Malware Analysis Report

2024-12-07 11:16

Sample ID 241113-ws29nsznep
Target WinDirStat-x64.msi
SHA256 ef11b9f1ac15cb15b8d7ecb634120583d326789b4f7e567e3a7a2209f7bd7f64
Tags persistence privilege_escalation
Score 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 6/10
SHA256 ef11b9f1ac15cb15b8d7ecb634120583d326789b4f7e567e3a7a2209f7bd7f64

Threat Level: Shows suspicious behavior

The file WinDirStat-x64.msi was found to show suspicious behavior.

Every signature in this report is the footprint of msiexec.exe installing a Windows Installer package, not of a payload run by the package. The dropped files are WinDirStat.exe under Program Files, the cached package (e5828a1.msi, same SHA256 as the sample) and icon under C:\Windows\Installer, a rollback script under C:\Config.Msi and a Start Menu shortcut. The registry writes are the Installer\Products, Installer\Features and Installer\UpgradeCodes records plus Directory and Drive shell verbs that add a "WinDirStat" context-menu entry. The Volume Shadow Copy activity is a System Restore checkpoint taken by srtasks.exe ExecuteScopeRestorePoint, which msiexec.exe spawns; that child-process creation is also what the WriteProcessMemory signature records. The only network traffic is CRL and OCSP retrieval from Certum hosts (crl.certum.pl, ccsca2021.ocsp-certum.com, repository.certum.pl) plus reverse-DNS lookups, consistent with certificate chain validation of the package, with the responses landing in the user's CryptnetUrlCache. The persistence and privilege_escalation tags come from the generic "Event Triggered Execution: Installer Packages" signature, which describes MSI installation itself. The win7 run (behavioral1) recorded only 3 s of activity and no install artifacts, so it covers the pre-install phase only. None of this proves the package is the vendor's build: compare the SHA256 above with the hash the vendor publishes for this release and check the Authenticode signature chain before trusting the binary.

Malicious Activity Summary

persistence privilege_escalation

Enumerates connected drives

Blocklisted process makes network request

Drops file in Windows directory

Drops file in Program Files directory

Event Triggered Execution: Installer Packages

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Modifies registry class

MITRE ATT&CK

Enterprise Matrix V15

Event Triggered Execution: Installer Packages (T1546.016), tactics persistence and privilege_escalation. This is the only technique the signatures map to; it records that an MSI package was executed, not that the package abused the mechanism.

Analysis: static1

Detonation Overview

Reported

2024-11-13 18:11

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 18:11

Reported

2024-11-13 18:42

Platform

win10v2004-20241007-en

Max time kernel

1151s

Max time network

1151s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinDirStat-x64.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WinDirStat\WinDirStat.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\{A5AEAE5C-1EDA-41FA-A90B-D62AF6B99BE1}\WinDirStat.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{A5AEAE5C-1EDA-41FA-A90B-D62AF6B99BE1}\WinDirStat.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{A5AEAE5C-1EDA-41FA-A90B-D62AF6B99BE1} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI29BB.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5828a3.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5828a1.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5828a1.msi C:\Windows\system32\msiexec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value omitted) C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\WinDirStat\command\ = "\"C:\\Program Files\\WinDirStat\\WinDirStat.exe\" \"0|%1\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Drive\shell\WinDirStat\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C5EAEA5AADE1AF149AB06DA26F9BB91E\FT_Core C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Directory\shell\WinDirStat\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Drive\shell\WinDirStat C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\WinDirStat\command\ = "\"C:\\Program Files\\WinDirStat\\WinDirStat.exe\" \"0|%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\ProductName = "WinDirStat" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BFCC112E607D91942BFFF0F724E62AB7 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\SourceList\PackageName = "WinDirStat-x64.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\WinDirStat\ = "WinDirStat" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\Version = "33554435" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\PackageCode = "C64C8261722223F47B24DE9609F88787" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\WinDirStat\Icon = "C:\\Program Files\\WinDirStat\\WinDirStat.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\WinDirStat\ = "WinDirStat" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C5EAEA5AADE1AF149AB06DA26F9BB91E C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C5EAEA5AADE1AF149AB06DA26F9BB91E\FT_ContextMenu = "FT_Core" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BFCC112E607D91942BFFF0F724E62AB7\C5EAEA5AADE1AF149AB06DA26F9BB91E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Directory\shell\WinDirStat C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\WinDirStat\Icon = "C:\\Program Files\\WinDirStat\\WinDirStat.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\ProductIcon = "C:\\Windows\\Installer\\{A5AEAE5C-1EDA-41FA-A90B-D62AF6B99BE1}\\WinDirStat.ico" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4860 wrote to memory of 1844 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4860 wrote to memory of 1844 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe

Uses Volume Shadow Copy service COM API

ransomware
No indicator rows were recorded for this signature. In this run the VSS calls belong to the System Restore checkpoint created through srtasks.exe ExecuteScopeRestorePoint and vssvc.exe (see Processes); no shadow-copy deletion command appears in the process list.

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinDirStat-x64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
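The sandbox tags any Volume Shadow Copy use as "ransomware", so a triage step has to separate the tree above (msiexec.exe spawning srtasks.exe ExecuteScopeRestorePoint to take a System Restore checkpoint) from the deletion commands ransomware actually issues. The following is an added example, not part of the sandbox report: it classifies process-creation records and runs over a constructed event list modelled on this report's process tree. The record layout and the parent images for the msiexec.exe and vssvc.exe entries are assumptions for the example (the report gives only the msiexec.exe to srtasks.exe relationship); the destructive commands are constructed for contrast and were not observed in this run.

```python
"""Separate benign installer VSS activity from shadow-copy destruction.

Added example, not part of the sandbox report. Process records are a
constructed format (image, command line, parent image), not a real log
schema. Parent images other than msiexec.exe -> srtasks.exe are assumed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    cmdline: str        # command line as recorded
    parent_image: str   # full path of the parent process


# Constructed events modelled on the report's Processes section.
REPORT_EVENTS = [
    ProcEvent(r"C:\Windows\system32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinDirStat-x64.msi",
              r"C:\Windows\explorer.exe"),                # parent assumed
    ProcEvent(r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V",
              r"C:\Windows\system32\services.exe"),       # parent assumed
    ProcEvent(r"C:\Windows\system32\vssvc.exe",
              r"C:\Windows\system32\vssvc.exe",
              r"C:\Windows\system32\services.exe"),       # parent assumed
    ProcEvent(r"C:\Windows\system32\srtasks.exe",
              r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2",
              r"C:\Windows\system32\msiexec.exe"),        # per the WriteProcessMemory rows
]

# Constructed destructive events for contrast; NOT observed in the report.
DESTRUCTIVE_EVENTS = [
    ProcEvent(r"C:\Windows\system32\vssadmin.exe",
              r"vssadmin.exe delete shadows /all /quiet",
              r"C:\Users\Admin\AppData\Local\Temp\payload.exe"),
    ProcEvent(r"C:\Windows\system32\wbem\WMIC.exe",
              r"wmic shadowcopy delete",
              r"C:\Windows\system32\cmd.exe"),
]

# Command-line shapes that remove or starve shadow copies.
_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*(Delete|Remove-WmiObject)", re.I),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> str:
    """Return one of: shadow_deletion, installer_restore_point,
    restore_point_other_parent, vss_service, unrelated."""
    if any(p.search(ev.cmdline) for p in _DELETE_PATTERNS):
        return "shadow_deletion"
    if basename(ev.image) == "srtasks.exe" and \
            "executescoperestorepoint" in ev.cmdline.lower():
        # System Restore checkpoint; expected when Windows Installer is the parent.
        if basename(ev.parent_image) == "msiexec.exe":
            return "installer_restore_point"
        return "restore_point_other_parent"
    if basename(ev.image) == "vssvc.exe":
        return "vss_service"     # the VSS service itself; benign on its own
    return "unrelated"


def triage(events):
    """Summarise a process list: per-event classes and the two verdict flags."""
    classes = [classify(e) for e in events]
    return {
        "classes": classes,
        "shadow_deletion": "shadow_deletion" in classes,
        "restore_point_by_installer": "installer_restore_point" in classes,
    }


if __name__ == "__main__":
    print(triage(REPORT_EVENTS))        # no deletion, restore point by installer
    print(triage(DESTRUCTIVE_EVENTS))   # deletion seen
```

On the report's tree the verdict is "restore point created by the installer, no deletion", which is what turns the "ransomware" tag into a benign finding; a srtasks.exe restore point spawned by something other than msiexec.exe is returned separately so it is not silently whitelisted.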

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 crl.certum.pl udp
GB 92.123.26.177:80 crl.certum.pl tcp
US 8.8.8.8:53 217.26.123.92.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 ccsca2021.ocsp-certum.com udp
US 8.8.8.8:53 177.26.123.92.in-addr.arpa udp
GB 92.123.26.217:80 ccsca2021.ocsp-certum.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\856FDBDDFEAC90A3D62D621EBF196637

MD5 445f0441da9707a5811fb8a9756cbd6f
SHA1 265415df1e41b607269aa68e0f72a9c0a4938365
SHA256 8864d36b04f7f3a2ac334150f2d50f19821c0a4e5d50018b0d536fd45755a3a0
SHA512 10ade1a1f865efa7e17038c5fe96157d51e8d6555940c40e15c7db7fdc0a69d552c8c196c75add7c020523568f1c790aeaae89297b1e13169676a998b8cdd9c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4E4160FB650E5091C535216313A4ECD3_9C2BA0D68BBB93342E457B5FC2988A9F

MD5 e869079c10b3555bb27b975dbfedc64b
SHA1 8c7bc49f7ac27d3d58900984dc28b2345ff8affb
SHA256 be00c6c9bd6a3eb69a35d1c3387116bee18472b42391835ef002690373ec5bce
SHA512 b0afd58cdbf95a2db12c3b47b2bdc66f3b811538cd07e5b1288eb433e11deeca42a51eca4f2ff95877fc53b472ac1a49ac2c95916d5fbb29a16765c9a3f4d012

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30069012ED3CF5DB92F9F4FC78D55E2D_87238437CEFCADF00F1385E31A888EF4

MD5 758232876e6f4371d149edb501ed6439
SHA1 93ac6d9dedcb3f22198483e3f6e0cfa457a8dadf
SHA256 6dea3e36a78ce4a7e17424e432dd1c4dfe77a6e4c6a211ff9e6cc8664bd34a7e
SHA512 56762563a9466892fb5ca78c04bda960331be1d972b86a0f8348574697a2ab183385e4922271c39759ec4e9e0b1f92a27f491f76da0916e51bedcf9a41374226

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4E4160FB650E5091C535216313A4ECD3_9C2BA0D68BBB93342E457B5FC2988A9F

MD5 f89b48470f017c95ff4fd71803293563
SHA1 e494ada746728491cfc226ba72283d8b4703aa3b
SHA256 182c0acd2e02a7fd71e5f58832703f03f45d2e8548f13f51df72b2218fd0ef56
SHA512 d99d8d635f98f97f3e2583eeec892a839f9f1bf889557352faaa25c28af7ea75e03373e04da7c2aee53b76a09931acebd2002f8eed675ce61b60646f8990dc32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_87238437CEFCADF00F1385E31A888EF4

MD5 a13b64ef1ec830837e32cfb21c64c1b5
SHA1 1132fe0719c5dc80c639dbc4a8ab5dcd601a5ce1
SHA256 b9a2023f924c90deee566ddc433a1dcaf66faa5687e1bcf1116354d932bfba27
SHA512 a2e75ceb88a7e747388be48f5e36746dad748e5779099e1060c15ecf4ebd8acb8b22de9f1bdcf7daee18b82eb52065f7254e6ea7446562a587078b8b24dabc36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\856FDBDDFEAC90A3D62D621EBF196637

MD5 e4af6debfb86571bcbfbcee68daba556
SHA1 2cecb6f0737f325e633426e9eae8a87e82e52045
SHA256 13943eb10c5a474e425c87df08683d23444349344f48f66d2ac12768d28c93b4
SHA512 b7c0de5825c8898bebe7200425a85ea2c21e80ae815989432d68049014ae62f34475a9bc39cedd6384cc6fa039eee8b6371a481d3aae280e230408081032428b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\68FAF71AF355126BCA00CE2E73CC7374_E5F521CA60C5ED8C2B4E2BF399FE2061

MD5 1a9bf8cfc0882c14b34312a3158587db
SHA1 76262f7cbf530b0b88703aa4d416006768380495
SHA256 4d04da705855d23ecdb4f81c734fa1dc20bf6b889eb7cb8db3ad16c7c830ce83
SHA512 74f58a8993bbde7004fe0dae81f890b65d10dc74951ee37a22acb2952c93cdfd541875b89369185aef89e7e0b8291e71747ae6f431495aa07f80d7b3f031e78c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\68FAF71AF355126BCA00CE2E73CC7374_E5F521CA60C5ED8C2B4E2BF399FE2061

MD5 1cac1e4e7d31694844cc433b5a9ee960
SHA1 bc577524fe91b7d24dfa23f8d961f605cf26dcf1
SHA256 955b65a318980d65cc55ee2b3488ea9096c053515cbe3d918e06ab6f1404ed7f
SHA512 70b6e306e62637acead2fcee242337fef7285afdf25fad07e1606a42ae45343dcee71fcb9b326793540bdb7468c9b05c18fdbf9355083dc2e01496d8b1e0d5b9

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat.lnk~RFe582a66.TMP

MD5 6667878fb8360d15e2939e44611762a4
SHA1 761a8ac850a32c62f1b10a04665b5e46021a500e
SHA256 3db298e20fefa13f9d6b1c99fa105524266ddfabf5df3580dc0295b68be5ba3a
SHA512 79e9b9b3dc607a76670be139e8deaac4d674a340d26a8b733b635a9c70d4d76ddb5f1127ad3d64c3f5bb8ec213988cb2fd3a64df59ff80204a491f7014260e1a

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat.lnk

MD5 86b3dc29fae11e564454d3556531e34a
SHA1 dc92c7cef24c98a3af6d2d0e20eef23491828088
SHA256 6d7b6b9fc8253c86312e8477e329a3f82a91ccce14a248edbacac675bab9c423
SHA512 21087c02cd2d7af0c610fa085e62aee5a209689833ab05ace9ef8e5a517571fc5335731cbffa764bddf3b2925160c5aa8aa4ac7fefd3c736382a831f476ef29f

C:\Config.Msi\e5828a2.rbs

MD5 4571a0de623b498c3857abe9e88e0a05
SHA1 53be4f4b91876a3135d2686157af73323aa7cf57
SHA256 d2f48bf9222f6779f9e524b8242ef18ee2dca90f5b26c77d58670561c27c5512
SHA512 78ff7360e4e53a692288c7b20fa3905920db0d826a74f8d884c1a4ffb82c88159fdb76bc6c3149afb27513642acec1aab22654353a962e726beec3259b2d6ccf

C:\Windows\Installer\e5828a1.msi

MD5 5ee636d9fac960438a2fb3d7ee497ada
SHA1 86b3c750357cc4e3ab823a9c28e72c94dc705688
SHA256 ef11b9f1ac15cb15b8d7ecb634120583d326789b4f7e567e3a7a2209f7bd7f64
SHA512 0e2ee022b381c3468c804c7344ff16310bbb31164e6e3bac7939a32215e114bd90e02106fd290fa6d1f41b8eb4129956700080825644c6e6f977e68c50e8a05e

\??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e6799392-b663-40df-a1b5-912b4f14745e}_OnDiskSnapshotProp

MD5 c205ca7d57cb6bef85bdda205a4238b9
SHA1 cebcebb0555cda75dc982de6968f63b6fbfd7db1
SHA256 6d0fc1704faea39e4e6e34dccb057f301bbbb9e7e366d50ab7922a3a07c0cade
SHA512 cf730ae55e176b134cc45aafc0797d235f89cc5848fdbc30cf75cf390dd2db8b4cfb0f0aa0d293acce152f5d3107a14ecb90042dbf8fe304738020c5a1d4711e

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 6613ec83ed5a085b7d6e0516b36603b7
SHA1 8a508d902783b98c386151e27b3f9c316b08fc7d
SHA256 319bd8e880366749971bdf1a0cc06064d25493f702397a6cc5ce699794c6e390
SHA512 9257384e557171bf9a64c7dab2aa1037f8dfb62b71bc7122e40b6c00e878e073d2ce4356146883a9ae4db76c35ba76f776eec16d831448412b265abd9fa7fdfb

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 18:11

Reported

2024-11-13 18:12

Platform

win7-20240903-en

Max time kernel

3s

Max time network

3s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinDirStat-x64.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinDirStat-x64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country Destination Domain Proto
US 8.8.8.8:53 repository.certum.pl udp
GB 92.123.26.144:80 repository.certum.pl tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab650C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar651E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b