32bd3d0af943aafb44165de5791d6e3338eb5b3e93548383c6d04fada69f7411

Analysis

max time kernel
90s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 13:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

WPS_Office_PPT_PDF-_Setup.msi
Size

235.0MB
MD5

c133af8d7143792b5aa031cbb309911c
SHA1

37b422febc70760fd4fced0274d95318a6c618c3
SHA256

32bd3d0af943aafb44165de5791d6e3338eb5b3e93548383c6d04fada69f7411
SHA512

af6e21fc6b1e1bc05aaa9d34896c3142b793c4a070a6112b5d123108322f56a4ec3009d868aeacf9accd72dc2d4bfc8b9f55140f7915840c73dae6fd1f09190f
SSDEEP

6291456:Sn1t4VK0dF9sQyMGulGZ0PbOs9mGUdCqGFGwhJHDO:s1t4kOXRa0Cs9/UdCqkX

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\wps\wps\wps\WPS_Setup_17147.exe	msiexec.exe
File created	C:\Program Files (x86)\wps\wps\wps\Apack.dll	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI1F00.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1326.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{811E1289-42B2-41E1-AF41-0044B4531853}	msiexec.exe
File created	C:\Windows\Installer\e5810c4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5810c4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI125A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1809.tmp	msiexec.exe

Loads dropped DLL 10 IoCs

pid	Process
732	MsiExec.exe
732	MsiExec.exe
732	MsiExec.exe
732	MsiExec.exe
732	MsiExec.exe
732	MsiExec.exe
3688	MsiExec.exe
3688	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1252	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000080ecc9f1fa88237c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000080ecc9f10000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090080ecc9f1000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d80ecc9f1000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000080ecc9f100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
468	msiexec.exe
468	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1252	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1252	msiexec.exe
Token: SeSecurityPrivilege	468	msiexec.exe
Token: SeCreateTokenPrivilege	1252	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1252	msiexec.exe
Token: SeLockMemoryPrivilege	1252	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1252	msiexec.exe
Token: SeMachineAccountPrivilege	1252	msiexec.exe
Token: SeTcbPrivilege	1252	msiexec.exe
Token: SeSecurityPrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeLoadDriverPrivilege	1252	msiexec.exe
Token: SeSystemProfilePrivilege	1252	msiexec.exe
Token: SeSystemtimePrivilege	1252	msiexec.exe
Token: SeProfSingleProcessPrivilege	1252	msiexec.exe
Token: SeIncBasePriorityPrivilege	1252	msiexec.exe
Token: SeCreatePagefilePrivilege	1252	msiexec.exe
Token: SeCreatePermanentPrivilege	1252	msiexec.exe
Token: SeBackupPrivilege	1252	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeShutdownPrivilege	1252	msiexec.exe
Token: SeDebugPrivilege	1252	msiexec.exe
Token: SeAuditPrivilege	1252	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1252	msiexec.exe
Token: SeChangeNotifyPrivilege	1252	msiexec.exe
Token: SeRemoteShutdownPrivilege	1252	msiexec.exe
Token: SeUndockPrivilege	1252	msiexec.exe
Token: SeSyncAgentPrivilege	1252	msiexec.exe
Token: SeEnableDelegationPrivilege	1252	msiexec.exe
Token: SeManageVolumePrivilege	1252	msiexec.exe
Token: SeImpersonatePrivilege	1252	msiexec.exe
Token: SeCreateGlobalPrivilege	1252	msiexec.exe
Token: SeCreateTokenPrivilege	1252	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1252	msiexec.exe
Token: SeLockMemoryPrivilege	1252	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1252	msiexec.exe
Token: SeMachineAccountPrivilege	1252	msiexec.exe
Token: SeTcbPrivilege	1252	msiexec.exe
Token: SeSecurityPrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeLoadDriverPrivilege	1252	msiexec.exe
Token: SeSystemProfilePrivilege	1252	msiexec.exe
Token: SeSystemtimePrivilege	1252	msiexec.exe
Token: SeProfSingleProcessPrivilege	1252	msiexec.exe
Token: SeIncBasePriorityPrivilege	1252	msiexec.exe
Token: SeCreatePagefilePrivilege	1252	msiexec.exe
Token: SeCreatePermanentPrivilege	1252	msiexec.exe
Token: SeBackupPrivilege	1252	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeShutdownPrivilege	1252	msiexec.exe
Token: SeDebugPrivilege	1252	msiexec.exe
Token: SeAuditPrivilege	1252	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1252	msiexec.exe
Token: SeChangeNotifyPrivilege	1252	msiexec.exe
Token: SeRemoteShutdownPrivilege	1252	msiexec.exe
Token: SeUndockPrivilege	1252	msiexec.exe
Token: SeSyncAgentPrivilege	1252	msiexec.exe
Token: SeEnableDelegationPrivilege	1252	msiexec.exe
Token: SeManageVolumePrivilege	1252	msiexec.exe
Token: SeImpersonatePrivilege	1252	msiexec.exe
Token: SeCreateGlobalPrivilege	1252	msiexec.exe
Token: SeCreateTokenPrivilege	1252	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1252	msiexec.exe
Token: SeLockMemoryPrivilege	1252	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1252	msiexec.exe
1252	msiexec.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 732	468	msiexec.exe	86
PID 468 wrote to memory of 732	468	msiexec.exe	86
PID 468 wrote to memory of 732	468	msiexec.exe	86
PID 468 wrote to memory of 4520	468	msiexec.exe	98
PID 468 wrote to memory of 4520	468	msiexec.exe	98
PID 468 wrote to memory of 3688	468	msiexec.exe	100
PID 468 wrote to memory of 3688	468	msiexec.exe	100
PID 468 wrote to memory of 3688	468	msiexec.exe	100
PID 468 wrote to memory of 4796	468	msiexec.exe	101
PID 468 wrote to memory of 4796	468	msiexec.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WPS_Office_PPT_PDF-_Setup.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1252

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C4C9609B0C2B73053A767CB3D6764C19 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:732
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4520
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3E76BB7EDBCBF30A710A5EFB8EAAFCFD
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3688
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 6C91DCCDB2EE541AF576F257B6B579EF
  2⤵
  - Loads dropped DLL
  PID:4796

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5810c5.rbs

Filesize
26KB

MD5
5b95844b25edd54f3fe37b5e6c524b8e

SHA1
468a9305568362e24ed0ddb0689e6e96f20e27a1

SHA256
307d1a0c5947df687ca3745c44f5447e413d3ab8215918f4a008239418b22a43

SHA512
af82c02b3fe4b790316d38450b0ee70e380a726cf361f24790d2e1317480a3088338cbdb2cd94538a779f81297f0f6430c1ced0d2704ab86ea59e4874cff3a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBCF7.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\Installer\MSI1F00.tmp

Filesize
25KB

MD5
81902d13c01fd8a187f3a7f2b72d5dd0

SHA1
0ac01518c5588eb2788730c78f0c581f79cf2ed4

SHA256
eef31e9195cfacde7b4e7eb7384c8178d8811063b375fd4a28ae897cc180c6a6

SHA512
04d6e2e937328477803084e0ef9da2c3636cdc9d34af74e2d1871d7190be21cbb2771ae835175e104e24eccba52add1ba6f58407bfd522ef82b81d76e977f24c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
9af17681170b1334108ffb08b10bc40d

SHA1
069b4a578a17a2bc8a91e200277c1a74bcd502fb

SHA256
f849c5415b2a715a22f9f08b566d0cb2c4e9a18e753ce590b2488133f08ee20c

SHA512
3b4629ffca9fc39aac00154eb5f467990208456105b132d143483655f00252f1d652e3c83d7cd7438179ef359756026d4c9950cf800817de17df506ea02dfe82

Download Submit
\??\Volume{f1c9ec80-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e8d64bab-fc9e-4dd9-af77-1179a29fff3c}_OnDiskSnapshotProp

Filesize
6KB

MD5
e1f8182920904aa71ec070e7fc5e1316

SHA1
bbed1120be7ffac7faf0951a5638b9d7f709bb26

SHA256
1f3ccb288e6585b948836d2e94484f6a1aebacbf8b2840ead3a59257e555154e

SHA512
8cbe8bcf38b2e5e025a1cb8a7e2d46210977365592d934489620fb199585b19e4f76d7839a4ccab45f59cb51003d8b6f00b014fd998d9326df64a8db248080ad

Download Submit