Analysis
max time kernel: 120s
max time network: 122s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 20/11/2024, 04:54
Static task: static1
Behavioral task: behavioral1
  Sample: tn5250.msi
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: tn5250.msi
  Resource: win10v2004-20241007-en
General
Target: tn5250.msi
Size: 2.0MB
MD5: df00268606a3e3488d08a5e2cec0c100
SHA1: 7f6b44e59134341a7cad154d223a5121de42b5e9
SHA256: 8bd1afd65268e5d9e416d830b8d370d8a8956824a8293b3b372d7fa051e982c8
SHA512: 9f5cd01d31fcf2616d2384270ccc5d914f071dd7ae5b7ba45a7e605053907db021ba28365e4396aef495373453f2126e884eff6604f5caa93086c994dce4e7ac
SSDEEP: 49152:45kVY5AyE3D2aXE739bH/fwmOua7IX9qNGnHt6q+tMp:7Y5AJCWcNbHbOH7ItqN0Htj+
Malware Config
Signatures
Blocklisted process makes network request 2 IoCs
flow | pid | Process
3 | 2136 | msiexec.exe
14 | 2404 | msiexec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
Drops file in Program Files directory 21 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\readme.txt | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\mtn5250.chm | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.278 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.285 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.385 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.870 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.1047 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.1026 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.273 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\license.txt | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.1025 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.875 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.277 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.280 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.284 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.297 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.500 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.871 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.037 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.274 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\tn5250.exe | msiexec.exe
Drops file in Windows directory 13 IoCs
description | ioc | Process
File created | C:\Windows\Installer\f774fd5.msi | msiexec.exe
File created | C:\Windows\Installer\{1607BB80-6FC9-4111-96E0-F5BD60334441}\controlPanelIcon.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\{1607BB80-6FC9-4111-96E0-F5BD60334441}\controlPanelIcon.exe | msiexec.exe
File created | C:\Windows\Installer\f774fd8.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f774fd6.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI52E4.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\f774fd5.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI512E.tmp | msiexec.exe
File created | C:\Windows\Installer\f774fd6.ipi | msiexec.exe
Executes dropped EXE 1 IoCs
pid | Process
1680 | tn5250.exe
Loads dropped DLL 4 IoCs
pid | Process
2860 | MsiExec.exe
2860 | MsiExec.exe
2860 | MsiExec.exe
1072 | MsiExec.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
2136 | msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Modifies data under HKEY_USERS 46 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Modifies registry class 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\08BB70619CF61114690E5FDB06334414\MainFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\PackageCode = "3659D57DB5B13764D96BE8F330FF495D" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\ProductIcon = "C:\\Windows\\Installer\\{1607BB80-6FC9-4111-96E0-F5BD60334441}\\controlPanelIcon.exe" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EFA965DEA46E0C94DBEB74AA1A71BD6E\08BB70619CF61114690E5FDB06334414 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\PackageName = "tn5250.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\08BB70619CF61114690E5FDB06334414 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\Version = "67174400" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EFA965DEA46E0C94DBEB74AA1A71BD6E | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\AuthorizedLUAApp = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\DeploymentFlags = "3" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Media\1 = ";" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\ProductName = "Mocha TN5250 for Windows 7/8/10/11" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\AdvertiseFlags = "388" | msiexec.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2404 | msiexec.exe
2404 | msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2136 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2136 | msiexec.exe
Token: SeRestorePrivilege | 2404 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2404 | msiexec.exe
Token: SeSecurityPrivilege | 2404 | msiexec.exe
Token: SeCreateTokenPrivilege | 2136 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2136 | msiexec.exe
Token: SeLockMemoryPrivilege | 2136 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2136 | msiexec.exe
Token: SeMachineAccountPrivilege | 2136 | msiexec.exe
Token: SeTcbPrivilege | 2136 | msiexec.exe
Token: SeSecurityPrivilege | 2136 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2136 | msiexec.exe
Token: SeLoadDriverPrivilege | 2136 | msiexec.exe
Token: SeSystemProfilePrivilege | 2136 | msiexec.exe
Token: SeSystemtimePrivilege | 2136 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2136 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2136 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2136 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2136 | msiexec.exe
Token: SeBackupPrivilege | 2136 | msiexec.exe
Token: SeRestorePrivilege | 2136 | msiexec.exe
Token: SeShutdownPrivilege | 2136 | msiexec.exe
Token: SeDebugPrivilege | 2136 | msiexec.exe
Token: SeAuditPrivilege | 2136 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2136 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2136 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2136 | msiexec.exe
Token: SeUndockPrivilege | 2136 | msiexec.exe
Token: SeSyncAgentPrivilege | 2136 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2136 | msiexec.exe
Token: SeManageVolumePrivilege | 2136 | msiexec.exe
Token: SeImpersonatePrivilege | 2136 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2136 | msiexec.exe
Token: SeCreateTokenPrivilege | 2136 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2136 | msiexec.exe
Token: SeLockMemoryPrivilege | 2136 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2136 | msiexec.exe
Token: SeMachineAccountPrivilege | 2136 | msiexec.exe
Token: SeTcbPrivilege | 2136 | msiexec.exe
Token: SeSecurityPrivilege | 2136 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2136 | msiexec.exe
Token: SeLoadDriverPrivilege | 2136 | msiexec.exe
Token: SeSystemProfilePrivilege | 2136 | msiexec.exe
Token: SeSystemtimePrivilege | 2136 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2136 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2136 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2136 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2136 | msiexec.exe
Token: SeBackupPrivilege | 2136 | msiexec.exe
Token: SeRestorePrivilege | 2136 | msiexec.exe
Token: SeShutdownPrivilege | 2136 | msiexec.exe
Token: SeDebugPrivilege | 2136 | msiexec.exe
Token: SeAuditPrivilege | 2136 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2136 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2136 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2136 | msiexec.exe
Token: SeUndockPrivilege | 2136 | msiexec.exe
Token: SeSyncAgentPrivilege | 2136 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2136 | msiexec.exe
Token: SeManageVolumePrivilege | 2136 | msiexec.exe
Token: SeImpersonatePrivilege | 2136 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2136 | msiexec.exe
Token: SeCreateTokenPrivilege | 2136 | msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2136 | msiexec.exe
2136 | msiexec.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 2404 wrote to memory of 2860 | 2404 | msiexec.exe | 31
PID 2404 wrote to memory of 2860 | 2404 | msiexec.exe | 31
PID 2404 wrote to memory of 2860 | 2404 | msiexec.exe | 31
PID 2404 wrote to memory of 2860 | 2404 | msiexec.exe | 31
PID 2404 wrote to memory of 2860 | 2404 | msiexec.exe | 31
PID 2404 wrote to memory of 2860 | 2404 | msiexec.exe | 31
PID 2404 wrote to memory of 2860 | 2404 | msiexec.exe | 31
PID 2404 wrote to memory of 1072 | 2404 | msiexec.exe | 36
PID 2404 wrote to memory of 1072 | 2404 | msiexec.exe | 36
PID 2404 wrote to memory of 1072 | 2404 | msiexec.exe | 36
PID 2404 wrote to memory of 1072 | 2404 | msiexec.exe | 36
PID 2404 wrote to memory of 1072 | 2404 | msiexec.exe | 36
PID 2404 wrote to memory of 1072 | 2404 | msiexec.exe | 36
PID 2404 wrote to memory of 1072 | 2404 | msiexec.exe | 36
PID 2404 wrote to memory of 1680 | 2404 | msiexec.exe | 37
PID 2404 wrote to memory of 1680 | 2404 | msiexec.exe | 37
PID 2404 wrote to memory of 1680 | 2404 | msiexec.exe | 37
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\tn5250.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2136
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2404
    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 99B285131222CFA4007481A0C2C134CF C
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID: 2860
    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5724E94E3305E32458DCA03863F8DBC0
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID: 1072
    C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\tn5250.exe
      Command line: "C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\tn5250.exe" /Zempty
      - Executes dropped EXE
      PID: 1680
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2652
C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002A8" "00000000000005AC"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 2924
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 9KB
MD5: b9b83984887fcd3a0c4900ebac0c49a0
SHA1: 4a6f2a8031abb2960f24e4cfea305f66b441fa67
SHA256: dd112c54ca8c94a53f88ce7ed5553083d1e94fef285f63fb1ad07f099491d921
SHA512: 7115b4f3f1717b0bb555f5dd822387030dd54e3be48b321ebf99f0cb948629e00adbf090f11ab45fe2a64890be1d69f5b200301a87d0f8597659680ffb247c8a

Filesize: 1KB
MD5: 2ca9f116991aeec0ce11adff1de2b9ed
SHA1: 905a22af314da7d0df6545637d380d2f2d44505c
SHA256: 574e41811a7aee269b6e1ea19296af65056ffdc6229a52cec380ecc2ef64dd56
SHA512: 38a6a25ac7eb8d61b3ff05095771b8382c355cb82de1213f86030f683f97d6b4b7e2403deab2c0a3117a9509a445494bb70167add6fd01caa3eb11b53da55be3

Filesize: 3.1MB
MD5: 85834905af2f859fa3c353bc8874553a
SHA1: ffe5f2790d1c90124d64b7d3a793a8aa7cf7e67f
SHA256: 3a49ea560bd9f82d3bdcb4136ea501387f5682b19a54f0d17bb0a01dec5698be
SHA512: f48643dda6894674b477fe9dadf22a3894e80b07f656fa9eb52be0caf291a2d932b9886685ec924e262dfc2a2220a7976a64dc228a52a27f059ce98cd2824658

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize: 471B
MD5: 4302ac33571a665623f83caa83e9d7b7
SHA1: 38e4b1f7626af38f558f00b7585a8821a3ef371e
SHA256: 85d864fdf43320e3535ad37f3d946a3bd648df66622cbbcb079b976abfa7ff41
SHA512: cc7530d96b6cf2d390a660fccd64170b6a32fb4ed777f3369ef92180abcaabfd94f74ba0ba8730084510fdeb42ded2a9b799d14c787424d3d11d2f2043642c41

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_EC420DCD3BBF75F74A9D9E7363E1AE4E
Filesize: 727B
MD5: eb97e7442e3aca7df31cd380b08f116d
SHA1: de22b89accd3bbc77c90a7936e9906375747a0a8
SHA256: 5d5d3bee2e0d17984505a32cf4f74e9980d046d0728e30bdf1fd30943284b175
SHA512: ee6435c20362e950c0614100f3a4869d86393a297d2be38f23caeec22607b886d077f0b3da3898a0564952e829447d448e5651e62c70be87835823082a0ee1eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize: 727B
MD5: 2234a2da0c7ba427c516a7ba532be7f4
SHA1: 71bbac1f00303abebe6b8ee9f8cb1ec3f72e1e83
SHA256: a7c433170beb0d6d06d2b3e12790688c320e911d1217ec0eb90c6d46a28a5abb
SHA512: fdf3757943c042323652f78bb3135032c7268f61d6ec11317316768cde45527846de1e2c4bdeac2add5ccc8fa1548a8a53c514573eb07637669380e4d493790d

Filesize: 1KB
MD5: a266bb7dcc38a562631361bbf61dd11b
SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize: 400B
MD5: a4de414b113cb82891b02dffdd0eafcb
SHA1: c71c1af32dacd7eaf47a8801613e1889b36a53e7
SHA256: 5ad8e6083d982d92cb0851c02bedb850bb4bf6eb0f97d9befd72795a3e9ed660
SHA512: ac43e2936a7891b9284f83381ffe7bf666b45983ccdf3aa6ee7dff55a3331aae6af6bce6801e8a94e840a5e0697190c9c4eda2d1b018be8f549b41581632f750

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_EC420DCD3BBF75F74A9D9E7363E1AE4E
Filesize: 404B
MD5: a6ba4642a681aee3ac143df0f9aabe32
SHA1: 2dc56d822a0686631aa963c5db424c25b33ccc8f
SHA256: b8a3f6f25c57c49d8ba6d3d4877fe6a167d58365f96048bcb23fae49480526dc
SHA512: 7766a6ac6d19b269674b1c89793197f9f89affacc4d5c146b85f7d74e715b9849601d938cf5195905c8000eee1b0bb96948828583b605ab0611b0c0722ee05df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 58851d82ed6c529a29bbaf791ff3a993
SHA1: 2b0a3014e181783ac7dced8284b595beb0eb837a
SHA256: a112fa54fe423b58f3125bfd843587f3ac4068ef7b038445d419e99bc74bbf5a
SHA512: ae5632e708b6cf37c78015964aeefdd74f543a6290f6598943a06e71e3d6e52254ed5473164db1529be923cea0548744a59f284e22d983e095bdfe8cc687a05c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize: 412B
MD5: 5f2de67c0e8bb9500c83f7c9ed4b587e
SHA1: 3a7175626df71cbe0f2a9329dfa06aabab2e77aa
SHA256: 34a6353d69766fdc832646e427da646e1e860d117a249ceee14574a38e8f4564
SHA512: 3d3a010e73a072bfb714423c712d209e4b0c977f5feb912cbd6474dbf0cf4f97a95f1b48694df8002df8038021ba3f97598dbd4c8be32def54c7723541d37654

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize: 242B
MD5: 6b537c18ecdf1dc5ff7e30d56d460833
SHA1: 8965bb2a7fad18a272afa3b2aebc7d1cbffb579c
SHA256: 9bb49a9d4b07e719dacbabd1d0a1b3b28aadc731973f1af498fada8686964d60
SHA512: e1e73450409908560e4984a32ece9217e571204f086624c60e61b07e4e8ddd6c8730be43a4ecb68d6aa2dc96444f77c4040cd342cee2bd72608a8f143b3582ac

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 2.0MB
MD5: df00268606a3e3488d08a5e2cec0c100
SHA1: 7f6b44e59134341a7cad154d223a5121de42b5e9
SHA256: 8bd1afd65268e5d9e416d830b8d370d8a8956824a8293b3b372d7fa051e982c8
SHA512: 9f5cd01d31fcf2616d2384270ccc5d914f071dd7ae5b7ba45a7e605053907db021ba28365e4396aef495373453f2126e884eff6604f5caa93086c994dce4e7ac

Filesize: 89KB
MD5: b051a3c68dcbf9e5b506aed6b0ef0ca8
SHA1: 37c4a9c43b6b583b77fa750991a90cf36bcb17be
SHA256: 91a0d1ba2a6f0c0999b85c1f9abae8487f0274020fbe1cb86c9b4e009861521c
SHA512: 749450815c37d688935e460a95693245ea4a3cd5176d3eefee0556ca77d73465cb5f7344a2c4637b90c8f379419a1969793f9c106602c2c25bb65a7f6b4a543a