ec40da7be23e50181fb692525cc62f6cd5f5caa74f653fabaf5d57df1201263b

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TwDush.msi
Size

66.4MB
MD5

9800a890a4819b574c5aa5ca9e063d96
SHA1

ede8c738d4e58c770f0ba7792e330756aaf28c7f
SHA256

ec40da7be23e50181fb692525cc62f6cd5f5caa74f653fabaf5d57df1201263b
SHA512

ae52316d3f17cab0370ce6a772861ae5ca5a556f140955c93edf91852695964b57b108c1b85a342d2c52ae8090a6c3d97e7fe5a1c4bd87435135572ab5ca12cf
SSDEEP

1572864:vXU1B6zASrGGq3ymZM4yLpQBoxFlfAwwsUZWOVH:vXU1B6ASrGGqCcM/DxFBDwhZzH

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe	mvlKSjKRHbPQ.exe
File opened for modification	C:\Program Files\PlanAnalyzerOptimistic	PtsxcsyatT16.exe
File created	C:\Program Files\PlanAnalyzerOptimistic\MOELauncherSetup_V0TKW.exe	msiexec.exe
File created	C:\Program Files\PlanAnalyzerOptimistic\VKWrWBaIcvTlXvwirqQe	msiexec.exe
File opened for modification	C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.xml	mvlKSjKRHbPQ.exe
File created	C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe	mvlKSjKRHbPQ.exe
File opened for modification	C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe	mvlKSjKRHbPQ.exe
File created	C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe	msiexec.exe
File created	C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe	msiexec.exe
File created	C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.xml	mvlKSjKRHbPQ.exe
File created	C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe	mvlKSjKRHbPQ.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f76a6f9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76a6f9.msi	msiexec.exe
File created	C:\Windows\Installer\f76a6fa.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA850.tmp	msiexec.exe
File created	C:\Windows\Installer\f76a6fc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76a6fa.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Executes dropped EXE 3 IoCs

pid	Process
528	mvlKSjKRHbPQ.exe
2028	PtsxcsyatT16.exe
1988	ToDesk.exe

Loads dropped DLL 9 IoCs

pid	Process
1240	MsiExec.exe
1240	MsiExec.exe
1240	MsiExec.exe
1240	MsiExec.exe
1240	MsiExec.exe
2028	PtsxcsyatT16.exe
2028	PtsxcsyatT16.exe
2028	PtsxcsyatT16.exe
2028	PtsxcsyatT16.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2380	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mvlKSjKRHbPQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PtsxcsyatT16.exe

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E	PtsxcsyatT16.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	PtsxcsyatT16.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	PtsxcsyatT16.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust"	PtsxcsyatT16.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\Version = "134807556"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\PackageName = "TwDush.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E5A40D8B63096B4BAF3DA1D70837CE3	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\PackageCode = "B4C280FC3A938F442BA728B9CF74E9DC"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E5A40D8B63096B4BAF3DA1D70837CE3\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\376C3C4D8C5B1874EB9AE27A958B6EEA	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\376C3C4D8C5B1874EB9AE27A958B6EEA\8E5A40D8B63096B4BAF3DA1D70837CE3	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\ProductName = "PlanAnalyzerOptimistic"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2012	msiexec.exe
2012	msiexec.exe
2028	PtsxcsyatT16.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2380	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2380	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeSecurityPrivilege	2012	msiexec.exe
Token: SeCreateTokenPrivilege	2380	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2380	msiexec.exe
Token: SeLockMemoryPrivilege	2380	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2380	msiexec.exe
Token: SeMachineAccountPrivilege	2380	msiexec.exe
Token: SeTcbPrivilege	2380	msiexec.exe
Token: SeSecurityPrivilege	2380	msiexec.exe
Token: SeTakeOwnershipPrivilege	2380	msiexec.exe
Token: SeLoadDriverPrivilege	2380	msiexec.exe
Token: SeSystemProfilePrivilege	2380	msiexec.exe
Token: SeSystemtimePrivilege	2380	msiexec.exe
Token: SeProfSingleProcessPrivilege	2380	msiexec.exe
Token: SeIncBasePriorityPrivilege	2380	msiexec.exe
Token: SeCreatePagefilePrivilege	2380	msiexec.exe
Token: SeCreatePermanentPrivilege	2380	msiexec.exe
Token: SeBackupPrivilege	2380	msiexec.exe
Token: SeRestorePrivilege	2380	msiexec.exe
Token: SeShutdownPrivilege	2380	msiexec.exe
Token: SeDebugPrivilege	2380	msiexec.exe
Token: SeAuditPrivilege	2380	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2380	msiexec.exe
Token: SeChangeNotifyPrivilege	2380	msiexec.exe
Token: SeRemoteShutdownPrivilege	2380	msiexec.exe
Token: SeUndockPrivilege	2380	msiexec.exe
Token: SeSyncAgentPrivilege	2380	msiexec.exe
Token: SeEnableDelegationPrivilege	2380	msiexec.exe
Token: SeManageVolumePrivilege	2380	msiexec.exe
Token: SeImpersonatePrivilege	2380	msiexec.exe
Token: SeCreateGlobalPrivilege	2380	msiexec.exe
Token: SeBackupPrivilege	2860	vssvc.exe
Token: SeRestorePrivilege	2860	vssvc.exe
Token: SeAuditPrivilege	2860	vssvc.exe
Token: SeBackupPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2720	DrvInst.exe
Token: SeRestorePrivilege	2720	DrvInst.exe
Token: SeRestorePrivilege	2720	DrvInst.exe
Token: SeRestorePrivilege	2720	DrvInst.exe
Token: SeRestorePrivilege	2720	DrvInst.exe
Token: SeRestorePrivilege	2720	DrvInst.exe
Token: SeRestorePrivilege	2720	DrvInst.exe
Token: SeLoadDriverPrivilege	2720	DrvInst.exe
Token: SeLoadDriverPrivilege	2720	DrvInst.exe
Token: SeLoadDriverPrivilege	2720	DrvInst.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2380	msiexec.exe
2380	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1240	2012	msiexec.exe	34
PID 2012 wrote to memory of 1240	2012	msiexec.exe	34
PID 2012 wrote to memory of 1240	2012	msiexec.exe	34
PID 2012 wrote to memory of 1240	2012	msiexec.exe	34
PID 2012 wrote to memory of 1240	2012	msiexec.exe	34
PID 2012 wrote to memory of 1240	2012	msiexec.exe	34
PID 2012 wrote to memory of 1240	2012	msiexec.exe	34
PID 1240 wrote to memory of 528	1240	MsiExec.exe	35
PID 1240 wrote to memory of 528	1240	MsiExec.exe	35
PID 1240 wrote to memory of 528	1240	MsiExec.exe	35
PID 1240 wrote to memory of 528	1240	MsiExec.exe	35
PID 1240 wrote to memory of 2028	1240	MsiExec.exe	37
PID 1240 wrote to memory of 2028	1240	MsiExec.exe	37
PID 1240 wrote to memory of 2028	1240	MsiExec.exe	37
PID 1240 wrote to memory of 2028	1240	MsiExec.exe	37
PID 1240 wrote to memory of 1988	1240	MsiExec.exe	38
PID 1240 wrote to memory of 1988	1240	MsiExec.exe	38
PID 1240 wrote to memory of 1988	1240	MsiExec.exe	38
PID 1240 wrote to memory of 1988	1240	MsiExec.exe	38

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TwDush.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2380

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C7C0DC154DC099864EA127D99817B10F M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe
    "C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe" x "C:\Program Files\PlanAnalyzerOptimistic\VKWrWBaIcvTlXvwirqQe" -o"C:\Program Files\PlanAnalyzerOptimistic\" -pyjlAFQsGZRtyUdVIXREr -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:528
- - C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe
    "C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe" -number 132 -file file3 -mode mode3 -flag flag3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2028
- - C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe
    "C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe"
    3⤵
    - Executes dropped EXE
    PID:1988

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "0000000000000070"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76a6fb.rbs

Filesize
7KB

MD5
64165913ce08744a488915251f506571

SHA1
a2a7c628ef6d6569cbcb6f3f413aff0b0dd8d93b

SHA256
ddf864c614e18ec2b2567163e31955eccbbdba8ccdf845ed68791705cd5fe7ce

SHA512
4b9e6caa68598e19f57ceb1a4cf184ece5eb1a333aa55c33b95895c44b6b3429a5e6cb7620a2f3a37c3793699703a8d5b3ceea98198a7fb8c1c8a6f4e7755e01

Download Submit
C:\Program Files\PlanAnalyzerOptimistic\MOELauncherSetup_V0TKW.exe

Filesize
35.6MB

MD5
f0b4afeb9a9582a84c04d33b4f9c93e5

SHA1
0b9229e8e3879fc4d1310ba493280894cac1f259

SHA256
d71c5c27f6e68be09e40921321a2c6d3b95f65787c33dcc2d66e6939a798a3c9

SHA512
d4c3593590a5574bbfc1270d3aca3b419ea5126735206b5e2104e42fda961844ba90073ebacd917b9b0152c103670d1a64b88c76b03b358feae73794418abe51

Download Submit
C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe

Filesize
2.9MB

MD5
772375794abfe39763f2057e845ff14b

SHA1
08ada20435475025e8b22d4a7460725fdcb0c3d5

SHA256
c31afb76379f0adaaa98d52f7a6dca18cd9f374672e1e85c6c4f7214080e2248

SHA512
ab67f8af704b0bf8902120b23fd2d31a1b12f05dc64f17b0f5fafb1c96bbf93481d4e147967a891028c2f4f0c5dc0b1eb135c003a2bc33ca4e118c60b70a2ad2

Download Submit
C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe

Filesize
48.3MB

MD5
1193d280fe00a77b753b8c196969fddf

SHA1
2ba757374129b149823d67a99e907989732c31dc

SHA256
56e4cbc58c71fbab44bef5bb191659e92fa6713b6e1834465464f4dea44498ad

SHA512
dd62534de37eae14cce7e83ccdf2e9f1fd6d87ea104c25bb107af4826a128ee40507958ce37c3df937ea238f1370a5e3f3cdcf701d015f6e2d31e45d4c0d1327

Download Submit
C:\Program Files\PlanAnalyzerOptimistic\VKWrWBaIcvTlXvwirqQe

Filesize
1.7MB

MD5
2b86a11112da3cafddcd7ee308cea7c9

SHA1
994cce38475425226d857550c86f1651fcfdc2dc

SHA256
5f80ac378a228c920d0dd85c05c986c06ef3bc05b0b98a85df03428a00c6f9e3

SHA512
da141c69561b862dec313b23a636a34ce831c18973c71c1450372350b1aba9be8291b3ecaa909166bb25f4bfbbd0477c6ff2711bb7475ca8c333a9c677ad56a2

Download Submit
C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
memory/1240-12-0x0000000000390000-0x0000000000392000-memory.dmp

Filesize
8KB

Download
memory/2028-43-0x000000000A770000-0x000000000A79A000-memory.dmp

Filesize
168KB

Download