Analysis
- max time kernel: 143s
- max time network: 152s
- platform: windows11-21h2_x64
- resource: win11-20241023-en
- resource tags: arch:x64, arch:x86, image:win11-20241023-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 09/11/2024, 22:02
- Static task: static1
- Behavioral task: behavioral1
  - Sample: NexusFN Installer.msi
  - Resource: win11-20241023-en
General
- Target: NexusFN Installer.msi
- Size: 126.7MB
- MD5: 83338d9ea82fff1be02b65eee8cc2905
- SHA1: bda5f18fefd43976fe83d0ced884d048e75a7644
- SHA256: 370aa26e8145e8c211bb9ceefcce57004795d79e6d5c5e0ab2d4bf56252e2e2a
- SHA512: ee29c9b92ca90c7f8b709efcb0bc82759ac7b73524ad13f5e9d29d12ac40d910ae17e66cac7f15350302a39ec7a317799f7c535b067f722f0a212b72a0f7c857
- SSDEEP: 3145728:AjqcoCtwCBRaaTjQE2P/C1DmefJhuQ+H4UZPNXg7MNnKR//Cly3H:2WEBrTjH2P/CzJK4yNXg7MNnKxCly
Malware Config
Signatures

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 46 entries are "File opened (read-only)" by msiexec.exe, on the following paths in the order reported:
\??\T:, \??\X:, \??\O:, \??\Q:, \??\R:, \??\H:, \??\P:, \??\Q:, \??\W:, \??\S:, \??\U:, \??\V:, \??\I:, \??\J:, \??\L:, \??\G:, \??\J:, \??\N:, \??\R:, \??\W:, \??\Z:, \??\V:, \??\B:, \??\H:, \??\M:, \??\X:, \??\I:, \??\M:, \??\O:, \??\P:, \??\Y:, \??\K:, \??\S:, \??\U:, \??\Y:, \??\A:, \??\L:, \??\A:, \??\B:, \??\N:, \??\K:, \??\T:, \??\Z:, \??\E:, \??\G:, \??\E:
Drops file in Windows directory (15 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SystemTemp\~DF91749D374A04B235.TMP | msiexec.exe |
| File created | C:\Windows\Installer\e57fc03.msi | msiexec.exe |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSIBA.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\ | msiexec.exe |
| File created | C:\Windows\Installer\SourceHash{9E1680FF-4C43-4747-8CB7-63B423248401} | msiexec.exe |
| File created | C:\Windows\SystemTemp\~DF802FB735CED20B67.TMP | msiexec.exe |
| File created | C:\Windows\SystemTemp\~DF66B48AAD6A0C47AF.TMP | msiexec.exe |
| File created | C:\Windows\SystemTemp\~DF18B3052CBCD5977F.TMP | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSIFCA0.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSIFD8C.tmp | msiexec.exe |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\e57fc03.msi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSIFD7B.tmp | msiexec.exe |
| File created | C:\Windows\Installer\e57fc05.msi | msiexec.exe |
Loads dropped DLL (10 IoCs)

| pid | Process | entries |
|---|---|---|
| 4988 | MsiExec.exe | 7 |
| 3544 | MsiExec.exe | 3 |
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe |
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not present on page) | vssvc.exe |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe |
Suspicious behavior: EnumeratesProcesses (2 IoCs)

| pid | Process | entries |
|---|---|---|
| 5024 | msiexec.exe | 2 |
Suspicious use of AdjustPrivilegeToken (64 IoCs)

PID 5024 (msiexec.exe), 1 entry:
Token: SeSecurityPrivilege

PID 912 (msiexec.exe), 63 entries, in the order reported:
Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege
Suspicious use of FindShellTrayWindow (1 IoCs)

| pid | Process |
|---|---|
| 912 | msiexec.exe |
Suspicious use of WriteProcessMemory (8 IoCs)

| description | pid | Process | procid_target | entries |
|---|---|---|---|---|
| PID 5024 wrote to memory of 4988 | 5024 | msiexec.exe | 82 | 3 |
| PID 5024 wrote to memory of 3744 | 5024 | msiexec.exe | 87 | 2 |
| PID 5024 wrote to memory of 3544 | 5024 | msiexec.exe | 89 | 3 |
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Windows\system32\msiexec.exe (PID 912, depth 1)
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\NexusFN Installer.msi"
  Signatures:
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 5024, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\syswow64\MsiExec.exe (PID 4988, depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C3A05C8188ED527C8369309853E8B067 C
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  - C:\Windows\system32\srtasks.exe (PID 3744, depth 2)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

  - C:\Windows\syswow64\MsiExec.exe (PID 3544, depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E71B830D028B0B46993E3CCFF3C33217
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

- C:\Windows\system32\vssvc.exe (PID 2588, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15