latrodectus | dfff1a07429ff9585f3dab9c78b501174e7c326e1fb95c5234368071b5426768

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

medk.msi
Size

2.0MB
MD5

8cb04bf931a19fa0ae1bd7235180dd4a
SHA1

dfc980a827dbde294ae9fa6e63545d1d57344e96
SHA256

dfff1a07429ff9585f3dab9c78b501174e7c326e1fb95c5234368071b5426768
SHA512

58f1661d689aaa9391f04e086db490693f83b70e068ca10b20cff6f87979a8804aa9f054ac961af06c4b7b17fd88b1912774b2eb3d16b9df8e7a4ed9bb3c0a29
SSDEEP

49152:F943YhW8zBQSc0ZnSKBZKumZr7Apj3Y+7jHplNa:6YY0Zn3K/Al3dXHpra

Score

10^/10

latrodectus discovery loader persistence privilege_escalation

Malware Config

Extracted

Family

latrodectus

https://rolefenik.com/test/

https://ergiholim.com/test/

Signatures

Detects Latrodectus 3 IoCs

Detects Latrodectus v1.4.

resource	yara_rule
behavioral1/memory/2336-73-0x000007FFFFF80000-0x000007FFFFF95000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/1212-80-0x0000000002F80000-0x0000000002F95000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/1212-81-0x0000000002F80000-0x0000000002F95000-memory.dmp	family_latrodectus_1_4

Latrodectus family
latrodectus
Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Blocklisted process makes network request 6 IoCs

flow	pid	Process
4	2336	rundll32.exe
7	2336	rundll32.exe
9	2336	rundll32.exe
10	2336	rundll32.exe
15	2336	rundll32.exe
18	2336	rundll32.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76730e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7514.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7573.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f767311.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76730e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI734C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI73CA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI73FA.tmp	msiexec.exe
File created	C:\Windows\Installer\f767311.ipi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
1116	MSI7573.tmp

Loads dropped DLL 11 IoCs

pid	Process
2988	MsiExec.exe
2988	MsiExec.exe
2988	MsiExec.exe
2860	rundll32.exe
2860	rundll32.exe
2860	rundll32.exe
2860	rundll32.exe
2336	rundll32.exe
2336	rundll32.exe
2336	rundll32.exe
2336	rundll32.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1884	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI7573.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rundll32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2444	msiexec.exe
2444	msiexec.exe
2336	rundll32.exe
2336	rundll32.exe
2336	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1884	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1884	msiexec.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeTakeOwnershipPrivilege	2444	msiexec.exe
Token: SeSecurityPrivilege	2444	msiexec.exe
Token: SeCreateTokenPrivilege	1884	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1884	msiexec.exe
Token: SeLockMemoryPrivilege	1884	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1884	msiexec.exe
Token: SeMachineAccountPrivilege	1884	msiexec.exe
Token: SeTcbPrivilege	1884	msiexec.exe
Token: SeSecurityPrivilege	1884	msiexec.exe
Token: SeTakeOwnershipPrivilege	1884	msiexec.exe
Token: SeLoadDriverPrivilege	1884	msiexec.exe
Token: SeSystemProfilePrivilege	1884	msiexec.exe
Token: SeSystemtimePrivilege	1884	msiexec.exe
Token: SeProfSingleProcessPrivilege	1884	msiexec.exe
Token: SeIncBasePriorityPrivilege	1884	msiexec.exe
Token: SeCreatePagefilePrivilege	1884	msiexec.exe
Token: SeCreatePermanentPrivilege	1884	msiexec.exe
Token: SeBackupPrivilege	1884	msiexec.exe
Token: SeRestorePrivilege	1884	msiexec.exe
Token: SeShutdownPrivilege	1884	msiexec.exe
Token: SeDebugPrivilege	1884	msiexec.exe
Token: SeAuditPrivilege	1884	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1884	msiexec.exe
Token: SeChangeNotifyPrivilege	1884	msiexec.exe
Token: SeRemoteShutdownPrivilege	1884	msiexec.exe
Token: SeUndockPrivilege	1884	msiexec.exe
Token: SeSyncAgentPrivilege	1884	msiexec.exe
Token: SeEnableDelegationPrivilege	1884	msiexec.exe
Token: SeManageVolumePrivilege	1884	msiexec.exe
Token: SeImpersonatePrivilege	1884	msiexec.exe
Token: SeCreateGlobalPrivilege	1884	msiexec.exe
Token: SeBackupPrivilege	2196	vssvc.exe
Token: SeRestorePrivilege	2196	vssvc.exe
Token: SeAuditPrivilege	2196	vssvc.exe
Token: SeBackupPrivilege	2444	msiexec.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeRestorePrivilege	1676	DrvInst.exe
Token: SeRestorePrivilege	1676	DrvInst.exe
Token: SeRestorePrivilege	1676	DrvInst.exe
Token: SeRestorePrivilege	1676	DrvInst.exe
Token: SeRestorePrivilege	1676	DrvInst.exe
Token: SeRestorePrivilege	1676	DrvInst.exe
Token: SeRestorePrivilege	1676	DrvInst.exe
Token: SeLoadDriverPrivilege	1676	DrvInst.exe
Token: SeLoadDriverPrivilege	1676	DrvInst.exe
Token: SeLoadDriverPrivilege	1676	DrvInst.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeTakeOwnershipPrivilege	2444	msiexec.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeTakeOwnershipPrivilege	2444	msiexec.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeTakeOwnershipPrivilege	2444	msiexec.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeTakeOwnershipPrivilege	2444	msiexec.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeTakeOwnershipPrivilege	2444	msiexec.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeTakeOwnershipPrivilege	2444	msiexec.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeTakeOwnershipPrivilege	2444	msiexec.exe
Token: SeRestorePrivilege	2444	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1884	msiexec.exe
1884	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2988	2444	msiexec.exe	32
PID 2444 wrote to memory of 2988	2444	msiexec.exe	32
PID 2444 wrote to memory of 2988	2444	msiexec.exe	32
PID 2444 wrote to memory of 2988	2444	msiexec.exe	32
PID 2444 wrote to memory of 2988	2444	msiexec.exe	32
PID 2444 wrote to memory of 2988	2444	msiexec.exe	32
PID 2444 wrote to memory of 2988	2444	msiexec.exe	32
PID 2444 wrote to memory of 1116	2444	msiexec.exe	33
PID 2444 wrote to memory of 1116	2444	msiexec.exe	33
PID 2444 wrote to memory of 1116	2444	msiexec.exe	33
PID 2444 wrote to memory of 1116	2444	msiexec.exe	33
PID 2444 wrote to memory of 1116	2444	msiexec.exe	33
PID 2444 wrote to memory of 1116	2444	msiexec.exe	33
PID 2444 wrote to memory of 1116	2444	msiexec.exe	33
PID 2860 wrote to memory of 2336	2860	rundll32.exe	35
PID 2860 wrote to memory of 2336	2860	rundll32.exe	35
PID 2860 wrote to memory of 2336	2860	rundll32.exe	35
PID 2860 wrote to memory of 2336	2860	rundll32.exe	35
PID 2336 wrote to memory of 1212	2336	rundll32.exe	21

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\medk.msi
  2⤵
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1884
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\tab.dll, Object
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\tab.dll, Object
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2336

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 575389D48199E917FCCF76C4A4548C85
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2988
- C:\Windows\Installer\MSI7573.tmp
  "C:\Windows\Installer\MSI7573.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\Admin\AppData\Roaming\tab.dll, Object
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004CC" "00000000000005D4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f767312.rbs

Filesize
1KB

MD5
0763c08bae8d12bdf3f1eb07db05660e

SHA1
c73edab6755ba4a7d645ff514723014f89d3b412

SHA256
25fbbb29b0c25c6c3e0d85c69668059e61e3065a0db53830e8943414a22d0707

SHA512
2c35a2ded8015a14abcc588f966edfc45dd98e46a90a6584f64e17eaf227408d55726505946f41fcacdcdc2b38a29b92feb52a45a023ce9feeec95be031ae19b

Download Submit
C:\Users\Admin\AppData\Roaming\tab.dll

Filesize
1.6MB

MD5
4f4a164b5f9ef20be601531a727179a2

SHA1
1601622dc7caef28ce413e1d73b4d4596aabfc50

SHA256
0f23855e56eb6ec760717be43280eeeeaec1aeef939f9ae6a41daf1b8e3bd306

SHA512
de09d9f0048a19c7efa7ffae01f58c41e619e09e6ec56e4b818b58846672a0772c58913ba5ad4c86b746d91399894a21bf51225c1737a0652b1c85ffa3307030

Download Submit
C:\Windows\Installer\MSI734C.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI7573.tmp

Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
memory/1116-38-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/1212-79-0x0000000002F80000-0x0000000002F95000-memory.dmp

Filesize
84KB

Download
memory/1212-80-0x0000000002F80000-0x0000000002F95000-memory.dmp

Filesize
84KB

Download
memory/1212-81-0x0000000002F80000-0x0000000002F95000-memory.dmp

Filesize
84KB

Download
memory/2336-75-0x000007FFFFF60000-0x000007FFFFF61000-memory.dmp

Filesize
4KB

Download
memory/2336-77-0x000007FFFFF40000-0x000007FFFFF41000-memory.dmp

Filesize
4KB

Download
memory/2336-76-0x000007FFFFF50000-0x000007FFFFF51000-memory.dmp

Filesize
4KB

Download
memory/2336-74-0x000007FFFFF70000-0x000007FFFFF71000-memory.dmp

Filesize
4KB

Download
memory/2336-73-0x000007FFFFF80000-0x000007FFFFF95000-memory.dmp

Filesize
84KB

Download
memory/2336-72-0x000007FFFFFA0000-0x000007FFFFFA1000-memory.dmp

Filesize
4KB

Download
memory/2336-48-0x0000000001E10000-0x0000000001E5C000-memory.dmp

Filesize
304KB

Download
memory/2336-84-0x0000000001E10000-0x0000000001E5C000-memory.dmp

Filesize
304KB

Download