Analysis
max time kernel: 123s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28-09-2024 05:42

Static task: static1

Behavioral task: behavioral1
Sample: 0cd61886c89fef2291639e9ed0227008b2e17199a64296207fe0b6b5f3e91de8.msi
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 0cd61886c89fef2291639e9ed0227008b2e17199a64296207fe0b6b5f3e91de8.msi
Resource: win10v2004-20240802-en
General
Target: 0cd61886c89fef2291639e9ed0227008b2e17199a64296207fe0b6b5f3e91de8.msi
Size: 3.1MB
MD5: d0f6a028fd07c851683f066ff7e1fd5d
SHA1: 31a979b820d541059ac4672ff37851014fabb059
SHA256: 0cd61886c89fef2291639e9ed0227008b2e17199a64296207fe0b6b5f3e91de8
SHA512: b59fdf602d477a178d4dad95fcce4d7fa442d529ca6b7d931c47633280d728c9199c54be041d89ba494f11da179f899337b0f10756a09c85e1f8f578ffb3eb8b
SSDEEP: 49152:ipRh803EQqONeQDE5y6QHS+mrKcunU/qwYWS42CQlmI/pxpcx9O3cJa5tEvb:ipNEQqOAdfKcunUiwS42AI/pxKUtab
Malware Config
Signatures

Modifies file permissions (1 TTPs, 2 IoCs)
  PID  | Process
  2812 | ICACLS.EXE
  1440 | ICACLS.EXE

Adds Run key to start application (2 TTPs, 1 IoCs)
  Description     | IoC | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysDll32 = "C:\\Windows\\SysWOW64\\rundll32.exe /sta {3FEE3C07-4C58-4181-AFFD-C6D138E1301C} \"Applications\"" | WINDBVER.EXE
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  Description             | IoC | Process
  File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 drive letters, each logged twice, giving the 46 IoCs; C:, D: and F: are not opened) | msiexec.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
In this run the COM object is CLSID {3FEE3C07-4C58-4181-AFFD-C6D138E1301C}: reg.exe registers it under the user's Classes hive with an InprocServer32 of C:\Users\Admin\AppData\Roaming\MonitorConfigs\MonitorSettings.dll (see "Modifies registry class"), rundll32.exe /sta {3FEE3C07-4C58-4181-AFFD-C6D138E1301C} instantiates it, and the Run key SysDll32 written by WINDBVER.EXE repeats that rundll32.exe /sta invocation at logon (see "Adds Run key to start application").
Suspicious use of SetThreadContext (1 IoCs)
  Description                           | PID  | Process      | procid_target
  PID 2544 set thread context of 1756   | 2544 | rundll32.exe | 59
Drops file in Windows directory (13 IoCs)
  Description                  | IoC                                | Process
  File opened for modification | C:\Windows\Installer\MSID98E.tmp   | msiexec.exe
  File opened for modification | C:\Windows\INF\setupapi.ev3        | DrvInst.exe
  File created                 | C:\Windows\Installer\f76d23d.msi   | msiexec.exe
  File opened for modification | C:\Windows\Installer\f76d23d.msi   | msiexec.exe
  File created                 | C:\Windows\Installer\f76d23e.ipi   | msiexec.exe
  File opened for modification | C:\Windows\Installer\              | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSID2F8.tmp   | msiexec.exe
  File opened for modification | C:\Windows\Logs\DPX\setuperr.log   | EXPAND.EXE
  File opened for modification | C:\Windows\Installer\MSID9AE.tmp   | msiexec.exe
  File opened for modification | C:\Windows\INF\setupapi.ev1        | DrvInst.exe
  File opened for modification | C:\Windows\INF\setupapi.dev.log    | DrvInst.exe
  File opened for modification | C:\Windows\Logs\DPX\setupact.log   | EXPAND.EXE
  File opened for modification | C:\Windows\Installer\f76d23e.ipi   | msiexec.exe
Executes dropped EXE (2 IoCs)
  PID  | Process
  1708 | cmdfmt.exe
  1756 | WINDBVER.EXE

Loads dropped DLL (14 IoCs)
  PID  | Process      | Entries
  1876 | MsiExec.exe  | 6
  1980 | rundll32.exe | 4
  2544 | rundll32.exe | 4
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
  PID  | Process
  1868 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 19 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description | IoC                                                         | Process (entries)
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (7), timeout.exe (2), ICACLS.EXE (2), rundll32.exe (2), MsiExec.exe (1), EXPAND.EXE (1), cmdfmt.exe (1), reg.exe (1), WINDBVER.EXE (1), wscript.exe (1)
Delays execution with timeout.exe (2 IoCs)
  PID  | Process
  560  | timeout.exe
  1820 | timeout.exe
Modifies data under HKEY_USERS (43 IoCs)
All 43 entries are by DrvInst.exe and sit under \REGISTRY\USER\.DEFAULT (the log writes the hive name variously as Software and SOFTWARE). A store listed with \Certificates, \CRLs, \CTLs means the base key plus those three subkeys were created (4 entries).
  Description      | IoC
  Key created      | SOFTWARE\Microsoft\SystemCertificates\CA, \Certificates, \CRLs, \CTLs
  Key created      | SOFTWARE\Microsoft\SystemCertificates\Disallowed, \Certificates, \CRLs, \CTLs
  Key created      | SOFTWARE\Microsoft\SystemCertificates\My
  Key created      | SOFTWARE\Microsoft\SystemCertificates\Root, \Certificates, \CRLs, \CTLs
  Key created      | SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot, \Certificates, \CRLs, \CTLs
  Key created      | SOFTWARE\Microsoft\SystemCertificates\trust, \Certificates, \CRLs, \CTLs
  Key created      | SOFTWARE\Microsoft\SystemCertificates\TrustedPeople, \Certificates, \CRLs, \CTLs
  Key created      | SOFTWARE\Policies\Microsoft\SystemCertificates\CA, \Certificates, \CRLs, \CTLs
  Key created      | SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed, \Certificates, \CRLs, \CTLs
  Key created      | SOFTWARE\Policies\Microsoft\SystemCertificates\trust, \Certificates, \CRLs, \CTLs
  Key created      | SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople, \Certificates, \CRLs, \CTLs
  Key created      | Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  Set value (data) | SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
Modifies registry class (16 IoCs)
All 16 entries are by reg.exe. CLSID_KEY below stands for \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Wow6432Node\CLSID\{3FEE3C07-4C58-4181-AFFD-C6D138E1301C}.
  Description     | IoC
  Key created     | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Wow6432Node
  Key created     | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Wow6432Node\CLSID
  Key created     | CLSID_KEY (logged twice, once with the path spelled \Registry\User\...\_Classes\...)
  Key created     | CLSID_KEY\Implemented Categories
  Key created     | CLSID_KEY\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
  Key created     | CLSID_KEY\InprocServer32
  Key created     | CLSID_KEY\ProgID
  Key created     | CLSID_KEY\Programmable
  Key created     | CLSID_KEY\TypeLib
  Key created     | CLSID_KEY\VERSION
  Set value (str) | CLSID_KEY\ = "DataContainer.DataInfoStorage"
  Set value (str) | CLSID_KEY\ProgID\ = "DataContainer.DataInfoStorage"
  Set value (str) | CLSID_KEY\VERSION\ = "1.0"
  Set value (str) | CLSID_KEY\InprocServer32\ThreadingModel = "Apartment"
  Set value (str) | CLSID_KEY\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\MonitorConfigs\\MonitorSettings.dll"
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID  | Process     | Entries
  2260 | msiexec.exe | 2

Suspicious use of AdjustPrivilegeToken (57 IoCs)
  PID  | Process     | Tokens (entries)
  1868 | msiexec.exe | 31 entries: SeShutdownPrivilege (x2), SeIncreaseQuotaPrivilege (x2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  2260 | msiexec.exe | 13 entries: SeRestorePrivilege (x6), SeTakeOwnershipPrivilege (x5), SeSecurityPrivilege, SeBackupPrivilege
  2432 | vssvc.exe   | 3 entries: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  2912 | DrvInst.exe | 10 entries: SeRestorePrivilege (x7), SeLoadDriverPrivilege (x3)

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID  | Process     | Entries
  1868 | msiexec.exe | 2

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID  | Process
  1708 | cmdfmt.exe
  1980 | rundll32.exe
  2544 | rundll32.exe
  1756 | WINDBVER.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Each row is one parent-to-child write relationship; Entries is how many times the sandbox logged it.
  Source PID | Target PID | Source process | procid_target | Entries
  2260       | 1876       | msiexec.exe    | 35            | 7
  1876       | 1440       | MsiExec.exe    | 36            | 4
  1876       | 2976       | MsiExec.exe    | 38            | 4
  1876       | 1708       | MsiExec.exe    | 40            | 4
  1876       | 1104       | MsiExec.exe    | 41            | 4
  1104       | 316        | wscript.exe    | 42            | 4
  1876       | 2812       | MsiExec.exe    | 44            | 4
  316        | 1980       | cmd.exe        | 46            | 7
  1980       | 916        | rundll32.exe   | 47            | 4
  916        | 2512       | cmd.exe        | 49            | 4
  2512       | 560        | cmd.exe        | 50            | 4
  916        | 2440       | cmd.exe        | 51            | 4
  2440       | 964        | cmd.exe        | 52            | 4
  1980       | 2548       | rundll32.exe   | 53            | 4
  2548       | 1028       | cmd.exe        | 55            | 2
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Indentation shows the parent/child nesting of the process tree; each entry gives the image path, PID, command line and the signatures matched by that process.

C:\Windows\system32\msiexec.exe (PID 1868)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0cd61886c89fef2291639e9ed0227008b2e17199a64296207fe0b6b5f3e91de8.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 2260)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe (PID 1876)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B1D7E9B2B681C715FCC015A8DF032949
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\ICACLS.EXE (PID 1440)
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-c6b0ef62-253f-4389-9791-2b9975efa840\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\EXPAND.EXE (PID 2976)
      Command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\MW-c6b0ef62-253f-4389-9791-2b9975efa840\files\cmdfmt.exe (PID 1708)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MW-c6b0ef62-253f-4389-9791-2b9975efa840\files\cmdfmt.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\wscript.exe (PID 1104)
      Command line: "C:\Windows\System32\wscript.exe" Sleep.vbs
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 316)
        Command line: "C:\Windows\System32\cmd.exe" /k rundll32 Endpoint.dll, RunDllEntryPointW
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe (PID 1980)
          Command line: rundll32 Endpoint.dll, RunDllEntryPointW
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\cmd.exe (PID 916)
            Command line: cmd /c cd C:\Users\Admin\AppData\Roaming\MonitorConfigs&&cmd /c timeout 1&&cmd /c reg.exe import add.txt
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe (PID 2512)
              Command line: cmd /c timeout 1
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\timeout.exe (PID 560)
                Command line: timeout 1
                - System Location Discovery: System Language Discovery
                - Delays execution with timeout.exe
            C:\Windows\SysWOW64\cmd.exe (PID 2440)
              Command line: cmd /c reg.exe import add.txt
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\reg.exe (PID 964)
                Command line: reg.exe import add.txt
                - System Location Discovery: System Language Discovery
                - Modifies registry class
          C:\Windows\SysWOW64\cmd.exe (PID 2548)
            Command line: cmd /c cd C:\Users\Admin\AppData\Roaming\MonitorConfigs&&cmd /c timeout 1&&cmd /c rundll32.exe /sta {3FEE3C07-4C58-4181-AFFD-C6D138E1301C}
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe (PID 1028)
              Command line: cmd /c timeout 1
              - System Location Discovery: System Language Discovery
              C:\Windows\SysWOW64\timeout.exe (PID 1820)
                Command line: timeout 1
                - System Location Discovery: System Language Discovery
                - Delays execution with timeout.exe
            C:\Windows\SysWOW64\cmd.exe (PID 3028)
              Command line: cmd /c rundll32.exe /sta {3FEE3C07-4C58-4181-AFFD-C6D138E1301C}
              - System Location Discovery: System Language Discovery
              C:\Windows\SysWOW64\rundll32.exe (PID 2544)
                Command line: rundll32.exe /sta {3FEE3C07-4C58-4181-AFFD-C6D138E1301C}
                - Suspicious use of SetThreadContext
                - Loads dropped DLL
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
                C:\Users\Admin\AppData\Roaming\MComponents\WINDBVER.EXE (PID 1756)
                  Command line: C:\Users\Admin\AppData\Roaming\MComponents\WINDBVER.EXE
                  - Adds Run key to start application
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\ICACLS.EXE (PID 2812)
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-c6b0ef62-253f-4389-9791-2b9975efa840\." /SETINTEGRITYLEVEL (CI)(OI)LOW
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe (PID 2432)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe (PID 2912)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E4" "0000000000000318"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Numbers in parentheses are the matched-signature counts per technique.
Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Event Triggered Execution (2)
    - Component Object Model Hijacking (1)
    - Installer Packages (1)
Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Event Triggered Execution (2)
    - Component Object Model Hijacking (1)
    - Installer Packages (1)
Defense Evasion
  - File and Directory Permissions Modification (1)
  - Modify Registry (1)
  - System Binary Proxy Execution (1)
    - Msiexec (1)
Downloads