Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
06-08-2024 01:34
Static task
static1
Behavioral task
behavioral1
Sample
41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi
Resource
win7-20240729-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi
Resource
win10v2004-20240802-en
windows10-2004-x64
24 signatures
150 seconds
General
-
Target
41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi
-
Size
96KB
-
MD5
42ad49ed99c0d41a820316309bc2c3b3
-
SHA1
f447a72b3cbea72e1b56fda8f44fd9f304b4474a
-
SHA256
41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e
-
SHA512
4e0af295dc656ad70361363c77646fb899a1ff4a816790959e090125bdba2089eb058dfa2b18bdcede34b45d9420b6f57c0db6aefa32f9799eccec3f163bdf75
-
SSDEEP
1536:kiqCWq/Gf2CJ7ZrhzZr98n+lW0D80D+7fxun:xqCWqu+q8nLLxun
Score
6/10
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe -
Drops file in Windows directory 11 IoCs
description ioc Process File opened for modification C:\Windows\Installer\f76d2ca.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSID470.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID3A4.tmp msiexec.exe File created C:\Windows\Installer\f76d2cc.msi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File created C:\Windows\Installer\f76d2c9.msi msiexec.exe File opened for modification C:\Windows\Installer\f76d2c9.msi msiexec.exe File created C:\Windows\Installer\f76d2ca.ipi msiexec.exe -
Loads dropped DLL 1 IoCs
pid Process 2500 MsiExec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2584 msiexec.exe -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2372 msiexec.exe 2372 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2584 msiexec.exe Token: SeIncreaseQuotaPrivilege 2584 msiexec.exe Token: SeRestorePrivilege 2372 msiexec.exe Token: SeTakeOwnershipPrivilege 2372 msiexec.exe Token: SeSecurityPrivilege 2372 msiexec.exe Token: SeCreateTokenPrivilege 2584 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2584 msiexec.exe Token: SeLockMemoryPrivilege 2584 msiexec.exe Token: SeIncreaseQuotaPrivilege 2584 msiexec.exe Token: SeMachineAccountPrivilege 2584 msiexec.exe Token: SeTcbPrivilege 2584 msiexec.exe Token: SeSecurityPrivilege 2584 msiexec.exe Token: SeTakeOwnershipPrivilege 2584 msiexec.exe Token: SeLoadDriverPrivilege 2584 msiexec.exe Token: SeSystemProfilePrivilege 2584 msiexec.exe Token: SeSystemtimePrivilege 2584 msiexec.exe Token: SeProfSingleProcessPrivilege 2584 msiexec.exe Token: SeIncBasePriorityPrivilege 2584 msiexec.exe Token: SeCreatePagefilePrivilege 2584 msiexec.exe Token: SeCreatePermanentPrivilege 2584 msiexec.exe Token: SeBackupPrivilege 2584 msiexec.exe Token: SeRestorePrivilege 2584 msiexec.exe Token: SeShutdownPrivilege 2584 msiexec.exe Token: SeDebugPrivilege 2584 msiexec.exe Token: SeAuditPrivilege 2584 msiexec.exe Token: SeSystemEnvironmentPrivilege 2584 msiexec.exe Token: SeChangeNotifyPrivilege 2584 msiexec.exe Token: SeRemoteShutdownPrivilege 2584 msiexec.exe Token: SeUndockPrivilege 2584 msiexec.exe Token: SeSyncAgentPrivilege 2584 msiexec.exe Token: SeEnableDelegationPrivilege 2584 msiexec.exe Token: SeManageVolumePrivilege 2584 msiexec.exe Token: SeImpersonatePrivilege 2584 msiexec.exe Token: SeCreateGlobalPrivilege 2584 msiexec.exe Token: SeBackupPrivilege 2176 vssvc.exe Token: SeRestorePrivilege 2176 vssvc.exe Token: SeAuditPrivilege 2176 vssvc.exe Token: SeBackupPrivilege 2372 msiexec.exe Token: SeRestorePrivilege 2372 msiexec.exe Token: SeRestorePrivilege 2912 DrvInst.exe Token: SeRestorePrivilege 2912 DrvInst.exe Token: SeRestorePrivilege 2912 DrvInst.exe Token: SeRestorePrivilege 2912 DrvInst.exe Token: SeRestorePrivilege 2912 DrvInst.exe Token: SeRestorePrivilege 2912 DrvInst.exe Token: SeRestorePrivilege 2912 DrvInst.exe Token: SeLoadDriverPrivilege 2912 DrvInst.exe Token: SeLoadDriverPrivilege 2912 DrvInst.exe Token: SeLoadDriverPrivilege 2912 DrvInst.exe Token: SeRestorePrivilege 2372 msiexec.exe Token: SeTakeOwnershipPrivilege 2372 msiexec.exe Token: SeRestorePrivilege 2372 msiexec.exe Token: SeTakeOwnershipPrivilege 2372 msiexec.exe Token: SeRestorePrivilege 2372 msiexec.exe Token: SeTakeOwnershipPrivilege 2372 msiexec.exe Token: SeRestorePrivilege 2372 msiexec.exe Token: SeTakeOwnershipPrivilege 2372 msiexec.exe Token: SeRestorePrivilege 2372 msiexec.exe Token: SeTakeOwnershipPrivilege 2372 msiexec.exe Token: SeRestorePrivilege 2372 msiexec.exe Token: SeTakeOwnershipPrivilege 2372 msiexec.exe Token: SeRestorePrivilege 2372 msiexec.exe Token: SeTakeOwnershipPrivilege 2372 msiexec.exe Token: SeRestorePrivilege 2372 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2584 msiexec.exe 2584 msiexec.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2372 wrote to memory of 2500 2372 msiexec.exe 34 PID 2372 wrote to memory of 2500 2372 msiexec.exe 34 PID 2372 wrote to memory of 2500 2372 msiexec.exe 34 PID 2372 wrote to memory of 2500 2372 msiexec.exe 34 PID 2372 wrote to memory of 2500 2372 msiexec.exe 34 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2584
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 99B2C0DB85B691960F63B622B2DF15172⤵
- Loads dropped DLL
PID:2500
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2176
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D4" "00000000000005C0"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2912
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5508e8660b5b17d0f2c368262d1c8c486
SHA13755747d9d74d1bb4188c320e763e3bdff5aef55
SHA2567b3cf9bdc2c58662709ae009c8dad1129ef26b4de28b18bb7c5cec7ad5a641c9
SHA512b4c734797f686721ae78b93bb83491accaad5ae15ac1c7d3f9a77721cda092467424dfa33fa7e10dac33302fd4684cdd762a78efac8fbb2f466b3491e915a09a
-
Filesize
56KB
MD591de8a79098ac3d20726e1acb50cd05d
SHA19cb04003c75f0cb63fe0c6dcd22a0c64d63154be
SHA25654f8d71fb3117854743d594aa28427b943e5b2fb46f6003dbf4a9b562ebbfcea
SHA51270cf1fe2c4d9b68c12b30df9013c4a1fd5b5a9fef1de704a42535259d1196b35eca6191270b19dedc4d3699b8211868b6b31a5ae3cccdc24711fb335fc32edc3
-
Filesize
96KB
MD542ad49ed99c0d41a820316309bc2c3b3
SHA1f447a72b3cbea72e1b56fda8f44fd9f304b4474a
SHA25641ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e
SHA5124e0af295dc656ad70361363c77646fb899a1ff4a816790959e090125bdba2089eb058dfa2b18bdcede34b45d9420b6f57c0db6aefa32f9799eccec3f163bdf75