Analysis
  max time kernel: 149s
  max time network: 141s
  platform: windows10-2004_x64
  resource: win10v2004-20250313-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 01/04/2025, 17:06
  Static task: static1
  Behavioral task: behavioral1
    Sample: 4f13d4a71a5c335c0f3cf15b31dcbdd42cf9298ceb63be0bf1846233150ecea7.msi
    Resource: win10v2004-20250313-en
General
  Target: 4f13d4a71a5c335c0f3cf15b31dcbdd42cf9298ceb63be0bf1846233150ecea7.msi
  Size: 5.2MB
  MD5: cdec46b72a3d0ee11807fd836fb1a6a1
  SHA1: d917ae9aa96183fabc5741c24ee092a1996e3b07
  SHA256: 4f13d4a71a5c335c0f3cf15b31dcbdd42cf9298ceb63be0bf1846233150ecea7
  SHA512: 3ce9d1c2f37ebd029988b7970584bb73aac45680720953a7f4030b87d0e704fa7e42af5261eaabf0e975b464ff150282805b5106d54f4131d044719298503271
  SSDEEP: 98304:7yXtlFC2Yj0r1V9kWbezWqsfuCYQwev/mpRt9HOeZ9MDRrPa17o:7ydlQ280r9kYAPsffYQoOm9qRrCx
Malware Config
  Extracted: valleyrat_s2 (1.0)
    47.236.171.20:10000
    47.236.171.20:20000
    127.0.0.1:80
  campaign_date: 2024.12.25
Signatures
- ValleyRat
  ValleyRat stage2 is a backdoor written in C++.
- Valleyrat_s2 family
- Blocklisted process makes network request (3 IoCs)
    flow  pid   Process
    4     3440  msiexec.exe
    6     3440  msiexec.exe
    8     3440  msiexec.exe
- Enumerates connected drives (3 TTPs, 64 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  All 64 entries are "File opened (read-only)"; grouped here by process:
    msiexec.exe (43 entries): \??\A:, \??\J: and \??\K: once each; \??\B:, \??\E:, \??\G:, \??\H:, \??\I: and \??\L: through \??\Z: twice each
    ~Edwos.tmp (21 entries): \??\B:, \??\E:, \??\G: through \??\J:, and \??\L: through \??\Z:, once each
- Drops file in Windows directory (12 IoCs)
    description                   ioc                                                                 Process
    File opened for modification  C:\Windows\Installer\MSI99C1.tmp                                    msiexec.exe
    File opened for modification  C:\Windows\Installer\MSI9A11.tmp                                    msiexec.exe
    File opened for modification  C:\Windows\Installer\                                               msiexec.exe
    File opened for modification  C:\Windows\Installer\MSI99D2.tmp                                    msiexec.exe
    File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                      msiexec.exe
    File created                  C:\Windows\Installer\SourceHash{182A12CA-9E07-4F91-A987-2FFE3BFC2E0E}  msiexec.exe
    File opened for modification  C:\Windows\Installer\MSI9A51.tmp                                    msiexec.exe
    File created                  C:\Windows\Installer\e57973f.msi                                    msiexec.exe
    File opened for modification  C:\Windows\Installer\e57973f.msi                                    msiexec.exe
    File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log            msiexec.exe
    File opened for modification  C:\Windows\Installer\MSI9819.tmp                                    msiexec.exe
    File opened for modification  C:\Windows\Installer\MSI9962.tmp                                    msiexec.exe
- Executes dropped EXE (2 IoCs)
    pid   Process
    5760  EdgePlug.exe
    3016  ~Edwos.tmp
- Loads dropped DLL (5 IoCs)
    pid   Process
    6064  MsiExec.exe (5 entries)
- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
    pid   Process
    3440  msiexec.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EdgePlug.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ~Edwos.tmp
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  All five entries are by vssvc.exe:
    Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters
    Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr
    Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = …
    Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters
- Modifies data under HKEY_USERS (3 IoCs)
    description  ioc                                                                          Process
    Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E  msiexec.exe
    Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27           msiexec.exe
    Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28           msiexec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   Process
    1564  msiexec.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (63 IoCs)
  Token adjustments grouped by process (in report order; repeats noted):
    3440 msiexec.exe (31 entries): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
    1564 msiexec.exe (21 entries): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege (10 times), SeTakeOwnershipPrivilege (9 times)
    2512 vssvc.exe (3 entries): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    1376 srtasks.exe (8 entries): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, each twice
- Suspicious use of FindShellTrayWindow (2 IoCs)
    pid   Process
    3440  msiexec.exe (2 entries)
- Suspicious use of WriteProcessMemory (11 IoCs)
    description                       pid   Process       procid_target
    PID 1564 wrote to memory of 1376  1564  msiexec.exe   100  (2 entries)
    PID 1564 wrote to memory of 6064  1564  msiexec.exe   102  (3 entries)
    PID 1564 wrote to memory of 5760  1564  msiexec.exe   103  (3 entries)
    PID 5760 wrote to memory of 3016  5760  EdgePlug.exe  104  (3 entries)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 3440)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4f13d4a71a5c335c0f3cf15b31dcbdd42cf9298ceb63be0bf1846233150ecea7.msi
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 1564)
  Command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 1376, child of 1564)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe (PID 6064, child of 1564)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8AFB4A9EFAA7E2DB0E42F7312A40ABCB
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\EdgePlug\EdgePlug.exe (PID 5760, child of 1564)
    Command line: "C:\Users\Admin\AppData\Local\Temp\EdgePlug\EdgePlug.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    - C:\ProgramData\~Edwos.tmp (PID 3016, child of 5760)
      Command line: C:\ProgramData\~Edwos.tmp
        - Enumerates connected drives
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 2512)
  Command line: C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
  (path not shown)  1KB
  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_7C680AFD6E5253822D96E16EE9FA86B6  1KB
  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E  1KB
  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_7C680AFD6E5253822D96E16EE9FA86B6  536B
  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E  536B
  (path not shown)  4.4MB
  (path not shown)  1005KB
  (path not shown)  24.1MB
  \??\Volume{a15ece3a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3bbb8745-426a-4f3f-8020-c2e9672621cd}_OnDiskSnapshotProp  6KB