Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30-12-2024 10:23
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 222.msi
  - Resource: win7-20240903-en (windows7-x64)
  - 6 signatures
  - 150 seconds

Behavioral task
- behavioral2
  - Sample: 222.msi
  - Resource: win10v2004-20241007-en (windows10-2004-x64)
  - 27 signatures
  - 150 seconds
General
- Target: 222.msi
- Size: 1.7MB
- MD5: cf5da0ce656559358c5d06876bbbff3e
- SHA1: 166f0b46a849adeaf1d01378d0db0bb6040c9ed3
- SHA256: 0a6ba519cd28bce39d999a07d2b4dce17fdcd0a0f1ddef94158e377c40de8a26
- SHA512: ca0f530922d8168cb633f30a5cb97874654515a0c361f20f4490f9f85beedd3f74595141b6305b755fa18796c678d2a89848a069b4471fbb5f66b5ce33343cf7
- SSDEEP: 49152:uElnsHyjtk2MYC5GD8hloJfCAh9RMUBrNUFqtBZl:hnsmtk2a1hlPERBsiT
- Score: 6/10
Malware Config
Signatures
-
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.

  | description | ioc | Process |
  |---|---|---|
  | File opened (read-only) | \??\R: | msiexec.exe |
  | File opened (read-only) | \??\V: | msiexec.exe |
  | File opened (read-only) | \??\Y: | msiexec.exe |
  | File opened (read-only) | \??\H: | msiexec.exe |
  | File opened (read-only) | \??\N: | msiexec.exe |
  | File opened (read-only) | \??\O: | msiexec.exe |
  | File opened (read-only) | \??\M: | msiexec.exe |
  | File opened (read-only) | \??\T: | msiexec.exe |
  | File opened (read-only) | \??\U: | msiexec.exe |
  | File opened (read-only) | \??\J: | msiexec.exe |
  | File opened (read-only) | \??\K: | msiexec.exe |
  | File opened (read-only) | \??\L: | msiexec.exe |
  | File opened (read-only) | \??\S: | msiexec.exe |
  | File opened (read-only) | \??\W: | msiexec.exe |
  | File opened (read-only) | \??\X: | msiexec.exe |
  | File opened (read-only) | \??\Z: | msiexec.exe |
  | File opened (read-only) | \??\A: | msiexec.exe |
  | File opened (read-only) | \??\B: | msiexec.exe |
  | File opened (read-only) | \??\P: | msiexec.exe |
  | File opened (read-only) | \??\Q: | msiexec.exe |
  | File opened (read-only) | \??\E: | msiexec.exe |
  | File opened (read-only) | \??\G: | msiexec.exe |
  | File opened (read-only) | \??\I: | msiexec.exe |
- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)

  | pid | Process |
  |---|---|
  | 584 | msiexec.exe |
- Suspicious use of AdjustPrivilegeToken (42 IoCs)

  | description | pid | Process |
  |---|---|---|
  | Token: SeShutdownPrivilege | 584 | msiexec.exe |
  | Token: SeIncreaseQuotaPrivilege | 584 | msiexec.exe |
  | Token: SeRestorePrivilege | 2488 | msiexec.exe |
  | Token: SeTakeOwnershipPrivilege | 2488 | msiexec.exe |
  | Token: SeSecurityPrivilege | 2488 | msiexec.exe |
  | Token: SeCreateTokenPrivilege | 584 | msiexec.exe |
  | Token: SeAssignPrimaryTokenPrivilege | 584 | msiexec.exe |
  | Token: SeLockMemoryPrivilege | 584 | msiexec.exe |
  | Token: SeIncreaseQuotaPrivilege | 584 | msiexec.exe |
  | Token: SeMachineAccountPrivilege | 584 | msiexec.exe |
  | Token: SeTcbPrivilege | 584 | msiexec.exe |
  | Token: SeSecurityPrivilege | 584 | msiexec.exe |
  | Token: SeTakeOwnershipPrivilege | 584 | msiexec.exe |
  | Token: SeLoadDriverPrivilege | 584 | msiexec.exe |
  | Token: SeSystemProfilePrivilege | 584 | msiexec.exe |
  | Token: SeSystemtimePrivilege | 584 | msiexec.exe |
  | Token: SeProfSingleProcessPrivilege | 584 | msiexec.exe |
  | Token: SeIncBasePriorityPrivilege | 584 | msiexec.exe |
  | Token: SeCreatePagefilePrivilege | 584 | msiexec.exe |
  | Token: SeCreatePermanentPrivilege | 584 | msiexec.exe |
  | Token: SeBackupPrivilege | 584 | msiexec.exe |
  | Token: SeRestorePrivilege | 584 | msiexec.exe |
  | Token: SeShutdownPrivilege | 584 | msiexec.exe |
  | Token: SeDebugPrivilege | 584 | msiexec.exe |
  | Token: SeAuditPrivilege | 584 | msiexec.exe |
  | Token: SeSystemEnvironmentPrivilege | 584 | msiexec.exe |
  | Token: SeChangeNotifyPrivilege | 584 | msiexec.exe |
  | Token: SeRemoteShutdownPrivilege | 584 | msiexec.exe |
  | Token: SeUndockPrivilege | 584 | msiexec.exe |
  | Token: SeSyncAgentPrivilege | 584 | msiexec.exe |
  | Token: SeEnableDelegationPrivilege | 584 | msiexec.exe |
  | Token: SeManageVolumePrivilege | 584 | msiexec.exe |
  | Token: SeImpersonatePrivilege | 584 | msiexec.exe |
  | Token: SeCreateGlobalPrivilege | 584 | msiexec.exe |
  | Token: SeBackupPrivilege | 2176 | vssvc.exe |
  | Token: SeRestorePrivilege | 2176 | vssvc.exe |
  | Token: SeAuditPrivilege | 2176 | vssvc.exe |
  | Token: SeBackupPrivilege | 2488 | msiexec.exe |
  | Token: SeRestorePrivilege | 2488 | msiexec.exe |
  | Token: SeRestorePrivilege | 2848 | msiexec.exe |
  | Token: SeTakeOwnershipPrivilege | 2848 | msiexec.exe |
  | Token: SeSecurityPrivilege | 2848 | msiexec.exe |
- Suspicious use of FindShellTrayWindow (2 IoCs)

  | pid | Process |
  |---|---|
  | 584 | msiexec.exe |
  | 584 | msiexec.exe |
- Suspicious use of WriteProcessMemory (3 IoCs)

  | description | pid | Process | procid_target |
  |---|---|---|---|
  | PID 2488 wrote to memory of 2944 | 2488 | msiexec.exe | 34 |
  | PID 2488 wrote to memory of 2944 | 2488 | msiexec.exe | 34 |
  | PID 2488 wrote to memory of 2944 | 2488 | msiexec.exe | 34 |
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\222.msi
  PID: 584
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2488
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2488 -s 856
    PID: 2944
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2176
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2848
  - Suspicious use of AdjustPrivilegeToken