Analysis

  • max time kernel: 99s
  • max time network: 135s
  • platform: windows7_x64
  • resource: win7v20210410
  • submitted: 24-07-2021 15:19

General

  • Target: virus2.msi
  • Size: 265KB
  • MD5: adaf86a844ceb4e80e4ca98ccff75d13
  • SHA1: f87f0382283517ea2a4df566e6d1106034ef4095
  • SHA256: c1cb8740e27287680dc48fe05b24abccab80c18c34a442bc9dac0a0b7b700241
  • SHA512: 9b48d3b261c71d1dc40d6e4513cf93c6b04a38475b3a357194e1b869ee319a163f81089e4cf36fc497556a1e401c480d76b574786d696e384ea667bd770465d9

Score
8/10

Signatures

  • Blocklisted process makes network request (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Enumerates connected drives (3 TTPs, 48 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops file in Windows directory (3 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 36 IoCs)
  • Suspicious use of AdjustPrivilegeToken (38 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (19 IoCs)

Processes

  • C:\Windows\system32\msiexec.exe (PID 1200, depth 1)
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\virus2.msi
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
  • C:\Windows\system32\msiexec.exe (PID 1468, depth 1)
    C:\Windows\system32\msiexec.exe /V
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\syswow64\MsiExec.exe (PID 1744, depth 2)
      C:\Windows\syswow64\MsiExec.exe -Embedding 248CB6A8A4F54622AA43991BC06E3CE1
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe (PID 1368, depth 3)
        "C:\Windows\System32\cmd.exe" /C start /MIN https://bit.ly/3hXtxZbancs
        • Suspicious use of WriteProcessMemory
        • C:\Program Files\Internet Explorer\iexplore.exe (PID 1588, depth 4)
          "C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/3hXtxZbancs
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1476, depth 5)
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1588 CREDAT:275457 /prefetch:2
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                     ID     Count
  Defense Evasion   Modify Registry               T1112  1
  Discovery         Query Registry                T1012  1
  Discovery         Peripheral Device Discovery   T1120  1
  Discovery         System Information Discovery  T1082  1

Downloads