Analysis
-
max time kernel
1570s -
max time network
1569s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
09-05-2021 11:38
Static task
static1
Behavioral task
behavioral1
Sample
Avast-Setup-v8.56.msi
Resource
win7v20210410
Behavioral task
behavioral2
Sample
Avast-Setup-v8.56.msi
Resource
win10v20210408
General
-
Target
Avast-Setup-v8.56.msi
-
Size
156KB
-
MD5
a31c17a0a4a0d3caf0472c747c890d1a
-
SHA1
2022484abc139e3643dcf2e1f29a0e52564e738f
-
SHA256
0685a699fb13d6bc99b6aee35381acf77b00155d56e7448a300aa308fd07598c
-
SHA512
b551814e1056a96298fab0de7bdc3d746ff7db07cdb0d3b5dc39ee8fc260e03de8b7b329226ce8dbc50bcd809bb8d335fd0de7f2eddf5748d1ed990b5ff0af14
Malware Config
Extracted
metasploit
windows/reverse_tcp
3.141.210.37:18573
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Executes dropped EXE 1 IoCs
Processes:
MSI2963.tmppid process 1664 MSI2963.tmp -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe -
Drops file in Windows directory 10 IoCs
Processes:
msiexec.exeDrvInst.exedescription ioc process File created C:\Windows\Installer\f7426f1.msi msiexec.exe File opened for modification C:\Windows\Installer\f7426f1.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI2932.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2963.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f7426f2.ipi msiexec.exe File opened for modification C:\Windows\Installer\f7426f2.ipi msiexec.exe -
Modifies data under HKEY_USERS 44 IoCs
Processes:
DrvInst.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid process 1736 msiexec.exe 1736 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 61 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exeDrvInst.exedescription pid process Token: SeShutdownPrivilege 1240 msiexec.exe Token: SeIncreaseQuotaPrivilege 1240 msiexec.exe Token: SeRestorePrivilege 1736 msiexec.exe Token: SeTakeOwnershipPrivilege 1736 msiexec.exe Token: SeSecurityPrivilege 1736 msiexec.exe Token: SeCreateTokenPrivilege 1240 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1240 msiexec.exe Token: SeLockMemoryPrivilege 1240 msiexec.exe Token: SeIncreaseQuotaPrivilege 1240 msiexec.exe Token: SeMachineAccountPrivilege 1240 msiexec.exe Token: SeTcbPrivilege 1240 msiexec.exe Token: SeSecurityPrivilege 1240 msiexec.exe Token: SeTakeOwnershipPrivilege 1240 msiexec.exe Token: SeLoadDriverPrivilege 1240 msiexec.exe Token: SeSystemProfilePrivilege 1240 msiexec.exe Token: SeSystemtimePrivilege 1240 msiexec.exe Token: SeProfSingleProcessPrivilege 1240 msiexec.exe Token: SeIncBasePriorityPrivilege 1240 msiexec.exe Token: SeCreatePagefilePrivilege 1240 msiexec.exe Token: SeCreatePermanentPrivilege 1240 msiexec.exe Token: SeBackupPrivilege 1240 msiexec.exe Token: SeRestorePrivilege 1240 msiexec.exe Token: SeShutdownPrivilege 1240 msiexec.exe Token: SeDebugPrivilege 1240 msiexec.exe Token: SeAuditPrivilege 1240 msiexec.exe Token: SeSystemEnvironmentPrivilege 1240 msiexec.exe Token: SeChangeNotifyPrivilege 1240 msiexec.exe Token: SeRemoteShutdownPrivilege 1240 msiexec.exe Token: SeUndockPrivilege 1240 msiexec.exe Token: SeSyncAgentPrivilege 1240 msiexec.exe Token: SeEnableDelegationPrivilege 1240 msiexec.exe Token: SeManageVolumePrivilege 1240 msiexec.exe Token: SeImpersonatePrivilege 1240 msiexec.exe Token: SeCreateGlobalPrivilege 1240 msiexec.exe Token: SeBackupPrivilege 1336 vssvc.exe Token: SeRestorePrivilege 1336 vssvc.exe Token: SeAuditPrivilege 1336 vssvc.exe Token: SeBackupPrivilege 1736 msiexec.exe Token: SeRestorePrivilege 1736 msiexec.exe Token: SeRestorePrivilege 1196 DrvInst.exe Token: SeRestorePrivilege 1196 DrvInst.exe Token: SeRestorePrivilege 1196 DrvInst.exe Token: SeRestorePrivilege 1196 DrvInst.exe Token: SeRestorePrivilege 1196 DrvInst.exe Token: SeRestorePrivilege 1196 DrvInst.exe Token: SeRestorePrivilege 1196 DrvInst.exe Token: SeLoadDriverPrivilege 1196 DrvInst.exe Token: SeLoadDriverPrivilege 1196 DrvInst.exe Token: SeLoadDriverPrivilege 1196 DrvInst.exe Token: SeRestorePrivilege 1736 msiexec.exe Token: SeTakeOwnershipPrivilege 1736 msiexec.exe Token: SeRestorePrivilege 1736 msiexec.exe Token: SeTakeOwnershipPrivilege 1736 msiexec.exe Token: SeRestorePrivilege 1736 msiexec.exe Token: SeTakeOwnershipPrivilege 1736 msiexec.exe Token: SeRestorePrivilege 1736 msiexec.exe Token: SeTakeOwnershipPrivilege 1736 msiexec.exe Token: SeRestorePrivilege 1736 msiexec.exe Token: SeTakeOwnershipPrivilege 1736 msiexec.exe Token: SeRestorePrivilege 1736 msiexec.exe Token: SeTakeOwnershipPrivilege 1736 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 1240 msiexec.exe 1240 msiexec.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
msiexec.exedescription pid process target process PID 1736 wrote to memory of 1612 1736 msiexec.exe MsiExec.exe PID 1736 wrote to memory of 1612 1736 msiexec.exe MsiExec.exe PID 1736 wrote to memory of 1612 1736 msiexec.exe MsiExec.exe PID 1736 wrote to memory of 1612 1736 msiexec.exe MsiExec.exe PID 1736 wrote to memory of 1612 1736 msiexec.exe MsiExec.exe PID 1736 wrote to memory of 1612 1736 msiexec.exe MsiExec.exe PID 1736 wrote to memory of 1612 1736 msiexec.exe MsiExec.exe PID 1736 wrote to memory of 1664 1736 msiexec.exe MSI2963.tmp PID 1736 wrote to memory of 1664 1736 msiexec.exe MSI2963.tmp PID 1736 wrote to memory of 1664 1736 msiexec.exe MSI2963.tmp PID 1736 wrote to memory of 1664 1736 msiexec.exe MSI2963.tmp
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Avast-Setup-v8.56.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C7BBDD298EA1F832D0525417A78C89B62⤵
-
C:\Windows\Installer\MSI2963.tmp"C:\Windows\Installer\MSI2963.tmp"2⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000002D0" "00000000000005A8"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Installer\MSI2963.tmpMD5
abf8e8992450606a9a105db417c7026e
SHA1ef39ed2f67328ab085dd3546fc8417bee70386cb
SHA256b6d726d795245a163215ed261f2b6c030d0abead967077bf1bac3170d1a79e7c
SHA5128eeaf6fef20ba24299ad5e1c4cea3f373a69a5d105d8753dc21cda21ea9f9c92e14a40f31f9dac4a7b0506d985794c5fb19d79f34c8ec98527e59ddecbfa72af
-
memory/1240-59-0x000007FEFB591000-0x000007FEFB593000-memory.dmpFilesize
8KB
-
memory/1612-61-0x0000000000000000-mapping.dmp
-
memory/1612-64-0x00000000752B1000-0x00000000752B3000-memory.dmpFilesize
8KB
-
memory/1664-62-0x0000000000000000-mapping.dmp
-
memory/1664-65-0x0000000000020000-0x0000000000021000-memory.dmpFilesize
4KB