ff37bfe914dd0d8b5c7e6553f4204b8a65d4a9f9f1909ff7a3cf121070d05a20

Analysis

max time kernel
50s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows_exporter-Agent.msi
Size

10.1MB
MD5

7096892e6330a1630ac9c588aa01e3a2
SHA1

3adbaa05e9def1d97823615f2f47669bcb1d8395
SHA256

822166c33ce415436a287f4f5bf34c9737da5201cda3b6a31ffc5b2be5023679
SHA512

73462b1b03ee2b81eb421e13fc466224666db2c6312e4424cf6451001f2d94ea5006f71957ab1a5c9617a862bb44f27f919dffc370637345a5b17fe7f885e540
SSDEEP

196608:djo2fy0hWWpfeZdkW2ijrtlT95y0DalZEM/Jbr1ZOONCbLmUo2hWN:dES/UWQdz24R2JbrzOsamU+N

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File created C:\Program Files\windows_exporter\windows_exporter.exe msiexec.exe

description	ioc	process
File created	C:\Program Files\windows_exporter\windows_exporter.exe	msiexec.exe

Drops file in Windows directory 14 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e578f11.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EDD0CDE3-4519-4C1A-9FB4-C8C067615698}	msiexec.exe
File created	C:\Windows\Installer\e578f13.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8FEC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI91B5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI92B0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e578f11.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8FFC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9099.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI90BA.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{EDD0CDE3-4519-4C1A-9FB4-C8C067615698}.SchedServiceConfig.rmi	MsiExec.exe

Executes dropped EXE 1 IoCs

Processes:

windows_exporter.exe

pid process

5072 windows_exporter.exe
Loads dropped DLL 5 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid process

3184 MsiExec.exe
3184 MsiExec.exe
3184 MsiExec.exe
4204 MsiExec.exe
4204 MsiExec.exe
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Processes:

msiexec.exe

pid process

4480 msiexec.exe

pid	process
5072	windows_exporter.exe

pid	process
3184	MsiExec.exe
3184	MsiExec.exe
3184	MsiExec.exe
4204	MsiExec.exe
4204	MsiExec.exe

pid	process
4480	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c9712a8ab103c3e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c9712a8a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c9712a8a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc9712a8a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c9712a8a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

windows_exporter.exemsiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-572 = "China Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time"	windows_exporter.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	windows_exporter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time"	windows_exporter.exe

Modifies registry class 22 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B5BE6A662CF141B43A26C5EE6C143380	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3EDC0DDE9154A1C4F94B8C0C76166589	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\PackageCode = "6FA1BA3026A692E4D854A8349C0710FE"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\Version = "1310720"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B5BE6A662CF141B43A26C5EE6C143380\3EDC0DDE9154A1C4F94B8C0C76166589	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\SourceList\PackageName = "windows_exporter-Agent.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3EDC0DDE9154A1C4F94B8C0C76166589\DefaultFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\ProductName = "windows_exporter"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EDC0DDE9154A1C4F94B8C0C76166589\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

msiexec.exewindows_exporter.exe

pid process

4388 msiexec.exe
4388 msiexec.exe
5072 windows_exporter.exe

pid	process
4388	msiexec.exe
4388	msiexec.exe
5072	windows_exporter.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeMsiExec.exe

description	pid	process
Token: SeShutdownPrivilege	4480	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4480	msiexec.exe
Token: SeSecurityPrivilege	4388	msiexec.exe
Token: SeCreateTokenPrivilege	4480	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4480	msiexec.exe
Token: SeLockMemoryPrivilege	4480	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4480	msiexec.exe
Token: SeMachineAccountPrivilege	4480	msiexec.exe
Token: SeTcbPrivilege	4480	msiexec.exe
Token: SeSecurityPrivilege	4480	msiexec.exe
Token: SeTakeOwnershipPrivilege	4480	msiexec.exe
Token: SeLoadDriverPrivilege	4480	msiexec.exe
Token: SeSystemProfilePrivilege	4480	msiexec.exe
Token: SeSystemtimePrivilege	4480	msiexec.exe
Token: SeProfSingleProcessPrivilege	4480	msiexec.exe
Token: SeIncBasePriorityPrivilege	4480	msiexec.exe
Token: SeCreatePagefilePrivilege	4480	msiexec.exe
Token: SeCreatePermanentPrivilege	4480	msiexec.exe
Token: SeBackupPrivilege	4480	msiexec.exe
Token: SeRestorePrivilege	4480	msiexec.exe
Token: SeShutdownPrivilege	4480	msiexec.exe
Token: SeDebugPrivilege	4480	msiexec.exe
Token: SeAuditPrivilege	4480	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4480	msiexec.exe
Token: SeChangeNotifyPrivilege	4480	msiexec.exe
Token: SeRemoteShutdownPrivilege	4480	msiexec.exe
Token: SeUndockPrivilege	4480	msiexec.exe
Token: SeSyncAgentPrivilege	4480	msiexec.exe
Token: SeEnableDelegationPrivilege	4480	msiexec.exe
Token: SeManageVolumePrivilege	4480	msiexec.exe
Token: SeImpersonatePrivilege	4480	msiexec.exe
Token: SeCreateGlobalPrivilege	4480	msiexec.exe
Token: SeBackupPrivilege	904	vssvc.exe
Token: SeRestorePrivilege	904	vssvc.exe
Token: SeAuditPrivilege	904	vssvc.exe
Token: SeBackupPrivilege	4388	msiexec.exe
Token: SeRestorePrivilege	4388	msiexec.exe
Token: SeRestorePrivilege	4388	msiexec.exe
Token: SeTakeOwnershipPrivilege	4388	msiexec.exe
Token: SeRestorePrivilege	4388	msiexec.exe
Token: SeTakeOwnershipPrivilege	4388	msiexec.exe
Token: SeRestorePrivilege	4388	msiexec.exe
Token: SeTakeOwnershipPrivilege	4388	msiexec.exe
Token: SeRestorePrivilege	4388	msiexec.exe
Token: SeTakeOwnershipPrivilege	4388	msiexec.exe
Token: SeRestorePrivilege	4388	msiexec.exe
Token: SeTakeOwnershipPrivilege	4388	msiexec.exe
Token: SeRestorePrivilege	4388	msiexec.exe
Token: SeTakeOwnershipPrivilege	4388	msiexec.exe
Token: SeRestorePrivilege	4388	msiexec.exe
Token: SeTakeOwnershipPrivilege	4388	msiexec.exe
Token: SeShutdownPrivilege	4204	MsiExec.exe
Token: SeRestorePrivilege	4388	msiexec.exe
Token: SeTakeOwnershipPrivilege	4388	msiexec.exe
Token: SeRestorePrivilege	4388	msiexec.exe
Token: SeTakeOwnershipPrivilege	4388	msiexec.exe
Token: SeRestorePrivilege	4388	msiexec.exe
Token: SeTakeOwnershipPrivilege	4388	msiexec.exe
Token: SeRestorePrivilege	4388	msiexec.exe
Token: SeTakeOwnershipPrivilege	4388	msiexec.exe
Token: SeRestorePrivilege	4388	msiexec.exe
Token: SeTakeOwnershipPrivilege	4388	msiexec.exe
Token: SeRestorePrivilege	4388	msiexec.exe
Token: SeTakeOwnershipPrivilege	4388	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4480 msiexec.exe
4480 msiexec.exe

pid	process
4480	msiexec.exe
4480	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 4388 wrote to memory of 4956	4388	msiexec.exe	srtasks.exe
PID 4388 wrote to memory of 4956	4388	msiexec.exe	srtasks.exe
PID 4388 wrote to memory of 3184	4388	msiexec.exe	MsiExec.exe
PID 4388 wrote to memory of 3184	4388	msiexec.exe	MsiExec.exe
PID 4388 wrote to memory of 3184	4388	msiexec.exe	MsiExec.exe
PID 4388 wrote to memory of 4204	4388	msiexec.exe	MsiExec.exe
PID 4388 wrote to memory of 4204	4388	msiexec.exe	MsiExec.exe
PID 4388 wrote to memory of 4204	4388	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\windows_exporter-Agent.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4480

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4956

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0BF04B7C8F57319E8C3F83E0C7CA4661
2⤵
- Loads dropped DLL
PID:3184

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D1B8530D94B5D913608EED043D24B4DC E Global\MSI0000
2⤵
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4252

C:\Program Files\windows_exporter\windows_exporter.exe
"C:\Program Files\windows_exporter\windows_exporter.exe" --log.format logger:eventlog?name=windows_exporter
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5072

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e578f12.rbs
Filesize
329KB

MD5
a897f8b8240e9893ebe2b542fac1dd63

SHA1
afc81d238e7ec533aacb013f8588748fa28d5556

SHA256
0508ae59ff8b9f684265d65ae24a13eba79b0b9278b7558687d8559d865ab854

SHA512
12d187da96dce14d8e4c6f454f271c00d7ef50325f34176df90ce489c0a4ec807b0560b8f79fc4160dc0d5319fcb436f79f47f4ccb7ed576bdea1c71a9cfa998

Download Submit
C:\Program Files\windows_exporter\windows_exporter.exe
Filesize
19.5MB

MD5
8a41cd83c16f6e9d060036ffee985f88

SHA1
0f90cc3cc01f3b96c74314dc562675948f5c89b1

SHA256
e99bcd3b0b4cc65c7ac40e95eb8a43c0ffa769fcb6b733a9ebc6c9f9d4ff69eb

SHA512
6eadb6dc7e8c79e8df88100643d86780a14bdcfd3617adfd4959c118493e1bb92bbf15b0969c645bb9502e1ca4caec9c866be309a565f784ac6085ef9f9c6d19

Download Submit
C:\Windows\Installer\MSI8FFC.tmp
Filesize
118KB

MD5
f2d47929b432a0be6db3b25ac5f50ae6

SHA1
dbbd61fb1379e1d94dc0384f0c2e908c9c632d42

SHA256
0eae25d188cd1589844050135065aa302e716a2b691dda27d6ed18140aedef4f

SHA512
97601fd72456409ad3dc7aa816e29e53f6e7be80368fcc95c5fee90ff03fc7f36f8b105a705eea0e1af3d612b86c7793e74371d436ffa866d399c386078be58d

Download Submit
C:\Windows\Installer\MSI90BA.tmp
Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
C:\Windows\Installer\e578f11.msi
Filesize
10.1MB

MD5
7096892e6330a1630ac9c588aa01e3a2

SHA1
3adbaa05e9def1d97823615f2f47669bcb1d8395

SHA256
822166c33ce415436a287f4f5bf34c9737da5201cda3b6a31ffc5b2be5023679

SHA512
73462b1b03ee2b81eb421e13fc466224666db2c6312e4424cf6451001f2d94ea5006f71957ab1a5c9617a862bb44f27f919dffc370637345a5b17fe7f885e540

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.7MB

MD5
8580605c010e8bc5c3538bdc9af9ae78

SHA1
06ece6074f74dd92615b292bfd598229a2caacc7

SHA256
7559d05a097aaab8601391b2cd737638089208f2b2edde58af25243cc827bfc4

SHA512
57397a808094e878043fcf515a0db2be8d56cff755fe88f16e8fed5f3c30d692fc0449451dfbb831d4b27dae109d9612bb903df2e6b593a8a99095e04e9a1e78

Download Submit
\??\Volume{8a2a71c9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2ec6e0e8-a7b4-4061-89bd-440d639bc250}_OnDiskSnapshotProp
Filesize
6KB

MD5
b0294751ccf3964db40ea53073e6bcf0

SHA1
084862580a9354ee025a08559a69561f49b31328

SHA256
ec16b61343ff91dbe35f0b9adccf5b3817db0e1b3a3ba8ca6cd2a6d3a429ce50

SHA512
e32b257c862f6edf389c250c97d654ddeccaf936a3c14736073ebaf68944892366543d108d196ddf7e2a8e20ad5e528c0557f964de1c7631058cfb2ea09a69fc

Download Submit