591de8a79098ac3d20726e1acb50cd05d
SHA19cb04003c75f0cb63fe0c6dcd22a0c64d63154be
SHA25654f8d71fb3117854743d594aa28427b943e5b2fb46f6003dbf4a9b562ebbfcea
SHA51270cf1fe2c4d9b68c12b30df9013c4a1fd5b5a9fef1de704a42535259d1196b35eca6191270b19dedc4d3699b8211868b6b31a5ae3cccdc24711fb335fc32edc3