Analysis
-
max time kernel
1200s -
max time network
681s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
09-07-2021 15:30
General
-
Target
REG.BR2.CGDCZJCFUNGBYDVNGJXGQIXMFMSMDFÒ.msi
-
Size
282KB
-
MD5
ccf235e43d3c30cada1d3cbc1e44ba51
-
SHA1
6040b0ad5a7bcdafefb94b7d515119ee449b16d7
-
SHA256
f905e9c4eddf8ce1d56241b41ba4bc68e01fa3898844d8e833980320ac22c1ef
-
SHA512
7d079684f317c783e3754f6bd1ebf015492e86ff67b715a632151acef736f02787cda8e2789bb2cff8775a0f150b1cae5580f85f99eed5b6adb74adbefb13a58
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 6 IoCs
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 55 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\REG.BR2.CGDCZJCFUNGBYDVNGJXGQIXMFMSMDFÒ.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3163D953B2B15124F25C24050EDF273C2⤵
- Blocklisted process makes network request
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cd\;cd 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup';Start-Sleep -s 60;Invoke-Item 'CAQCENCRYA.lnk'3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Downloads\UMLENXHRLYSDDDBPLIJA\SCLDILBYMFVBEJSWWWRPTEQTSLRRSGWECQIÉ.exe"C:\Users\Public\Downloads\UMLENXHRLYSDDDBPLIJA\SCLDILBYMFVBEJSWWWRPTEQTSLRRSGWECQIÉ.exe"4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\157393131\zmstage.exezmstage.exe2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MSI40426.LOGMD5
43e95a5bfaff34eeadb69da38123b22e
SHA1436e5d8e25090371b95a42395f8f50fee2e7e205
SHA256a20205dcc100e9c24c375f8dfabcd3fc05e6f5e41a64d5254034552f5bd35af8
SHA512f1b1fc52a849623cfbb28226fa4222517d5828a385ab9a3f9dea8ee5b81808e4988506dd98701e66f56feefe06fbc4a59ab39513afb8e806ee9fdbfa89b6402d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CAQCENCRYA.lnkMD5
05e8d6cd53a8700b3f4f98b75172ae08
SHA1cbdbbd892e40fa6c213d0f714572a594c3dc7450
SHA2560fdf0a002c2b362dfc55830cb28da58944526d79b02c37daeee2ff384c0a38e7
SHA51273ca71eaabf29e6770a6d9574dad64c40f846eaad88fec272dea124fe07edc85f2958b2f5184e861d6baa284ba8bce547449204b2487f5816911d2d35526be7f
-
C:\Users\Public\Downloads\UMLENXHRLYSDDDBPLIJA\Avira.OE.NativeCore.dllMD5
759bbd553496e0fad10ed1e89f83ecf9
SHA1240a2c2c465660e46f19de5bd5cb58a6f3a2d92a
SHA256568829dea29381ac4f997a1db9625e6619511b6849b1ddd0338a2a41f2710f72
SHA512186abbcf425b0d8f64c38aeaceac208df001321a49814642441bc236d14b8a82f3ebcb8e1eff839eef6ad0f00ba4388e4eb46bf5b43c8b3582f7573625a377ef
-
C:\Users\Public\Downloads\UMLENXHRLYSDDDBPLIJA\MSVCP120.dllMD5
fd5cabbe52272bd76007b68186ebaf00
SHA1efd1e306c1092c17f6944cc6bf9a1bfad4d14613
SHA25687c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608
SHA5121563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5
-
C:\Users\Public\Downloads\UMLENXHRLYSDDDBPLIJA\MSVCR120.dllMD5
034ccadc1c073e4216e9466b720f9849
SHA1f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1
SHA25686e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f
SHA5125f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7
-
C:\Users\Public\Downloads\UMLENXHRLYSDDDBPLIJA\SCLDILBYMFVBEJSWWWRPTEQTSLRRSGWECQIÉ.exeMD5
8cbb75febfb4b0b7c3b6d3613386220c
SHA1ba5493b08354aee85151b7bbd15150a1c3f03d1d
SHA256f495d7c5c98457febc42ec96a959293788f6915e4245899d3bb1808ab84f0d9a
SHA5128cb5f08f9e21fb6648f364869366ad09908be9e0317f95708a9e1931d30855cdfab199464bf5d72675bc1e166e8ce4645e6d0dca0d8d1c78428fbc77d4dd25fd
-
C:\Users\Public\Downloads\UMLENXHRLYSDDDBPLIJA\SCLDILBYMFVBEJSWWWRPTEQTSLRRSGWECQIÉ.exeMD5
8cbb75febfb4b0b7c3b6d3613386220c
SHA1ba5493b08354aee85151b7bbd15150a1c3f03d1d
SHA256f495d7c5c98457febc42ec96a959293788f6915e4245899d3bb1808ab84f0d9a
SHA5128cb5f08f9e21fb6648f364869366ad09908be9e0317f95708a9e1931d30855cdfab199464bf5d72675bc1e166e8ce4645e6d0dca0d8d1c78428fbc77d4dd25fd
-
C:\Windows\Installer\MSI712.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
C:\Windows\Installer\MSI85B.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
\Users\Public\Downloads\UMLENXHRLYSDDDBPLIJA\Avira.OE.NativeCore.dllMD5
759bbd553496e0fad10ed1e89f83ecf9
SHA1240a2c2c465660e46f19de5bd5cb58a6f3a2d92a
SHA256568829dea29381ac4f997a1db9625e6619511b6849b1ddd0338a2a41f2710f72
SHA512186abbcf425b0d8f64c38aeaceac208df001321a49814642441bc236d14b8a82f3ebcb8e1eff839eef6ad0f00ba4388e4eb46bf5b43c8b3582f7573625a377ef
-
\Users\Public\Downloads\UMLENXHRLYSDDDBPLIJA\SCLDILBYMFVBEJSWWWRPTEQTSLRRSGWECQIÉ.exeMD5
8cbb75febfb4b0b7c3b6d3613386220c
SHA1ba5493b08354aee85151b7bbd15150a1c3f03d1d
SHA256f495d7c5c98457febc42ec96a959293788f6915e4245899d3bb1808ab84f0d9a
SHA5128cb5f08f9e21fb6648f364869366ad09908be9e0317f95708a9e1931d30855cdfab199464bf5d72675bc1e166e8ce4645e6d0dca0d8d1c78428fbc77d4dd25fd
-
\Users\Public\Downloads\UMLENXHRLYSDDDBPLIJA\msvcp120.dllMD5
fd5cabbe52272bd76007b68186ebaf00
SHA1efd1e306c1092c17f6944cc6bf9a1bfad4d14613
SHA25687c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608
SHA5121563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5
-
\Users\Public\Downloads\UMLENXHRLYSDDDBPLIJA\msvcr120.dllMD5
034ccadc1c073e4216e9466b720f9849
SHA1f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1
SHA25686e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f
SHA5125f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7
-
\Windows\Installer\MSI712.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
\Windows\Installer\MSI85B.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
memory/740-106-0x000000006C910000-0x000000006EBA2000-memory.dmpFilesize
34.6MB
-
memory/740-107-0x000000006C911000-0x000000006CDB7000-memory.dmpFilesize
4.6MB
-
memory/740-108-0x00000000000E0000-0x00000000000E1000-memory.dmpFilesize
4KB
-
memory/740-97-0x0000000000000000-mapping.dmp
-
memory/1016-109-0x0000000000000000-mapping.dmp
-
memory/1752-63-0x0000000075D41000-0x0000000075D43000-memory.dmpFilesize
8KB
-
memory/1752-62-0x0000000000000000-mapping.dmp
-
memory/1868-70-0x0000000000F30000-0x0000000000F31000-memory.dmpFilesize
4KB
-
memory/1868-75-0x0000000005240000-0x0000000005241000-memory.dmpFilesize
4KB
-
memory/1868-92-0x0000000006240000-0x0000000006241000-memory.dmpFilesize
4KB
-
memory/1868-85-0x00000000060F0000-0x00000000060F1000-memory.dmpFilesize
4KB
-
memory/1868-84-0x000000007EF30000-0x000000007EF31000-memory.dmpFilesize
4KB
-
memory/1868-83-0x00000000056F0000-0x00000000056F1000-memory.dmpFilesize
4KB
-
memory/1868-78-0x0000000005660000-0x0000000005661000-memory.dmpFilesize
4KB
-
memory/1868-93-0x00000000062E0000-0x00000000062E1000-memory.dmpFilesize
4KB
-
memory/1868-74-0x00000000012C0000-0x00000000012C1000-memory.dmpFilesize
4KB
-
memory/1868-73-0x0000000000F82000-0x0000000000F83000-memory.dmpFilesize
4KB
-
memory/1868-72-0x0000000000F80000-0x0000000000F81000-memory.dmpFilesize
4KB
-
memory/1868-71-0x00000000047B0000-0x00000000047B1000-memory.dmpFilesize
4KB
-
memory/1868-68-0x0000000000000000-mapping.dmp
-
memory/1996-59-0x000007FEFB931000-0x000007FEFB933000-memory.dmpFilesize
8KB