Analysis
- max time kernel: 1562s
- max time network: 1792s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 09-05-2021 11:42

Static task: static1

Behavioral task: behavioral1
- Sample: Avast-Setup-v8.56.msi
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: Avast-Setup-v8.56.msi
- Resource: win10v20210410
General
- Target: Avast-Setup-v8.56.msi
- Size: 156KB
- MD5: 6d0aece3c6c497e5c95f5211391eeb5a
- SHA1: 27fe022501362ce3d8aad3d8d0ecf0b869580ba0
- SHA256: 9dc9fec6cfd0f7e565d2bcc58cc487f720d1b25bb650cb34431372d89c515fb5
- SHA512: 59e6e29a37d37e54ac1c75820f35fa5a4c0fccbe6a7962addd6e929bcd75e8e8465a5c6b59f28b22d14e54a76bc619440bbc5374265072b2bf9145cf100eb7f0
Malware Config
- Extracted: metasploit, payload windows/reverse_tcp, C2 3.22.53.161:10939
- Extracted: metasploit, encoder/shikata_ga_nai
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (1 IoC)
  Processes: MSIC8AE.tmp (pid 820)
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe
- Drops file in Windows directory (10 IoCs)
  Processes:
  - File opened for modification C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
  - File opened for modification C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
  - File created C:\Windows\Installer\f74c561.msi (msiexec.exe)
  - File created C:\Windows\Installer\f74c562.ipi (msiexec.exe)
  - File opened for modification C:\Windows\Installer\MSIC82F.tmp (msiexec.exe)
  - File opened for modification C:\Windows\Installer\f74c562.ipi (msiexec.exe)
  - File opened for modification C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
  - File opened for modification C:\Windows\Installer\f74c561.msi (msiexec.exe)
  - File opened for modification C:\Windows\Installer\ (msiexec.exe)
  - File opened for modification C:\Windows\Installer\MSIC8AE.tmp (msiexec.exe)
- Modifies data under HKEY_USERS (44 IoCs)
  Processes: DrvInst.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: msiexec.exe (pid 1340)
- Suspicious use of AdjustPrivilegeToken (61 IoCs)
  Processes: msiexec.exe (pids 1948, 1340), vssvc.exe (pid 516), DrvInst.exe (pid 1476)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: msiexec.exe (pid 1948)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (source PID wrote to memory of target PID):
  - 1340 msiexec.exe -> 1032 MsiExec.exe (7 events)
  - 1340 msiexec.exe -> 820 MSIC8AE.tmp (4 events)
  - 820 MSIC8AE.tmp -> 1148 cmd.exe (4 events)
Processes
- [depth 1] C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Avast-Setup-v8.56.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- [depth 1] C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7DB6BB34A412F1F5C103544EB69127C9
  - [depth 2] C:\Windows\Installer\MSIC8AE.tmp
    Command line: "C:\Windows\Installer\MSIC8AE.tmp"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe
- [depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005B0" "00000000000005A4"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Installer\MSIC8AE.tmp
  MD5: 8445acade2bf19b86c80f5c757c854e3
  SHA1: b919247aef9c63c2746778f112d99da3640336f3
  SHA256: 1da82af2407ee52355bf097d086eaff78732fe5f647be6650d52e579eef96984
  SHA512: aae2d7b513c0e12085e3f45e15d9240f07002660151ab90c5bc4292a27ee47e6f94b50a07a5c6ff2eaafc074a1cf4d4d8a07355cc52643163486e2171997580d
- memory/820-63-0x0000000000000000-mapping.dmp
- memory/820-66-0x0000000000020000-0x0000000000021000-memory.dmp (Filesize 4KB)
- memory/820-67-0x00000000003C0000-0x00000000003EB000-memory.dmp (Filesize 172KB)
- memory/820-68-0x00000000004C0000-0x00000000004F1000-memory.dmp (Filesize 196KB)
- memory/820-69-0x00000000021A0000-0x00000000021FF000-memory.dmp (Filesize 380KB)
- memory/820-70-0x0000000000420000-0x0000000000440000-memory.dmp (Filesize 128KB)
- memory/1032-62-0x0000000000000000-mapping.dmp
- memory/1032-65-0x0000000075511000-0x0000000075513000-memory.dmp (Filesize 8KB)
- memory/1148-71-0x0000000000000000-mapping.dmp
- memory/1948-60-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp (Filesize 8KB)