Analysis Overview
SHA256
ef11b9f1ac15cb15b8d7ecb634120583d326789b4f7e567e3a7a2209f7bd7f64
Threat Level: Shows suspicious behavior
The file WinDirStat-x64.msi was found to be: Shows suspicious behavior.
Malicious Activity Summary
Enumerates connected drives
Blocklisted process makes network request
Drops file in Windows directory
Drops file in Program Files directory
Event Triggered Execution: Installer Packages
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 18:11
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 18:11
Reported
2024-11-13 18:42
Platform
win10v2004-20241007-en
Max time kernel
1151s
Max time network
1151s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\WinDirStat\WinDirStat.exe | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\{A5AEAE5C-1EDA-41FA-A90B-D62AF6B99BE1}\WinDirStat.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{A5AEAE5C-1EDA-41FA-A90B-D62AF6B99BE1}\WinDirStat.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{A5AEAE5C-1EDA-41FA-A90B-D62AF6B99BE1} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI29BB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5828a3.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5828a1.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5828a1.msi | C:\Windows\system32\msiexec.exe | N/A |
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001a73a27760024bf60000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001a73a2770000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001a73a277000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1a73a277000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001a73a27700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\WinDirStat\command\ = "\"C:\\Program Files\\WinDirStat\\WinDirStat.exe\" \"0|%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Drive\shell\WinDirStat\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C5EAEA5AADE1AF149AB06DA26F9BB91E\FT_Core | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Directory\shell\WinDirStat\command | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Drive\shell\WinDirStat | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\WinDirStat\command\ = "\"C:\\Program Files\\WinDirStat\\WinDirStat.exe\" \"0|%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\ProductName = "WinDirStat" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BFCC112E607D91942BFFF0F724E62AB7 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\SourceList\PackageName = "WinDirStat-x64.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\WinDirStat\ = "WinDirStat" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\Version = "33554435" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\PackageCode = "C64C8261722223F47B24DE9609F88787" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\WinDirStat\Icon = "C:\\Program Files\\WinDirStat\\WinDirStat.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\WinDirStat\ = "WinDirStat" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C5EAEA5AADE1AF149AB06DA26F9BB91E | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C5EAEA5AADE1AF149AB06DA26F9BB91E\FT_ContextMenu = "FT_Core" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BFCC112E607D91942BFFF0F724E62AB7\C5EAEA5AADE1AF149AB06DA26F9BB91E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Directory\shell\WinDirStat | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\WinDirStat\Icon = "C:\\Program Files\\WinDirStat\\WinDirStat.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C5EAEA5AADE1AF149AB06DA26F9BB91E\ProductIcon = "C:\\Windows\\Installer\\{A5AEAE5C-1EDA-41FA-A90B-D62AF6B99BE1}\\WinDirStat.ico" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4860 wrote to memory of 1844 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\srtasks.exe |
| PID 4860 wrote to memory of 1844 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\srtasks.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinDirStat-x64.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | crl.certum.pl | udp |
| GB | 92.123.26.177:80 | crl.certum.pl | tcp |
| US | 8.8.8.8:53 | 217.26.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ccsca2021.ocsp-certum.com | udp |
| US | 8.8.8.8:53 | 177.26.123.92.in-addr.arpa | udp |
| GB | 92.123.26.217:80 | ccsca2021.ocsp-certum.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\856FDBDDFEAC90A3D62D621EBF196637
| MD5 | 445f0441da9707a5811fb8a9756cbd6f |
| SHA1 | 265415df1e41b607269aa68e0f72a9c0a4938365 |
| SHA256 | 8864d36b04f7f3a2ac334150f2d50f19821c0a4e5d50018b0d536fd45755a3a0 |
| SHA512 | 10ade1a1f865efa7e17038c5fe96157d51e8d6555940c40e15c7db7fdc0a69d552c8c196c75add7c020523568f1c790aeaae89297b1e13169676a998b8cdd9c4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4E4160FB650E5091C535216313A4ECD3_9C2BA0D68BBB93342E457B5FC2988A9F
| MD5 | e869079c10b3555bb27b975dbfedc64b |
| SHA1 | 8c7bc49f7ac27d3d58900984dc28b2345ff8affb |
| SHA256 | be00c6c9bd6a3eb69a35d1c3387116bee18472b42391835ef002690373ec5bce |
| SHA512 | b0afd58cdbf95a2db12c3b47b2bdc66f3b811538cd07e5b1288eb433e11deeca42a51eca4f2ff95877fc53b472ac1a49ac2c95916d5fbb29a16765c9a3f4d012 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30069012ED3CF5DB92F9F4FC78D55E2D_87238437CEFCADF00F1385E31A888EF4
| MD5 | 758232876e6f4371d149edb501ed6439 |
| SHA1 | 93ac6d9dedcb3f22198483e3f6e0cfa457a8dadf |
| SHA256 | 6dea3e36a78ce4a7e17424e432dd1c4dfe77a6e4c6a211ff9e6cc8664bd34a7e |
| SHA512 | 56762563a9466892fb5ca78c04bda960331be1d972b86a0f8348574697a2ab183385e4922271c39759ec4e9e0b1f92a27f491f76da0916e51bedcf9a41374226 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4E4160FB650E5091C535216313A4ECD3_9C2BA0D68BBB93342E457B5FC2988A9F
| MD5 | f89b48470f017c95ff4fd71803293563 |
| SHA1 | e494ada746728491cfc226ba72283d8b4703aa3b |
| SHA256 | 182c0acd2e02a7fd71e5f58832703f03f45d2e8548f13f51df72b2218fd0ef56 |
| SHA512 | d99d8d635f98f97f3e2583eeec892a839f9f1bf889557352faaa25c28af7ea75e03373e04da7c2aee53b76a09931acebd2002f8eed675ce61b60646f8990dc32 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_87238437CEFCADF00F1385E31A888EF4
| MD5 | a13b64ef1ec830837e32cfb21c64c1b5 |
| SHA1 | 1132fe0719c5dc80c639dbc4a8ab5dcd601a5ce1 |
| SHA256 | b9a2023f924c90deee566ddc433a1dcaf66faa5687e1bcf1116354d932bfba27 |
| SHA512 | a2e75ceb88a7e747388be48f5e36746dad748e5779099e1060c15ecf4ebd8acb8b22de9f1bdcf7daee18b82eb52065f7254e6ea7446562a587078b8b24dabc36 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\856FDBDDFEAC90A3D62D621EBF196637
| MD5 | e4af6debfb86571bcbfbcee68daba556 |
| SHA1 | 2cecb6f0737f325e633426e9eae8a87e82e52045 |
| SHA256 | 13943eb10c5a474e425c87df08683d23444349344f48f66d2ac12768d28c93b4 |
| SHA512 | b7c0de5825c8898bebe7200425a85ea2c21e80ae815989432d68049014ae62f34475a9bc39cedd6384cc6fa039eee8b6371a481d3aae280e230408081032428b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\68FAF71AF355126BCA00CE2E73CC7374_E5F521CA60C5ED8C2B4E2BF399FE2061
| MD5 | 1a9bf8cfc0882c14b34312a3158587db |
| SHA1 | 76262f7cbf530b0b88703aa4d416006768380495 |
| SHA256 | 4d04da705855d23ecdb4f81c734fa1dc20bf6b889eb7cb8db3ad16c7c830ce83 |
| SHA512 | 74f58a8993bbde7004fe0dae81f890b65d10dc74951ee37a22acb2952c93cdfd541875b89369185aef89e7e0b8291e71747ae6f431495aa07f80d7b3f031e78c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\68FAF71AF355126BCA00CE2E73CC7374_E5F521CA60C5ED8C2B4E2BF399FE2061
| MD5 | 1cac1e4e7d31694844cc433b5a9ee960 |
| SHA1 | bc577524fe91b7d24dfa23f8d961f605cf26dcf1 |
| SHA256 | 955b65a318980d65cc55ee2b3488ea9096c053515cbe3d918e06ab6f1404ed7f |
| SHA512 | 70b6e306e62637acead2fcee242337fef7285afdf25fad07e1606a42ae45343dcee71fcb9b326793540bdb7468c9b05c18fdbf9355083dc2e01496d8b1e0d5b9 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat.lnk~RFe582a66.TMP
| MD5 | 6667878fb8360d15e2939e44611762a4 |
| SHA1 | 761a8ac850a32c62f1b10a04665b5e46021a500e |
| SHA256 | 3db298e20fefa13f9d6b1c99fa105524266ddfabf5df3580dc0295b68be5ba3a |
| SHA512 | 79e9b9b3dc607a76670be139e8deaac4d674a340d26a8b733b635a9c70d4d76ddb5f1127ad3d64c3f5bb8ec213988cb2fd3a64df59ff80204a491f7014260e1a |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat.lnk
| MD5 | 86b3dc29fae11e564454d3556531e34a |
| SHA1 | dc92c7cef24c98a3af6d2d0e20eef23491828088 |
| SHA256 | 6d7b6b9fc8253c86312e8477e329a3f82a91ccce14a248edbacac675bab9c423 |
| SHA512 | 21087c02cd2d7af0c610fa085e62aee5a209689833ab05ace9ef8e5a517571fc5335731cbffa764bddf3b2925160c5aa8aa4ac7fefd3c736382a831f476ef29f |
C:\Config.Msi\e5828a2.rbs
| MD5 | 4571a0de623b498c3857abe9e88e0a05 |
| SHA1 | 53be4f4b91876a3135d2686157af73323aa7cf57 |
| SHA256 | d2f48bf9222f6779f9e524b8242ef18ee2dca90f5b26c77d58670561c27c5512 |
| SHA512 | 78ff7360e4e53a692288c7b20fa3905920db0d826a74f8d884c1a4ffb82c88159fdb76bc6c3149afb27513642acec1aab22654353a962e726beec3259b2d6ccf |
C:\Windows\Installer\e5828a1.msi
| MD5 | 5ee636d9fac960438a2fb3d7ee497ada |
| SHA1 | 86b3c750357cc4e3ab823a9c28e72c94dc705688 |
| SHA256 | ef11b9f1ac15cb15b8d7ecb634120583d326789b4f7e567e3a7a2209f7bd7f64 |
| SHA512 | 0e2ee022b381c3468c804c7344ff16310bbb31164e6e3bac7939a32215e114bd90e02106fd290fa6d1f41b8eb4129956700080825644c6e6f977e68c50e8a05e |
\??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e6799392-b663-40df-a1b5-912b4f14745e}_OnDiskSnapshotProp
| MD5 | c205ca7d57cb6bef85bdda205a4238b9 |
| SHA1 | cebcebb0555cda75dc982de6968f63b6fbfd7db1 |
| SHA256 | 6d0fc1704faea39e4e6e34dccb057f301bbbb9e7e366d50ab7922a3a07c0cade |
| SHA512 | cf730ae55e176b134cc45aafc0797d235f89cc5848fdbc30cf75cf390dd2db8b4cfb0f0aa0d293acce152f5d3107a14ecb90042dbf8fe304738020c5a1d4711e |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 6613ec83ed5a085b7d6e0516b36603b7 |
| SHA1 | 8a508d902783b98c386151e27b3f9c316b08fc7d |
| SHA256 | 319bd8e880366749971bdf1a0cc06064d25493f702397a6cc5ce699794c6e390 |
| SHA512 | 9257384e557171bf9a64c7dab2aa1037f8dfb62b71bc7122e40b6c00e878e073d2ce4356146883a9ae4db76c35ba76f776eec16d831448412b265abd9fa7fdfb |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 18:11
Reported
2024-11-13 18:12
Platform
win7-20240903-en
Max time kernel
3s
Max time network
3s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WinDirStat-x64.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| GB | 92.123.26.144:80 | repository.certum.pl | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab650C.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar651E.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |