Overview

overview

9

Static

static

6

ฺฺฺà...ฺฺ

windows10_x64

9

ฺฺฺà...ºà¸º1m

windows10_x64

8

Analysis

  • max time kernel
    55s
  • max time network
    45s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    21-11-2020 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    534867_DOCTOURElC.msi

  • Size

    9.8MB

  • MD5

    bf69b794fe2b921f1cbafd3ec1e6c733

  • SHA1

    22464766695801e76be5b86978a57c3d7bc3c9be

  • SHA256

    dacf7e5ad5c8d564f185a961faa76018f2ba3c43dfcda03b33546bbbeb78d9fc

  • SHA512

    b33a8d903fe6e474424b3c0a1212b10df35cfb4784c9289f29b4f408b530c936c8c7a14b8dc213fd983668e368997fd932131b07334c41bd2d3129cefc383b46

Score
8/10

Malware Config

Signatures

  • Blacklisted process makes network request 6 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\534867_DOCTOURElC.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:580
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:696
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F2E629DEE0E4D33C373AB35828181112
      2⤵
      • Blacklisted process makes network request
      • Loads dropped DLL
      PID:3224
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 1872
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Installer\MSI86E9.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSI8E3D.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSI90A0.tmp
    MD5

    075c6a47cc7dc05ef47baae76c9a516b

    SHA1

    70d45bfd7a2d76ff3a9e4b845a51b763e1071cfb

    SHA256

    2bccb444b918328bb593b8dbdd5f47f6ec9bc67597f967cb00dea4eca2e51ee9

    SHA512

    19adc94af5e0fde7f9f7619b452d7e3530326a2dccafd7f72c7d4b46dbbe50c29ed7489cb2e7a3ae84325ba03976423461209dfdc078d7fd5f54bb464578c63f

    Download Submit
  • \Windows\Installer\MSI86E9.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSI8E3D.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSI90A0.tmp
    MD5

    075c6a47cc7dc05ef47baae76c9a516b

    SHA1

    70d45bfd7a2d76ff3a9e4b845a51b763e1071cfb

    SHA256

    2bccb444b918328bb593b8dbdd5f47f6ec9bc67597f967cb00dea4eca2e51ee9

    SHA512

    19adc94af5e0fde7f9f7619b452d7e3530326a2dccafd7f72c7d4b46dbbe50c29ed7489cb2e7a3ae84325ba03976423461209dfdc078d7fd5f54bb464578c63f

    Download Submit
  • \Windows\Installer\MSI90A0.tmp
    MD5

    075c6a47cc7dc05ef47baae76c9a516b

    SHA1

    70d45bfd7a2d76ff3a9e4b845a51b763e1071cfb

    SHA256

    2bccb444b918328bb593b8dbdd5f47f6ec9bc67597f967cb00dea4eca2e51ee9

    SHA512

    19adc94af5e0fde7f9f7619b452d7e3530326a2dccafd7f72c7d4b46dbbe50c29ed7489cb2e7a3ae84325ba03976423461209dfdc078d7fd5f54bb464578c63f

    Download Submit
  • memory/2100-22-0x0000000005450000-0x0000000005451000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2100-8-0x0000000004C20000-0x0000000004C21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3224-13-0x0000000000000000-mapping.dmp
    Download
  • memory/3224-16-0x0000000000000000-mapping.dmp
    Download
  • memory/3224-12-0x0000000000000000-mapping.dmp
    Download
  • memory/3224-0-0x0000000000000000-mapping.dmp
    Download
  • memory/3224-10-0x0000000000000000-mapping.dmp
    Download
  • memory/3224-14-0x0000000000000000-mapping.dmp
    Download
  • memory/3224-15-0x0000000000000000-mapping.dmp
    Download
  • memory/3224-9-0x0000000000000000-mapping.dmp
    Download
  • memory/3224-17-0x0000000000000000-mapping.dmp
    Download
  • memory/3224-18-0x0000000000000000-mapping.dmp
    Download
  • memory/3224-19-0x0000000000000000-mapping.dmp
    Download
  • memory/3224-20-0x0000000000000000-mapping.dmp
    Download
  • memory/3224-21-0x0000000000000000-mapping.dmp
    Download
  • memory/3224-11-0x0000000000000000-mapping.dmp
    Download
  • memory/3224-23-0x0000000000000000-mapping.dmp
    Download