e158310cb13d1a48304d68dfd83447c4208f27e03f4f13d6a2184364a7c174e4

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e158310cb13d1a48304d68dfd83447c4208f27e03f4f13d6a2184364a7c174e4.msi
Size

1.8MB
MD5

66b16b0e40121de05fc889765a9a2f54
SHA1

72bbd8cda91693a0f655c67b0e2e9f86efaecc73
SHA256

e158310cb13d1a48304d68dfd83447c4208f27e03f4f13d6a2184364a7c174e4
SHA512

0bddd047a67d76bba80514138ee591f4b3b47ffc7240b2bbf5f2260c34e0c333f7c4a8a967ae76631187ef4988e4aa9a0af9c585c0202c1534c2144779456c33
SSDEEP

24576:wt9cpVDhnsV2kDzeOahNZVtRIGE6czXkTXqH:vpRhnlazeOahNZVtaGPcx

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3012	msiexec.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	2596	msiexec.exe
Token: SeTakeOwnershipPrivilege	2596	msiexec.exe
Token: SeSecurityPrivilege	2596	msiexec.exe
Token: SeCreateTokenPrivilege	3012	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3012	msiexec.exe
Token: SeLockMemoryPrivilege	3012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3012	msiexec.exe
Token: SeMachineAccountPrivilege	3012	msiexec.exe
Token: SeTcbPrivilege	3012	msiexec.exe
Token: SeSecurityPrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeLoadDriverPrivilege	3012	msiexec.exe
Token: SeSystemProfilePrivilege	3012	msiexec.exe
Token: SeSystemtimePrivilege	3012	msiexec.exe
Token: SeProfSingleProcessPrivilege	3012	msiexec.exe
Token: SeIncBasePriorityPrivilege	3012	msiexec.exe
Token: SeCreatePagefilePrivilege	3012	msiexec.exe
Token: SeCreatePermanentPrivilege	3012	msiexec.exe
Token: SeBackupPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeShutdownPrivilege	3012	msiexec.exe
Token: SeDebugPrivilege	3012	msiexec.exe
Token: SeAuditPrivilege	3012	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3012	msiexec.exe
Token: SeChangeNotifyPrivilege	3012	msiexec.exe
Token: SeRemoteShutdownPrivilege	3012	msiexec.exe
Token: SeUndockPrivilege	3012	msiexec.exe
Token: SeSyncAgentPrivilege	3012	msiexec.exe
Token: SeEnableDelegationPrivilege	3012	msiexec.exe
Token: SeManageVolumePrivilege	3012	msiexec.exe
Token: SeImpersonatePrivilege	3012	msiexec.exe
Token: SeCreateGlobalPrivilege	3012	msiexec.exe
Token: SeBackupPrivilege	2308	vssvc.exe
Token: SeRestorePrivilege	2308	vssvc.exe
Token: SeAuditPrivilege	2308	vssvc.exe
Token: SeBackupPrivilege	2596	msiexec.exe
Token: SeRestorePrivilege	2596	msiexec.exe
Token: SeRestorePrivilege	496	msiexec.exe
Token: SeTakeOwnershipPrivilege	496	msiexec.exe
Token: SeSecurityPrivilege	496	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3012	msiexec.exe
3012	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2772	2596	msiexec.exe	34
PID 2596 wrote to memory of 2772	2596	msiexec.exe	34
PID 2596 wrote to memory of 2772	2596	msiexec.exe	34

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e158310cb13d1a48304d68dfd83447c4208f27e03f4f13d6a2184364a7c174e4.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3012

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2596 -s 868
  2⤵
  PID:2772