Overview

overview

8

Static

static

trehjugdr4et6u.msi

windows7_x64

8

trehjugdr4et6u.msi

windows10_x64

8

Analysis

  • max time kernel
    28s
  • max time network
    78s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    07-10-2021 13:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    trehjugdr4et6u.msi

  • Size

    548KB

  • MD5

    065e70c3b1e6841074a25aafa95e20bd

  • SHA1

    0a230bdb9e7baf228a63deefa489e2263e879eaa

  • SHA256

    a69d27abd043cc676095f71300bf6b2368167536fcd4fe5342cf79a7e94fc2fe

  • SHA512

    3daf1be9ab90707cc706f58d3598f59f1f0fec4820eb8838041d9c3454b5daf12765005fb663f8501ab873ccfe8f67d02f8af87ea2e22389d9724e5a3d9c0f77

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Modifies data under HKEY_USERS 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 59 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\trehjugdr4et6u.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1876
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\ProgramData\Local\Google\rebol-view-278-3-1.exe
      "C:\ProgramData\Local\Google\rebol-view-278-3-1.exe" -w -i -s C:\ProgramData\Local\Google\exemple.rb
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c echo %USERDOMAIN%\%USERNAME% > name && for /f "tokens=4-5 delims=. " %i in ('ver') do echo %i.%j > os && echo %PROCESSOR_ARCHITECTURE% > arch
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1772
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ver
          4⤵
            PID:324
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1380
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005C0" "00000000000005BC"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1604

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Local\Google\arch
      MD5

      8a882b4a938846d19520af8484f09012

      SHA1

      4ba6aa85fc2d9c1f087fd0573ed818af71c4b6fe

      SHA256

      1009573fa6f897afcc5055f52a2216bfe7fcb308d6cab15922a5b3668df7f34b

      SHA512

      299aa6f6d42b8be1a827b8a2543b89de4c324a050d3aa34cf74b7550774586aeec60cccf83782c69569a0fb81a171e3ea6de0c56c11ec6f563b1fe1864452543

      Download Submit
    • C:\ProgramData\Local\Google\exemple.rb
      MD5

      ff4a24c83564f1a01d5a815eaa8a2bf9

      SHA1

      2e713f9fc72db1ed0cd5088172c3b24906e8be13

      SHA256

      9c109c41d497cbe752edf56c1ac0e1ffb06357160b12100cc84eb2d4ddcb7b13

      SHA512

      e628d20c9bc728709d0f46557e5fd017e4594dcbd680486acd6ed1e1721a8692644f2cf0f323b30e74d03230b8320d2f6e1b0f5fd073192e1a28aa7e8ac2c7e1

      Download Submit
    • C:\ProgramData\Local\Google\name
      MD5

      0a6d8f9a1321afcc7f86f9f9e81144d9

      SHA1

      7acc822047556dcb813f53d5e5fc5066bc29f104

      SHA256

      edc9ff56b2b61627fbec33c2a0704a825ac423e5f241c0bbdc11131da5ebe7bb

      SHA512

      f47923f35b31cc295d17484ff862508a22082270967dc5ec141027dd69093b8e77ad99b7a435e4aa1ca7dad7c4c73dbb7800f7d51601c8f0d5e4106830e49ead

      Download Submit
    • C:\ProgramData\Local\Google\os
      MD5

      d7eeeee910efb9998f6c12c7ab0e8a78

      SHA1

      70e13d2bedbe139361bbbc9e446fd029d2bf4b8b

      SHA256

      adb14fb65d546224b96815d48af6823bf74c54aab2707831d539c2c2762403fe

      SHA512

      2e87c25678e5d0c0e3e7a344f03be0819d8a790b1af64877574ff479c9619d80b406b81ac4a1e6f1ff04cbcce1446a19a243867d4d28dae43363a8140a81906d

      Download Submit
    • C:\ProgramData\Local\Google\rebol-view-278-3-1.exe
      MD5

      aa2f4fd92fe00de85428f39a6e0e9cfd

      SHA1

      1def65dde53ab24c122da6c76646a36d7d910790

      SHA256

      215e28f9660472b6271a9902573c9d190e4d7ccca33fcf8d6054941d52a3ab85

      SHA512

      952b500e4a291a8bd58810529c1fcc17d969b082d29f00460aba6ada44a30ddc41595f8b0fe71e568ecba803df69985840f10f0a9e478c796c73dc5659ce314e

      Download Submit
    • memory/324-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1576-61-0x0000000000000000-mapping.dmp
      Download
    • memory/1576-63-0x0000000075891000-0x0000000075893000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1772-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1876-59-0x000007FEFBEA1000-0x000007FEFBEA3000-memory.dmp
      Filesize

      8KB

      Download