Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 19/11/2024, 11:52

Static task: static1

Behavioral task: behavioral1
  Sample: tn5250.msi
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: tn5250.msi
  Resource: win10v2004-20241007-en
General
Target: tn5250.msi
Size: 2.0MB
MD5: df00268606a3e3488d08a5e2cec0c100
SHA1: 7f6b44e59134341a7cad154d223a5121de42b5e9
SHA256: 8bd1afd65268e5d9e416d830b8d370d8a8956824a8293b3b372d7fa051e982c8
SHA512: 9f5cd01d31fcf2616d2384270ccc5d914f071dd7ae5b7ba45a7e605053907db021ba28365e4396aef495373453f2126e884eff6604f5caa93086c994dce4e7ac
SSDEEP: 49152:45kVY5AyE3D2aXE739bH/fwmOua7IX9qNGnHt6q+tMp:7Y5AJCWcNbHbOH7ItqN0Htj+
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  3     1128  msiexec.exe
  13    2780  msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
Drops file in Program Files directory (21 IoCs)
  description   ioc                                                              Process
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.277   msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.870   msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.1025  msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.1026  msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.274   msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.278   msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.285   msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\license.txt  msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\mtn5250.chm  msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.385   msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.871   msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\readme.txt   msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\tn5250.exe   msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.1047  msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.037   msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.273   msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.280   msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.284   msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.297   msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.500   msiexec.exe
  File created  C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.875   msiexec.exe
Drops file in Windows directory (13 IoCs)
  description                   ioc                                                                              Process
  File opened for modification  C:\Windows\INF\setupapi.dev.log                                                  DrvInst.exe
  File created                  C:\Windows\Installer\f773543.msi                                                 msiexec.exe
  File opened for modification  C:\Windows\Installer\f773543.msi                                                 msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI3881.tmp                                                 msiexec.exe
  File opened for modification  C:\Windows\Installer\{1607BB80-6FC9-4111-96E0-F5BD60334441}\controlPanelIcon.exe  msiexec.exe
  File opened for modification  C:\Windows\INF\setupapi.ev3                                                      DrvInst.exe
  File opened for modification  C:\Windows\INF\setupapi.ev1                                                      DrvInst.exe
  File opened for modification  C:\Windows\Installer\                                                            msiexec.exe
  File created                  C:\Windows\Installer\{1607BB80-6FC9-4111-96E0-F5BD60334441}\controlPanelIcon.exe  msiexec.exe
  File created                  C:\Windows\Installer\f773546.msi                                                 msiexec.exe
  File opened for modification  C:\Windows\Installer\f773544.ipi                                                 msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI36AC.tmp                                                 msiexec.exe
  File created                  C:\Windows\Installer\f773544.ipi                                                 msiexec.exe
Executes dropped EXE (2 IoCs)
  pid   Process
  1992  tn5250.exe
  2268  tn5250.exe
Loads dropped DLL (4 IoCs)
  pid   Process
  2788  MsiExec.exe
  2788  MsiExec.exe
  2788  MsiExec.exe
  2052  MsiExec.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
  pid   Process
  1128  msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Modifies data under HKEY_USERS (46 IoCs)
  description       ioc                                                                                                  Process
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates            DrvInst.exe
  Key deleted       \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E                       msiexec.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA                                    DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs                               DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs                       DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs                    DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs           DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs                   DrvInst.exe
  Key deleted       \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D                                 msiexec.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates           DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates              DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs                      DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs              DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs              DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates            DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates   DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs                            DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E                                 msiexec.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root                                  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople                         DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs                    DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople                DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My                                    DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot                         DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs                   DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs           DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs                       DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed                   DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates                     DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs                             DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs                             DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs                    DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs                    DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust                                 DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs                            DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust                        DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates                       DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed                            DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates               DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs                               DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA                           DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs                      DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates      DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates                    DrvInst.exe
Modifies registry class (24 IoCs)
  description       ioc                                                                                                           Process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\08BB70619CF61114690E5FDB06334414\MainFeature           msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\AuthorizedLUAApp = "0"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EFA965DEA46E0C94DBEB74AA1A71BD6E                  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\08BB70619CF61114690E5FDB06334414                       msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414                       msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\InstanceType = "0"    msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList            msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Net        msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Media\1 = ";"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\ProductName = "Mocha TN5250 for Windows 7/8/10/11"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\Assignment = "1"      msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EFA965DEA46E0C94DBEB74AA1A71BD6E\08BB70619CF61114690E5FDB06334414  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Media\DiskPrompt = "[1]"  msiexec.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\Clients = 3a0000000000  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\PackageName = "tn5250.msi"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\PackageCode = "3659D57DB5B13764D96BE8F330FF495D"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\Language = "1033"     msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\Version = "67174400"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\AdvertiseFlags = "388"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\ProductIcon = "C:\\Windows\\Installer\\{1607BB80-6FC9-4111-96E0-F5BD60334441}\\controlPanelIcon.exe"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\DeploymentFlags = "3"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Media      msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2780  msiexec.exe
  2780  msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            1128  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1128  msiexec.exe
  Token: SeRestorePrivilege             2780  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2780  msiexec.exe
  Token: SeSecurityPrivilege            2780  msiexec.exe
  Token: SeCreateTokenPrivilege         1128  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  1128  msiexec.exe
  Token: SeLockMemoryPrivilege          1128  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1128  msiexec.exe
  Token: SeMachineAccountPrivilege      1128  msiexec.exe
  Token: SeTcbPrivilege                 1128  msiexec.exe
  Token: SeSecurityPrivilege            1128  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1128  msiexec.exe
  Token: SeLoadDriverPrivilege          1128  msiexec.exe
  Token: SeSystemProfilePrivilege       1128  msiexec.exe
  Token: SeSystemtimePrivilege          1128  msiexec.exe
  Token: SeProfSingleProcessPrivilege   1128  msiexec.exe
  Token: SeIncBasePriorityPrivilege     1128  msiexec.exe
  Token: SeCreatePagefilePrivilege      1128  msiexec.exe
  Token: SeCreatePermanentPrivilege     1128  msiexec.exe
  Token: SeBackupPrivilege              1128  msiexec.exe
  Token: SeRestorePrivilege             1128  msiexec.exe
  Token: SeShutdownPrivilege            1128  msiexec.exe
  Token: SeDebugPrivilege               1128  msiexec.exe
  Token: SeAuditPrivilege               1128  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   1128  msiexec.exe
  Token: SeChangeNotifyPrivilege        1128  msiexec.exe
  Token: SeRemoteShutdownPrivilege      1128  msiexec.exe
  Token: SeUndockPrivilege              1128  msiexec.exe
  Token: SeSyncAgentPrivilege           1128  msiexec.exe
  Token: SeEnableDelegationPrivilege    1128  msiexec.exe
  Token: SeManageVolumePrivilege        1128  msiexec.exe
  Token: SeImpersonatePrivilege         1128  msiexec.exe
  Token: SeCreateGlobalPrivilege        1128  msiexec.exe
  Token: SeCreateTokenPrivilege         1128  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  1128  msiexec.exe
  Token: SeLockMemoryPrivilege          1128  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1128  msiexec.exe
  Token: SeMachineAccountPrivilege      1128  msiexec.exe
  Token: SeTcbPrivilege                 1128  msiexec.exe
  Token: SeSecurityPrivilege            1128  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1128  msiexec.exe
  Token: SeLoadDriverPrivilege          1128  msiexec.exe
  Token: SeSystemProfilePrivilege       1128  msiexec.exe
  Token: SeSystemtimePrivilege          1128  msiexec.exe
  Token: SeProfSingleProcessPrivilege   1128  msiexec.exe
  Token: SeIncBasePriorityPrivilege     1128  msiexec.exe
  Token: SeCreatePagefilePrivilege      1128  msiexec.exe
  Token: SeCreatePermanentPrivilege     1128  msiexec.exe
  Token: SeBackupPrivilege              1128  msiexec.exe
  Token: SeRestorePrivilege             1128  msiexec.exe
  Token: SeShutdownPrivilege            1128  msiexec.exe
  Token: SeDebugPrivilege               1128  msiexec.exe
  Token: SeAuditPrivilege               1128  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   1128  msiexec.exe
  Token: SeChangeNotifyPrivilege        1128  msiexec.exe
  Token: SeRemoteShutdownPrivilege      1128  msiexec.exe
  Token: SeUndockPrivilege              1128  msiexec.exe
  Token: SeSyncAgentPrivilege           1128  msiexec.exe
  Token: SeEnableDelegationPrivilege    1128  msiexec.exe
  Token: SeManageVolumePrivilege        1128  msiexec.exe
  Token: SeImpersonatePrivilege         1128  msiexec.exe
  Token: SeCreateGlobalPrivilege        1128  msiexec.exe
  Token: SeCreateTokenPrivilege         1128  msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  1128  msiexec.exe
  1128  msiexec.exe
Suspicious use of WriteProcessMemory (17 IoCs)
  description                       pid   Process      procid_target
  PID 2780 wrote to memory of 2788  2780  msiexec.exe  31
  PID 2780 wrote to memory of 2788  2780  msiexec.exe  31
  PID 2780 wrote to memory of 2788  2780  msiexec.exe  31
  PID 2780 wrote to memory of 2788  2780  msiexec.exe  31
  PID 2780 wrote to memory of 2788  2780  msiexec.exe  31
  PID 2780 wrote to memory of 2788  2780  msiexec.exe  31
  PID 2780 wrote to memory of 2788  2780  msiexec.exe  31
  PID 2780 wrote to memory of 2052  2780  msiexec.exe  36
  PID 2780 wrote to memory of 2052  2780  msiexec.exe  36
  PID 2780 wrote to memory of 2052  2780  msiexec.exe  36
  PID 2780 wrote to memory of 2052  2780  msiexec.exe  36
  PID 2780 wrote to memory of 2052  2780  msiexec.exe  36
  PID 2780 wrote to memory of 2052  2780  msiexec.exe  36
  PID 2780 wrote to memory of 2052  2780  msiexec.exe  36
  PID 2780 wrote to memory of 1992  2780  msiexec.exe  38
  PID 2780 wrote to memory of 1992  2780  msiexec.exe  38
  PID 2780 wrote to memory of 1992  2780  msiexec.exe  38
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe (PID 1128)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\tn5250.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 2780)
  command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  child: C:\Windows\syswow64\MsiExec.exe (PID 2788)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 3129348520FCC2DDC0DF51AAA38D8927 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  child: C:\Windows\syswow64\MsiExec.exe (PID 2052)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 96A73649D0D9CB0E07D0C7814D57C0B6
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  child: C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\tn5250.exe (PID 1992)
    command line: "C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\tn5250.exe" /Zempty
    - Executes dropped EXE

C:\Windows\system32\vssvc.exe (PID 2100)
  command line: C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe (PID 2868)
  command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D4" "00000000000003C4"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\tn5250.exe (PID 2268)
  command line: "C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\tn5250.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 9KB
  MD5: fb6bd907e68820fe36789bf3cb2dcab9
  SHA1: 2ee51a44f369123378131d4dbb1129dc9742061e
  SHA256: 3c0fcdda17060774ebd318c0fca697dfd564f10c1ee44deb97cfaa416d3e4468
  SHA512: 8a0461dc876fdf3ab074256f682ac55b8316c1bb3d12abfff50cf58d4cf219ccc23d10e898e70e2531898bf93839bd3197b8b12ec92fb638d47986f72c6046b1

- Filesize: 1KB
  MD5: 2ca9f116991aeec0ce11adff1de2b9ed
  SHA1: 905a22af314da7d0df6545637d380d2f2d44505c
  SHA256: 574e41811a7aee269b6e1ea19296af65056ffdc6229a52cec380ecc2ef64dd56
  SHA512: 38a6a25ac7eb8d61b3ff05095771b8382c355cb82de1213f86030f683f97d6b4b7e2403deab2c0a3117a9509a445494bb70167add6fd01caa3eb11b53da55be3

- Filesize: 3.1MB
  MD5: 85834905af2f859fa3c353bc8874553a
  SHA1: ffe5f2790d1c90124d64b7d3a793a8aa7cf7e67f
  SHA256: 3a49ea560bd9f82d3bdcb4136ea501387f5682b19a54f0d17bb0a01dec5698be
  SHA512: f48643dda6894674b477fe9dadf22a3894e80b07f656fa9eb52be0caf291a2d932b9886685ec924e262dfc2a2220a7976a64dc228a52a27f059ce98cd2824658

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
  Filesize: 471B
  MD5: 4302ac33571a665623f83caa83e9d7b7
  SHA1: 38e4b1f7626af38f558f00b7585a8821a3ef371e
  SHA256: 85d864fdf43320e3535ad37f3d946a3bd648df66622cbbcb079b976abfa7ff41
  SHA512: cc7530d96b6cf2d390a660fccd64170b6a32fb4ed777f3369ef92180abcaabfd94f74ba0ba8730084510fdeb42ded2a9b799d14c787424d3d11d2f2043642c41

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_EC420DCD3BBF75F74A9D9E7363E1AE4E
  Filesize: 727B
  MD5: 4f8791861a7f914ba42a43db2cf3683c
  SHA1: cfec212ec8dbeed485b4f69913b0fe8ada624478
  SHA256: 5134b71f9c4d800a4c1bb6d3a97bbfba6c91832a87df74f2a8d3d4f07f25052e
  SHA512: 564047e80b872e77a8d59eb942f162fb20abfce7d48ed321d6412d61ff7a874a1e1abb58c49357ed1bb7f28449436732d708dad607a38679361acf5844ef1892

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 727B
  MD5: c5325af001c52aca934eadbea6e052bf
  SHA1: 6874523550ed5a89d37835fc468701b7f5375d40
  SHA256: 9040f3f40aa15886f4ef60141b67e96542ac690a8fd9c9b4d52bdb0cf1b4c773
  SHA512: ef90d907375d2dedaa619bff669eb4dc16862a7fb16b4e73cc92b98792e19e6389c500aacb58dfdf4d7f71cf07367d00422f754766c433035e6becc475ed89db

- Filesize: 1KB
  MD5: a266bb7dcc38a562631361bbf61dd11b
  SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
  SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
  SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
  Filesize: 400B
  MD5: d149162dd34b07a99e6329b8c2acf5b7
  SHA1: 53871b0162fb23f34cbf4d6ec957a59750e45e87
  SHA256: e7428f8ef637ed6b580614d1efc44e80157e88dad495fe4400abcb0e8b753b98
  SHA512: 52b8426c8db2c9dc443507d199b7c0e3da7de6e8705324693f50f1f1ef1382358c7fac49327bb05c8cd0436303368a4efb2e62ef1922e7f65897b9eea2905a31

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_EC420DCD3BBF75F74A9D9E7363E1AE4E
  Filesize: 404B
  MD5: 3e53fb092300ac69705f4f9c152338e0
  SHA1: ba8c1b654a490569464694a7f855c95201b79844
  SHA256: 37742009eb0185225d967719c1f12f36df8c5b1ca426ca6052aa94bcfa00d1e8
  SHA512: e525b8edf2988a6803e03245a08f4522b7414341ba6f5ec1df5c3066cea0fb62f29d6b4d97dff073f751c382eb27bd8ef264aaa40d2b427440ac34edc84a174a

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 27619083b5787ccb56884b7e15e689b0
  SHA1: 4cd968c1bf08628002df55d83b6283ea574fc15f
  SHA256: 68576fea38f43855e2bd3d8886804521587c4c9922ab026c559944878e0e2be7
  SHA512: 8c23d81d978111590c3461e048e33bb7509f6e7884a4dd878816f3d9281975d82c6ba4ad419fc87447de294bb8eb064d8389980c9d188a73ace6f1bfcd8066e2

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 412B
  MD5: 028c6337ca8c836c743142103119a8cb
  SHA1: 3f2aaca2190b38aaf96c250f7b2a0a2daee82e74
  SHA256: a6173c070bb60088220d4dcaf2ffaf88797b80a9b42def8ee2418ecf51b24c79
  SHA512: 7286dcda5c50eda5f6ce8d915ad5f24c22ffc1d9be8aee516219f140a146774b967c62c5867e17edc87a8f0b8a6d14ddbf90dfffb8ec021ea1541195201b368f

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
  Filesize: 242B
  MD5: be172d28e2c839c0d17c278cc19f19f9
  SHA1: fb6cfcf382d559357b4fe1f8e05327e291ebbbdf
  SHA256: 093ee6c19aab92e094aa00daded6d312cf634ce938e8dbf222e2b0c76eb4149a
  SHA512: 4b5f64e5eece019556448f0232cfa2f5dea1ed6dc74990d3f30839e872fecb1847d06c03d26aa702b576958d852040f6db1d33864b0df4c3eea872096180a253

- C:\Users\Admin\AppData\Local\MochaSoft\tn5250.exe_Url_d4i3cmv1wc030qyhuqx0eikcebzsvbyp\4.0.0.0\user.config
  Filesize: 806B
  MD5: 053456b8c363d80fe4384c0a8e615bb9
  SHA1: d594ea6c8f93743446a2109617744433cfe84a67
  SHA256: 15b96a0783f90cff295b0ad8a805663f478be836a9f1cfd5fafc7376c69e2197
  SHA512: cbc832925066e2a3b2e165fdb12f826b7b32d3665d128f25fb4c030d66690c927bdc2e0a38a1224ec3f019282439b3d599639048cfd90d5ca54e5ba44a291693

- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

- Filesize: 89KB
  MD5: b051a3c68dcbf9e5b506aed6b0ef0ca8
  SHA1: 37c4a9c43b6b583b77fa750991a90cf36bcb17be
  SHA256: 91a0d1ba2a6f0c0999b85c1f9abae8487f0274020fbe1cb86c9b4e009861521c
  SHA512: 749450815c37d688935e460a95693245ea4a3cd5176d3eefee0556ca77d73465cb5f7344a2c4637b90c8f379419a1969793f9c106602c2c25bb65a7f6b4a543a

- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

- Filesize: 2.0MB
  MD5: df00268606a3e3488d08a5e2cec0c100
  SHA1: 7f6b44e59134341a7cad154d223a5121de42b5e9
  SHA256: 8bd1afd65268e5d9e416d830b8d370d8a8956824a8293b3b372d7fa051e982c8
  SHA512: 9f5cd01d31fcf2616d2384270ccc5d914f071dd7ae5b7ba45a7e605053907db021ba28365e4396aef495373453f2126e884eff6604f5caa93086c994dce4e7ac