97908f93a4305247578983906ca3e34652d891af1a1efca7579a762a1f5da6ad

Analysis

max time kernel
92s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

T1_软件包_1.0.9.msi
Size

14.3MB
MD5

ff2157d97d849d3bf67fd86d031662bc
SHA1

6310d810f1702177e11029990d1d1441f1b2c562
SHA256

442ab408377978c7d86bc9cb5fd566cac22ad2285a66a64fd173e155d7318abc
SHA512

90e699632d610f38573a77b462d43e04af4e69fd8a7772579dbfc09e8187eaedf1b39353e652a81f60177a12fc41e6baa67b8e9e4b574c5e379544890dbdda2b
SSDEEP

196608:j3KNfuUZj2vtrAZhVXQQv0sOAeym0a2uXRjoYSS3noSC:ON5jOSVXQM0sOAewhOBX

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3896	MsiExec.exe
3896	MsiExec.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\7za.bin	msiexec.exe
File created	C:\Program Files (x86)\Windows NT\data.bin	msiexec.exe
File created	C:\Program Files (x86)\Windows NT\Update.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Update.png	MsiExec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIFC90.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE18.tmp	msiexec.exe
File created	C:\Windows\Installer\e57fb77.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7130A435-B139-4895-A5D5-F634A43923EC}	msiexec.exe
File created	C:\Windows\Installer\e57fb79.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57fb77.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
3896	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2920	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001397c7f967de25740000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001397c7f90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001397c7f9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1397c7f9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001397c7f900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\534A0317931B59845A5D6F434A9332CE\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\534A0317931B59845A5D6F434A9332CE\PackageCode = "F19D36DF66D4C4B4DA6C1F106872A891"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\534A0317931B59845A5D6F434A9332CE\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\534A0317931B59845A5D6F434A9332CE\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ABCBC521D000113428DCA4ABCB7D434C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ABCBC521D000113428DCA4ABCB7D434C\534A0317931B59845A5D6F434A9332CE	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\534A0317931B59845A5D6F434A9332CE\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\534A0317931B59845A5D6F434A9332CE\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\534A0317931B59845A5D6F434A9332CE\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\534A0317931B59845A5D6F434A9332CE\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\534A0317931B59845A5D6F434A9332CE\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\534A0317931B59845A5D6F434A9332CE\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\534A0317931B59845A5D6F434A9332CE\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\534A0317931B59845A5D6F434A9332CE\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\534A0317931B59845A5D6F434A9332CE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\534A0317931B59845A5D6F434A9332CE\ProdFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\534A0317931B59845A5D6F434A9332CE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\534A0317931B59845A5D6F434A9332CE\SourceList\PackageName = "T1_软件包_1.0.9.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\534A0317931B59845A5D6F434A9332CE\ProductName = "Setup"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\534A0317931B59845A5D6F434A9332CE\Version = "16973828"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\534A0317931B59845A5D6F434A9332CE\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\534A0317931B59845A5D6F434A9332CE\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1288	msiexec.exe
1288	msiexec.exe
3896	MsiExec.exe
3896	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2920	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2920	msiexec.exe
Token: SeSecurityPrivilege	1288	msiexec.exe
Token: SeCreateTokenPrivilege	2920	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2920	msiexec.exe
Token: SeLockMemoryPrivilege	2920	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2920	msiexec.exe
Token: SeMachineAccountPrivilege	2920	msiexec.exe
Token: SeTcbPrivilege	2920	msiexec.exe
Token: SeSecurityPrivilege	2920	msiexec.exe
Token: SeTakeOwnershipPrivilege	2920	msiexec.exe
Token: SeLoadDriverPrivilege	2920	msiexec.exe
Token: SeSystemProfilePrivilege	2920	msiexec.exe
Token: SeSystemtimePrivilege	2920	msiexec.exe
Token: SeProfSingleProcessPrivilege	2920	msiexec.exe
Token: SeIncBasePriorityPrivilege	2920	msiexec.exe
Token: SeCreatePagefilePrivilege	2920	msiexec.exe
Token: SeCreatePermanentPrivilege	2920	msiexec.exe
Token: SeBackupPrivilege	2920	msiexec.exe
Token: SeRestorePrivilege	2920	msiexec.exe
Token: SeShutdownPrivilege	2920	msiexec.exe
Token: SeDebugPrivilege	2920	msiexec.exe
Token: SeAuditPrivilege	2920	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2920	msiexec.exe
Token: SeChangeNotifyPrivilege	2920	msiexec.exe
Token: SeRemoteShutdownPrivilege	2920	msiexec.exe
Token: SeUndockPrivilege	2920	msiexec.exe
Token: SeSyncAgentPrivilege	2920	msiexec.exe
Token: SeEnableDelegationPrivilege	2920	msiexec.exe
Token: SeManageVolumePrivilege	2920	msiexec.exe
Token: SeImpersonatePrivilege	2920	msiexec.exe
Token: SeCreateGlobalPrivilege	2920	msiexec.exe
Token: SeBackupPrivilege	628	vssvc.exe
Token: SeRestorePrivilege	628	vssvc.exe
Token: SeAuditPrivilege	628	vssvc.exe
Token: SeBackupPrivilege	1288	msiexec.exe
Token: SeRestorePrivilege	1288	msiexec.exe
Token: SeRestorePrivilege	1288	msiexec.exe
Token: SeTakeOwnershipPrivilege	1288	msiexec.exe
Token: SeRestorePrivilege	1288	msiexec.exe
Token: SeTakeOwnershipPrivilege	1288	msiexec.exe
Token: SeRestorePrivilege	1288	msiexec.exe
Token: SeTakeOwnershipPrivilege	1288	msiexec.exe
Token: SeRestorePrivilege	1288	msiexec.exe
Token: SeTakeOwnershipPrivilege	1288	msiexec.exe
Token: SeRestorePrivilege	1288	msiexec.exe
Token: SeTakeOwnershipPrivilege	1288	msiexec.exe
Token: SeRestorePrivilege	1288	msiexec.exe
Token: SeTakeOwnershipPrivilege	1288	msiexec.exe
Token: SeRestorePrivilege	1288	msiexec.exe
Token: SeTakeOwnershipPrivilege	1288	msiexec.exe
Token: SeRestorePrivilege	1288	msiexec.exe
Token: SeTakeOwnershipPrivilege	1288	msiexec.exe
Token: SeRestorePrivilege	1288	msiexec.exe
Token: SeTakeOwnershipPrivilege	1288	msiexec.exe
Token: SeRestorePrivilege	1288	msiexec.exe
Token: SeTakeOwnershipPrivilege	1288	msiexec.exe
Token: SeRestorePrivilege	1288	msiexec.exe
Token: SeTakeOwnershipPrivilege	1288	msiexec.exe
Token: SeRestorePrivilege	1288	msiexec.exe
Token: SeTakeOwnershipPrivilege	1288	msiexec.exe
Token: SeRestorePrivilege	1288	msiexec.exe
Token: SeTakeOwnershipPrivilege	1288	msiexec.exe
Token: SeRestorePrivilege	1288	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2920	msiexec.exe
2920	msiexec.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 3412	1288	msiexec.exe	98
PID 1288 wrote to memory of 3412	1288	msiexec.exe	98
PID 1288 wrote to memory of 3896	1288	msiexec.exe	100
PID 1288 wrote to memory of 3896	1288	msiexec.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\T1_软件包_1.0.9.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2920

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3412
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 3DD25539EEFB2430656311545E14A640 E Global\MSI0000
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57fb78.rbs

Filesize
13.7MB

MD5
4b9a20c0ce2332a1699484bce6f645b5

SHA1
2d8739cc5eda55d8a4b6bb2f2ab2dfe521c6f76b

SHA256
e0df9d14410d17a7b87f7841f6f2f7727c50646a7f06a33f1c584bde7cd1d5ed

SHA512
8641721b6ba2ba6a0e76d36c18d62b21b56d3f279a6e3b468a7c297dd0b86e845d5f2f04bbb0bd9f0b1c1c094f8f3e21e3e4721a37ae6d94449ccf00e913d7c4

Download Submit
C:\Windows\Installer\MSIFE18.tmp

Filesize
13.7MB

MD5
9f8a34d5aad84a6cf84b457311aedc79

SHA1
5e52ac0f843d3eabd953c074c50bb9d31ea366a5

SHA256
2218bdc1a141068e124211828141b5131bf76c71e9f33535fc241febf3f92a05

SHA512
8f10be170b5cb5f7ac6a2219251ce98dc0e97181f31f0655d24c2a6182b8fc480cca3834567c1b17d105530372141174718f323bff4a35b30f68fd7ae641ffe6

Download Submit
C:\Windows\Installer\e57fb77.msi

Filesize
14.3MB

MD5
ff2157d97d849d3bf67fd86d031662bc

SHA1
6310d810f1702177e11029990d1d1441f1b2c562

SHA256
442ab408377978c7d86bc9cb5fd566cac22ad2285a66a64fd173e155d7318abc

SHA512
90e699632d610f38573a77b462d43e04af4e69fd8a7772579dbfc09e8187eaedf1b39353e652a81f60177a12fc41e6baa67b8e9e4b574c5e379544890dbdda2b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
fd58606099da579bc34e72eb6017f803

SHA1
74228d47eed17ddc5bf49e95c0a5791eb86eaa41

SHA256
b2bb7759f505ff2be206bb8c5e2b52a309fe4be995f27e0f206c27125bed8fee

SHA512
f4f36af404986b825f19da9824b6541c491bf1dd47cb0f0230cc550dd14908fea381e41bf667ac48f665123567e91b2f67852f445e221a3ad3fa412501eaeb8c

Download Submit
\??\Volume{f9c79713-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5394843b-960e-4455-a24f-531cb69abbef}_OnDiskSnapshotProp

Filesize
6KB

MD5
4e5a4f02ba41206b930f1d341b5a63e8

SHA1
36569de0ae71c8f7e92ccea4fae20f32bdda2dc4

SHA256
cb430947fe4f218d428f758c51ea102573d0f7a94e815aba1bfd8674cf900dd2

SHA512
9399879c4181ad5328ba30ceac9d913ab618a88d1bc331a7b678209f05cbb1801ce8f0091b8fedd6f2ad5b50c0c4b7dd4e745b207bac39534beffd66c2d0a953

Download Submit
memory/3896-20-0x00007FFBCA710000-0x00007FFBCA712000-memory.dmp

Filesize
8KB

Download
memory/3896-21-0x00007FFBCA720000-0x00007FFBCA722000-memory.dmp

Filesize
8KB

Download
memory/3896-22-0x00007FFBA93E0000-0x00007FFBAAA55000-memory.dmp

Filesize
22.5MB

Download