Malware Analysis Report

2025-08-10 14:57

Sample ID 241112-pdfnssselg
Target 7z2401.msi
SHA256 1c3c3560906974161f25f5f81de4620787b55ca76002ac3c4fc846d57a06df99
Tags
discovery persistence privilege_escalation
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

1c3c3560906974161f25f5f81de4620787b55ca76002ac3c4fc846d57a06df99

Threat Level: Shows suspicious behavior

The file 7z2401.msi was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence privilege_escalation

Enumerates connected drives

Drops file in Windows directory

Executes dropped EXE

Drops file in Program Files directory

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 12:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 12:12

Reported

2024-11-12 12:14

Platform

win11-20241007-en

Max time kernel

114s

Max time network

114s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7z2401.msi

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\7-Zip\Lang\hi.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\ko.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\7zCon.sfx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\cs.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\el.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\he.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\ku-ckb.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\mng2.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\sa.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\7z.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\fur.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\si.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\sl.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\zh-cn.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\kaa.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\kab.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\ro.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\uk.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\7z.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\readme.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\be.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\ka.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\mk.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\mr.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\7zG.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\gl.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\cy.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\pa-in.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\ne.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\hy.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\ug.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\zh-tw.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\ja.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\7zFM.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\History.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\en.ttt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\ga.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\it.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\ms.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\pl.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\7-zip.chm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\bn.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\tt.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\uz.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\uz-cyrl.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\lij.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\ps.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\es.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\tg.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\nb.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\bg.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\eu.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\io.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\lv.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\ru.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\sr-spl.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\ta.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\tr.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\nl.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\ca.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\da.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\fr.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\sq.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\7-Zip\Lang\sw.txt C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e57f898.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF93DDB199761912F7.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57f89c.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF1D727252D7C72043.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57f898.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF9A8B21FFEEE8378F.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{23170F69-40C1-2701-2401-000001000000} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF954.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF70EE675F0CA41614.TMP C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\7-Zip\7zFM.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\7-Zip\7zFM.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000002fc80c284bade0450000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800002fc80c280000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809002fc80c28000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d2fc80c28000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002fc80c2800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files (x86)\\7-Zip\\7-zip.dll" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Version = "402718720" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0410720000000040000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000\Program = "Complete" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000\Complete C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0410720000000040000000\96F071321C0410724210000010000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000\LanguageFiles = "Complete" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\ProductName = "7-Zip 24.01" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\PackageCode = "96F071321C0410724210000020000000" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Drive\shellex\DragDropHandlers\7-Zip C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\PackageName = "7z2401.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\7-Zip C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\7-Zip C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Directory\shellex\DragDropHandlers\7-Zip C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4440 wrote to memory of 3368 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4440 wrote to memory of 3368 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7z2401.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\7-Zip\7zFM.exe

"C:\Program Files (x86)\7-Zip\7zFM.exe"

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

Network

Country Destination Domain Proto
GB 2.18.66.41:443 tcp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.137:443 www.bing.com tcp
US 8.8.8.8:53 137.128.123.92.in-addr.arpa udp
US 13.107.246.65:443 fp-afd-nocache.azureedge.net tcp
FR 152.199.21.118:443 static-ecst.licdn.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 browser.pipe.aria.microsoft.com udp
US 20.189.173.13:443 browser.pipe.aria.microsoft.com tcp

Files

C:\Config.Msi\e57f899.rbs

MD5 e86a3b8f658a169016416939f83cd2c7
SHA1 63ec56b0462655fbd24f69597f11dd2faad25ecf
SHA256 c160ca82345a7413e51afb32e112f276cbaed2613cdc61227584ef846a339173
SHA512 0be8253b1a6d9cc351c8d2f70261a396bbb4e80182f90560b4fcfbac1940e82223e2fb2dda6e492aa9352fd76aabed1c6855b67fabbf4f451bc991807a12a82f

C:\Windows\Installer\e57f898.msi

MD5 a141303fe3fd74208c1c8a1121a7f67d
SHA1 b55c286e80a9e128fbf615da63169162c08aef94
SHA256 1c3c3560906974161f25f5f81de4620787b55ca76002ac3c4fc846d57a06df99
SHA512 2323c292bfa7ea712d39a4d33cdd19563dd073fee6c684d02e7e931abe72af92f85e5bf8bff7c647e4fcdc522b148e9b8d1dd43a9d37c73c0ae86d5efb1885c8

\??\Volume{280cc82f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4e9311c4-1ff2-46da-9548-1c8eea309690}_OnDiskSnapshotProp

MD5 2342c8e3719ac77bc2923278291f6e0e
SHA1 7296bbe9f2a23fcca3afcdb9862463ae7fac3fd7
SHA256 1080543268adf7e806e560cc6887552b8caf6608c2b47945c2e8033f1985f896
SHA512 a6a0f34d060072e0519223c89fe107ffa8b9222cb80a12a89eb800a0ee40f5bf5508577c34cdd15f326e73aad09e77a5c63209e1144e08211c53b7c019f42cab

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 6b41b5d80def31e3fdb78d38c6d92b4b
SHA1 eaef2e9e7a7fce39744871072ef1f62687d4eb45
SHA256 c2c3f611512a5815921a9f6f9b92bd46d0d4073217f2d21b1241fa3d0f607a4f
SHA512 d6a5e951ce88335eeb1ee68afc8c9e6ff6a63549709e1081dc41e9386f1b844920231756d479e76d489374723d79661842f4a2d4a1c7c99a30811382afb71ace

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 dc879a8af8313d9650b9b9a95ac476bd
SHA1 6ee2343088f99f9665169d9b5dbb60abfe6248cc
SHA256 7435b32ab904760596ee8cb89be798e88e7a97876f91f1a44ba06c1509e480ad
SHA512 2b4bc41f441f443aca620b1375f1d35ec69446d619666811901d070ed8a7f9882332a2d5e65d9f33076030208bae0d92c301e2947c7be3575e20b389a6e11548

C:\Program Files (x86)\7-Zip\7zFM.exe

MD5 52ae15f525a8732bcb89ba874461b05e
SHA1 265ec2444e7724374a9cbba01c4f4d89e58108fa
SHA256 1e6162ad80dc358bd58013500c18ce568ec97734eebb94acd70cb74bba5c0c91
SHA512 617d29d831943bb06a2f3846679cd47025a9979bd3331b221f2239f8ac6f7a255d642dd638be761f71b3f4994b6d84cc0b04a2baf072e1b596d18191a24154ac

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\963629fa-6b8f-4f25-9a9c-91284c3e8e63.down_data

MD5 5683c0028832cae4ef93ca39c8ac5029
SHA1 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512 aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3