Overview

overview

10

Static

static

Due-Dilige...es.msi

windows7_x64

8

Due-Dilige...es.msi

windows10_x64

10

Resubmissions

19/06/2024, 06:12

240619-gyadhsvhkh 10

16/09/2021, 08:31

210916-keqg6scfa6 10

Analysis

  • max time kernel
    137s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-en
  • submitted
    16/09/2021, 08:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Due-Diligence-Checklist-For-Oil-And-Gas-Properties.msi

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Due-Diligence-Checklist-For-Oil-And-Gas-Properties.msi
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Users\Admin\AppData\Local\Temp\MSI564.tmp
      "C:\Users\Admin\AppData\Local\Temp\MSI564.tmp"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:1976
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A776C0033133A581DF8120B718B69634 C
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss792.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi770.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr771.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr772.txt" -propSep " :<->: " -testPrefix "_testValue."
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        PID:1036
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1C8C29DDB20EC90356E1F3B19CDCC9D9 C
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:1288

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1032-52-0x000007FEFB651000-0x000007FEFB653000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1036-66-0x00000000021C1000-0x00000000021C2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1036-67-0x00000000021C2000-0x00000000021C4000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1036-65-0x00000000021C0000-0x00000000021C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1536-59-0x0000000075B51000-0x0000000075B53000-memory.dmp

    Filesize

    8KB

    Download