Analysis
- max time kernel: 119s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 23-12-2024 19:43
Static task: static1
Behavioral task: behavioral1 (Sample: install.msi, Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: install.msi, Resource: win10v2004-20241007-en)
General
- Target: install.msi
- Size: 1.9MB
- MD5: bdc8b7229eaa7473c25a37f08ba79189
- SHA1: 9699c8b0f0235bae5285a80b3e3b8c447d2aad0c
- SHA256: 7b939d1d59b370c836fea6703a254127de36ac0259538809535bb136b6725c72
- SHA512: 1332bfad5da5c8fce17cf374ff1012831744e3e69cea4b87607eb9dc95b6ebc51c91a6766ee186d5ee8a5e027111ec74a644bd470fb891c60240239f727b3e17
- SSDEEP: 24576:kt9cpVDhI6DDys5Rtmi/Bt3O79TqszKlGEa7vFLf2nxh7H7mGV:jpRhFnywtmABg7Qm+GlDFLfax17m
Malware Config
Signatures
- Modifies file permissions (1 TTPs, 1 IoCs)
  pid   Process
  1228  ICACLS.EXE
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
- Drops file in Windows directory (10 IoCs)
  description                   ioc                                      Process
  File created                  C:\Windows\Installer\f770224.ipi         msiexec.exe
  File opened for modification  C:\Windows\Installer\                    msiexec.exe
  File opened for modification  C:\Windows\Logs\DPX\setupact.log         EXPAND.EXE
  File opened for modification  C:\Windows\INF\setupapi.ev3              DrvInst.exe
  File created                  C:\Windows\Installer\f770223.msi         msiexec.exe
  File opened for modification  C:\Windows\Installer\f770223.msi         msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI2EE.tmp          msiexec.exe
  File opened for modification  C:\Windows\Logs\DPX\setuperr.log         EXPAND.EXE
  File opened for modification  C:\Windows\INF\setupapi.ev1              DrvInst.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log          DrvInst.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  2420  install.exe
- Loads dropped DLL (4 IoCs)
  pid   Process
  2888  MsiExec.exe
  2888  MsiExec.exe
  2888  MsiExec.exe
  2888  MsiExec.exe
- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
  pid   Process
  2084  msiexec.exe
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  install.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ICACLS.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EXPAND.EXE
- Modifies data under HKEY_USERS (43 IoCs)
  description       ioc                                                                                                          Process
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed                                    DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs                            DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust                                         DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates                            DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs                                    DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates                   DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs                                       DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed                           DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs                                     DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates           DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs                                    DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs                           DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA                                            DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root                                          DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates                    DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates                    DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust                                DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My                                            DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs                              DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot                                 DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople                                 DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs                            DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople                        DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs                      DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs                   DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA                                   DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates                      DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates                       DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs                               DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates              DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs                      DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates                               DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs                              DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs                            DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs                           DrvInst.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs                                       DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates                             DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs                            DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs                               DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs                                     DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs                   DrvInst.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2784  msiexec.exe
  2784  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (53 IoCs)
  description                          pid   Process
  Token: SeShutdownPrivilege           2084  msiexec.exe
  Token: SeIncreaseQuotaPrivilege      2084  msiexec.exe
  Token: SeRestorePrivilege            2784  msiexec.exe
  Token: SeTakeOwnershipPrivilege      2784  msiexec.exe
  Token: SeSecurityPrivilege           2784  msiexec.exe
  Token: SeCreateTokenPrivilege        2084  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege 2084  msiexec.exe
  Token: SeLockMemoryPrivilege         2084  msiexec.exe
  Token: SeIncreaseQuotaPrivilege      2084  msiexec.exe
  Token: SeMachineAccountPrivilege     2084  msiexec.exe
  Token: SeTcbPrivilege                2084  msiexec.exe
  Token: SeSecurityPrivilege           2084  msiexec.exe
  Token: SeTakeOwnershipPrivilege      2084  msiexec.exe
  Token: SeLoadDriverPrivilege         2084  msiexec.exe
  Token: SeSystemProfilePrivilege      2084  msiexec.exe
  Token: SeSystemtimePrivilege         2084  msiexec.exe
  Token: SeProfSingleProcessPrivilege  2084  msiexec.exe
  Token: SeIncBasePriorityPrivilege    2084  msiexec.exe
  Token: SeCreatePagefilePrivilege     2084  msiexec.exe
  Token: SeCreatePermanentPrivilege    2084  msiexec.exe
  Token: SeBackupPrivilege             2084  msiexec.exe
  Token: SeRestorePrivilege            2084  msiexec.exe
  Token: SeShutdownPrivilege           2084  msiexec.exe
  Token: SeDebugPrivilege              2084  msiexec.exe
  Token: SeAuditPrivilege              2084  msiexec.exe
  Token: SeSystemEnvironmentPrivilege  2084  msiexec.exe
  Token: SeChangeNotifyPrivilege       2084  msiexec.exe
  Token: SeRemoteShutdownPrivilege     2084  msiexec.exe
  Token: SeUndockPrivilege             2084  msiexec.exe
  Token: SeSyncAgentPrivilege          2084  msiexec.exe
  Token: SeEnableDelegationPrivilege   2084  msiexec.exe
  Token: SeManageVolumePrivilege       2084  msiexec.exe
  Token: SeImpersonatePrivilege        2084  msiexec.exe
  Token: SeCreateGlobalPrivilege       2084  msiexec.exe
  Token: SeBackupPrivilege             2676  vssvc.exe
  Token: SeRestorePrivilege            2676  vssvc.exe
  Token: SeAuditPrivilege              2676  vssvc.exe
  Token: SeBackupPrivilege             2784  msiexec.exe
  Token: SeRestorePrivilege            2784  msiexec.exe
  Token: SeRestorePrivilege            2724  DrvInst.exe
  Token: SeRestorePrivilege            2724  DrvInst.exe
  Token: SeRestorePrivilege            2724  DrvInst.exe
  Token: SeRestorePrivilege            2724  DrvInst.exe
  Token: SeRestorePrivilege            2724  DrvInst.exe
  Token: SeRestorePrivilege            2724  DrvInst.exe
  Token: SeRestorePrivilege            2724  DrvInst.exe
  Token: SeLoadDriverPrivilege         2724  DrvInst.exe
  Token: SeLoadDriverPrivilege         2724  DrvInst.exe
  Token: SeLoadDriverPrivilege         2724  DrvInst.exe
  Token: SeRestorePrivilege            2784  msiexec.exe
  Token: SeTakeOwnershipPrivilege      2784  msiexec.exe
  Token: SeRestorePrivilege            2784  msiexec.exe
  Token: SeTakeOwnershipPrivilege      2784  msiexec.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  2084  msiexec.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  description                        pid   Process      procid_target
  PID 2784 wrote to memory of 2888   2784  msiexec.exe  35
  PID 2784 wrote to memory of 2888   2784  msiexec.exe  35
  PID 2784 wrote to memory of 2888   2784  msiexec.exe  35
  PID 2784 wrote to memory of 2888   2784  msiexec.exe  35
  PID 2784 wrote to memory of 2888   2784  msiexec.exe  35
  PID 2784 wrote to memory of 2888   2784  msiexec.exe  35
  PID 2784 wrote to memory of 2888   2784  msiexec.exe  35
  PID 2888 wrote to memory of 1228   2888  MsiExec.exe  36
  PID 2888 wrote to memory of 1228   2888  MsiExec.exe  36
  PID 2888 wrote to memory of 1228   2888  MsiExec.exe  36
  PID 2888 wrote to memory of 1228   2888  MsiExec.exe  36
  PID 2888 wrote to memory of 2000   2888  MsiExec.exe  38
  PID 2888 wrote to memory of 2000   2888  MsiExec.exe  38
  PID 2888 wrote to memory of 2000   2888  MsiExec.exe  38
  PID 2888 wrote to memory of 2000   2888  MsiExec.exe  38
  PID 2888 wrote to memory of 2420   2888  MsiExec.exe  40
  PID 2888 wrote to memory of 2420   2888  MsiExec.exe  40
  PID 2888 wrote to memory of 2420   2888  MsiExec.exe  40
  PID 2888 wrote to memory of 2420   2888  MsiExec.exe  40
  PID 2888 wrote to memory of 2420   2888  MsiExec.exe  40
  PID 2888 wrote to memory of 2420   2888  MsiExec.exe  40
  PID 2888 wrote to memory of 2420   2888  MsiExec.exe  40
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- Image: C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\install.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2084
- Image: C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
  - Image: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A3DB03CEDC31A0BBD97DB63C2249D7B6
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2888
    - Image: C:\Windows\SysWOW64\ICACLS.EXE
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-50442e9b-f739-47aa-be8d-04b0e51e561f\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
      PID:1228
    - Image: C:\Windows\SysWOW64\EXPAND.EXE
      Command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID:2000
    - Image: C:\Users\Admin\AppData\Local\Temp\MW-50442e9b-f739-47aa-be8d-04b0e51e561f\files\install.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\MW-50442e9b-f739-47aa-be8d-04b0e51e561f\files\install.exe" /VERYSILENT /VERYSILENT
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:2420
- Image: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- Image: C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B8" "000000000000048C"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.6MB
  MD5: dde33cc7bc57e73262a9587e6fd2c73b
  SHA1: 429a01f8dd68c1d46f32a3a13e4b5051803139a3
  SHA256: 3fb44f2533de3106494be7f12fb2a7f3fe9453384385e5b2d489788dbc150bab
  SHA512: 31f0d86a3638341e40f949cf9f386abe843afa3a04abe36ac26071b63507a5c19fcc54f594cc280bc1969bed7879163324477027bff0f1a68e5ef09f27b60d66
- Filesize: 386B
  MD5: 908e2010baad2e14fab8a27de6a29f69
  SHA1: a114f24ed9c1f83e8f5bd35713dc1e12bd370c3b
  SHA256: 1f533e5e881bc433200f7e0b46e255dd53db8c1c2f7289299bbe6c1baa831d85
  SHA512: cdfb9eb8abec806066b9e5cb299f0b628858c05b0a647fea8c2f06d629f81d0bd01b5b82daaed3b37fc214acc723663fe8c4aeb079a0c0fcc62cc4cdb21e465b
- Filesize: 1KB
  MD5: b1eea7d4eba6b500d17a82dce0469cf6
  SHA1: 4433e1ccb1d0ab7f829f64c727b7cfcc32d1147d
  SHA256: cb621ede1f4e61ae9ac43e0d94461c1d52874f8a48471602febf047a2b63080f
  SHA512: ac063dae218efc4ab0f0ec9b87e647e914b63f7511d9d80d03b18b824ee98fab20cbc2b9a55384608391d1cda42d54b10e4eac830c5fcb8980f5ebb55a4b30b3
- Filesize: 1KB
  MD5: 924b7c7bb5e198cfb110a745126ae673
  SHA1: cbd7ccc66d5990651643ed1ee096a145dcfaaa3b
  SHA256: 83c6e47301acd0ec1f9c98d9605d7ef2cece80d3b97e22123694d6081df2a07f
  SHA512: c59f3f0f0c34854a952868ef9e5a38ceda2a05362a4e83b22a2bbab935e75e8385291b39fda6be8948f14e76e567af0439e69f1a8ba6141cfa4b95d6c797c450
- Filesize: 208KB
  MD5: 0c8921bbcc37c6efd34faf44cf3b0cb5
  SHA1: dcfa71246157edcd09eecaf9d4c5e360b24b3e49
  SHA256: fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
  SHA512: ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108