Analysis

  • max time kernel
    123s
  • max time network
    99s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    22-01-2021 13:51

General

  • Target

    _.msi

  • Size

    11.4MB

  • MD5

    1fa69ec9be99a31ec668e03e71f3956b

  • SHA1

    2d35b6bf792b8a651c62c159ca90f3080d38240c

  • SHA256

    78fcc7d75a5886b74c02f41ff4a6cc9f0d6d29ce0d4c0242d11e626363c0c7dc

  • SHA512

    ae3af1b1db199c88531e6a4be16dce386a890176b13692a3cf6778ece49ebf04a43f5d9c8448d8680ad176bcb2615bf247d26637118fce535a8c218bf0349c2a

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Drops file in Windows directory 10 IoCs
  • Modifies data under HKEY_USERS 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 87 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\_.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1096
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1188
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:364
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000003BC" "00000000000004CC"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion: Modify Registry (T1112): 1
  • Discovery: Query Registry (T1012): 1
  • Discovery: Peripheral Device Discovery (T1120): 1
  • Discovery: System Information Discovery (T1082): 2

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    8367ccf35a3de86edc2eec55cae9360a

    SHA1

    67d83de902078d7037cf3cc53fdc243580c45ee4

    SHA256

    ef80411ad497a72453e1138e35dbd12654b2367e2a8ff658c83ab3c993fb3e7d

    SHA512

    636ed7ab28e0aa75f7ba2ee8389e5a7369d78d4b5b162ae34d5c9fc1d8d3a8677a17a848e78e7a7297325101cb7fedca5e8d47f114d6ab209e247edc361d5900

  • memory/1096-2-0x000007FEFBBB1000-0x000007FEFBBB3000-memory.dmp
    Filesize

    8KB

  • memory/1096-3-0x00000000031C0000-0x00000000031C4000-memory.dmp
    Filesize

    16KB

  • memory/1096-6-0x0000000004150000-0x0000000004154000-memory.dmp
    Filesize

    16KB

  • memory/1096-9-0x0000000004150000-0x0000000004154000-memory.dmp
    Filesize

    16KB

  • memory/1096-8-0x0000000005CD0000-0x0000000005CD4000-memory.dmp
    Filesize

    16KB

  • memory/1096-10-0x0000000004150000-0x0000000004154000-memory.dmp
    Filesize

    16KB

  • memory/1096-14-0x0000000004150000-0x0000000004154000-memory.dmp
    Filesize

    16KB