392062387237180f947774e21e0b154d46155416a7a81e780f0c79664cb9b570

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scribe_4.10.5.msi
Size

81.8MB
MD5

010394b91ce56a6835ba9f69375d7f81
SHA1

56cbb6c0e22b69e9f4a14ee16106a090ec75b4b1
SHA256

392062387237180f947774e21e0b154d46155416a7a81e780f0c79664cb9b570
SHA512

35986e0afb5016ab48477c296c1136e13cfec8cf45eb8d35d56ee7df463f8e13e7888861ce7e5e27a3fdaf31e64e6da8d12ae9b8e421e7ab1fcda9f6aca7098f
SSDEEP

1572864:kd8rwbiwRUE9g4rc636T/zCRHZ/DYdqgMtsBkmGFjXeYPtUyqSO:kuwbitognS6Tmld1nC9G1XeYg

Score

8^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com.scribehow.Scribe = "\"C:\\Program Files\\Scribe\\Scribe for Windows.exe\" \"%1\""	msiexec.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	5016	msiexec.exe
4	5016	msiexec.exe
9	5016	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\Scribe\PresentationNative_cor3.dll	msiexec.exe
File opened for modification	C:\Program Files\Scribe\ScribeAutoupdater.ini	msiexec.exe
File created	C:\Program Files\Scribe\av_libglesv2.dll	msiexec.exe
File created	C:\Program Files\Scribe\PenImc_cor3.dll	msiexec.exe
File created	C:\Program Files\Scribe\D3DCompiler_47_cor3.dll	msiexec.exe
File created	C:\Program Files\Scribe\libHarfBuzzSharp.dll	msiexec.exe
File created	C:\Program Files\Scribe\libSkiaSharp.dll	msiexec.exe
File created	C:\Program Files\Scribe\vcruntime140_cor3.dll	msiexec.exe
File created	C:\Program Files\Scribe\wpfgfx_cor3.dll	msiexec.exe
File created	C:\Program Files\Scribe\Scribe for Windows.exe	msiexec.exe
File created	C:\Program Files\Scribe\ScribeAutoupdater.exe	msiexec.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e583ef8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI411B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI498C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4BE2.tmp	msiexec.exe
File created	C:\Windows\Installer\{176e06a6-757b-4ede-a909-74bb2379d675}\IdleIcon1.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI48FD.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{176e06a6-757b-4ede-a909-74bb2379d675}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4BB2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C31.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI48AD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI491D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{176e06a6-757b-4ede-a909-74bb2379d675}\IdleIcon1.exe	msiexec.exe
File created	C:\Windows\Installer\e583efa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI529B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e583ef8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI493D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI49DB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4BA1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4C8F.tmp	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
4332	MSI529B.tmp
4732	MSI5C31.tmp
4668	ScribeAutoupdater.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1612	sc.exe

Loads dropped DLL 25 IoCs

pid	Process
3700	MsiExec.exe
3700	MsiExec.exe
3700	MsiExec.exe
3700	MsiExec.exe
3700	MsiExec.exe
3700	MsiExec.exe
3700	MsiExec.exe
3700	MsiExec.exe
3700	MsiExec.exe
3700	MsiExec.exe
3700	MsiExec.exe
3700	MsiExec.exe
3700	MsiExec.exe
3700	MsiExec.exe
3700	MsiExec.exe
3244	MsiExec.exe
3244	MsiExec.exe
3244	MsiExec.exe
3244	MsiExec.exe
3244	MsiExec.exe
3244	MsiExec.exe
3244	MsiExec.exe
3244	MsiExec.exe
3244	MsiExec.exe
4616	MsiExec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
512	powershell.exe
4400	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
5016	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI529B.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI5C31.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScribeAutoupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f914d34881601a250000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f914d3480000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f914d348000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df914d348000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f914d34800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MSI529B.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MSI529B.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MSI529B.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MSI5C31.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MSI5C31.tmp
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MSI529B.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MSI529B.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MSI5C31.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MSI5C31.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MSI5C31.tmp
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\scribehow\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6a60e671b757ede49a9047bb32976d57	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\Version = "67764229"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\SourceList\PackageName = "Scribe_4.10.5.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\scribehow\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scribehow\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scribehow\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\scribehow	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scribehow\URL Protocol = "scribehow"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\657FE1535FA37114687935BA16240704	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6a60e671b757ede49a9047bb32976d57\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scribehow	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scribehow\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\ProductName = "Scribe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scribehow\shell\open\command\ = "\"C:\\Program Files\\Scribe\\Scribe for Windows.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\PackageCode = "48D08FF42816D7548BF149ECA3CFB2A9"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\ProductIcon = "C:\\Windows\\Installer\\{176e06a6-757b-4ede-a909-74bb2379d675}\\IdleIcon1.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\657FE1535FA37114687935BA16240704\6a60e671b757ede49a9047bb32976d57	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\scribehow\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6a60e671b757ede49a9047bb32976d57\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
512	powershell.exe
512	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
628	msiexec.exe
628	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5016	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5016	msiexec.exe
Token: SeSecurityPrivilege	628	msiexec.exe
Token: SeCreateTokenPrivilege	5016	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5016	msiexec.exe
Token: SeLockMemoryPrivilege	5016	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5016	msiexec.exe
Token: SeMachineAccountPrivilege	5016	msiexec.exe
Token: SeTcbPrivilege	5016	msiexec.exe
Token: SeSecurityPrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeLoadDriverPrivilege	5016	msiexec.exe
Token: SeSystemProfilePrivilege	5016	msiexec.exe
Token: SeSystemtimePrivilege	5016	msiexec.exe
Token: SeProfSingleProcessPrivilege	5016	msiexec.exe
Token: SeIncBasePriorityPrivilege	5016	msiexec.exe
Token: SeCreatePagefilePrivilege	5016	msiexec.exe
Token: SeCreatePermanentPrivilege	5016	msiexec.exe
Token: SeBackupPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeShutdownPrivilege	5016	msiexec.exe
Token: SeDebugPrivilege	5016	msiexec.exe
Token: SeAuditPrivilege	5016	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5016	msiexec.exe
Token: SeChangeNotifyPrivilege	5016	msiexec.exe
Token: SeRemoteShutdownPrivilege	5016	msiexec.exe
Token: SeUndockPrivilege	5016	msiexec.exe
Token: SeSyncAgentPrivilege	5016	msiexec.exe
Token: SeEnableDelegationPrivilege	5016	msiexec.exe
Token: SeManageVolumePrivilege	5016	msiexec.exe
Token: SeImpersonatePrivilege	5016	msiexec.exe
Token: SeCreateGlobalPrivilege	5016	msiexec.exe
Token: SeCreateTokenPrivilege	5016	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5016	msiexec.exe
Token: SeLockMemoryPrivilege	5016	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5016	msiexec.exe
Token: SeMachineAccountPrivilege	5016	msiexec.exe
Token: SeTcbPrivilege	5016	msiexec.exe
Token: SeSecurityPrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeLoadDriverPrivilege	5016	msiexec.exe
Token: SeSystemProfilePrivilege	5016	msiexec.exe
Token: SeSystemtimePrivilege	5016	msiexec.exe
Token: SeProfSingleProcessPrivilege	5016	msiexec.exe
Token: SeIncBasePriorityPrivilege	5016	msiexec.exe
Token: SeCreatePagefilePrivilege	5016	msiexec.exe
Token: SeCreatePermanentPrivilege	5016	msiexec.exe
Token: SeBackupPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeShutdownPrivilege	5016	msiexec.exe
Token: SeDebugPrivilege	5016	msiexec.exe
Token: SeAuditPrivilege	5016	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5016	msiexec.exe
Token: SeChangeNotifyPrivilege	5016	msiexec.exe
Token: SeRemoteShutdownPrivilege	5016	msiexec.exe
Token: SeUndockPrivilege	5016	msiexec.exe
Token: SeSyncAgentPrivilege	5016	msiexec.exe
Token: SeEnableDelegationPrivilege	5016	msiexec.exe
Token: SeManageVolumePrivilege	5016	msiexec.exe
Token: SeImpersonatePrivilege	5016	msiexec.exe
Token: SeCreateGlobalPrivilege	5016	msiexec.exe
Token: SeCreateTokenPrivilege	5016	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5016	msiexec.exe
Token: SeLockMemoryPrivilege	5016	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5016	msiexec.exe
5016	msiexec.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 3700	628	msiexec.exe	88
PID 628 wrote to memory of 3700	628	msiexec.exe	88
PID 628 wrote to memory of 3700	628	msiexec.exe	88
PID 3700 wrote to memory of 512	3700	MsiExec.exe	89
PID 3700 wrote to memory of 512	3700	MsiExec.exe	89
PID 3700 wrote to memory of 512	3700	MsiExec.exe	89
PID 628 wrote to memory of 412	628	msiexec.exe	103
PID 628 wrote to memory of 412	628	msiexec.exe	103
PID 628 wrote to memory of 3244	628	msiexec.exe	105
PID 628 wrote to memory of 3244	628	msiexec.exe	105
PID 628 wrote to memory of 3244	628	msiexec.exe	105
PID 3244 wrote to memory of 4400	3244	MsiExec.exe	106
PID 3244 wrote to memory of 4400	3244	MsiExec.exe	106
PID 3244 wrote to memory of 4400	3244	MsiExec.exe	106
PID 628 wrote to memory of 4616	628	msiexec.exe	109
PID 628 wrote to memory of 4616	628	msiexec.exe	109
PID 628 wrote to memory of 4616	628	msiexec.exe	109
PID 628 wrote to memory of 4332	628	msiexec.exe	110
PID 628 wrote to memory of 4332	628	msiexec.exe	110
PID 628 wrote to memory of 4332	628	msiexec.exe	110
PID 4332 wrote to memory of 1612	4332	MSI529B.tmp	111
PID 4332 wrote to memory of 1612	4332	MSI529B.tmp	111
PID 4332 wrote to memory of 1612	4332	MSI529B.tmp	111
PID 628 wrote to memory of 4732	628	msiexec.exe	113
PID 628 wrote to memory of 4732	628	msiexec.exe	113
PID 628 wrote to memory of 4732	628	msiexec.exe	113
PID 4732 wrote to memory of 4668	4732	MSI5C31.tmp	114
PID 4732 wrote to memory of 4668	4732	MSI5C31.tmp	114
PID 4732 wrote to memory of 4668	4732	MSI5C31.tmp	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Scribe_4.10.5.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5016

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 32CA4B006436B2C2A3C290BF422167EA C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssB8E3.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiB8E0.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrB8E1.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrB8E2.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:512
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:412
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1151C5156700F880D10E20260274B404
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss4499.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi4486.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr4487.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr4488.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4400
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4C1904C80A96EABB35CAABD451206381 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4616
- C:\Windows\Installer\MSI529B.tmp
  "C:\Windows\Installer\MSI529B.tmp" sc.exe Create ScribeAutoupdater DisplayName=ScribeAutoupdater binPath="\"C:\Program Files\Scribe\ScribeAutoupdater.exe\" /runservice" type=own start=demand
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" Create ScribeAutoupdater DisplayName=ScribeAutoupdater binPath="\"C:\Program Files\Scribe\ScribeAutoupdater.exe\" /runservice" type=own start=demand
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1612
- C:\Windows\Installer\MSI5C31.tmp
  "C:\Windows\Installer\MSI5C31.tmp" "C:\Program Files\Scribe\ScribeAutoupdater.exe" /configservice -name "ScribeAutoupdater"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Program Files\Scribe\ScribeAutoupdater.exe
    "C:\Program Files\Scribe\ScribeAutoupdater.exe" /configservice -name "ScribeAutoupdater"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e583ef9.rbs

Filesize
231KB

MD5
d57265c2e1c6a2ee39844e8acba7cc6d

SHA1
80eea32cc54bd03019556e6a61febc72b6421d3b

SHA256
ff1ffc1959cbe168970c3c181ed491b7c676b257f6cc27c0f2de72ca0b9c7d72

SHA512
e78d11cc5fb2882abffe69e391fe6ff4992f49a10210d29cf3030b3e56d3e0747bc3165494c888675b5844c0b210c21e191dbc9e313bd71df335f11315386d59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_588C97C6118F65EF312BC66A3F7434EA

Filesize
1KB

MD5
4ca5fbf6d004e050953aeab38266f135

SHA1
c56e1507975dea123ceffd42ea8166974ff41058

SHA256
70c5737eeba324b3918073e78d4d56d9deb6418eda7f62edeff15932f4741691

SHA512
7eb168c3221cd12741c474065df9fdd12cbd99f2507cde3609456e20dd8e5b36e5ed922b5c0d09d36ad66b87d7ea1e9a838ec80f6dcb1123698bd9ebb2fa2789

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
f5c0fca7f73f3761d4f9e22bd7064fcd

SHA1
3d2cfe9146aa8def46ca4fd3cd3b8e06f0a4b3fe

SHA256
49970c9d701410b1deb989c99dc83d99690ec96eb38e50f01c57c7dbb59030dc

SHA512
246d94be668ef61d4903bbfd52c6134e42ace0fc672ff36411bf7431b62b761280d60372557507438b95f6a039e543ddd213e2264004429567fe0a6e3993940a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_588C97C6118F65EF312BC66A3F7434EA

Filesize
536B

MD5
c9da682f5b9218033a3840397a12b021

SHA1
7d2c78a854a6a397dbe9aab900c51a8318d6f14f

SHA256
cfbb9c71d08cdd6dc449a775774b498f8d5a8a7bcfdc931e2f2a236d6ac6a8d1

SHA512
aaf3723e9828da395649be2a0543c2cc94c4a9d6265948a3bd9c7453c393a54204bd2458b00a6643dbea9d9c6c2a8e4864bc491561c4f62fbaf3fbbf4a13cff0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
9a9ab32cbbea92316a518d83974cf08c

SHA1
c42c124488baa24a29d82c7b6b41774955f03637

SHA256
e98a0d24d9d97c968d8608e176a0cec663a463cacfa337ffd7eced51fdec2f6f

SHA512
abc00265af622972246cf0e02e23905eea515b139f0371ffa974ae810b69ed19484c62fcb3c7b3cc1afd9382350aa944c6587490cddb562b66a7ec5de0fb80f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
3e73702332f1fcef1c29d9ec9639f0e0

SHA1
10542c39cc21a170f2f26d05afc9f3fbc5bfee24

SHA256
fa2b4814f2ecf532e7edc29ee5376b9be0063b046b25ebe6ce90010280734603

SHA512
1f4fabee62790d2450925ab488bc6492cc7d3fba99fee53513cd1f9a7de6349871c0b086ef3f05b78ceb0e6330347794c4ebbe1c6cd060c10ac6b9ed36567e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB71B.tmp

Filesize
738KB

MD5
ee45c6dffaf86ed2a76d8f969c390c08

SHA1
ff5b2942ffa7d28ed3f72208e8e76391b2991b5a

SHA256
118a551eef23bf842ed470316aa1a50bf17b6d656652879802d4acc0184608ca

SHA512
a92bc7aff5da3dc33263ea3d43cf617d47a2a6c589118f7ee3c5f293d63171778a7a37815ec23cb426558546cf0a1e694c67c7cbc36cca92677de566d1d71664

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB884.tmp

Filesize
758KB

MD5
743c67416aa1d2568679f45ef36e0179

SHA1
dc7163deb7e0d0e493f0ced46fb2fd0b29e19910

SHA256
58800c0b1f916f5ac032ab6e9410d2e5d687eebc95c2955bded68ac97dacd639

SHA512
f35f5a19aa3fe6fc723b771e7199e35cff4de5ed26a5a0a86377288f9487875bbdb19231743f2a7a019642f59ab57ed7cc02e7b4b9a6ec3c11b595596aa6066c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC54B.tmp

Filesize
875KB

MD5
0100adb48a98b69b29b817fc65547aa8

SHA1
958c3a436211758373087efa732fa5e9fb16f5b3

SHA256
f754814bda0f682382da00f49f21eb66f47c02504e4fb9322bc8068f0f168b41

SHA512
00203279917359ba4838f7232d9cd8db479cf61506aa4dbbb08e6e53b0cfdc5c489928e97cd936df2b7d46d71073d78294085e3ad3e6974c07d242d8c0f9a6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC58A.tmp

Filesize
1.1MB

MD5
e6d26b10972bc3b58ccd535e1278cc32

SHA1
10996e7f0b267e7f0c6843f9860bc7da89e5d2c2

SHA256
3dbb46ee1950b828c53f2c5dee3371559327f8c6932e549c3543eaf16846a5de

SHA512
530836aef2da9287a08cfebfcb195cfd986ee6a8265e84fe372fb17e58a7b37814e529f49ef22bf204c860a1e451be78213d51a60356f501cf44ff10c0482eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vtktbkmo.cro.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssB8E3.ps1

Filesize
6KB

MD5
30c30ef2cb47e35101d13402b5661179

SHA1
25696b2aab86a9233f19017539e2dd83b2f75d4e

SHA256
53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

SHA512
882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrB8E1.ps1

Filesize
1KB

MD5
d80b7b237ba8af313dd12bf9f6af372f

SHA1
3ec20cc5411e3b927047cf06552067203abd8862

SHA256
a2bc34970de61ced4f2978bd71c78a092c528458b681ede5e1f5c195d14eb1ab

SHA512
6352ea735dc56053003c6b895a3bdc565c0b588cb6af39596745f6a7da31442358c167f3c2d6e3b65502f437b6c4475e9a1b0ef31694f658425c3ecd9eb734cc

Download Submit
C:\Windows\Installer\MSI4BB2.tmp

Filesize
215KB

MD5
fa6cf27d72756d6a0794c65d1133befa

SHA1
90949a22d68347f6834c581abc88faf63e7cb8c0

SHA256
d058a04e0b5550db64d816485d9d25411fba27d3b9a4ef1d2dfe47e98c4a054b

SHA512
6ecc9b610325f015659c2a79deaac50f879f0261236a54c76468150f5194ae8c1a7ff284d13818908fae26ea2a2077f982e97ecc5d7264d7c77d74610ad1dede

Download Submit
C:\Windows\Installer\MSI4BE2.tmp

Filesize
867KB

MD5
1f5b50d7a407dfc7a31a27eebd328d9e

SHA1
07c5a269617c58da000ebf721177001a26b75883

SHA256
c2f506d02738146c5a47fe43ca6049a979e1c327303bfdf66ab2493038d25f17

SHA512
1767d3d3a2c7b53f44fdd1f0e888c7099a806bb010e9b97a05bcfff221a5c70a70eb9026ee515a48dbbbce45619bb3a4ec1e24d0e00184df2b30851109c3a3af

Download Submit
C:\Windows\Installer\MSI529B.tmp

Filesize
416KB

MD5
a36a0d5453ac9d116c3e4681a169d733

SHA1
b0efa1c9b70ae523f7e08742a04be5ef1e4c0fec

SHA256
49ab423cafb4bfab3d3fdba43f8aec8bfcc8aa9c9cb2a352488aa24e6ad3fa55

SHA512
e0389be8f0333a814ec86849405ae8b796ba98deb41d3dec72e96d7762ff0e876ee064628c8bb9020b8718b27859b9ae49199ff34497769f2fd0a6e3d779f5fe

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
c029bd81eaf09906618cf0f3e4965c5c

SHA1
df10f291f984814862dcbfd42c1732be58d5a8ac

SHA256
b633151113f47117078e7571059f6a1045e908e3cd219e4ce8f6eb99c093dd74

SHA512
37c9844c4a5b498d7d00f8c6b9d45c742b997d5a0f302a2ac3181ca4d8aa42ea0e653857fb70f0d588ca7694a3eadccc429b448ac064254da3ebf85fc98d3727

Download Submit
\??\Volume{48d314f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9c8986f2-61ea-4364-8a81-e5012a7b2cb0}_OnDiskSnapshotProp

Filesize
6KB

MD5
db3c193c71a7d406f745fc8d09f7deb9

SHA1
97989d9cb566470651aae97937bdca6b255b1ab0

SHA256
59286de3ace284b0e34be26ba3c291d9fe292efe0efa68d15d413bf47af311ee

SHA512
9ce1f9a84cff6f490e5843e3ec1cfc1d63a8583e6dddd10a9fb12b4be0522e37ceb8dcc1b031b390d8cdb92ed476d4f86f44924f605d9e52e05bf6c5ef0c74f3

Download Submit
memory/512-38-0x0000000005BC0000-0x0000000005F14000-memory.dmp

Filesize
3.3MB

Download
memory/512-39-0x0000000006190000-0x00000000061AE000-memory.dmp

Filesize
120KB

Download
memory/512-45-0x0000000006780000-0x00000000067A2000-memory.dmp

Filesize
136KB

Download
memory/512-44-0x0000000007480000-0x0000000007516000-memory.dmp

Filesize
600KB

Download
memory/512-43-0x00000000066E0000-0x00000000066FA000-memory.dmp

Filesize
104KB

Download
memory/512-42-0x0000000007B00000-0x000000000817A000-memory.dmp

Filesize
6.5MB

Download
memory/512-40-0x00000000061E0000-0x000000000622C000-memory.dmp

Filesize
304KB

Download
memory/512-46-0x0000000008180000-0x0000000008724000-memory.dmp

Filesize
5.6MB

Download
memory/512-24-0x0000000002BB0000-0x0000000002BE6000-memory.dmp

Filesize
216KB

Download
memory/512-28-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/512-27-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/512-26-0x0000000005940000-0x0000000005962000-memory.dmp

Filesize
136KB

Download
memory/512-25-0x00000000052E0000-0x0000000005908000-memory.dmp

Filesize
6.2MB

Download
memory/4400-130-0x0000000005DE0000-0x0000000006134000-memory.dmp

Filesize
3.3MB

Download