Analysis

  • max time kernel
    107s
  • max time network
    93s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 20:15

General

  • Target

    SecuriteInfo.com.Java.Ratty.2.16669.26428.msi

  • Size

    382KB

  • MD5

    aa3ff63ab96d65c389f21ccd788f3f3d

  • SHA1

    a8c88243d07e4293a543ab0ab98618c793e7f3db

  • SHA256

    cae5dae2e0d582b80b5029fc3c89f8497badeccf6750d8dceefa47029fae3b0f

  • SHA512

    9082dd93744e3ba338cd138736f6c186fefe4914fa57218b33cbd67b027ece64e1070d2cc1c72e2e5742d8e5d666193c137661897765596660d4fb1761584437

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives (3 TTPs, 48 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies service (2 TTPs, 149 IoCs)
  • Drops file in Windows directory (8 IoCs)
  • Modifies data under HKEY_USERS (44 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (57 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Java.Ratty.2.16669.26428.msi
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:784
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    • Enumerates connected drives
    • Modifies service
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1748
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1428
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005A8" "00000000000003B8"
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:884

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    MD5

    9059bbcaec8405563e1ed187344ecf73

    SHA1

    7a69f8be92075cadb18dc2278b9fa5a60a0f93dd

    SHA256

    16b10c2a58b35ac463be8a03f5502ed14328824bed0ba2d75b564e334cfd8b28

    SHA512

    c0439a8f97d16861a0b66ce70b2932d217c334ee64ddf9bbcfc32311f90a48ea834f6ca5910887669168f888071d19618730dbe49ad614d0833d73ca922f5c31

  • memory/784-0-0x00000000041A0000-0x00000000041A4000-memory.dmp

    Filesize

    16KB

  • memory/784-1-0x00000000051A0000-0x00000000051A4000-memory.dmp

    Filesize

    16KB

  • memory/784-2-0x00000000051A0000-0x00000000051A4000-memory.dmp

    Filesize

    16KB

  • memory/784-3-0x00000000051A0000-0x00000000051A4000-memory.dmp

    Filesize

    16KB

  • memory/784-4-0x00000000051A0000-0x00000000051A4000-memory.dmp

    Filesize

    16KB

  • memory/1748-6-0x0000000002300000-0x0000000002304000-memory.dmp

    Filesize

    16KB

  • memory/1748-7-0x0000000001D30000-0x0000000001D34000-memory.dmp

    Filesize

    16KB