Overview

overview

10

Static

static

1

KeystoneTo...er.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2024 17:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    KeystoneToolFirmwareInstallDriver.msi

  • Size

    16.9MB

  • MD5

    f56d4170e1b61a09174a2fa2aaca156f

  • SHA1

    b580cdf6d8bdb0fb58fb43ca02622b701c04629e

  • SHA256

    b37af0248306ef231856a0f916df0c3e0b01a21c5ec5a057e327819ffc951a6c

  • SHA512

    a7df8c576d5cdf885e06c414370c033da463addea6d401e09e00b4df97e8da24a129e26f12530ee1b36cef77e7ae3c0c520781bf82ee0f2fdd1b8c797e177f8f

  • SSDEEP

    393216:GQ/kpjIpPVT8zcSbY2n7r3SYcCxaGc0JZTKpy6nCi1:Gq2oQYSU2nHCZCC0/sy6Cw

Score
10/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2672
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4808
    • C:\Windows\system32\msiexec.exe
      msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\KeystoneToolFirmwareInstallDriver.msi
      1⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Event Triggered Execution: Installer Packages
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1536
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3836
      • C:\Windows\system32\srtasks.exe
        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:440
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding B6B2DA795D9D9173138F4007C035286E
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\SysWOW64\ICACLS.EXE
          "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-cdd872a3-bd2b-4803-a027-1ff9113f46aa\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
          3⤵
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          PID:1488
        • C:\Windows\SysWOW64\EXPAND.EXE
          "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
          3⤵
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          PID:3772
        • C:\Users\Admin\AppData\Local\Temp\MW-cdd872a3-bd2b-4803-a027-1ff9113f46aa\files\rdefi.exe
          "C:\Users\Admin\AppData\Local\Temp\MW-cdd872a3-bd2b-4803-a027-1ff9113f46aa\files\rdefi.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1332
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 396
            4⤵
            • Program crash
            PID:3960
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 424
            4⤵
            • Program crash
            PID:1816
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-cdd872a3-bd2b-4803-a027-1ff9113f46aa\files"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4548
        • C:\Windows\SysWOW64\ICACLS.EXE
          "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-cdd872a3-bd2b-4803-a027-1ff9113f46aa\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          3⤵
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          PID:2704
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:764
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1332 -ip 1332
      1⤵
        PID:552
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1332 -ip 1332
        1⤵
          PID:4888

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_39AF5D25B3F9D3E80BF4219E88DE6834
          Filesize

          1KB

          MD5

          09e2b8893f4909683f8127bdc3d359b0

          SHA1

          66e91adfd11a2e8a303ecee11bad52c50dd90947

          SHA256

          a7172fb8000e3661ba2dba6db872f06299c334bbc1971ba56e13e4d61fe00112

          SHA512

          9fe0069e77fbb57eb1a1786a0a718a9a9cd5bb608dfadfdab31bed59ca550eaea85c021db478e077a6bc41c0c78053165958366e3c4c38cfa4e3c4b77aaeab9a

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
          Filesize

          1KB

          MD5

          709e0bdb6889d957458b46382f05cf7b

          SHA1

          0eaa5b2086024b95f85933bf8d6d0f2025730847

          SHA256

          b0d861668b5721d58727a9293169dd681a092cc54c0f840d837741b9ec1f4b11

          SHA512

          8340b8d70e50d44f93c3071ba5d9a470f824cbaaad0846c66b2072d5665a827c97d471f439b75af98143e0f8a5ca5de62bb7f4aadea431e4aaef9b70202b4eca

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_39AF5D25B3F9D3E80BF4219E88DE6834
          Filesize

          536B

          MD5

          c5d43c1384d022c01759820dda9225ec

          SHA1

          fce3a9924fe042f58a460a2c8d1ad1731c92b49a

          SHA256

          ca83b815adebb95d02cb481716c6ba510e832ff85f335b26133aef71d22b1d43

          SHA512

          f46ed4f9a0fd5cd0984bf7388a3b5d10e6e780ccb4c2bb403e1dc47b94b167985c321c0ebf36c95a9db7d44a422cca19394b02520453bbdd2f0988350134309e

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
          Filesize

          536B

          MD5

          d10f72521b198f16b8a38085d1ff1880

          SHA1

          06611b0fe5ed6769625a8f3e112c420ae1b7677a

          SHA256

          6284782a7384bf92c9fcc7713267661d46e4352ae0b26531e2975a11aa89c175

          SHA512

          3628737296fc13fa0c4ba02518910bda45ced3ee24d0361114f0da8c517bf83ad06d03d4db69f29a538f06274dcf836cf727ed722ca90b668ca3652f7a0c6d63

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MW-cdd872a3-bd2b-4803-a027-1ff9113f46aa\files.cab
          Filesize

          16.6MB

          MD5

          dd9aedf6aec933277fc4379763c151d1

          SHA1

          58a91403a898f0f636c94a71a635ae35208b5601

          SHA256

          f5a2d20ce0d385dbfa532783959a0f22fe1d0dbf9f14da445b6c10ebc9a160bf

          SHA512

          b1d63b4b0dccca8d39b2ef6df051252fe2b9c7aec7ed2938aa2aba5bf06f756001779ac928cf278b8c435d0e1b7ec14bf9f06015d712abda885e8ebd6166b56c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MW-cdd872a3-bd2b-4803-a027-1ff9113f46aa\files\rdefi.exe
          Filesize

          16.6MB

          MD5

          e72eb906455851801d4a9c4846cdc513

          SHA1

          edc1e87aede635330339de311c1a1246a0fbcd47

          SHA256

          7bc43a41029ae7f7215306e7c5f03d901672bd378963cb97cdb0036f3cf7d222

          SHA512

          3eeec46f7a4bcc935f5dda5c53e6a5faf5d1a062f7bb8baf62d84e7edea9c8ef5e683e70b6ab3684c9ec12e13b076643d1337ecd0c4f78eef142e996005cb66f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MW-cdd872a3-bd2b-4803-a027-1ff9113f46aa\msiwrapper.ini
          Filesize

          364B

          MD5

          f3f79b90601b51dbb56f96a31d8934ce

          SHA1

          bec67ae4d0d91ee2d96c76c5f32c2c59b2aa71db

          SHA256

          3f582d51f6276de8d20bb73111e9a9bb96a19080ca5c37131bd3e90d03086b26

          SHA512

          5770159ecf392b43c7b785d0cd062a5dcff68af5ccbecbbf7c1d47d0c2893d24aa3237b85dd2e1e4c84c5db56d45329659affea19f57b5e6b55145d6144bcdbf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MW-cdd872a3-bd2b-4803-a027-1ff9113f46aa\msiwrapper.ini
          Filesize

          1KB

          MD5

          b9ba11f6c8c84d0daa67eb0614e1281d

          SHA1

          1cc061dfd9651ffe3fb655bf0247674048e4a981

          SHA256

          eda9f8383b1089ecf28b8d367960fb656dc1c64ae7740f8b10cf405f281edefb

          SHA512

          be95a98fd6a3a1a1bf28b89dd2e66dd2341f90f6752bc9ac2501166379559dad07a6e0d1391aaad5ed18bc9315bd3b02570e002de220a04f49f3f46d1fc8e618

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MW-cdd872a3-bd2b-4803-a027-1ff9113f46aa\msiwrapper.ini
          Filesize

          1KB

          MD5

          63004d8b56fc83e15bda3d280f335f7c

          SHA1

          a0a64b9dd64dfe2c570ff19c45255aadb2ad7f79

          SHA256

          e297b06a1950ab02486239a0b15dff7dcba5925dd9872d0853bf2fadb92ec34e

          SHA512

          71f272b84ba1facdb6bfc8745acc714d781149b3a1fde5ed1b399dcf8516cd0a48c1a747af26eb10c426f9e6ad0ab18cd64572b06e27adeb23660f0abf9f8e7c

          Download Submit

        • C:\Windows\Installer\MSI172.tmp
          Filesize

          208KB

          MD5

          0c8921bbcc37c6efd34faf44cf3b0cb5

          SHA1

          dcfa71246157edcd09eecaf9d4c5e360b24b3e49

          SHA256

          fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

          SHA512

          ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

          Download Submit

        • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
          Filesize

          24.1MB

          MD5

          5ca01e1242ff1ff3b73d41fd15c64f7b

          SHA1

          d563951fb135412f3f041fa36bff0727cd12eaf5

          SHA256

          9065b6485d7d08853e78f6a2e43950e8e61364e2e7d98099fc96f93d1e2ff602

          SHA512

          e1f2491b04db7563bbedb17831f6570f544137896a6fe48a84429c97d8dc88e6ef1e7c85a24458d0ec91f66869841c2e524a50f6600183bdaeeafcc262ff6535

          Download Submit

        • \??\Volume{612d9cf5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4b27cbd3-9c32-4a42-9a10-0384028a32fd}_OnDiskSnapshotProp
          Filesize

          6KB

          MD5

          d92cee56ba6c50267ccf9fd196768e6b

          SHA1

          b9f3736f417395a4cb376a27e141524530c38d7c

          SHA256

          881ce0f00ef887fd3631cf46bf574858455e78dbafd83d44246f36f80c5529b6

          SHA512

          fa2bf1fd4ddc80daef7d9ac1d008aa98207b737c5e5c089a8c2f98d517ab84e74a4bb9ac9a198a4969da25091830b68def68363182fa37835975a8fc5eb7e73e

          Download Submit

        • memory/1332-86-0x0000000002680000-0x0000000002A80000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/1332-87-0x0000000002680000-0x0000000002A80000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/1332-88-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1332-90-0x0000000075AF0000-0x0000000075D05000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4808-91-0x0000000000B90000-0x0000000000B9A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4808-96-0x0000000075AF0000-0x0000000075D05000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4808-94-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4808-93-0x0000000001400000-0x0000000001800000-memory.dmp

          Filesize

          4.0MB

          Download