5883edd9c939f4212021ed78572054caea0d3b0cb5c8d938357a7b499544b61a

General

Target

WebM_Premiere.msi
Size

9.8MB
MD5

a914bade13e6df609b57bf8a3e3d5010
SHA1

b9abb9fabe1e9a9b4f0391945b47fcede813da85
SHA256

8d0a4372c4af1f3e94661c2577b68c130f686506dbe647c98691ed7d2e3947e3
SHA512

051d575956323fc881741111528c841874b414aacb787c5542803d934122898ff38bb976d00b32fb95bc7986db7b01a05d4837276d69c40cc8b3b37e2807d27b
SSDEEP

196608:LBEKTWkkBNM5116cg2zc/blV4G1TwAfh91v3rPJsDjSOYl7m27lP:xWkQ6122Y/bljTwAfxv7xFn

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File created C:\Program Files\Adobe\Common\Plug-ins\7.0\MediaCore\WebM.prm msiexec.exe

description	ioc	process
File created	C:\Program Files\Adobe\Common\Plug-ins\7.0\MediaCore\WebM.prm	msiexec.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B89B471B-5309-40E3-8E83-EB60C4A54269}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID6C8.tmp	msiexec.exe
File created	C:\Windows\Installer\e57d5ef.msi	msiexec.exe
File created	C:\Windows\Installer\e57d5ed.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d5ed.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

2860 msiexec.exe

pid	process
2860	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001397c7f967de25740000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001397c7f90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001397c7f9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1397c7f9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001397c7f900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2180 msiexec.exe
2180 msiexec.exe

pid	process
2180	msiexec.exe
2180	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	2860	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2860	msiexec.exe
Token: SeSecurityPrivilege	2180	msiexec.exe
Token: SeCreateTokenPrivilege	2860	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2860	msiexec.exe
Token: SeLockMemoryPrivilege	2860	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2860	msiexec.exe
Token: SeMachineAccountPrivilege	2860	msiexec.exe
Token: SeTcbPrivilege	2860	msiexec.exe
Token: SeSecurityPrivilege	2860	msiexec.exe
Token: SeTakeOwnershipPrivilege	2860	msiexec.exe
Token: SeLoadDriverPrivilege	2860	msiexec.exe
Token: SeSystemProfilePrivilege	2860	msiexec.exe
Token: SeSystemtimePrivilege	2860	msiexec.exe
Token: SeProfSingleProcessPrivilege	2860	msiexec.exe
Token: SeIncBasePriorityPrivilege	2860	msiexec.exe
Token: SeCreatePagefilePrivilege	2860	msiexec.exe
Token: SeCreatePermanentPrivilege	2860	msiexec.exe
Token: SeBackupPrivilege	2860	msiexec.exe
Token: SeRestorePrivilege	2860	msiexec.exe
Token: SeShutdownPrivilege	2860	msiexec.exe
Token: SeDebugPrivilege	2860	msiexec.exe
Token: SeAuditPrivilege	2860	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2860	msiexec.exe
Token: SeChangeNotifyPrivilege	2860	msiexec.exe
Token: SeRemoteShutdownPrivilege	2860	msiexec.exe
Token: SeUndockPrivilege	2860	msiexec.exe
Token: SeSyncAgentPrivilege	2860	msiexec.exe
Token: SeEnableDelegationPrivilege	2860	msiexec.exe
Token: SeManageVolumePrivilege	2860	msiexec.exe
Token: SeImpersonatePrivilege	2860	msiexec.exe
Token: SeCreateGlobalPrivilege	2860	msiexec.exe
Token: SeBackupPrivilege	1400	vssvc.exe
Token: SeRestorePrivilege	1400	vssvc.exe
Token: SeAuditPrivilege	1400	vssvc.exe
Token: SeBackupPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2860 msiexec.exe
2860 msiexec.exe

pid	process
2860	msiexec.exe
2860	msiexec.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2180 wrote to memory of 4432	2180	msiexec.exe	srtasks.exe
PID 2180 wrote to memory of 4432	2180	msiexec.exe	srtasks.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WebM_Premiere.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2860

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Privilege Escalation

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Defense Evasion

System Binary Proxy Execution

1

T1218

Msiexec

1

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57d5ee.rbs

Filesize
8KB

MD5
fd1f798d871756981a769d666f424429

SHA1
7cfe26bb522e06c86fb1dbe8e7ff1a00afc2f512

SHA256
4ada9b308aaeb0b2c6d6e963bd48b01bbfbddd88901d0a9c60899fd0ff8ad182

SHA512
4f565ed7582843729ab232f3db4ea7a4f2943decf037962c6f45222e0e2abdd88576ac81925b20106ba06316cf7f9c0628abc8f5c947ae2c0154dbbd309639a2

Download Submit
C:\Windows\Installer\e57d5ed.msi

Filesize
9.8MB

MD5
a914bade13e6df609b57bf8a3e3d5010

SHA1
b9abb9fabe1e9a9b4f0391945b47fcede813da85

SHA256
8d0a4372c4af1f3e94661c2577b68c130f686506dbe647c98691ed7d2e3947e3

SHA512
051d575956323fc881741111528c841874b414aacb787c5542803d934122898ff38bb976d00b32fb95bc7986db7b01a05d4837276d69c40cc8b3b37e2807d27b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
8524185e092396b9eee27a2df2fff72b

SHA1
9a01edc665a33021ce64e9bb2e6ded5a98e38664

SHA256
28c0dc0c0c97e9d38d318897c1d00fc4f1c76908477be6fbb83b0e1339fcd597

SHA512
7ce7ea0ccf08bc5392c4df28562d4ca66527f1bb9d6f60f57a40dbeff28b9acd8a87888d7142c1f622990944c332c8d3eec549f670576b5dd8532d1426cba210

Download Submit
\??\Volume{f9c79713-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ecb2ea9d-867e-4822-983c-64a71edad386}_OnDiskSnapshotProp

Filesize
6KB

MD5
9c251fb8da80d053e90e2765ae3cf8dd

SHA1
1d0b9e7520762893f85ac2d475115a00c9a8a5e5

SHA256
58794d879819cb028d7c9f35f8b3b767434968de9bbfda2f8cd9c9d64793c6c3

SHA512
3ea9b2a567f7d69e673b674dbaa871916ffbcc418cf56ac23a8d25161923a31c00c30c7991b5dc5f92ebd9fe9d3a88bdf1ad21aabbc2b4d01bab5600fc84ee03

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads