Analysis
- max time kernel: 107s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/01/2025, 18:40
Static task: static1
Behavioral task: behavioral1
Sample: MouseWithoutBordersSetup.msi
Resource: win10v2004-20241007-en
General
- Target: MouseWithoutBordersSetup.msi
- Size: 1.3MB
- MD5: 2daa9baede028a537514ca882df818fb
- SHA1: 0609fd238849a9bc2aac3ed5ac0af68e8eb4be17
- SHA256: 52ee7f6ddcd934ac50c937db06820e7ea6cb1a3908c6431b8b0bcb1e641712cb
- SHA512: e94417499da8c85cde94e03f26324c696ab62642eee086510ee2a197d7ee43fc43e63b39fd9ed7ab318a769bb20e188414168a0009444ebe398d54b7ca7a181a
- SSDEEP: 12288:/GqjbLnwl82DtIanlboksKEwcAHiYnq0jnzh85P+8jOZy2KsGU6a4Ks:hjbUtIWoJwcACYnN65PhOE2Z34K
Malware Config
Signatures
-
Blocklisted process makes network request (1 IoC)
  flow 4, PID 552: msiexec.exe
-
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  [msiexec.exe] File opened (read-only), each letter twice (46 opens in total): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  (C:, D: and F: are not in the list.)
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, a pattern the sandbox flags as likely geofencing. Reading Geo\Nation is also routine for localised software, so the signature alone does not establish geofencing; the process here is the installed helper, not the installer.
  [MouseWithoutBordersHelper.exe] Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation
-
Drops file in System32 directory (2 IoCs)
  [MouseWithoutBordersHelper.exe] File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MouseWithoutBordersHelper.exe.log
  [MouseWithoutBordersSvc.exe] File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MouseWithoutBordersSvc.exe.log
  (CLR usage logs under the SYSTEM profile indicate .NET binaries running as LocalSystem.)
-
Drops file in Program Files directory (10 IoCs)
  [msiexec.exe] File created: C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersSvc.exe.config
  [msiexec.exe] File created: C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\License.rtf
  [msiexec.exe] File created: C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\Microsoft.ApplicationInsights.dll
  [msiexec.exe] File created: C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\Microsoft.Diagnostics.Tracing.EventSource.dll
  [msiexec.exe] File created: C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBorders.exe
  [msiexec.exe] File created: C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBorders.exe.config
  [msiexec.exe] File created: C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBorders.exe.manifest
  [msiexec.exe] File created: C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersHelper.exe
  [msiexec.exe] File created: C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersHelper.exe.config
  [msiexec.exe] File created: C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersSvc.exe
-
Drops file in Windows directory (15 IoCs)
  [msiexec.exe] File opened for modification: C:\Windows\Installer\
  [msiexec.exe] File opened for modification: C:\Windows\Installer\MSIBDD2.tmp
  [msiexec.exe] File opened for modification: C:\Windows\Installer\MSIBF1C.tmp
  [msiexec.exe] File created: C:\Windows\Installer\inprogressinstallinfo.ipi
  [msiexec.exe] File opened for modification: C:\Windows\Installer\MSIBDE2.tmp
  [msiexec.exe] File opened for modification: C:\Windows\Installer\{D3BC954F-D661-474C-B367-30EB6E56542E}\InstallerIcon.ico
  [msiexec.exe] File created: C:\Windows\Installer\{D3BC954F-D661-474C-B367-30EB6E56542E}\MMIcon.exe
  [msiexec.exe] File created: C:\Windows\Installer\e57bcc8.msi
  [msiexec.exe] File opened for modification: C:\Windows\Installer\e57bcc8.msi
  [msiexec.exe] File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  [msiexec.exe] File created: C:\Windows\Installer\SourceHash{D3BC954F-D661-474C-B367-30EB6E56542E}
  [msiexec.exe] File opened for modification: C:\Windows\Installer\MSIBF9A.tmp
  [msiexec.exe] File created: C:\Windows\Installer\{D3BC954F-D661-474C-B367-30EB6E56542E}\InstallerIcon.ico
  [msiexec.exe] File opened for modification: C:\Windows\Installer\{D3BC954F-D661-474C-B367-30EB6E56542E}\MMIcon.exe
  [msiexec.exe] File created: C:\Windows\Installer\e57bcca.msi
-
Executes dropped EXE (8 IoCs)
  PID 4032: MouseWithoutBordersHelper.exe
  PID 4568: MouseWithoutBorders.exe
  PID 2912: MouseWithoutBordersSvc.exe
  PID 2724: MouseWithoutBordersHelper.exe
  PID 3500: MouseWithoutBorders.exe
  PID 548: MouseWithoutBordersHelper.exe
  PID 4748: MouseWithoutBorders.exe
  PID 1992: MousewithoutBordersHelper.exe
-
Loads dropped DLL (3 IoCs)
  PID 1380: MsiExec.exe (2 loads)
  PID 4800: MsiExec.exe (1 load)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  PID 552: msiexec.exe
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  [MsiExec.exe] Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  [MsiExec.exe] Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
-
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run, however, every access comes from vssvc.exe (the Volume Shadow Copy service) while the installer creates a System Restore point through srtasks.exe, not from the installed application; treat the signature as a side effect of the restore point, not as evasion by the sample.
  [vssvc.exe] Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters
  [vssvc.exe] Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr
  [vssvc.exe] Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d4141155d34ac580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d4141150000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d414115000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d414115000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d41411500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  [vssvc.exe] Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (the leading bytes 534e415050415254 are the ASCII tag "SNAPPART")
  [vssvc.exe] Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters
-
Modifies data under HKEY_USERS (29 IoCs)
All writes go to the .DEFAULT hive, i.e. they are made by processes running as LocalSystem rather than in the logged-on user's profile.
  [MouseWithoutBordersHelper.exe] Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  [MouseWithoutBordersHelper.exe] Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  [MouseWithoutBordersHelper.exe] Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  [MouseWithoutBorders.exe] Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\MouseWithoutBorders\LastX = "96"
  [MouseWithoutBorders.exe] Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\MouseWithoutBorders\LastY = "90"
  [MouseWithoutBordersHelper.exe] Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  [MouseWithoutBorders.exe] Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\MouseWithoutBorders\LastY = "383"
  [MouseWithoutBorders.exe] Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\MouseWithoutBorders\myKeyDate = "MQAvADEANAAvADIAMAAyADUA"
  [MouseWithoutBorders.exe] Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\MouseWithoutBorders\MachineMatrix = "Spdebjwh,,,"
  [MouseWithoutBorders.exe] Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\MouseWithoutBorders\MachinePool = "Spdebjwh:NONE,:,:,:"
  [MouseWithoutBorders.exe] Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\MouseWithoutBorders\PackageID = "2"
  [MouseWithoutBorders.exe] Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\MouseWithoutBorders\DesMachineIDString = "30460377"
  [MouseWithoutBorders.exe] Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\MouseWithoutBorders\LastX = "749"
  [msiexec.exe] Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26
  [MouseWithoutBorders.exe] Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\MouseWithoutBorders\MachinePool = "Spdebjwh:30460377,:,:,:"
  [MouseWithoutBordersHelper.exe] Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  [MouseWithoutBorders.exe] Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\MouseWithoutBorders\MachineId = "30460377"
  [MouseWithoutBordersHelper.exe] Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  [MouseWithoutBordersHelper.exe] Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  [MouseWithoutBordersHelper.exe] Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  [MouseWithoutBordersHelper.exe] Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  [MouseWithoutBordersHelper.exe] Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  [MouseWithoutBorders.exe] Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\MouseWithoutBorders\LastY = "548"
  [msiexec.exe] Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E
  [MouseWithoutBorders.exe] Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\MouseWithoutBorders\MachinePool = "Spdebjwh:30460377,:,:,:"
  [MouseWithoutBorders.exe] Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MouseWithoutBorders
  [MouseWithoutBorders.exe] Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\MouseWithoutBorders\LastX = "596"
  [MouseWithoutBorders.exe] Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\MouseWithoutBorders\PackageID = "3"
  [msiexec.exe] Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27
-
Modifies registry class (23 IoCs)
All entries are Windows Installer product registration under HKLM\SOFTWARE\Classes\Installer; the 32-hex key name F459CB3D166DC4743B7603BEE66545E2 is the packed form of the ProductCode {D3BC954F-D661-474C-B367-30EB6E56542E} seen in the C:\Windows\Installer cache paths above.
  [msiexec.exe] Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2\AdvertiseFlags = "388"
  [msiexec.exe] Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2\InstanceType = "0"
  [msiexec.exe] Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2\SourceList\PackageName = "MouseWithoutBordersSetup.msi"
  [msiexec.exe] Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2\SourceList\Media\1 = ";"
  [msiexec.exe] Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2\Clients = 3a0000000000
  [msiexec.exe] Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F459CB3D166DC4743B7603BEE66545E2
  [msiexec.exe] Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2
  [msiexec.exe] Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2\ProductName = "Microsoft Garage Mouse without Borders"
  [msiexec.exe] Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2\Assignment = "1"
  [msiexec.exe] Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2\AuthorizedLUAApp = "0"
  [msiexec.exe] Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2\SourceList
  [msiexec.exe] Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2\SourceList\Net
  [msiexec.exe] Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  [msiexec.exe] Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F459CB3D166DC4743B7603BEE66545E2\FilesFeature
  [msiexec.exe] Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2\Language = "1033"
  [msiexec.exe] Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2\Version = "33685505"
  [msiexec.exe] Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1B4CC218CCC2822478730CD14F44704F\F459CB3D166DC4743B7603BEE66545E2
  [msiexec.exe] Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  [msiexec.exe] Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2\ProductIcon = "C:\\Windows\\Installer\\{D3BC954F-D661-474C-B367-30EB6E56542E}\\InstallerIcon.ico"
  [msiexec.exe] Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2\DeploymentFlags = "3"
  [msiexec.exe] Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1B4CC218CCC2822478730CD14F44704F
  [msiexec.exe] Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2\PackageCode = "A19A8A022F080684F8DDF6A5DCCF37D1"
  [msiexec.exe] Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F459CB3D166DC4743B7603BEE66545E2\SourceList\Media
-
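Three of the registry values in the two sections above are encoded rather than readable: the Installer\Products key name is a "packed" ProductCode, Version is a packed DWORD, and the application's myKeyDate under HKEY_USERS is base64 over UTF-16LE. The decoders below are an added example written for this page, not code from tria.ge or from the Mouse without Borders project; the only inputs are values copied verbatim from the report (key name F459CB3D166DC4743B7603BEE66545E2, cache folder {D3BC954F-D661-474C-B367-30EB6E56542E}, UpgradeCodes key 1B4CC218CCC2822478730CD14F44704F, Version 33685505, myKeyDate MQAvADEANAAvADIAMAAyADUA). Function names are this example's own.

```python
"""Decode Windows Installer and application registry artifacts from a
sandbox report. Added example; inputs are copied from the report above."""
import base64

# Copied from the report ("Modifies registry class").
PACKED_PRODUCT = "F459CB3D166DC4743B7603BEE66545E2"
PACKED_UPGRADE = "1B4CC218CCC2822478730CD14F44704F"
VERSION_DWORD = 33685505
# Copied from the report ("Drops file in Windows directory").
CACHE_FOLDER_GUID = "{D3BC954F-D661-474C-B367-30EB6E56542E}"
# Copied from the report ("Modifies data under HKEY_USERS").
MYKEYDATE_B64 = "MQAvADEANAAvADIAMAAyADUA"

_HEX = set("0123456789ABCDEF")


def _swap_hex(hexs: str) -> str:
    """Apply the Windows Installer 'packed GUID' permutation to 32 hex digits.
    The first three GUID groups are reversed as whole strings; the remaining
    16 digits are reversed pairwise. The permutation is its own inverse."""
    hexs = hexs.upper()
    if len(hexs) != 32 or not set(hexs) <= _HEX:
        raise ValueError("expected 32 hex digits")
    head = hexs[0:8][::-1] + hexs[8:12][::-1] + hexs[12:16][::-1]
    tail = "".join(hexs[i:i + 2][::-1] for i in range(16, 32, 2))
    return head + tail


def unpack_installer_guid(packed: str) -> str:
    """HKLM\\SOFTWARE\\Classes\\Installer key name -> registry-style GUID."""
    s = _swap_hex(packed)
    return "{%s-%s-%s-%s-%s}" % (s[0:8], s[8:12], s[12:16], s[16:20], s[20:32])


def pack_installer_guid(guid: str) -> str:
    """Registry-style GUID -> Installer key name (inverse of the above)."""
    return _swap_hex(guid.strip("{}").replace("-", ""))


def decode_msi_version(dword: int) -> str:
    """Installer\\Products\\<code>\\Version packs ProductVersion as
    major in the high byte, minor in the next byte, build in the low word."""
    if not 0 <= dword <= 0xFFFFFFFF:
        raise ValueError("not a DWORD")
    return f"{(dword >> 24) & 0xFF}.{(dword >> 16) & 0xFF}.{dword & 0xFFFF}"


def decode_utf16_b64(value: str) -> str:
    """Decode base64 over UTF-16LE, the form .NET code commonly uses when it
    base64-encodes Encoding.Unicode.GetBytes(str)."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) % 2:
        raise ValueError("odd length; not UTF-16LE")
    return raw.decode("utf-16-le")


def decode_registry_artifacts() -> dict:
    """Decode the report's values and cross-check the packed ProductCode
    against the C:\\Windows\\Installer cache folder name."""
    product_code = unpack_installer_guid(PACKED_PRODUCT)
    return {
        "product_code": product_code,
        "product_code_matches_cache_folder": product_code == CACHE_FOLDER_GUID,
        "upgrade_code": unpack_installer_guid(PACKED_UPGRADE),
        "product_version": decode_msi_version(VERSION_DWORD),
        "my_key_date": decode_utf16_b64(MYKEYDATE_B64),
    }


if __name__ == "__main__":
    for k, v in decode_registry_artifacts().items():
        print(f"{k}: {v}")
```

On the report's values this yields ProductCode {D3BC954F-D661-474C-B367-30EB6E56542E} (matching the cache folder, so the Installer registration and the dropped files belong to the same package), Version 2.2.1, and myKeyDate "1/14/2025", the same date the sample was submitted. A round trip with pack_installer_guid is the quickest way to confirm a key name found under Installer\Products or UpgradeCodes on a live host.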
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 1992: MousewithoutBordersHelper.exe
-
Suspicious behavior: EnumeratesProcesses (18 IoCs)
  PID 2080: msiexec.exe (2)
  PID 4568: MouseWithoutBorders.exe (3)
  PID 2912: MouseWithoutBordersSvc.exe (4)
  PID 3500: MouseWithoutBorders.exe (2)
  PID 4748: MouseWithoutBorders.exe (7)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 552 msiexec.exe (31 entries, the installer client enabling every privilege in its token): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 2080 msiexec.exe (26 entries, the Installer service): SeSecurityPrivilege, SeBackupPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege enabled alternately (24 entries) while files are laid down
  PID 2920 vssvc.exe (3 entries): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  PID 1844 srtasks.exe (4 entries): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
-
Suspicious use of FindShellTrayWindow (17 IoCs)
  PID 552: msiexec.exe (2)
  PID 4748: MouseWithoutBorders.exe (15)
-
Suspicious use of SendNotifyMessage (15 IoCs)
  PID 4748: MouseWithoutBorders.exe (15)
-
Suspicious use of SetWindowsHookEx (8 IoCs)
  PID 4748: MouseWithoutBorders.exe (8)
-
Suspicious use of WriteProcessMemory (25 IoCs)
Each entry is a parent writing into a child it has just created; the trailing number is the sandbox's internal target process index.
  PID 2080 msiexec.exe wrote to PID 1844 (target 91), 2 times
  PID 2080 msiexec.exe wrote to PID 1380 (target 93), 3 times
  PID 2080 msiexec.exe wrote to PID 4800 (target 94), 3 times
  PID 552 msiexec.exe wrote to PID 4032 (target 95), 2 times
  PID 4032 MouseWithoutBordersHelper.exe wrote to PID 4568 (target 97), 3 times
  PID 2912 MouseWithoutBordersSvc.exe wrote to PID 2724 (target 100), 2 times
  PID 2724 MouseWithoutBordersHelper.exe wrote to PID 3500 (target 101), 3 times
  PID 2912 MouseWithoutBordersSvc.exe wrote to PID 548 (target 102), 2 times
  PID 548 MouseWithoutBordersHelper.exe wrote to PID 4748 (target 103), 3 times
  PID 4748 MouseWithoutBorders.exe wrote to PID 1992 (target 105), 2 times
-
System policy modification (1 TTP, 2 IoCs)
DisableCAD = 1 removes the requirement to press Ctrl+Alt+Del at the logon screen. It is a machine-wide policy change made here by the application process running in the winlogon and default sessions, and is worth confirming as intended before deploying.
  [MouseWithoutBorders.exe] Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD = "1"
  [MouseWithoutBorders.exe] Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD = "1"
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(Indentation shows parent/child relationships; PIDs are from the sandbox run.)

C:\Windows\system32\msiexec.exe (PID 552)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\MouseWithoutBordersSetup.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersHelper.exe (PID 4032)
    Command line: "C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersHelper.exe" install completed
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBorders.exe (PID 4568)
      Command line: "C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBorders.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\msiexec.exe (PID 2080)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\srtasks.exe (PID 1844)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\syswow64\MsiExec.exe (PID 1380)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 07FEF76E424D167338DBA9F279D18625
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  C:\Windows\syswow64\MsiExec.exe (PID 4800)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DC5D8F7DE27F0CFA637090A1DE9AFEC2 E Global\MSI0000
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe (PID 2920)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersSvc.exe (PID 2912)
  Command line: "C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersSvc.exe"
  - Drops file in System32 directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersHelper.exe (PID 2724)
    Command line: "C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersHelper.exe" "SvcExec" "winlogon"
    - Drops file in System32 directory
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBorders.exe (PID 3500)
      Command line: "C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBorders.exe" "winlogon"
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - System policy modification
  C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersHelper.exe (PID 548)
    Command line: "C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersHelper.exe" "SvcExec" "default"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBorders.exe (PID 4748)
      Command line: "C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBorders.exe" "default"
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MousewithoutBordersHelper.exe (PID 1992)
        Command line: "C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MousewithoutBordersHelper.exe"
        - Executes dropped EXE
        - Suspicious behavior: AddClipboardFormatListener
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 137KB
  MD5: 4817bbd17602c430346c107f68853392
  SHA1: 7cb6e59a505d0cb272613a104d02aa93cfff3a61
  SHA256: bdb70ee250cb6f126e5c553b919370d73dfed99b655826d9daaed34c99f70bdf
  SHA512: 335bba8d06af0b72d006ea07c33058060c10203e68d824f75177d797ecef451945eacaebff04ba7e59710d6040b4197f416fe63f29be23bf0984d87b5c49ebca
- Filesize: 178KB
  MD5: 4c4dfb5b8e6298b68254d4cc3166e71a
  SHA1: 511aebb8fffbb7b222f5e55eb389a6026115038f
  SHA256: 7a02a236fcf1a21fc43e26ab6179aea593074d70cbf1e11b46731106a4956107
  SHA512: cb4f305f3ddc9945aee901e921773b818736874beaa497a366a3a1e86354ab3ca36e8684d1b477745b2548ccf8a7bb3c993630cc7e439beec15eb96053ae61d5
- Filesize: 703KB
  MD5: a9260cd7303b0a8610defc2b4a310c92
  SHA1: ead62e12c153f418939a1713c88c7e9d3cc2bb65
  SHA256: 907001750182086a11ff248625934465cc0abc02a14654a7b07d811c7391d40f
  SHA512: 2d4115b9497f41cafa223313586a8f740a815ba2ca2be3fee82ab053ee28a2124be88bc93c2984f09745984240c9bdb1897be8b8089c688759cb8db44609697f
- Filesize: 50KB
  MD5: 6c44b83c9b468994edb02c7daec454a8
  SHA1: 52d170d13ff0a694929616129b00892b377046e1
  SHA256: d7e8f30b3f87373e89e8dec1273f161c478e621e2450279a01a3d0914d754b4f
  SHA512: dbbdd9fce8f1ad30086dffb0eeae6d68d4f74ed664eb52e4a73f46408f0c8a9154c83c0ae5136ae49b92086f05cc89e75f1f74d814ed3b707adf57a3a1b0b4a2
- Filesize: 277B
  MD5: b17a85c57fc2733a410e8f2c0bc3fd01
  SHA1: 0c200b634bf59439e1adb4e377264923c66878f5
  SHA256: 48d7ef9bc8949f337f958b54145130c4a666e8ccc261b2e27d156f09aea2e893
  SHA512: ac501ba616e2f8934d1341c6234742a0302a0722f1fa840ec2d67b00077fbe5815dfbefdf3caf8c2e622664047da4e3ce6389cbe0a351e6703c8e767dc1a5268
- Filesize: 29KB
  MD5: ac3d71c12f38ad7d22f98c95de8c8cbf
  SHA1: e1f179c5334bdaf5764db984332f19bd0cac06f9
  SHA256: d65d44126e2327891ba426a09471df0564456a9b37aad8b3453d2d5b06f6aef3
  SHA512: 4ccd08ac8b3798327561b3839c69c9e657938b50e3c20d988daef83367df384081bc332f38655e001667226b67cc44e0028ce48c53cb7137c2f935e714d7500a
- Filesize: 127KB
  MD5: 93394d2866590fb66759f5f0263453f2
  SHA1: 2f0903d4b21a0231add1b4cd02e25c7c4974da84
  SHA256: 5c29b8255ace0cd94c066c528c8ad04f0f45eba12fcf94da7b9ca1b64ad4288b
  SHA512: f2033997b7622bd7cd6f30fca676ab02ecf6c732bd44e43358e4857b2cf5b227a5aa6bbbf2828c69dd902cbcc6ff983306787a46104ca000187f0cba3743c622
- Filesize: 1.3MB (hashes identical to the submitted sample)
  MD5: 2daa9baede028a537514ca882df818fb
  SHA1: 0609fd238849a9bc2aac3ed5ac0af68e8eb4be17
  SHA256: 52ee7f6ddcd934ac50c937db06820e7ea6cb1a3908c6431b8b0bcb1e641712cb
  SHA512: e94417499da8c85cde94e03f26324c696ab62642eee086510ee2a197d7ee43fc43e63b39fd9ed7ab318a769bb20e188414168a0009444ebe398d54b7ca7a181a
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MouseWithoutBordersHelper.exe.log
  Filesize: 660B
  MD5: 1c5e1d0ff3381486370760b0f2eb656b
  SHA1: f9df6be8804ef611063f1ff277e323b1215372de
  SHA256: f424c891fbc7385e9826beed2dd8755aeac5495744b5de0a1e370891a7beaf7a
  SHA512: 78f5fc40a185d04c9e4a02a3d1b10b4bd684c579a45a0d1e8f49f8dee9018ed7bc8875cbf21f98632f93ead667214a41904226ce54817b85caeeb4b0de54a743
- Filesize: 24.1MB
  MD5: 925205f4915e7c3055ad983a778ed687
  SHA1: 57737bf664958b9b3e0534c84074dbd93628d747
  SHA256: 808182b5536e14e7ef433574135ae29dd1d491929fa48da6df39fe06808b0ad4
  SHA512: 2783e2f13981eb36ba1211ba25b363a64e646d6237fec22d66d5f00c668e7961bcb38e181cfcd9876421c290f9736dbbf42acc8cae4c26b9dc11c5c7eabb33cb
- \??\Volume{1541411d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f8726cd4-9311-4ce2-8705-59321148e7e1}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 1ae2c1b01c31e9c8a6586856559d1d88
  SHA1: b9394b21444a1b5b6a047371801a6e43d7302bc0
  SHA256: 188b305a68e5194ba4522beb963fe75673b41947c0992c794e0793d7f9cd99e5
  SHA512: 7985f4b7a4b083e1f27313868549e114cbce17eca91ab7f6fc189345c42b2b4f68c445cbe8ab95f68f36206e0deb41dd7272815f0d7288d564f2cd32ac0ad3a7