Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/04/2025, 17:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: 4f13d4a71a5c335c0f3cf15b31dcbdd42cf9298ceb63be0bf1846233150ecea7.msi
- Resource: win10v2004-20250314-en
General
- Target: 4f13d4a71a5c335c0f3cf15b31dcbdd42cf9298ceb63be0bf1846233150ecea7.msi
- Size: 5.2MB
- MD5: cdec46b72a3d0ee11807fd836fb1a6a1
- SHA1: d917ae9aa96183fabc5741c24ee092a1996e3b07
- SHA256: 4f13d4a71a5c335c0f3cf15b31dcbdd42cf9298ceb63be0bf1846233150ecea7
- SHA512: 3ce9d1c2f37ebd029988b7970584bb73aac45680720953a7f4030b87d0e704fa7e42af5261eaabf0e975b464ff150282805b5106d54f4131d044719298503271
- SSDEEP: 98304:7yXtlFC2Yj0r1V9kWbezWqsfuCYQwev/mpRt9HOeZ9MDRrPa17o:7ydlQ280r9kYAPsffYQoOm9qRrCx
Malware Config
Extracted
- Family: valleyrat_s2
- Version: 1.0
- C2: 47.236.171.20:10000
- C2: 47.236.171.20:20000
- C2: 127.0.0.1:80
- campaign_date: 2024.12.25
Signatures
- ValleyRat
  ValleyRat stage2 is a backdoor written in C++.
- Valleyrat_s2 family
Blocklisted process makes network request (3 IoCs)
flow  pid   Process
13    5772  msiexec.exe
23    5772  msiexec.exe
28    5772  msiexec.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory (12 IoCs)
description                   ioc                                                                  Process
File opened for modification  C:\Windows\Installer\MSIABE1.tmp                                     msiexec.exe
File opened for modification  C:\Windows\Installer\                                                msiexec.exe
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                       msiexec.exe
File opened for modification  C:\Windows\Installer\MSIAD9A.tmp                                     msiexec.exe
File opened for modification  C:\Windows\Installer\MSIAC8E.tmp                                     msiexec.exe
File opened for modification  C:\Windows\Installer\MSIACBE.tmp                                     msiexec.exe
File opened for modification  C:\Windows\Installer\MSIAD0D.tmp                                     msiexec.exe
File created                  C:\Windows\Installer\SourceHash{182A12CA-9E07-4F91-A987-2FFE3BFC2E0E}  msiexec.exe
File created                  C:\Windows\Installer\e57aa4a.msi                                     msiexec.exe
File opened for modification  C:\Windows\Installer\e57aa4a.msi                                     msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log             msiexec.exe
File opened for modification  C:\Windows\Installer\MSIAAB7.tmp                                     msiexec.exe
Executes dropped EXE (2 IoCs)
pid   Process
5440  EdgePlug.exe
4320  ~Edwos.tmp
Loads dropped DLL (5 IoCs)
pid  Process
748  MsiExec.exe
748  MsiExec.exe
748  MsiExec.exe
748  MsiExec.exe
748  MsiExec.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
pid   Process
5772  msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                                Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        MsiExec.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        EdgePlug.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        ~Edwos.tmp
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Modifies data under HKEY_USERS (3 IoCs)
description  ioc                                                                                 Process
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E        msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27                 msiexec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28                 msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
4756  msiexec.exe
4756  msiexec.exe
Suspicious use of AdjustPrivilegeToken (63 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
5772  msiexec.exe
5772  msiexec.exe
Suspicious use of WriteProcessMemory (11 IoCs)
description                        pid   Process       procid_target
PID 4756 wrote to memory of 712    4756  msiexec.exe   101
PID 4756 wrote to memory of 712    4756  msiexec.exe   101
PID 4756 wrote to memory of 748    4756  msiexec.exe   103
PID 4756 wrote to memory of 748    4756  msiexec.exe   103
PID 4756 wrote to memory of 748    4756  msiexec.exe   103
PID 4756 wrote to memory of 5440   4756  msiexec.exe   104
PID 4756 wrote to memory of 5440   4756  msiexec.exe   104
PID 4756 wrote to memory of 5440   4756  msiexec.exe   104
PID 5440 wrote to memory of 4320   5440  EdgePlug.exe  105
PID 5440 wrote to memory of 4320   5440  EdgePlug.exe  105
PID 5440 wrote to memory of 4320   5440  EdgePlug.exe  105
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 5772)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4f13d4a71a5c335c0f3cf15b31dcbdd42cf9298ceb63be0bf1846233150ecea7.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4756)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 712)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe (PID 748)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F870D1E9F74682D3911E1452B03FB71B
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\EdgePlug\EdgePlug.exe (PID 5440)
    Command line: "C:\Users\Admin\AppData\Local\Temp\EdgePlug\EdgePlug.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\~Edwos.tmp (PID 4320)
      Command line: C:\ProgramData\~Edwos.tmp
      - Enumerates connected drives
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 4840)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Downloads
- Filesize: 1KB
  MD5: f5b51d860b537ed0c0ff4a45bfbdd4ac
  SHA1: 2824c9713f24a27d8ca7f309076371df88a6d16f
  SHA256: 27535adf42d24f416ce78d1067b9217596a035ce667c3570732d836a6509a7ec
  SHA512: 65bbfe3f8584ff637e259b68527cdafcbef2ff5dfdac2d319a127c0d303ef94ad5906cd999d2adcb39ab69cf3538c40943073116096e0926ecc4ed4dcf976829
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_7C680AFD6E5253822D96E16EE9FA86B6
  Filesize: 1KB
  MD5: 144303eed4ca7c0ebeaa3c144f56241f
  SHA1: c4217d906d03d0dfe54bbc8b2a4e87469026ef79
  SHA256: c52a67b148499123b4870eb9672678608ef2f537fbd8f34144e9d28dde63d59a
  SHA512: 9d1dba4c25ac20dc744f2c04969c0ac2f020bdb7d8466aa9d19c8669af8f7b4e19b803a400b38e67118a7235dad1b619bcb20cc51d7e1dcfb65ff3005c0804b7
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
  Filesize: 1KB
  MD5: 89b34ec8b8c20b957ca123b95e2be358
  SHA1: 68da446cfe0db1d355bedbd446e2a9cde8a6fcd9
  SHA256: 418cd4ff12faa856e86ba76422cc01719365a59be805b0a2ac5c26677a715384
  SHA512: ecdec6d15eda92c2246554961f4cd6a70da7adfc7e21414e1fd4837fb7d2ff4a87b8f994eda4da5edaaf17b2034a1be550c314085df10834d6695aed9b13839d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_7C680AFD6E5253822D96E16EE9FA86B6
  Filesize: 536B
  MD5: b318049eba6c6fe41c867d1ca8f4a7d6
  SHA1: 4d2cd3aad5d675b73a56a348281f91a10721ca38
  SHA256: af1230fc958163cf41522a7a295d8ddc7e1579d4b39524a3e670b8f16d267899
  SHA512: 1de4eaa7decc3dca7cbeb8d457922f29f8f7404f7b585de6f1fa32ceb7993a42b21aed8b1cfe138faa97b1206a17827a75ff5c1c9135bb3ad36b878e333c2a24
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
  Filesize: 536B
  MD5: 90550b9b31ee3498517157d3bd2abe4d
  SHA1: 0a501c4400bf1fd8ffa0cf75e588ee987ae4ce2e
  SHA256: e172e945f7d72176ba4f0f06f68b3beaf3991345568e5d259e9a6dfeebd11a24
  SHA512: cda79b6d738cb85bbb2769ac7d4edf3fdf69e8b9eea5ff56b626d089995b899278eec54bb7eabf309b01ad4ca52f02db58ef62c31eafa2d1d86fb81960aeabfb
- Filesize: 4.4MB
  MD5: 065029491d64e41610d29b401a173afe
  SHA1: 938c3da5cad02617f8924874abda72e0121ea357
  SHA256: 9e78f89ffa70b6426595e1007db89bc2bd9fd39600d659a347f4689c5a1e67ad
  SHA512: 9716a64662d5235c71aa3b2e21460bc105f6656fb5a5544c722f01de4321970b19f29548aae48506e75f15a0edd1f02021023cbfaaeac4074ca52421ccf79ca6
- Filesize: 1005KB
  MD5: 0606e1a2fe0d72593405cafeb945c740
  SHA1: 641e8cfea8d2203d3127b49939b1ed5f1c97dc9e
  SHA256: 7b3a4e3e3f58fa49164d49b14bc10c13a9d734846956c8a7a433c8bb6c82d983
  SHA512: 696152be48a1256c5eda545b8759671117a7b55e49723b437b6ee258a3b568b9440f1592e4abf4eb1aa878e960cc721bdbc55f2a48d77bb1b3315b75cc15946a
- Filesize: 24.1MB
  MD5: 940cf5575e06bd685d1c99cfdb444b6c
  SHA1: 4ee685e1c88b3fbb09492b35536b90d33d6cdc61
  SHA256: cade2a731f82af1cb0e0b15bff5d5edbd7010a03bd712f86442e8802026e9a0b
  SHA512: c541d686ffe830796637f090423cf34aa51c150e3cea922af59c1178c821407c8166ba9b219fca450cfe5b75fb0a1326effc06206023c5f9eafa34ae36174213
- \??\Volume{28d89ff2-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{38f360cc-1ee2-4621-a878-65a16ca5eb02}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: f30a3c6901e5eefa37b4d4369b613c62
  SHA1: b7e87e767a641be8e59d9e3a5b830be4357ef3ef
  SHA256: 7a74e2646bbcc7f96c472d1f0a7986a3cb83d7ca733053ff009a669b589d2a49
  SHA512: 6b9e72d32d05fede2537c7001289a7cb193389bc6dd923a576911817de00d94e5ff91a109ea53e4bedd838f8490dafe2a6e900dd369ecad3fdeaa1ff02140387