Analysis
-
max time kernel
123s -
max time network
99s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
22-01-2021 13:51
Static task
static1
Behavioral task
behavioral1
Sample
_.msi
Resource
win7v20201028
Behavioral task
behavioral2
Sample
_.msi
Resource
win10v20201028
Behavioral task
behavioral3
Sample
fhoffa-n11163nkd.vbs
Resource
win7v20201028
Behavioral task
behavioral4
Sample
fhoffa-n11163nkd.vbs
Resource
win10v20201028
General
-
Target
_.msi
-
Size
11.4MB
-
MD5
1fa69ec9be99a31ec668e03e71f3956b
-
SHA1
2d35b6bf792b8a651c62c159ca90f3080d38240c
-
SHA256
78fcc7d75a5886b74c02f41ff4a6cc9f0d6d29ce0d4c0242d11e626363c0c7dc
-
SHA512
ae3af1b1db199c88531e6a4be16dce386a890176b13692a3cf6778ece49ebf04a43f5d9c8448d8680ad176bcb2615bf247d26637118fce535a8c218bf0349c2a
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
msiexec.exemsiexec.exeflow pid process 2 1096 msiexec.exe 5 1188 msiexec.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
msiexec.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Imo Messenger = "\"C:\\Users\\Admin\\AppData\\Roaming\\Imo Messenger\\ImoDesktopApp.exe\" -minimized" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run msiexec.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Drops file in Windows directory 10 IoCs
Processes:
msiexec.exeDrvInst.exedescription ioc process File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI10BB.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f750c02.msi msiexec.exe File opened for modification C:\Windows\Installer\f750c02.msi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File created C:\Windows\Installer\f750c03.ipi msiexec.exe File created C:\Windows\Installer\f750c05.msi msiexec.exe File opened for modification C:\Windows\Installer\f750c03.ipi msiexec.exe -
Modifies data under HKEY_USERS 44 IoCs
Processes:
DrvInst.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid process 1188 msiexec.exe 1188 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
msiexec.exepid process 1096 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 87 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exeDrvInst.exedescription pid process Token: SeShutdownPrivilege 1096 msiexec.exe Token: SeIncreaseQuotaPrivilege 1096 msiexec.exe Token: SeRestorePrivilege 1188 msiexec.exe Token: SeTakeOwnershipPrivilege 1188 msiexec.exe Token: SeSecurityPrivilege 1188 msiexec.exe Token: SeCreateTokenPrivilege 1096 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1096 msiexec.exe Token: SeLockMemoryPrivilege 1096 msiexec.exe Token: SeIncreaseQuotaPrivilege 1096 msiexec.exe Token: SeMachineAccountPrivilege 1096 msiexec.exe Token: SeTcbPrivilege 1096 msiexec.exe Token: SeSecurityPrivilege 1096 msiexec.exe Token: SeTakeOwnershipPrivilege 1096 msiexec.exe Token: SeLoadDriverPrivilege 1096 msiexec.exe Token: SeSystemProfilePrivilege 1096 msiexec.exe Token: SeSystemtimePrivilege 1096 msiexec.exe Token: SeProfSingleProcessPrivilege 1096 msiexec.exe Token: SeIncBasePriorityPrivilege 1096 msiexec.exe Token: SeCreatePagefilePrivilege 1096 msiexec.exe Token: SeCreatePermanentPrivilege 1096 msiexec.exe Token: SeBackupPrivilege 1096 msiexec.exe Token: SeRestorePrivilege 1096 msiexec.exe Token: SeShutdownPrivilege 1096 msiexec.exe Token: SeDebugPrivilege 1096 msiexec.exe Token: SeAuditPrivilege 1096 msiexec.exe Token: SeSystemEnvironmentPrivilege 1096 msiexec.exe Token: SeChangeNotifyPrivilege 1096 msiexec.exe Token: SeRemoteShutdownPrivilege 1096 msiexec.exe Token: SeUndockPrivilege 1096 msiexec.exe Token: SeSyncAgentPrivilege 1096 msiexec.exe Token: SeEnableDelegationPrivilege 1096 msiexec.exe Token: SeManageVolumePrivilege 1096 msiexec.exe Token: SeImpersonatePrivilege 1096 msiexec.exe Token: SeCreateGlobalPrivilege 1096 msiexec.exe Token: SeBackupPrivilege 364 vssvc.exe Token: SeRestorePrivilege 364 vssvc.exe Token: SeAuditPrivilege 364 vssvc.exe Token: SeBackupPrivilege 1188 msiexec.exe Token: SeRestorePrivilege 1188 msiexec.exe Token: SeRestorePrivilege 1624 DrvInst.exe Token: SeRestorePrivilege 1624 DrvInst.exe Token: SeRestorePrivilege 1624 DrvInst.exe Token: SeRestorePrivilege 1624 DrvInst.exe Token: SeRestorePrivilege 1624 DrvInst.exe Token: SeRestorePrivilege 1624 DrvInst.exe Token: SeRestorePrivilege 1624 DrvInst.exe Token: SeLoadDriverPrivilege 1624 DrvInst.exe Token: SeLoadDriverPrivilege 1624 DrvInst.exe Token: SeLoadDriverPrivilege 1624 DrvInst.exe Token: SeRestorePrivilege 1188 msiexec.exe Token: SeTakeOwnershipPrivilege 1188 msiexec.exe Token: SeRestorePrivilege 1188 msiexec.exe Token: SeTakeOwnershipPrivilege 1188 msiexec.exe Token: SeRestorePrivilege 1188 msiexec.exe Token: SeTakeOwnershipPrivilege 1188 msiexec.exe Token: SeRestorePrivilege 1188 msiexec.exe Token: SeTakeOwnershipPrivilege 1188 msiexec.exe Token: SeRestorePrivilege 1188 msiexec.exe Token: SeTakeOwnershipPrivilege 1188 msiexec.exe Token: SeRestorePrivilege 1188 msiexec.exe Token: SeTakeOwnershipPrivilege 1188 msiexec.exe Token: SeRestorePrivilege 1188 msiexec.exe Token: SeTakeOwnershipPrivilege 1188 msiexec.exe Token: SeRestorePrivilege 1188 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 1096 msiexec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\_.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000003BC" "00000000000004CC"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
8367ccf35a3de86edc2eec55cae9360a
SHA167d83de902078d7037cf3cc53fdc243580c45ee4
SHA256ef80411ad497a72453e1138e35dbd12654b2367e2a8ff658c83ab3c993fb3e7d
SHA512636ed7ab28e0aa75f7ba2ee8389e5a7369d78d4b5b162ae34d5c9fc1d8d3a8677a17a848e78e7a7297325101cb7fedca5e8d47f114d6ab209e247edc361d5900
-
memory/1096-2-0x000007FEFBBB1000-0x000007FEFBBB3000-memory.dmpFilesize
8KB
-
memory/1096-3-0x00000000031C0000-0x00000000031C4000-memory.dmpFilesize
16KB
-
memory/1096-6-0x0000000004150000-0x0000000004154000-memory.dmpFilesize
16KB
-
memory/1096-9-0x0000000004150000-0x0000000004154000-memory.dmpFilesize
16KB
-
memory/1096-8-0x0000000005CD0000-0x0000000005CD4000-memory.dmpFilesize
16KB
-
memory/1096-10-0x0000000004150000-0x0000000004154000-memory.dmpFilesize
16KB
-
memory/1096-14-0x0000000004150000-0x0000000004154000-memory.dmpFilesize
16KB