Analysis
max time kernel: 53s
max time network: 63s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 22-08-2024 21:52
Static task: static1
Behavioral task: behavioral1
Sample: SDCardFormatterv5_WinEN/SD Card Formatter 5.0.2 Setup EN.exe
Resource: win11-20240802-en
General
Target: SDCardFormatterv5_WinEN/SD Card Formatter 5.0.2 Setup EN.exe
Size: 6.8MB
MD5: fe107d7154caab6c0c9b923b026b5ecb
SHA1: ec2897db596e234abca3932ba47e065fb3110f9c
SHA256: cffd14249bc58b3a9f7bca75b32f5f6bbbe12283c93c74133908be2f99c047c3
SHA512: aad70ca57f903d59aaa8061e3da508c99d5b3bdcbfaba107337c578df4f86da720a1d6806a3188da8ec179f2bf1a74d9208a018b87d0094493030d33ca10c0fd
SSDEEP: 196608:flq+1Nnnajel1vEEBhR/OjON1Xy6VY91Shpnx/uwk7:XnaiD849OjOJXu91SlWD
Malware Config
Signatures
Executes dropped EXE (1 IoC)
PID 1920 SD Card Formatter.exe
Loads dropped DLL (3 IoCs)
PID 1504 MsiExec.exe
PID 2176 MsiExec.exe
PID 1504 MsiExec.exe
Blocklisted process makes network request (1 IoC)
flow 14, PID 1040 MSIEXEC.EXE
The Network section of this page records no detail for flow 14, so the destination cannot be confirmed from the report alone. The CryptnetUrlCache files listed under Downloads are CryptoAPI's cache of objects fetched by URL (certificate chain and revocation data), which is consistent with the Installer verifying a signature during the install; the flow itself should still be checked before drawing a conclusion.
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 rows; every letter except C:, D: and F:)
File opened (read-only) by MSIEXEC.EXE: the same 23 volumes (23 rows)
Every row comes from the Windows Installer engine (the service msiexec.exe, PID 4896, and the 32-bit MSIEXEC.EXE, PID 1040, started by the setup stub), not from the installed SD Card Formatter.exe. Probing each drive letter is normal Installer behaviour while it costs the install and resolves source and target volumes, so on its own this signature is weak evidence.
Drops file in Program Files directory (2 IoCs)
File created C:\Program Files (x86)\SDA\SD Card Formatter\format_sd.exe msiexec.exe
File created C:\Program Files (x86)\SDA\SD Card Formatter\SD Card Formatter.exe msiexec.exe
Drops file in Windows directory (19 IoCs)
File created C:\Windows\SystemTemp\~DF4DE74A72AC8D6C06.TMP msiexec.exe
File created C:\Windows\Installer\SourceHash{D02212EA-E02A-4521-9036-5367734FC66E} msiexec.exe
File created C:\Windows\SystemTemp\~DFD3F994B4233DAC99.TMP msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File opened for modification C:\Windows\Installer\{D02212EA-E02A-4521-9036-5367734FC66E}\NewShortcut1_69C2B9A012C943F8B6BC658D1AC73474.exe msiexec.exe
File opened for modification C:\Windows\Installer\{D02212EA-E02A-4521-9036-5367734FC66E}\NewShortcut11_9F21041712364E7FBB19D6D84D3AFF1D.exe msiexec.exe
File created C:\Windows\Installer\e57e9f4.msi msiexec.exe
File created C:\Windows\Installer\e57e9f2.msi msiexec.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File created C:\Windows\Installer\{D02212EA-E02A-4521-9036-5367734FC66E}\NewShortcut11_9F21041712364E7FBB19D6D84D3AFF1D.exe msiexec.exe
File created C:\Windows\SystemTemp\~DFBCF23B3375035D3F.TMP msiexec.exe
File created C:\Windows\Installer\{D02212EA-E02A-4521-9036-5367734FC66E}\ARPPRODUCTICON.exe msiexec.exe
File opened for modification C:\Windows\Installer\{D02212EA-E02A-4521-9036-5367734FC66E}\ARPPRODUCTICON.exe msiexec.exe
File created C:\Windows\Installer\{D02212EA-E02A-4521-9036-5367734FC66E}\NewShortcut1_69C2B9A012C943F8B6BC658D1AC73474.exe msiexec.exe
File created C:\Windows\SystemTemp\~DF5BB17DDBE7336282.TMP msiexec.exe
File opened for modification C:\Windows\Installer\e57e9f2.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSIF06B.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIF127.tmp msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SD Card Formatter 5.0.2 Setup EN.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSIEXEC.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SD Card Formatter.exe
Reading NLS\Language is also how a localized installer picks its UI language; the five readers here are the setup stub, the Installer processes and the installed application, so this signature carries little weight by itself.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value omitted) vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe
All five rows belong to vssvc.exe, the Volume Shadow Copy service, writing partition-manager cache data (the SnapshotDataCache value begins with the ASCII marker "SNAPPART"). That is the OS creating the restore point requested by srtasks.exe ExecuteScopeRestorePoint in the process tree, not the sample probing the disk for sandbox artifacts.
Modifies data under HKEY_USERS (3 IoCs)
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E msiexec.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe
Modifies registry class (24 IoCs)
All keys below are under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\ and every row is written by msiexec.exe.
Key created Products\AE21220DA20E12540963357637F46CE6\SourceList\Media
Set value (data) Products\AE21220DA20E12540963357637F46CE6\Clients = 3a0000000000
Set value (str) Features\AE21220DA20E12540963357637F46CE6\AlwaysInstall
Set value (int) Products\AE21220DA20E12540963357637F46CE6\Language = "1033"
Set value (str) Products\AE21220DA20E12540963357637F46CE6\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Downloaded Installations\\{2FF5D07D-7CA7-4BD6-8D3E-053A26A24C99}\\"
Set value (int) Products\AE21220DA20E12540963357637F46CE6\DeploymentFlags = "3"
Set value (str) Products\AE21220DA20E12540963357637F46CE6\SourceList\PackageName = "SD Card Formatter Setup.msi"
Set value (str) Products\AE21220DA20E12540963357637F46CE6\SourceList\Media\1 = "DISK1;1"
Key created Products\AE21220DA20E12540963357637F46CE6
Set value (str) Products\AE21220DA20E12540963357637F46CE6\ProductIcon = "C:\\Windows\\Installer\\{D02212EA-E02A-4521-9036-5367734FC66E}\\ARPPRODUCTICON.exe"
Set value (int) Products\AE21220DA20E12540963357637F46CE6\InstanceType = "0"
Key created UpgradeCodes\40458F508929DEE4DAE1CC0072E5334B
Set value (int) Products\AE21220DA20E12540963357637F46CE6\Version = "83886082"
Set value (int) Products\AE21220DA20E12540963357637F46CE6\Assignment = "1"
Set value (int) Products\AE21220DA20E12540963357637F46CE6\AdvertiseFlags = "388"
Set value (int) Products\AE21220DA20E12540963357637F46CE6\AuthorizedLUAApp = "1"
Set value (str) UpgradeCodes\40458F508929DEE4DAE1CC0072E5334B\AE21220DA20E12540963357637F46CE6
Key created Features\AE21220DA20E12540963357637F46CE6
Set value (str) Products\AE21220DA20E12540963357637F46CE6\ProductName = "SD Card Formatter"
Set value (str) Products\AE21220DA20E12540963357637F46CE6\PackageCode = "D70D5FF27AC76DB4D8E350A3622AC499"
Set value (str) Products\AE21220DA20E12540963357637F46CE6\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Downloaded Installations\\{2FF5D07D-7CA7-4BD6-8D3E-053A26A24C99}\\"
Key created Products\AE21220DA20E12540963357637F46CE6\SourceList
Key created Products\AE21220DA20E12540963357637F46CE6\SourceList\Net
Set value (str) Products\AE21220DA20E12540963357637F46CE6\SourceList\Media\DiskPrompt = "[1]"
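The 32-digit names in these keys are Windows Installer's packed form of ordinary GUIDs, and they can be decoded to cross-check the rest of the report. The following is an added example (the editor's own code, not the report's or Windows Installer's): it unpacks the packed form back to the GUIDs that appear elsewhere on this page and decodes the Version DWORD. The four constants are copied from the rows above; the function names are this example's own.

```python
"""Decode the Windows Installer identifiers registered under
HKLM\\SOFTWARE\\Classes\\Installer (added example, not part of the report).

Windows Installer stores GUIDs in a 32-hex-digit packed form: the first three
dash-separated groups are reversed, and in the last two groups the two hex
digits of every byte are swapped.  Version is one DWORD laid out as
major<<24 | minor<<16 | build.
"""

# Copied from this report's "Modifies registry class" rows.
PRODUCTS_KEY = "AE21220DA20E12540963357637F46CE6"   # Installer\Products\<packed ProductCode>
UPGRADE_KEY = "40458F508929DEE4DAE1CC0072E5334B"    # Installer\UpgradeCodes\<packed UpgradeCode>
PACKAGE_CODE = "D70D5FF27AC76DB4D8E350A3622AC499"   # Products\...\PackageCode value
VERSION_VALUE = "83886082"                          # Products\...\Version value

HEX = set("0123456789ABCDEF")


def _swap_pairs(s):
    """'5367734F' -> '357637F4': swap the two hex digits of each byte."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))


def unpack_guid(packed):
    """32 packed hex digits -> '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'."""
    p = packed.upper()
    if len(p) != 32 or not set(p) <= HEX:
        raise ValueError("packed GUID must be 32 hex digits")
    g1, g2, g3 = p[0:8][::-1], p[8:12][::-1], p[12:16][::-1]
    tail = _swap_pairs(p[16:32])
    return "{%s-%s-%s-%s-%s}" % (g1, g2, g3, tail[:4], tail[4:])


def pack_guid(guid):
    """'{D02212EA-E02A-4521-9036-5367734FC66E}' -> 'AE21220DA20E12540963357637F46CE6'."""
    groups = guid.strip("{}").upper().split("-")
    if [len(g) for g in groups] != [8, 4, 4, 4, 12] or not set("".join(groups)) <= HEX:
        raise ValueError("malformed GUID")
    return groups[0][::-1] + groups[1][::-1] + groups[2][::-1] + _swap_pairs(groups[3] + groups[4])


def unpack_version(value):
    """Installer Version DWORD (as stored, a decimal string) -> (major, minor, build)."""
    v = int(value)
    if not 0 <= v <= 0xFFFFFFFF:
        raise ValueError("Version must fit in a DWORD")
    return (v >> 24, (v >> 16) & 0xFF, v & 0xFFFF)


def product_identity(products_key=PRODUCTS_KEY, upgrade_key=UPGRADE_KEY,
                     package_code=PACKAGE_CODE, version=VERSION_VALUE):
    """Resolve the packed registry names to the GUIDs used elsewhere in the
    report (ProductCode folder under C:\\Windows\\Installer, PackageCode
    folder under Downloaded Installations) and the human-readable version."""
    return {
        "ProductCode": unpack_guid(products_key),
        "UpgradeCode": unpack_guid(upgrade_key),
        "PackageCode": unpack_guid(package_code),
        "Version": "%d.%d.%d" % unpack_version(version),
    }


if __name__ == "__main__":
    for name, value in product_identity().items():
        print("%-12s %s" % (name, value))
```

Decoded, Products\AE21220DA20E12540963357637F46CE6 is ProductCode {D02212EA-E02A-4521-9036-5367734FC66E}, the folder name under C:\Windows\Installer in the "Drops file in Windows directory" rows; PackageCode D70D5FF27AC76DB4D8E350A3622AC499 is {2FF5D07D-7CA7-4BD6-8D3E-053A26A24C99}, the Downloaded Installations folder the MSI was extracted to; and Version 83886082 is 5.0.2, matching the sample's file name. Three identifiers agreeing like this is what a genuine MSI install looks like, and it is a cheap check to run when a sample's Installer registry writes look odd.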
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 4896 msiexec.exe
PID 4896 msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
PID 4896 msiexec.exe: SeSecurityPrivilege (1 row)
PID 1040 MSIEXEC.EXE: 63 rows. After SeShutdownPrivilege and SeIncreaseQuotaPrivilege the process walks the full standard list (SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege) twice, and the list stops at 64 rows three privileges into a third pass (SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege).
AdjustTokenPrivileges can only enable privileges the token already holds, so these rows show the 32-bit MSIEXEC.EXE asking for everything in the standard list rather than acquiring anything new; a blanket sweep like this is a generic "enable all privileges" routine, not targeted use of SeDebugPrivilege, and should be judged together with the rest of the tree.
Suspicious use of FindShellTrayWindow (2 IoCs)
PID 1040 MSIEXEC.EXE
PID 1040 MSIEXEC.EXE
Suspicious use of SetWindowsHookEx (3 IoCs)
PID 1920 SD Card Formatter.exe
PID 1920 SD Card Formatter.exe
PID 1920 SD Card Formatter.exe
Suspicious use of WriteProcessMemory (14 IoCs)
PID 4628 (SD Card Formatter 5.0.2 Setup EN.exe) wrote to memory of 1040, procid_target 82 (3 rows)
PID 4896 (msiexec.exe) wrote to memory of 1504, procid_target 86 (3 rows)
PID 4896 (msiexec.exe) wrote to memory of 2412, procid_target 90 (2 rows)
PID 4896 (msiexec.exe) wrote to memory of 2176, procid_target 92 (3 rows)
PID 1504 (MsiExec.exe) wrote to memory of 1920, procid_target 94 (3 rows)
Each target is a child the writing process has just created (the pairs match the process tree below), so these rows record process start-up rather than injection into an unrelated process.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run it corresponds to the system restore point created by srtasks.exe ExecuteScopeRestorePoint, which the Installer service spawns (see the process tree); vssvc.exe is the VSS service itself.
Processes
- C:\Users\Admin\AppData\Local\Temp\SDCardFormatterv5_WinEN\SD Card Formatter 5.0.2 Setup EN.exe (PID 4628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SDCardFormatterv5_WinEN\SD Card Formatter 5.0.2 Setup EN.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\MSIEXEC.EXE (PID 1040)
    Command line: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{2FF5D07D-7CA7-4BD6-8D3E-053A26A24C99}\SD Card Formatter Setup.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\SDCardFormatterv5_WinEN" SETUPEXENAME="SD Card Formatter 5.0.2 Setup EN.exe"
    - Blocklisted process makes network request
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4896)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 1504)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8A4D095BD589D551D87057F22BF795B6 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\SDA\SD Card Formatter\SD Card Formatter.exe (PID 1920)
      Command line: "C:\Program Files (x86)\SDA\SD Card Formatter\SD Card Formatter.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\system32\srtasks.exe (PID 2412)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\syswow64\MsiExec.exe (PID 2176)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 4E36A7D6F88CEC246352E1BF677EFBF9
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 784)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
Reading the tree: the setup stub (4628) extracts the MSI and hands it to a 32-bit MSIEXEC.EXE client (1040). The Windows Installer service (msiexec.exe /V, PID 4896) is started by the service control manager, which is why it appears as a separate root rather than under the sample; its two 32-bit MsiExec.exe -Embedding children are custom action servers, and it is one of those (1504), not the sample's own chain, that launches the installed application (1920) at the end of the install. srtasks.exe and vssvc.exe are the restore-point machinery the Installer service invokes.
Network
MITRE ATT&CK Enterprise v15
Downloads
- (path not recorded on this page)
  Filesize: 9KB
  MD5: 5a9cf0217f45ef798b2ac67703a550ed
  SHA1: a406da83d7b6ba8220ec3ee8a1960b8ce8420b42
  SHA256: edf6df6fa68e3a50b7dc939739e469e3813307027dd02e0cb68354eb152d32e5
  SHA512: 5d1661d81cc5ed3361593190c1ed9063364d671f666793a5529f5ac5f903d575168bc6d275fc3d748bfa58aaa4c27b9041cc74af4bb5d0e50ddfb6e74c037532
- (path not recorded on this page)
  Filesize: 3.5MB
  MD5: be4c31541957e8e31f3b9d3794bd1ad5
  SHA1: 03f85b4f8bbac114c192a308acf3ad2b55ac8f86
  SHA256: ea210d7ff1d49bf61c55d6ca208277f5fdac8710296714323a37893b97caa0f2
  SHA512: 1d68bcecd1ca7b1e4dd404be511184390c3f5de97879091aede312541119ca632378d41aeaabb9c3df6c22c46f9d67a77f587effccc70a88759c26ab393a1bb1
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SD Association\SD Card Formatter\SD Card Formatter.lnk
  Filesize: 2KB
  MD5: d84c87e7dadf5aa5a6844ae880e83498
  SHA1: 8c13f5ae3b6bd1ec58e306ef5ea0904e9ee57853
  SHA256: 69b35a7c42d6f07873f79b3591696cc7415d776666073250f0f80df15ecbb4eb
  SHA512: d0dbe5b8fff2794e1a2dd892ce93616df209e344bbb5296df59dec98d8fd479d8f2b5da5ebcab1f4c2251521e59a8d167c66260812d34d39cb880dc4cf223b5a
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SD Association\SD Card Formatter\SD Card Formatter.lnk~RFe57f27e.TMP
  Filesize: 2KB
  MD5: f305f139b1434fe26232ea4c95796dd7
  SHA1: 40f900a0547429506c4166e059f070b781fd708e
  SHA256: 008119d761e7210bd38fb47c57dfea8120ee85078e0fce595f79e08c368bfc56
  SHA512: bacb975625d4c7d0b7718414ebfd46e1e31de581f8829488dfeab489e17e32bd4fe5a7e485c01fdc56fe0c16054b37cfdca364eadf6a9b1195e75ac3df22cc88
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
  Filesize: 471B
  MD5: e2604a85305d6ed6ed4596963997e924
  SHA1: 953d6bf3f425c22ed18c4e6bfbbf098d2310ba5d
  SHA256: e314629074c0653d64db6fe5cbaf22b1702566dcb033ccc21bb4fd0066392610
  SHA512: ab0cb67a7ce11e7d20028dd77d7912e43e1d9d5c5b5e2e2166a2fc039b215d0ce12acce97b8eb0c00364372ced890520aec27ef9a96fad37c1eb212b046a65ae
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_13C665649EC7F70E2E63F7F28DC6D0C6
  Filesize: 471B
  MD5: 4fa747886c5eb4bfcf1febfe36cc01af
  SHA1: a6931255c6a7da25e9b3b37b6f271246b3342727
  SHA256: c34887642565230b0c56f4cc86353652283b124625be2bb3d08f470ba69d645f
  SHA512: 47af9530ec3792c46eabb45c9dc535c22204feff4c860d391abbe8b8f881706bec038c992f2c02cffe829e7d0016ab9549ad6ab741a014c66b117b6da2633569
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
  Filesize: 396B
  MD5: 10976fcdd1bc7268d20d30e41b755fd9
  SHA1: 26a50cad82a1a77ab41513ba3a9af2a089477280
  SHA256: 589cf2d9e99e9ea89f0b355407daefb905a60efc824075ecfa0fa7be2059bc35
  SHA512: 53e97ad1eed5c95b0b8bdf214a132f59b19405e93301bd715a1b4f9e7deb1b01d3593922d8c1e94cf75216248e6c3a61db387b026731189c44621d1b10a51578
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_13C665649EC7F70E2E63F7F28DC6D0C6
  Filesize: 408B
  MD5: cb3d09b5f48030a597f73de8522dc67f
  SHA1: 626385d9bf655a237dbcbbdc290acb9e0a2adf19
  SHA256: 3cfdc9ccdf905ba4122e34b26751e40b4e02e8783068a673feb3d3f7ee930668
  SHA512: 0ef0fead2488aa2700fa3679207f3ad050e93bdf1161be94a0bdb42407a70b671883d086206528a0bc511d8af396c7d646ad25822cbc0d7bfcc3bc5e9b9d23f6
- C:\Users\Admin\AppData\Local\Downloaded Installations\{2FF5D07D-7CA7-4BD6-8D3E-053A26A24C99}\SD Card Formatter Setup.msi
  Filesize: 4.1MB
  MD5: 07bfa577fc716b47d583dd96c3ea84e8
  SHA1: f1fe68dfb27e08af14dc6a55887bcd377690d563
  SHA256: a61acf097056004158ba0b12ce38f6f48118b1e2d8ef94722d818a1a2788d351
  SHA512: bc386973230c61c6c783b8b156939e15f724c7c8a2dfa222dfade1109460a42be7d0b7a975447fe71258c8c43b89345a8912c624a5a48553ab0f8a96cf01ab73
- (path not recorded on this page)
  Filesize: 153KB
  MD5: c90f51e8f8c547ce8a48c22ecdcf5304
  SHA1: b7a5831e3678693ebb254b5720a58020c0772551
  SHA256: 226f3e224bfc7d77afff0f3d9048d1727eea7aa5e2e443f8cc55baa7dc5c6473
  SHA512: ae667b38251f4ec2062a42f8238ac8391a2aed0a2833a5320d3b296347a689e59a4f442add547b6a202aea4ddcab16e3db823452e18714c69585efed0c4e9903
- (path not recorded on this page)
  Filesize: 103KB
  MD5: 04289ede648990e01435a99f616c8fdf
  SHA1: bc81ff546d812d0f88ed7a98717e77d5e34b61fb
  SHA256: 6629a2fe72efaded5d12e072a18b0cf065b2c9600a6401645ca1d7804f7edd14
  SHA512: cacbadaa96d1f6200fa02ff0c643324c870f95b587e27460af0da525105815380fede9d8d196fbdcabfaa007c404b7487e43407b46585b919f6fa68ea8de358d
- (path not recorded on this page)
  Filesize: 21KB
  MD5: 8586214463bd73e1c2716113e5bd3e13
  SHA1: f02e3a76fd177964a846d4aa0a23f738178db2be
  SHA256: 089d3068e42958dd2c0aec668e5b7e57b7584aca5c77132b1bcbe3a1da33ef54
  SHA512: 309200f38d0e29c9aaa99bb6d95f4347f8a8c320eb65742e7c539246ad9b759608bd5151d1c5d1d05888979daa38f2b6c3bf492588b212b583b8adbe81fa161b
- (path not recorded on this page)
  Filesize: 20B
  MD5: db9af7503f195df96593ac42d5519075
  SHA1: 1b487531bad10f77750b8a50aca48593379e5f56
  SHA256: 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
  SHA512: 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b
- (path not recorded on this page)
  Filesize: 5KB
  MD5: 8336066b51c5388ac78a6f303bc3b81d
  SHA1: f133ed15f406350757637af8ca803f3f3d3b0798
  SHA256: cbc5fecbe82ef986de124fb6f0d00921c015d6508b64bdf2cd8bb9a1a0256752
  SHA512: e7b79f56d035888e04a7a1fd0bbcbb4c361077411033febfff8f863b71c2ccf41f433f0691fd21ec7d76b4bd5ab3e23c2c0c9d3656e9b8082ed0de97a4845066
- (path not recorded on this page)
  Filesize: 105KB
  MD5: 29e4cb02681bf0780985a429b48903ca
  SHA1: 474acf63ad259fa06164916259a40ffe8909f622
  SHA256: 3dd81287d4318c25ed9f0afa740c3ca59b746d9a587735e1e33107c14e1b40e0
  SHA512: 5c491bf4357bb1cee86ff0eb9662f6046c32b7e8b8fb406f12e4f866885a25994c34e8f46315f98f116be27a6a7a06c21ca52b030aacb1c1216910ac339500a1
- (path not recorded on this page)
  Filesize: 12.8MB
  MD5: 0e552f5cc7f58eb45d0b6790defafe83
  SHA1: 47885763e3df0281ff25333c39cfcc6e66bd8a94
  SHA256: 660b80bfacb8fda4c8bfd6da29ba4574e233056f7a513f3d8fd051e8992099b8
  SHA512: 562dba39a1f0c135f57aa5a94db53af46896fcc5eb2feb784803fa0607e973d47e8bf697b5a72184c9af820b6131860edef5b52818c97cd0dfb7cc671b916e5e
- \??\Volume{3a4c38fd-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a8a68fa2-1f6c-411b-a103-8b2bdb3ae484}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 6dc90426f2e77279510cd4fbba3656af
  SHA1: ce46d99cc223eb0ff60f94614c5b16b4a9689998
  SHA256: e9b7be5593a31e3b84ee363222dd3cff52807284949bb7fe24bb6edcf17328eb
  SHA512: 363166e0c2aaac8da0b9188698ed0cb64c8b9ea8e956eee01828e4432ee8041d295c3c6d0f1d5cab3bb47abc85de3da9a8695ea09c6adc4507353f3f5cfe60da