Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24-10-2024 12:21
Static task
static1
Behavioral task
behavioral1
Sample
setup.msi
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
setup.msi
Resource
win10v2004-20241007-en
General
-
Target
setup.msi
-
Size
1.9MB
-
MD5
d76a468a9012e63f24b706c3517c877e
-
SHA1
1aa6752889be7d67dd3f152980ea04c063e04ad0
-
SHA256
bdd01ab5e2001be0ccda94e6f70c2ac850a8652b1eba734f285f24dd0f810255
-
SHA512
940c067eaab6df5d2e238fe9ef9a2e7f5566254912011468e81a21a27e2958785a0787de2f114a4e6333bdd1ed96704fa6ef5397048e3085f32ee454ee4768bf
-
SSDEEP
24576:Mt9cpVDhquBEEaNhnJztj98fF+SJaplcQA5LpzRtV:rpRhqREaNv0foSJYA5LpzLV
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 2 IoCs
pid Process 2340 ICACLS.EXE 2420 ICACLS.EXE -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe -
Drops file in Windows directory 11 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI6613.tmp msiexec.exe File opened for modification C:\Windows\Installer\f766549.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File created C:\Windows\Installer\f766548.msi msiexec.exe File opened for modification C:\Windows\Installer\f766548.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Logs\DPX\setupact.log EXPAND.EXE File opened for modification C:\Windows\Logs\DPX\setuperr.log EXPAND.EXE File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f766549.ipi msiexec.exe -
Loads dropped DLL 1 IoCs
pid Process 604 MsiExec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2132 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ICACLS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXPAND.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ICACLS.EXE -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2188 msiexec.exe 2188 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 53 IoCs
description pid Process Token: SeShutdownPrivilege 2132 msiexec.exe Token: SeIncreaseQuotaPrivilege 2132 msiexec.exe Token: SeRestorePrivilege 2188 msiexec.exe Token: SeTakeOwnershipPrivilege 2188 msiexec.exe Token: SeSecurityPrivilege 2188 msiexec.exe Token: SeCreateTokenPrivilege 2132 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2132 msiexec.exe Token: SeLockMemoryPrivilege 2132 msiexec.exe Token: SeIncreaseQuotaPrivilege 2132 msiexec.exe Token: SeMachineAccountPrivilege 2132 msiexec.exe Token: SeTcbPrivilege 2132 msiexec.exe Token: SeSecurityPrivilege 2132 msiexec.exe Token: SeTakeOwnershipPrivilege 2132 msiexec.exe Token: SeLoadDriverPrivilege 2132 msiexec.exe Token: SeSystemProfilePrivilege 2132 msiexec.exe Token: SeSystemtimePrivilege 2132 msiexec.exe Token: SeProfSingleProcessPrivilege 2132 msiexec.exe Token: SeIncBasePriorityPrivilege 2132 msiexec.exe Token: SeCreatePagefilePrivilege 2132 msiexec.exe Token: SeCreatePermanentPrivilege 2132 msiexec.exe Token: SeBackupPrivilege 2132 msiexec.exe Token: SeRestorePrivilege 2132 msiexec.exe Token: SeShutdownPrivilege 2132 msiexec.exe Token: SeDebugPrivilege 2132 msiexec.exe Token: SeAuditPrivilege 2132 msiexec.exe Token: SeSystemEnvironmentPrivilege 2132 msiexec.exe Token: SeChangeNotifyPrivilege 2132 msiexec.exe Token: SeRemoteShutdownPrivilege 2132 msiexec.exe Token: SeUndockPrivilege 2132 msiexec.exe Token: SeSyncAgentPrivilege 2132 msiexec.exe Token: SeEnableDelegationPrivilege 2132 msiexec.exe Token: SeManageVolumePrivilege 2132 msiexec.exe Token: SeImpersonatePrivilege 2132 msiexec.exe Token: SeCreateGlobalPrivilege 2132 msiexec.exe Token: SeBackupPrivilege 2720 vssvc.exe Token: SeRestorePrivilege 2720 vssvc.exe Token: SeAuditPrivilege 2720 vssvc.exe Token: SeBackupPrivilege 2188 msiexec.exe Token: SeRestorePrivilege 2188 msiexec.exe Token: SeRestorePrivilege 2500 DrvInst.exe Token: SeRestorePrivilege 2500 DrvInst.exe Token: SeRestorePrivilege 2500 DrvInst.exe Token: SeRestorePrivilege 2500 DrvInst.exe Token: SeRestorePrivilege 2500 DrvInst.exe Token: SeRestorePrivilege 2500 DrvInst.exe Token: SeRestorePrivilege 2500 DrvInst.exe Token: SeLoadDriverPrivilege 2500 DrvInst.exe Token: SeLoadDriverPrivilege 2500 DrvInst.exe Token: SeLoadDriverPrivilege 2500 DrvInst.exe Token: SeRestorePrivilege 2188 msiexec.exe Token: SeTakeOwnershipPrivilege 2188 msiexec.exe Token: SeRestorePrivilege 2188 msiexec.exe Token: SeTakeOwnershipPrivilege 2188 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2132 msiexec.exe 2132 msiexec.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 2188 wrote to memory of 604 2188 msiexec.exe 32 PID 2188 wrote to memory of 604 2188 msiexec.exe 32 PID 2188 wrote to memory of 604 2188 msiexec.exe 32 PID 2188 wrote to memory of 604 2188 msiexec.exe 32 PID 2188 wrote to memory of 604 2188 msiexec.exe 32 PID 2188 wrote to memory of 604 2188 msiexec.exe 32 PID 2188 wrote to memory of 604 2188 msiexec.exe 32 PID 604 wrote to memory of 2340 604 MsiExec.exe 33 PID 604 wrote to memory of 2340 604 MsiExec.exe 33 PID 604 wrote to memory of 2340 604 MsiExec.exe 33 PID 604 wrote to memory of 2340 604 MsiExec.exe 33 PID 604 wrote to memory of 1840 604 MsiExec.exe 35 PID 604 wrote to memory of 1840 604 MsiExec.exe 35 PID 604 wrote to memory of 1840 604 MsiExec.exe 35 PID 604 wrote to memory of 1840 604 MsiExec.exe 35 PID 604 wrote to memory of 1456 604 MsiExec.exe 37 PID 604 wrote to memory of 1456 604 MsiExec.exe 37 PID 604 wrote to memory of 1456 604 MsiExec.exe 37 PID 604 wrote to memory of 1456 604 MsiExec.exe 37 PID 604 wrote to memory of 2284 604 MsiExec.exe 39 PID 604 wrote to memory of 2284 604 MsiExec.exe 39 PID 604 wrote to memory of 2284 604 MsiExec.exe 39 PID 604 wrote to memory of 2284 604 MsiExec.exe 39 PID 604 wrote to memory of 2420 604 MsiExec.exe 41 PID 604 wrote to memory of 2420 604 MsiExec.exe 41 PID 604 wrote to memory of 2420 604 MsiExec.exe 41 PID 604 wrote to memory of 2420 604 MsiExec.exe 41 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2132
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2EF151A75629D05E815EF50F9F5996632⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:604 -
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-9c00b5aa-2310-4dbd-951d-8e63654ba120\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2340
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1840
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start msedge https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf3⤵
- System Location Discovery: System Language Discovery
PID:1456
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-9c00b5aa-2310-4dbd-951d-8e63654ba120\files"3⤵
- System Location Discovery: System Language Discovery
PID:2284
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-9c00b5aa-2310-4dbd-951d-8e63654ba120\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2420
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E4" "00000000000002F8"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2500
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5cf6b311fd9c673b2d5bb6bc1c218db91
SHA1be082798ac5755fecc898dea57e4a88784b51e9c
SHA2569959d65f822a4c092e085f31490e5ea2a6909ed92595fc19ee280ba8c0646092
SHA512e2298acf6046be3c9bd79667d3bd672b7134731b6ae5d2ed16b0278bef20720d67a99731f0b69d1f4dccc9d61b4aea726c7b6ab4d2429a0cedb1abd41535cd88
-
Filesize
380B
MD51764804454ab2c3f5195eda96d36106f
SHA112489536180f5c934fab4ea88f7c9db2ca677c46
SHA2560971f12972c05beea44445aebbfe05f58fa7db661e2da4b4a085d33af7bdba6a
SHA512b002ed11aee1b69ec19605b7de5b869170385ad426ade895e1a7b906df92f75c94daa30e523ebee2952305194c38ae96e52423142d76b752eb6ddb2843274dcb
-
Filesize
1KB
MD597000ab0cee0afe69b9479c188e178cb
SHA17dfd335a462f09e49076e3db8f5a7e51edc8a0bd
SHA256d2c89e36a2a3c575816d8457ab624c1ad79eb6a34c15b8ebcf866f58538d19db
SHA512fa5dc8ec2d5fbd34971458b50b6b46264ae10439ebf8b9f1892bbb84df0c346321e666f89be7d2803d56a2244f1b26df402544263c9a0727b7b093b7dcd68e3d
-
Filesize
208KB
MD50c8921bbcc37c6efd34faf44cf3b0cb5
SHA1dcfa71246157edcd09eecaf9d4c5e360b24b3e49
SHA256fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
SHA512ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108