cf0e116dee54548758f13c3149761d93a51e4d197ebc155bb2e91cb79b136497

Analysis

max time kernel
95s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2220944d9985a6843374f41b835a9825.msi
Size

272KB
MD5

2220944d9985a6843374f41b835a9825
SHA1

1929c4c64ea4cc18608eaf6140d1b28fa98d7ed3
SHA256

3d5d3eb3853ff82697da75cf6da041f61f72e06d686010a02d52ebaa63ddca65
SHA512

f1ec6f41d5b9ed14885df6e090a77b06c10f2e61ed36525dfd4e953a61c948da8271c2ea5e29dd5fcdba62e2acc218e74b71312e3ef30c54a87b387534e2c816
SSDEEP

6144:5EtTqjFaFtV9KoA68Atd/Tdle0U0gCKTkn9om07/6s2eD5HG:5E9fN26ZtLlDGCos9ofis2gH

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2AF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE30E.tmp	msiexec.exe
File created	C:\Windows\Installer\e57e1e4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e1e4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
4108	MSIE30E.tmp

Loads dropped DLL 2 IoCs

pid	Process
4108	MSIE30E.tmp
4108	MSIE30E.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4208	msiexec.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3040	4108	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIE30E.tmp

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023ccd-10.dat	nsis_installer_1
behavioral2/files/0x0008000000023ccd-10.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000041ba55ff39bb976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000041ba55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090041ba55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d41ba55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000041ba55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4428	msiexec.exe
4428	msiexec.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4208	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4208	msiexec.exe
Token: SeSecurityPrivilege	4428	msiexec.exe
Token: SeCreateTokenPrivilege	4208	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4208	msiexec.exe
Token: SeLockMemoryPrivilege	4208	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4208	msiexec.exe
Token: SeMachineAccountPrivilege	4208	msiexec.exe
Token: SeTcbPrivilege	4208	msiexec.exe
Token: SeSecurityPrivilege	4208	msiexec.exe
Token: SeTakeOwnershipPrivilege	4208	msiexec.exe
Token: SeLoadDriverPrivilege	4208	msiexec.exe
Token: SeSystemProfilePrivilege	4208	msiexec.exe
Token: SeSystemtimePrivilege	4208	msiexec.exe
Token: SeProfSingleProcessPrivilege	4208	msiexec.exe
Token: SeIncBasePriorityPrivilege	4208	msiexec.exe
Token: SeCreatePagefilePrivilege	4208	msiexec.exe
Token: SeCreatePermanentPrivilege	4208	msiexec.exe
Token: SeBackupPrivilege	4208	msiexec.exe
Token: SeRestorePrivilege	4208	msiexec.exe
Token: SeShutdownPrivilege	4208	msiexec.exe
Token: SeDebugPrivilege	4208	msiexec.exe
Token: SeAuditPrivilege	4208	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4208	msiexec.exe
Token: SeChangeNotifyPrivilege	4208	msiexec.exe
Token: SeRemoteShutdownPrivilege	4208	msiexec.exe
Token: SeUndockPrivilege	4208	msiexec.exe
Token: SeSyncAgentPrivilege	4208	msiexec.exe
Token: SeEnableDelegationPrivilege	4208	msiexec.exe
Token: SeManageVolumePrivilege	4208	msiexec.exe
Token: SeImpersonatePrivilege	4208	msiexec.exe
Token: SeCreateGlobalPrivilege	4208	msiexec.exe
Token: SeBackupPrivilege	3528	vssvc.exe
Token: SeRestorePrivilege	3528	vssvc.exe
Token: SeAuditPrivilege	3528	vssvc.exe
Token: SeBackupPrivilege	4428	msiexec.exe
Token: SeRestorePrivilege	4428	msiexec.exe
Token: SeRestorePrivilege	4428	msiexec.exe
Token: SeTakeOwnershipPrivilege	4428	msiexec.exe
Token: SeRestorePrivilege	4428	msiexec.exe
Token: SeTakeOwnershipPrivilege	4428	msiexec.exe
Token: SeRestorePrivilege	4428	msiexec.exe
Token: SeTakeOwnershipPrivilege	4428	msiexec.exe
Token: SeRestorePrivilege	4428	msiexec.exe
Token: SeTakeOwnershipPrivilege	4428	msiexec.exe
Token: SeRestorePrivilege	4428	msiexec.exe
Token: SeTakeOwnershipPrivilege	4428	msiexec.exe
Token: SeRestorePrivilege	4428	msiexec.exe
Token: SeTakeOwnershipPrivilege	4428	msiexec.exe
Token: SeBackupPrivilege	3744	srtasks.exe
Token: SeRestorePrivilege	3744	srtasks.exe
Token: SeSecurityPrivilege	3744	srtasks.exe
Token: SeTakeOwnershipPrivilege	3744	srtasks.exe
Token: SeBackupPrivilege	3744	srtasks.exe
Token: SeRestorePrivilege	3744	srtasks.exe
Token: SeSecurityPrivilege	3744	srtasks.exe
Token: SeTakeOwnershipPrivilege	3744	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4208	msiexec.exe
4208	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 3744	4428	msiexec.exe	87
PID 4428 wrote to memory of 3744	4428	msiexec.exe	87
PID 4428 wrote to memory of 4108	4428	msiexec.exe	89
PID 4428 wrote to memory of 4108	4428	msiexec.exe	89
PID 4428 wrote to memory of 4108	4428	msiexec.exe	89
PID 4108 wrote to memory of 4468	4108	MSIE30E.tmp	90
PID 4108 wrote to memory of 4468	4108	MSIE30E.tmp	90
PID 4108 wrote to memory of 4468	4108	MSIE30E.tmp	90

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2220944d9985a6843374f41b835a9825.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4208

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3744
- C:\Windows\Installer\MSIE30E.tmp
  "C:\Windows\Installer\MSIE30E.tmp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\Installer\MSIE30E.tmp
    "C:\Windows\Installer\MSIE30E.tmp"
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 812
    3⤵
    - Program crash
    PID:3040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4108 -ip 4108
1⤵
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nscE438.tmp\System.dll

Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
C:\Windows\Installer\MSIE30E.tmp

Filesize
245KB

MD5
4613cbcf3184897a7dcfbe0569303863

SHA1
9b2f4c444cfbb5914299c7f44d867c1dcdf8c7cc

SHA256
b6845befbaf2db54214bf388d650636f2ea251289131751f1735779007ea2334

SHA512
906f4f5fb0af20d5471d4f01ed6ecff952153ee355bc252d4d206b9f5e6f97db8b5df83d5e0a5fb56fd38bf117f44bb60a419873a370f3392fe3ae2ba5a40dcd

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
d88cd47dbc2d7fad71ba3d7e6340c225

SHA1
4c44b2ea2b7f6ea6ea9bf8f9d5d78868d330b2bb

SHA256
c7a724861b5347b13d4ca33ab43ca0d776ec47f122961afc29a74ac43246cb6e

SHA512
80943c6a40de40d25daadedaa21ace00bdd697cffd6d6592262b1dbb1f8d8932827ec8fddf29b2a2dc09f656d7a028e722f08741eea401a70a3daee7154d6334

Download Submit
\??\Volume{ff55ba41-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f6cf4a5c-e3f1-486f-998f-ed8362b5e257}_OnDiskSnapshotProp

Filesize
6KB

MD5
5cf733fb20f1ee38a30df147dcdb610e

SHA1
7177e39b03a8fd276397e2c1a6b653e84edf5808

SHA256
89e7d0ca86c37285cca917931f350a9be7833dbcb3424c28c25b31c39e546562

SHA512
fe036a96fcbe51d7bfee5642d369ef496e7ae51c18bb54018717d32d297d31ef684e369b362957e87cc2564f375ebdcc65f101ae5a34e6d009aaf49b106a9e30

Download Submit