Analysis
- max time kernel: 134s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-10-2024 07:28
Static task: static1
Behavioral task: behavioral1
- Sample: Koalageddon-2.0.1.msi
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: Koalageddon-2.0.1.msi
- Resource: win10v2004-20241007-en
General
- Target: Koalageddon-2.0.1.msi
- Size: 46.4MB
- MD5: 155295f8dbaae190dd34adadecfb302e
- SHA1: c720229eb480dadd40649a2447b3e618a83d568c
- SHA256: 793a6b5980872bc0c16c53ee550f860b90e8955fbbf2f0bd15734e05e9b4c3b8
- SHA512: cd6d4405bf387faa538426a2cfefdecd4c7f3a649f4cfce1eab85cea22a345f304525d222a48785528b7e19f83b76a536a1895e3f32ea8153d93ddae29850dd7
- SSDEEP: 786432:EdQiEpqgLHk81Ywf/9gK7rhd8cHcSQAw8Luh1CKGSsKN4PgGagUiNaLFRB3p/n4U:GXEvE81vCjSE8yhAc1TgUiNaLFRdlx0e
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description | IoC | process):
- File opened (read-only) | \??\L: | msiexec.exe
- File opened (read-only) | \??\Y: | msiexec.exe
- File opened (read-only) | \??\M: | msiexec.exe
- File opened (read-only) | \??\N: | msiexec.exe
- File opened (read-only) | \??\S: | msiexec.exe
- File opened (read-only) | \??\T: | msiexec.exe
- File opened (read-only) | \??\T: | msiexec.exe
- File opened (read-only) | \??\V: | msiexec.exe
- File opened (read-only) | \??\P: | msiexec.exe
- File opened (read-only) | \??\R: | msiexec.exe
- File opened (read-only) | \??\V: | msiexec.exe
- File opened (read-only) | \??\H: | msiexec.exe
- File opened (read-only) | \??\S: | msiexec.exe
- File opened (read-only) | \??\J: | msiexec.exe
- File opened (read-only) | \??\W: | msiexec.exe
- File opened (read-only) | \??\P: | msiexec.exe
- File opened (read-only) | \??\W: | msiexec.exe
- File opened (read-only) | \??\R: | msiexec.exe
- File opened (read-only) | \??\I: | msiexec.exe
- File opened (read-only) | \??\U: | msiexec.exe
- File opened (read-only) | \??\B: | msiexec.exe
- File opened (read-only) | \??\J: | msiexec.exe
- File opened (read-only) | \??\K: | msiexec.exe
- File opened (read-only) | \??\Z: | msiexec.exe
- File opened (read-only) | \??\L: | msiexec.exe
- File opened (read-only) | \??\Y: | msiexec.exe
- File opened (read-only) | \??\I: | msiexec.exe
- File opened (read-only) | \??\M: | msiexec.exe
- File opened (read-only) | \??\Q: | msiexec.exe
- File opened (read-only) | \??\G: | msiexec.exe
- File opened (read-only) | \??\O: | msiexec.exe
- File opened (read-only) | \??\X: | msiexec.exe
- File opened (read-only) | \??\B: | msiexec.exe
- File opened (read-only) | \??\G: | msiexec.exe
- File opened (read-only) | \??\O: | msiexec.exe
- File opened (read-only) | \??\Q: | msiexec.exe
- File opened (read-only) | \??\A: | msiexec.exe
- File opened (read-only) | \??\Z: | msiexec.exe
- File opened (read-only) | \??\E: | msiexec.exe
- File opened (read-only) | \??\N: | msiexec.exe
- File opened (read-only) | \??\A: | msiexec.exe
- File opened (read-only) | \??\E: | msiexec.exe
- File opened (read-only) | \??\H: | msiexec.exe
- File opened (read-only) | \??\K: | msiexec.exe
- File opened (read-only) | \??\X: | msiexec.exe
- File opened (read-only) | \??\U: | msiexec.exe
Drops file in Program Files directory (64 IoCs)
Processes (description | IoC | process):
- File created | C:\Program Files\Koalageddon\runtime\lib\jawt.lib | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\lib\psfont.properties.ja | msiexec.exe
- File created | C:\Program Files\Koalageddon\app\ui-graphics-desktop-1.3.0-59b535876d1f4c2a8ec6f15bf7e16c47.jar | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-math-l1-1-0.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\app\ktor-network-tls-jvm-2.2.3-508820c2e5acebb83259e0899f99ed.jar | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-file-l2-1-0.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\conf\sound.properties | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-profile-l1-1-0.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\app\kotlinx-serialization-json-jvm-1.4.1-9cd33c9b12c371a5d8934c97466eb70.jar | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\legal\java.management\LICENSE | msiexec.exe
- File created | C:\Program Files\Koalageddon\app\ktor-serialization-kotlinx-jvm-2.2.3-1aecfb974fda437e5d23d62c859f6444.jar | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-string-l1-1-0.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\lib\security\default.policy | msiexec.exe
- File created | C:\Program Files\Koalageddon\app\Utilities-1.9-1743ef7c86228a5fc7415c35d339dfdb.jar | msiexec.exe
- File created | C:\Program Files\Koalageddon\app\ui-text-desktop-1.3.0-66c6ff6b69306fe56b8e9748469ef7ab.jar | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\legal\java.security.sasl\COPYRIGHT | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\legal\java.base\COPYRIGHT | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\java.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\conf\security\policy\README.txt | msiexec.exe
- File created | C:\Program Files\Koalageddon\app\ui-desktop-1.3.0-a7e94e2d777927f3ad9a25ad39acfba2.jar | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\legal\java.base\wepoll.md | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\legal\java.xml\bcel.md | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\mlib_image.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\freetype.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-rtlsupport-l1-1-0.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\legal\jdk.unsupported\LICENSE | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-namedpipe-l1-1-0.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\app\kaverit-jvm-2.3.0-17af38bb801a1e7f9991de1afdb3b4ed.jar | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\verify.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-synch-l1-1-0.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\legal\java.datatransfer\LICENSE | msiexec.exe
- File created | C:\Program Files\Koalageddon\app\kotlin-stdlib-jdk8-1.8.0-34246294df79630616b9b6352ffcece.jar | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-processthreads-l1-1-1.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\legal\java.transaction.xa\LICENSE | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-handle-l1-1-0.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\app\PeParser-3.1-c48591bef4ad95be5953db6129e5721.jar | msiexec.exe
- File created | C:\Program Files\Koalageddon\app\ui-unit-desktop-1.3.0-fa0f4cc64687b48417c78a5bf14718.jar | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-time-l1-1-0.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\legal\java.xml\xalan.md | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\awt.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-heap-l1-1-0.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\app\PropertyLoader-1.0-fa4ec16cd0863af4cf71a88731eba37.jar | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-private-l1-1-0.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\lib\tzmappings | msiexec.exe
- File created | C:\Program Files\Koalageddon\app\ktor-events-jvm-2.2.3-735dd3b1c28f8e74b5ca8d7d8be79.jar | msiexec.exe
- File created | C:\Program Files\Koalageddon\app\Koalageddon.cfg | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-environment-l1-1-0.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-stdio-l1-1-0.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\legal\java.management\COPYRIGHT | msiexec.exe
- File created | C:\Program Files\Koalageddon\app\material-desktop-1.3.0-805f648b10fd38a6131dee330734127.jar | msiexec.exe
- File created | C:\Program Files\Koalageddon\app\bcprov-jdk15on-1.66-fd57b228172782ae6a73d22a7ac9b45.jar | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\lib\security\blocked.certs | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\legal\java.base\public_suffix.md | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\ucrtbase.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\app\atomicfu-jvm-0.17.2-d6b6f3a195696acf1828b1f125125ed7.jar | msiexec.exe
- File created | C:\Program Files\Koalageddon\app\ktor-http-jvm-2.2.3-15a672e4d075b69214c65d1ffea69e.jar | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-conio-l1-1-0.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-debug-l1-1-0.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\server\jvm.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-memory-l1-1-0.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-file-l1-2-0.dll | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\legal\java.base\asm.md | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\legal\jdk.crypto.ec\LICENSE | msiexec.exe
- File created | C:\Program Files\Koalageddon\runtime\legal\java.desktop\giflib.md | msiexec.exe
Drops file in Windows directory (13 IoCs)
Processes (description | IoC | process):
- File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
- File created | C:\Windows\Installer\SourceHash{C71B00F0-5060-3665-A444-1BFFD31FA5F7} | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI30FF.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\JpARPPRODUCTICON | msiexec.exe
- File opened for modification | C:\Windows\Installer\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\icon_1862387937 | msiexec.exe
- File opened for modification | C:\Windows\Installer\e582e8d.msi | msiexec.exe
- File opened for modification | C:\Windows\Installer\ | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI2F0A.tmp | msiexec.exe
- File created | C:\Windows\Installer\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\JpARPPRODUCTICON | msiexec.exe
- File created | C:\Windows\Installer\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\icon_1862387937 | msiexec.exe
- File created | C:\Windows\Installer\e582e8f.msi | msiexec.exe
- File created | C:\Windows\Installer\e582e8d.msi | msiexec.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
Loads dropped DLL (3 IoCs)
Processes (pid | process):
- 3328 | MsiExec.exe
- 1380 | MsiExec.exe
- 3824 | MsiExec.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | IoC | process):
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description | IoC | process):
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
- Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
- Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
- Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Modifies data under HKEY_USERS (3 IoCs)
Processes (description | IoC | process):
- Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
- Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Modifies registry class (23 IoCs)
Processes (description | IoC | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\Media\1 = ";" | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\ProductName = "Koalageddon" | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\Net | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\Media | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\InstanceType = "0" | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\AuthorizedLUAApp = "0" | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\550FE40B7A8BE324E8F68353EA49C3E4 | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0F00B17C060556634A44B1FF3DF15A7F\DefaultFeature | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\PackageCode = "EFEAD4423A6F1324DB76D9F43705B59D" | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Version = "33554433" | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\ProductIcon = "C:\\Windows\\Installer\\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\\JpARPPRODUCTICON" | msiexec.exe
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Clients = 3a0000000000 | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\550FE40B7A8BE324E8F68353EA49C3E4\0F00B17C060556634A44B1FF3DF15A7F | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\PackageName = "Koalageddon-2.0.1.msi" | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\AdvertiseFlags = "388" | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\DeploymentFlags = "3" | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0F00B17C060556634A44B1FF3DF15A7F | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Language = "1033" | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Assignment = "1" | msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process):
- 4688 | msiexec.exe
- 4688 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description | pid | process):
- Token: SeShutdownPrivilege | 536 | msiexec.exe
- Token: SeIncreaseQuotaPrivilege | 536 | msiexec.exe
- Token: SeSecurityPrivilege | 4688 | msiexec.exe
- Token: SeCreateTokenPrivilege | 536 | msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege | 536 | msiexec.exe
- Token: SeLockMemoryPrivilege | 536 | msiexec.exe
- Token: SeIncreaseQuotaPrivilege | 536 | msiexec.exe
- Token: SeMachineAccountPrivilege | 536 | msiexec.exe
- Token: SeTcbPrivilege | 536 | msiexec.exe
- Token: SeSecurityPrivilege | 536 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 536 | msiexec.exe
- Token: SeLoadDriverPrivilege | 536 | msiexec.exe
- Token: SeSystemProfilePrivilege | 536 | msiexec.exe
- Token: SeSystemtimePrivilege | 536 | msiexec.exe
- Token: SeProfSingleProcessPrivilege | 536 | msiexec.exe
- Token: SeIncBasePriorityPrivilege | 536 | msiexec.exe
- Token: SeCreatePagefilePrivilege | 536 | msiexec.exe
- Token: SeCreatePermanentPrivilege | 536 | msiexec.exe
- Token: SeBackupPrivilege | 536 | msiexec.exe
- Token: SeRestorePrivilege | 536 | msiexec.exe
- Token: SeShutdownPrivilege | 536 | msiexec.exe
- Token: SeDebugPrivilege | 536 | msiexec.exe
- Token: SeAuditPrivilege | 536 | msiexec.exe
- Token: SeSystemEnvironmentPrivilege | 536 | msiexec.exe
- Token: SeChangeNotifyPrivilege | 536 | msiexec.exe
- Token: SeRemoteShutdownPrivilege | 536 | msiexec.exe
- Token: SeUndockPrivilege | 536 | msiexec.exe
- Token: SeSyncAgentPrivilege | 536 | msiexec.exe
- Token: SeEnableDelegationPrivilege | 536 | msiexec.exe
- Token: SeManageVolumePrivilege | 536 | msiexec.exe
- Token: SeImpersonatePrivilege | 536 | msiexec.exe
- Token: SeCreateGlobalPrivilege | 536 | msiexec.exe
- Token: SeCreateTokenPrivilege | 536 | msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege | 536 | msiexec.exe
- Token: SeLockMemoryPrivilege | 536 | msiexec.exe
- Token: SeIncreaseQuotaPrivilege | 536 | msiexec.exe
- Token: SeMachineAccountPrivilege | 536 | msiexec.exe
- Token: SeTcbPrivilege | 536 | msiexec.exe
- Token: SeSecurityPrivilege | 536 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 536 | msiexec.exe
- Token: SeLoadDriverPrivilege | 536 | msiexec.exe
- Token: SeSystemProfilePrivilege | 536 | msiexec.exe
- Token: SeSystemtimePrivilege | 536 | msiexec.exe
- Token: SeProfSingleProcessPrivilege | 536 | msiexec.exe
- Token: SeIncBasePriorityPrivilege | 536 | msiexec.exe
- Token: SeCreatePagefilePrivilege | 536 | msiexec.exe
- Token: SeCreatePermanentPrivilege | 536 | msiexec.exe
- Token: SeBackupPrivilege | 536 | msiexec.exe
- Token: SeRestorePrivilege | 536 | msiexec.exe
- Token: SeShutdownPrivilege | 536 | msiexec.exe
- Token: SeDebugPrivilege | 536 | msiexec.exe
- Token: SeAuditPrivilege | 536 | msiexec.exe
- Token: SeSystemEnvironmentPrivilege | 536 | msiexec.exe
- Token: SeChangeNotifyPrivilege | 536 | msiexec.exe
- Token: SeRemoteShutdownPrivilege | 536 | msiexec.exe
- Token: SeUndockPrivilege | 536 | msiexec.exe
- Token: SeSyncAgentPrivilege | 536 | msiexec.exe
- Token: SeEnableDelegationPrivilege | 536 | msiexec.exe
- Token: SeManageVolumePrivilege | 536 | msiexec.exe
- Token: SeImpersonatePrivilege | 536 | msiexec.exe
- Token: SeCreateGlobalPrivilege | 536 | msiexec.exe
- Token: SeCreateTokenPrivilege | 536 | msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege | 536 | msiexec.exe
- Token: SeLockMemoryPrivilege | 536 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid | process):
- 536 | msiexec.exe
- 536 | msiexec.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes (description | pid | process | target process):
- PID 4688 wrote to memory of 3328 | 4688 | msiexec.exe | MsiExec.exe
- PID 4688 wrote to memory of 3328 | 4688 | msiexec.exe | MsiExec.exe
- PID 4688 wrote to memory of 3328 | 4688 | msiexec.exe | MsiExec.exe
- PID 4688 wrote to memory of 1380 | 4688 | msiexec.exe | MsiExec.exe
- PID 4688 wrote to memory of 1380 | 4688 | msiexec.exe | MsiExec.exe
- PID 4688 wrote to memory of 1560 | 4688 | msiexec.exe | srtasks.exe
- PID 4688 wrote to memory of 1560 | 4688 | msiexec.exe | srtasks.exe
- PID 4688 wrote to memory of 3824 | 4688 | msiexec.exe | MsiExec.exe
- PID 4688 wrote to memory of 3824 | 4688 | msiexec.exe | MsiExec.exe
- PID 4688 wrote to memory of 3824 | 4688 | msiexec.exe | MsiExec.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows parent/child relationships)
- C:\Windows\system32\msiexec.exe (PID 536)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Koalageddon-2.0.1.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4688)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\syswow64\MsiExec.exe (PID 3328)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E89E1BA75BCED028310FDE04DA4C6EBD C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\System32\MsiExec.exe (PID 1380)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding F6ACF243DF499EF5FDADA1E1CD14E072 C
    - Loads dropped DLL
  - C:\Windows\system32\srtasks.exe (PID 1560)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\syswow64\MsiExec.exe (PID 3824)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding D99D14A8B313F9D71338A415DF586AAB
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 2512)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 56KB
  MD5: 6cc7b5f9934222667a33320dff252687
  SHA1: 0bcf814bd326a66da6b6c4109db3c757c4fa9ce9
  SHA256: 2b335c0fa9489e097064fa6e42e1a0de10fe91b901650c05de1201b43d07c9b9
  SHA512: 91939aae253ff4ec9eac486926427487c20ee937117240099e63d670c8058c04ce6f1de772fb6073c8e9612265c7638ca2d84d4b6ea8dd358e3abf5eb8bc4f73
- Filesize: 448KB
  MD5: f3fee249c9335225e3af98f11d805f34
  SHA1: 1d5065a559c156c11caf81ebfa9f3366caba76b2
  SHA256: edfc0e68e302b33410c0bcddca6bd2112f0816861cc9360e22b80c0004852e24
  SHA512: f0652631f55e2530ff6e4b5462a48df7109a1969f14af8c9778b413fea84a0113e30c9281ff772921a981d45e8dcb9150d141cbc9b33d0fb98d3fec7a62e4896
- Filesize: 33B
  MD5: 16989bab922811e28b64ac30449a5d05
  SHA1: 51ab20e8c19ee570bf6c496ec7346b7cf17bd04a
  SHA256: 86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192
  SHA512: 86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608
- Filesize: 35B
  MD5: 4586c3797f538d41b7b2e30e8afebbc9
  SHA1: 3419ebac878fa53a9f0ff1617045ddaafb43dce0
  SHA256: 7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018
  SHA512: f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3
- Filesize: 113KB
  MD5: 4fdd16752561cf585fed1506914d73e0
  SHA1: f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
  SHA256: aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
  SHA512: 3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600
- Filesize: 104KB
  MD5: e76ab52d50197baddbc0d921e1d8eea5
  SHA1: 3789e237ad3b07ef43f4014e99099a0b43b1392d
  SHA256: 6e3dae02524f00ee37f33123f7fac943ed2a8617988ec4a667fcddb7764c634c
  SHA512: f21b9b45a3b8b079c26568962559d56377fe0cbefde287f4fb763c8fd85df72220858bca598dcbaaa47c0fa23ea9c4ed90375a40d6a55ca062dc373cfbe80c6e
- Filesize: 211KB
  MD5: a3ae5d86ecf38db9427359ea37a5f646
  SHA1: eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
  SHA256: c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
  SHA512: 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
- Filesize: 46.4MB
  MD5: 155295f8dbaae190dd34adadecfb302e
  SHA1: c720229eb480dadd40649a2447b3e618a83d568c
  SHA256: 793a6b5980872bc0c16c53ee550f860b90e8955fbbf2f0bd15734e05e9b4c3b8
  SHA512: cd6d4405bf387faa538426a2cfefdecd4c7f3a649f4cfce1eab85cea22a345f304525d222a48785528b7e19f83b76a536a1895e3f32ea8153d93ddae29850dd7
- Filesize: 24.1MB
  MD5: 3fca7e2ac8c7ca56ce91edd9aa560d08
  SHA1: 05952459be8848bccf8e8a2b6fdb87d84b6828f3
  SHA256: d411ee3745826f51815226fed38c2fb4029ee12db46c87d73bad27eda5907c10
  SHA512: cc8024d43bbea441f0091cb0a576028eb9ed208aec52f2e3e265cf02b1d22437d86986d413bd10c1153a43b2aec6e76ba79f956e6423b088bdafaed74d66d01e
- \??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{23b604f6-a3ae-4e01-b06d-0cd13ea44874}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 83f88802be5028f01d87de46a470405c
  SHA1: 722f67485f7a9787ec2e116e5d9aa36702f3325c
  SHA256: 9064378b517d48b370d1dbb4c200fe52f8268a5e9b223c42ad0e89d95ee09a82
  SHA512: 32cfad974b4cc09e5560093d37d72765428d48d7ac619837614cb8730645e6d61e7c981c11e162a38b6b279dedaf30b82ccb5a0de705d36e24d2d9c85d15c05e