Analysis
- max time kernel: 79s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-10-2024 01:43
Static task: static1
Behavioral task: behavioral1
- Sample: fa8b7c248496f1cf913f9691091901c11877070110d240673b3dd947f46093fd.msi
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: fa8b7c248496f1cf913f9691091901c11877070110d240673b3dd947f46093fd.msi
- Resource: win10v2004-20240802-en
General
- Target: fa8b7c248496f1cf913f9691091901c11877070110d240673b3dd947f46093fd.msi
- Size: 2.9MB
- MD5: 3b99d6ddf8dda188ba5596d25eb5082d
- SHA1: 97f0218ba3529184dda5ffad538b2e511c9a11e2
- SHA256: fa8b7c248496f1cf913f9691091901c11877070110d240673b3dd947f46093fd
- SHA512: 889577435fc8415b20d4632b6df5d78907dc6d66f26a33b9639009eadee6d80e6c477702e9b7e8a5b45dd911df82d274d27e4b5ea9f1478d2ed79f937f460db4
- SSDEEP: 49152:6/fZzerSX55NaiU0o8P5Ferq7I5RJK5k1Q/Y02gCQsG592CB6b0Wk:airSxdxFeb02b
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  20    3772  MsiExec.exe
  22    3772  MsiExec.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  All 64 events are "File opened (read-only)" by msiexec.exe on a drive root given in NT object-manager form (\??\X:). Events per drive letter:
  A: 3  B: 3  E: 2  G: 3  H: 3  I: 3  J: 3  K: 3  L: 3  M: 3  N: 3  O: 3  P: 3  Q: 3  R: 3  S: 2  T: 3  U: 3  V: 3  W: 2  X: 3  Y: 1  Z: 3
  No events are listed for C:, D: or F:.
Drops file in Program Files directory (64 IoCs)
  All 64 events are "File created" by msiexec.exe under C:\Program Files\WasabiWallet\ (paths below are relative to that directory):
  jre\lib\jfr\default.jfc
  jre\legal\java.desktop\COPYRIGHT
  Avalonia.Fonts.Inter.dll
  jre\legal\java.sql.rowset\COPYRIGHT
  Microsoft.CSharp.dll
  Microservices\Binaries\win64\Tor\LICENSE
  System.IO.Compression.Native.dll
  Microsoft.Data.Sqlite.dll
  System.Net.WebHeaderCollection.dll
  jre\bin\freetype.dll
  jre\lib\security\cacerts
  jre\legal\java.xml\dom.md
  System.ObjectModel.dll
  MicroCom.Runtime.dll
  Avalonia.Controls.dll
  Avalonia.Markup.dll
  Microsoft.Extensions.Caching.Abstractions.dll
  jre\bin\api-ms-win-core-timezone-l1-1-0.dll
  ReactiveUI.dll
  jre\legal\jdk.jdwp.agent\LICENSE
  WalletWasabi.Daemon.pdb
  System.Linq.Queryable.dll
  System.IO.Pipelines.dll
  jre\bin\fontmanager.dll
  WalletWasabi.Daemon.dll
  Avalonia.DesignerSupport.dll
  System.Reflection.Emit.Lightweight.dll
  jre\bin\java.dll
  jre\lib\jvm.lib
  jre\legal\jdk.jsobject\COPYRIGHT
  System.Collections.Immutable.dll
  jre\bin\rmi.dll
  jre\bin\api-ms-win-crt-time-l1-1-0.dll
  System.Formats.Tar.dll
  System.Security.Cryptography.Csp.dll
  System.Runtime.Serialization.Formatters.dll
  jre\bin\ktab.exe
  jre\lib\tzdb.dat
  System.Runtime.Serialization.Primitives.dll
  Avalonia.Xaml.Interactions.Events.dll
  e_sqlite3.dll
  jre\bin\api-ms-win-crt-process-l1-1-0.dll
  Microsoft.Extensions.Primitives.dll
  System.Buffers.dll
  System.Text.RegularExpressions.dll
  System.Data.Common.dll
  jre\legal\java.base\icu.md
  System.Reflection.TypeExtensions.dll
  jre\legal\java.desktop\lcms.md
  System.ComponentModel.DataAnnotations.dll
  System.Runtime.InteropServices.RuntimeInformation.dll
  Microsoft.Extensions.Caching.Memory.dll
  jre\legal\jdk.crypto.ec\LICENSE
  jre\legal\java.desktop\opengl.md
  jre\bin\server\jvm.dll
  System.Memory.dll
  System.Reflection.DispatchProxy.dll
  System.Drawing.Primitives.dll
  System.Text.Encoding.Extensions.dll
  System.Xml.XmlSerializer.dll
  System.IO.Pipes.dll
  System.Xml.XDocument.dll
  System.IO.FileSystem.DriveInfo.dll
  jre\legal\java.xml\jcup.md
Drops file in Windows directory (18 IoCs)
  All events by msiexec.exe.
  File created                 C:\Windows\Installer\e5832e2.msi
  File created                 C:\Windows\Installer\inprogressinstallinfo.ipi
  File created                 C:\Windows\Installer\e5832e4.msi
  File opened for modification C:\Windows\Installer\e5832e4.msi
  File created                 C:\Windows\Installer\e5832e6.msi
  File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  File opened for modification C:\Windows\Installer\MSI339F.tmp
  File opened for modification C:\Windows\Installer\MSI341D.tmp
  File opened for modification C:\Windows\Installer\MSI347C.tmp
  File opened for modification C:\Windows\Installer\MSI3528.tmp
  File opened for modification C:\Windows\Installer\MSI3340.tmp
  File created                 C:\Windows\Installer\SourceHash{FD1DF55A-A524-448D-9669-E90738865A64}
  File created                 C:\Windows\Installer\{7E27347D-8384-46CE-902E-1A7B1BB18ADF}\icon.ico
  File opened for modification C:\Windows\Installer\e5832e2.msi
  File opened for modification C:\Windows\Installer\
  File created                 C:\Windows\Installer\SourceHash{7E27347D-8384-46CE-902E-1A7B1BB18ADF}
  File opened for modification C:\Windows\Installer\MSI6C08.tmp
  File opened for modification C:\Windows\Installer\{7E27347D-8384-46CE-902E-1A7B1BB18ADF}\icon.ico
Loads dropped DLL (18 IoCs)
  pid   Process      events
  3772  MsiExec.exe  14
  556   MsiExec.exe  4
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid   Process
  2960  msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run, however, all five events come from vssvc.exe (the Volume Shadow Copy service) rather than from any of the installer's own processes, and the process tree shows srtasks.exe ExecuteScopeRestorePoint running under the installer service: these reads and writes are the snapshot bookkeeping of the restore point that Windows Installer requests before the install, not a sandbox check by the sample.
  All events by vssvc.exe, under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters:
  Key opened        (the Device Parameters key itself)
  Key queried       (the Device Parameters key itself)
  Key created       Partmgr
  Set value (data)  Partmgr\PartitionTableCache = (binary value not reproduced in this copy of the report)
  Set value (data)  Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Modifies data under HKEY_USERS (5 IoCs)
  All events by msiexec.exe.
  Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E
  Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26
  Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27
  Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27
  Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28
Modifies registry class (25 IoCs)
  All events by msiexec.exe unless noted.
  Under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D74372E74838EC6409E2A1B7B11BA8FD:
  Key created       (the product key itself)
  Set value (str)   ProductName = "Wasabi Wallet"
  Set value (int)   Language = "1033"
  Set value (int)   Version = "33554439"
  Set value (str)   PackageCode = "EC7E96F5076113C44B688E87C93CABE9"
  Set value (int)   InstanceType = "0"
  Set value (int)   Assignment = "1"
  Set value (int)   AuthorizedLUAApp = "0"
  Set value (int)   AdvertiseFlags = "388"
  Set value (int)   DeploymentFlags = "3"
  Set value (str)   ProductIcon = "C:\\Windows\\Installer\\{7E27347D-8384-46CE-902E-1A7B1BB18ADF}\\icon.ico"
  Set value (data)  Clients = 3a0000000000
  Key created       SourceList
  Set value (str)   SourceList\PackageName = "Wasabi.msi"
  Set value (str)   SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\ZKsnacks\\Wasabi Wallet\\prerequisites\\Wasabi\\"
  Key created       SourceList\Net
  Set value (str)   SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\ZKsnacks\\Wasabi Wallet\\prerequisites\\Wasabi\\"
  Key created       SourceList\Media
  Set value (str)   SourceList\Media\1 = ";"
  Set value (str)   SourceList\Media\2 = ";"
  Other keys:
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D74372E74838EC6409E2A1B7B11BA8FD
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D74372E74838EC6409E2A1B7B11BA8FD\ProductFeature
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\37708E8DFC8D13048B3BAA57A00F4B31
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\37708E8DFC8D13048B3BAA57A00F4B31\D74372E74838EC6409E2A1B7B11BA8FD
  Key created       \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings  (MsiExec.exe)
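The 32-hex-digit key names in the rows above are Windows Installer's packed (compressed) form of the ProductCode and UpgradeCode GUIDs, and the Version value is a packed DWORD. The Python below is an added worked example, not part of this report or of the Wasabi Wallet installer: it decodes both forms and ties the Products key back to the {7E27347D-8384-46CE-902E-1A7B1BB18ADF} GUID that appears unpacked in the SourceHash file name and the ProductIcon path listed above. REPORT_IOCS is transcribed from the rows above; the decoding rules are the documented Windows Installer encoding, and the derived values (for example ProductVersion 2.0.7 from 33554439) follow from them rather than from anything else on the page.

```python
"""Decode the Windows Installer registry footprint recorded in the report.

Windows Installer keys products under
HKLM\\SOFTWARE\\Classes\\Installer\\Products\\<packed GUID>, where the packed
form of {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} is: the first three fields
reversed as whole hex strings, then the last sixteen hex digits reversed in
two-character pairs. The Version value is a DWORD packing major.minor.build
as byte/byte/word.
"""
import re

_GUID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
    r"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?$"
)
# Matches the hive, packed GUID and trailing "subkey = value" of an Installer IoC path.
_INSTALLER_KEY_RE = re.compile(
    r"\\Installer\\(Products|Features|UpgradeCodes)\\([0-9A-Fa-f]{32})(?:\\(.*))?$"
)


def _swap_pairs(hexstr: str) -> str:
    """Reverse every two-character pair: 'AB12' -> 'BA21'."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def pack_guid(guid: str) -> str:
    """{7E27347D-8384-46CE-902E-1A7B1BB18ADF} -> D74372E74838EC6409E2A1B7B11BA8FD"""
    m = _GUID_RE.match(guid)
    if not m:
        raise ValueError(f"not a GUID: {guid!r}")
    a, b, c, d, e = (g.upper() for g in m.groups())
    return a[::-1] + b[::-1] + c[::-1] + _swap_pairs(d) + _swap_pairs(e)


def unpack_guid(packed: str) -> str:
    """Inverse of pack_guid; each field transform is its own inverse."""
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", packed):
        raise ValueError(f"packed GUID must be 32 hex digits: {packed!r}")
    p = packed.upper()
    return "{%s-%s-%s-%s-%s}" % (
        p[0:8][::-1], p[8:12][::-1], p[12:16][::-1],
        _swap_pairs(p[16:20]), _swap_pairs(p[20:32]),
    )


def decode_version(dword: int) -> str:
    """Installer ProductVersion DWORD: major<<24 | minor<<16 | build."""
    return f"{(dword >> 24) & 0xFF}.{(dword >> 16) & 0xFF}.{dword & 0xFFFF}"


def summarize_installer_iocs(iocs):
    """Collapse 'Set value' / 'Key created' IoC paths into one product record."""
    info = {}
    for line in iocs:
        m = _INSTALLER_KEY_RE.search(line)
        if not m:
            continue
        hive, packed, rest = m.group(1), m.group(2), m.group(3) or ""
        if hive == "Products":
            info.setdefault("ProductCode", unpack_guid(packed))
        elif hive == "UpgradeCodes":
            info.setdefault("UpgradeCode", unpack_guid(packed))
        name, _sep, value = rest.partition(" = ")
        value = value.strip().strip('"')
        if name == "Version":
            info["Version"] = decode_version(int(value))
        elif name == "PackageCode":
            info["PackageCode"] = unpack_guid(value)
        elif name in ("ProductName", "Language"):
            info[name] = value
    return info


# Transcribed from the 'Modifies registry class' rows of the report (ioc column only).
REPORT_IOCS = [
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D74372E74838EC6409E2A1B7B11BA8FD\ProductName = "Wasabi Wallet"',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D74372E74838EC6409E2A1B7B11BA8FD\Language = "1033"',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D74372E74838EC6409E2A1B7B11BA8FD\Version = "33554439"',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D74372E74838EC6409E2A1B7B11BA8FD\PackageCode = "EC7E96F5076113C44B688E87C93CABE9"',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\37708E8DFC8D13048B3BAA57A00F4B31',
]

if __name__ == "__main__":
    for key, val in summarize_installer_iocs(REPORT_IOCS).items():
        print(f"{key:12} {val}")
```

If the unpacked Products key did not equal the GUID in the SourceHash file name or the ProductIcon path, two different products would have been registered in one run; here they agree. Because the packing transform is its own inverse, pack_guid(unpack_guid(x)) == x is a cheap self-check on the UpgradeCodes and PackageCode values, whose unpacked forms the report does not print.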
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process      events
  2820  msiexec.exe  4
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 2960 msiexec.exe (63 events): SeShutdownPrivilege and SeIncreaseQuotaPrivilege, then the following 29 privileges requested in the same order twice in full and a third time as far as SeLockMemoryPrivilege:
    SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 2820 msiexec.exe (1 event): SeSecurityPrivilege
Suspicious use of FindShellTrayWindow (4 IoCs)
  pid   Process      events
  2960  msiexec.exe  2
  688   msiexec.exe  2
Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process      procid_target  events
  PID 2820 wrote to memory of 3772  2820  msiexec.exe  87             3
  PID 2820 wrote to memory of 3972  2820  msiexec.exe  98             2
  PID 2820 wrote to memory of 556   2820  msiexec.exe  100            3
  PID 3772 wrote to memory of 688   3772  MsiExec.exe  102            3
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(child processes are indented under the process that started them)

C:\Windows\system32\msiexec.exe  PID 2960
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fa8b7c248496f1cf913f9691091901c11877070110d240673b3dd947f46093fd.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  PID 2820
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe  PID 3772
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 12639B2AA0A61F8EC2E874B9CC76255B C
      - Blocklisted process makes network request
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\msiexec.exe  PID 688
          Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\ZKsnacks\Wasabi Wallet\prerequisites\Wasabi\Wasabi.msi"
          (The command line names System32 but the image path is SysWOW64: the 32-bit parent's launch was subject to WOW64 file-system redirection.)
          - Enumerates connected drives
          - System Location Discovery: System Language Discovery
          - Suspicious use of FindShellTrayWindow

    C:\Windows\system32\srtasks.exe  PID 3972
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    C:\Windows\syswow64\MsiExec.exe  PID 556
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F468A1630D59AAF801F56FF5E3F32C4A
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe  PID 1092
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
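The WriteProcessMemory rows in the Signatures section and the process tree above describe the same four process relationships: every CreateProcess call appears in a sandbox trace as the parent writing into the address space of the child it has just created (the process parameters are written before the child's first thread runs), so a parent-to-child write is expected, while a write into a process the writer did not spawn is the shape of code injection. The Python below is an added example, not part of this report: it rebuilds the parent map from the depth-ordered tree listing and checks every writer/target pair against it. PROCESS_TREE and WRITE_EVENTS are transcribed from this page; the (688, 2960) event mentioned afterwards is a constructed anomaly used only to show what a flagged write would look like.

```python
"""Cross-check 'Suspicious use of WriteProcessMemory' events against the process tree.

A write from a parent into the child it has just spawned is how every
CreateProcess call looks; a write into an unrelated process is the pattern
worth investigating. Both tables below are transcribed from the report.
"""
from collections import Counter

# (pid, depth, image) in report order; depth 1 = top level, and children
# are listed directly after their parent one level deeper.
PROCESS_TREE = [
    (2960, 1, r"C:\Windows\system32\msiexec.exe"),
    (2820, 1, r"C:\Windows\system32\msiexec.exe"),
    (3772, 2, r"C:\Windows\syswow64\MsiExec.exe"),
    (688, 3, r"C:\Windows\SysWOW64\msiexec.exe"),
    (3972, 2, r"C:\Windows\system32\srtasks.exe"),
    (556, 2, r"C:\Windows\syswow64\MsiExec.exe"),
    (1092, 1, r"C:\Windows\system32\vssvc.exe"),
]

# (writer pid, target pid), one entry per reported event (11 in total).
WRITE_EVENTS = (
    [(2820, 3772)] * 3 + [(2820, 3972)] * 2 + [(2820, 556)] * 3 + [(3772, 688)] * 3
)


def parent_map(tree):
    """Derive {child_pid: parent_pid} from a depth-annotated, pre-order listing."""
    parents = {}
    last_at_depth = {}
    for pid, depth, _image in tree:
        parents[pid] = last_at_depth.get(depth - 1)  # None for top-level processes
        last_at_depth[depth] = pid
        # Drop stale deeper entries so the next sibling's children attach correctly.
        for d in [d for d in last_at_depth if d > depth]:
            del last_at_depth[d]
    return parents


def classify_writes(events, tree):
    """Split (writer, target) events into expected parent->child writes and
    cross-process writes that warrant a closer look. Returns per-pair counts."""
    parents = parent_map(tree)
    result = {"parent_to_child": {}, "cross_process": {}}
    for pair, n in Counter(events).items():
        writer, target = pair
        bucket = "parent_to_child" if parents.get(target) == writer else "cross_process"
        result[bucket][pair] = n
    return result


if __name__ == "__main__":
    verdict = classify_writes(WRITE_EVENTS, PROCESS_TREE)
    for bucket, pairs in verdict.items():
        for (writer, target), n in pairs.items():
            print(f"{bucket:16} {writer} -> {target}  x{n}")
```

For this report all four distinct pairs land in parent_to_child and cross_process stays empty, which is what the tree already implies: the installer service (2820) started 3772, 3972 and 556, and 3772 started 688. Appending a constructed event such as (688, 2960), a write from the nested msiexec into the top-level one, is the only way to make cross_process non-empty on this data, and that is the case the check exists to surface.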
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: e8e82312685e67c7d9ff336ff688419b
  SHA1: 8a0c068907ae65fae0ec2d06d198d02edc50e9c4
  SHA256: bbff14f54625aa63b1b2a64394e52a19ebc46294f97ecc6b036d774046693dd3
  SHA512: 7110f29bf58ccf1739fe1e98002bb26533688405be5c907d297623a8cdab23003748a624e642df15b5b1e0658a4da438c4bcdfa8e6b84b8dceee9fad156a64ae
- Filesize: 114KB
  MD5: 619ccd9acc38d573e2b36ad148bf6c6f
  SHA1: b5dd321ea3eb80eb0f5d2353c52d63b18c68fd40
  SHA256: 9ef937e3929c0f25e0535885ac0033a3d3c5c1973440bd20f54bf4eef2708230
  SHA512: 4eac4f6e63fcde54d94047b003561d6176433f654ccc927bed7cf0fd45719b6f2083fc65b1d86d66b7c1d6bff2fe4c77c36a3af737a8f271b3963cfa54c40ac5
- Filesize: 35B
  MD5: 4586c3797f538d41b7b2e30e8afebbc9
  SHA1: 3419ebac878fa53a9f0ff1617045ddaafb43dce0
  SHA256: 7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018
  SHA512: f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3
- Filesize: 33B
  MD5: 16989bab922811e28b64ac30449a5d05
  SHA1: 51ab20e8c19ee570bf6c496ec7346b7cf17bd04a
  SHA256: 86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192
  SHA512: 86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608
- Filesize: 260KB
  MD5: 3d2774b383648deaa4bfe4638ce766a2
  SHA1: b0604b1bf776deeebefe80d41e294181619a4020
  SHA256: 51fd5692565d4108eb6ae859b727686ef3ea6cad1b3d5b8509e55e642e1424ae
  SHA512: dde12c3275e967fb3b92511684d682118a62fd176eb26aad77b92c8b369c8364f4bb3c5e763cc0d6bf450d9f8cfb9fa30b5bd377921c6b44fde0420be8e16929
- Filesize: 904KB
  MD5: 421643ee7bb89e6df092bc4b18a40ff8
  SHA1: e801582a6dd358060a699c9c5cde31cd07ee49ab
  SHA256: d6b89fd5a95071e7b144d8bedcb09b694e9cd14bfbfafb782b17cf8413eac6da
  SHA512: d59c4ec7690e535da84f94bef2be7f94d6bfd0b2908fa9a67d0897abe8a2825fd52354c495ea1a7f133f727c2ee356869cc80bacf5557864d535a72d8c396023
- Filesize: 877KB
  MD5: a67acb81551a030e01cda17fa4732580
  SHA1: 9f6b54919ee967fddf20e74714049b8c13640083
  SHA256: 107fd7ee1eaf17c27b4ed25990acace2cb51f8d39f4dfc8ef5a3df03d02e1d34
  SHA512: 30cc0870797220e23af40d5f50a9ce823c1120fba821ff15e057587c2a91c7247058e9a8479088047b9dc908c5176793e6f3ccd066da30bd80e1179649b2f346
- Filesize: 23.7MB
  MD5: eab67f235d3c306f8ed8d711fdcd16ca
  SHA1: 50bc612b58131af476ac9a97b98a44068ccf1619
  SHA256: 25fa2c653f28e01b645025a15519bdd69fccfc6196833a68810f1e34e18ed0e2
  SHA512: 2911eff5466a8b0467a037212b0daca07b59613b7771c4b17e5a3e3707f2a48cabefad6c64d6fdacf00862620737272526cf1770c9ad96498560dde181f668c7
- \??\Volume{fa3589b5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{dc4100b3-8b2a-4c42-98ef-474a8c7d5129}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: b5e1ff2d9ec107607392127c508d425c
  SHA1: a82d6cfd60107fa8ae5b0b327c7053673e674e09
  SHA256: 94f776d1021acd5b693f9b0c4ead7619a9bcacd48c294983d1c08b7e1720a524
  SHA512: a56bc67d922c8cc43f4f9d2cc1b21499c1c76c442a23dd3f39be40d2cd9512b940116fa1ad63b214ac519a5b2b45b68c0376a0797dd49a4cb9a65a9232f4dd73