Analysis
-
max time kernel
28s -
max time network
78s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
07-10-2021 13:51
Static task
static1
Behavioral task
behavioral1
Sample
trehjugdr4et6u.msi
Resource
win7v20210408
Behavioral task
behavioral2
Sample
trehjugdr4et6u.msi
Resource
win10-en-20210920
General
-
Target
trehjugdr4et6u.msi
-
Size
548KB
-
MD5
065e70c3b1e6841074a25aafa95e20bd
-
SHA1
0a230bdb9e7baf228a63deefa489e2263e879eaa
-
SHA256
a69d27abd043cc676095f71300bf6b2368167536fcd4fe5342cf79a7e94fc2fe
-
SHA512
3daf1be9ab90707cc706f58d3598f59f1f0fec4820eb8838041d9c3454b5daf12765005fb663f8501ab873ccfe8f67d02f8af87ea2e22389d9724e5a3d9c0f77
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
rebol-view-278-3-1.exepid Process 1576 rebol-view-278-3-1.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
msiexec.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ msiexec.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\ProgramData\\Local\\Google\\rebol-view-278-3-1.exe -w -i -s C:\\ProgramData\\Local\\Google\\exemple.rb" msiexec.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc Process File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\G: msiexec.exe -
Drops file in Windows directory 9 IoCs
Processes:
msiexec.exeDrvInst.exedescription ioc Process File created C:\Windows\Installer\f75843d.msi msiexec.exe File opened for modification C:\Windows\Installer\f75843d.msi msiexec.exe File created C:\Windows\Installer\f75843e.ipi msiexec.exe File opened for modification C:\Windows\Installer\f75843e.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI865F.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe -
Modifies data under HKEY_USERS 44 IoCs
Processes:
DrvInst.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid Process 2036 msiexec.exe 2036 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 59 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exeDrvInst.exedescription pid Process Token: SeShutdownPrivilege 1876 msiexec.exe Token: SeIncreaseQuotaPrivilege 1876 msiexec.exe Token: SeRestorePrivilege 2036 msiexec.exe Token: SeTakeOwnershipPrivilege 2036 msiexec.exe Token: SeSecurityPrivilege 2036 msiexec.exe Token: SeCreateTokenPrivilege 1876 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1876 msiexec.exe Token: SeLockMemoryPrivilege 1876 msiexec.exe Token: SeIncreaseQuotaPrivilege 1876 msiexec.exe Token: SeMachineAccountPrivilege 1876 msiexec.exe Token: SeTcbPrivilege 1876 msiexec.exe Token: SeSecurityPrivilege 1876 msiexec.exe Token: SeTakeOwnershipPrivilege 1876 msiexec.exe Token: SeLoadDriverPrivilege 1876 msiexec.exe Token: SeSystemProfilePrivilege 1876 msiexec.exe Token: SeSystemtimePrivilege 1876 msiexec.exe Token: SeProfSingleProcessPrivilege 1876 msiexec.exe Token: SeIncBasePriorityPrivilege 1876 msiexec.exe Token: SeCreatePagefilePrivilege 1876 msiexec.exe Token: SeCreatePermanentPrivilege 1876 msiexec.exe Token: SeBackupPrivilege 1876 msiexec.exe Token: SeRestorePrivilege 1876 msiexec.exe Token: SeShutdownPrivilege 1876 msiexec.exe Token: SeDebugPrivilege 1876 msiexec.exe Token: SeAuditPrivilege 1876 msiexec.exe Token: SeSystemEnvironmentPrivilege 1876 msiexec.exe Token: SeChangeNotifyPrivilege 1876 msiexec.exe Token: SeRemoteShutdownPrivilege 1876 msiexec.exe Token: SeUndockPrivilege 1876 msiexec.exe Token: SeSyncAgentPrivilege 1876 msiexec.exe Token: SeEnableDelegationPrivilege 1876 msiexec.exe Token: SeManageVolumePrivilege 1876 msiexec.exe Token: SeImpersonatePrivilege 1876 msiexec.exe Token: SeCreateGlobalPrivilege 1876 msiexec.exe Token: SeBackupPrivilege 1380 vssvc.exe Token: SeRestorePrivilege 1380 vssvc.exe Token: SeAuditPrivilege 1380 vssvc.exe Token: SeBackupPrivilege 2036 msiexec.exe Token: SeRestorePrivilege 2036 msiexec.exe Token: SeRestorePrivilege 1604 DrvInst.exe Token: SeRestorePrivilege 1604 DrvInst.exe Token: SeRestorePrivilege 1604 DrvInst.exe Token: SeRestorePrivilege 1604 DrvInst.exe Token: SeRestorePrivilege 1604 DrvInst.exe Token: SeRestorePrivilege 1604 DrvInst.exe Token: SeRestorePrivilege 1604 DrvInst.exe Token: SeLoadDriverPrivilege 1604 DrvInst.exe Token: SeLoadDriverPrivilege 1604 DrvInst.exe Token: SeLoadDriverPrivilege 1604 DrvInst.exe Token: SeRestorePrivilege 2036 msiexec.exe Token: SeTakeOwnershipPrivilege 2036 msiexec.exe Token: SeRestorePrivilege 2036 msiexec.exe Token: SeTakeOwnershipPrivilege 2036 msiexec.exe Token: SeRestorePrivilege 2036 msiexec.exe Token: SeTakeOwnershipPrivilege 2036 msiexec.exe Token: SeRestorePrivilege 2036 msiexec.exe Token: SeTakeOwnershipPrivilege 2036 msiexec.exe Token: SeRestorePrivilege 2036 msiexec.exe Token: SeTakeOwnershipPrivilege 2036 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid Process 1876 msiexec.exe 1876 msiexec.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
msiexec.exerebol-view-278-3-1.execmd.exedescription pid Process procid_target PID 2036 wrote to memory of 1576 2036 msiexec.exe 31 PID 2036 wrote to memory of 1576 2036 msiexec.exe 31 PID 2036 wrote to memory of 1576 2036 msiexec.exe 31 PID 2036 wrote to memory of 1576 2036 msiexec.exe 31 PID 1576 wrote to memory of 1772 1576 rebol-view-278-3-1.exe 32 PID 1576 wrote to memory of 1772 1576 rebol-view-278-3-1.exe 32 PID 1576 wrote to memory of 1772 1576 rebol-view-278-3-1.exe 32 PID 1576 wrote to memory of 1772 1576 rebol-view-278-3-1.exe 32 PID 1772 wrote to memory of 324 1772 cmd.exe 34 PID 1772 wrote to memory of 324 1772 cmd.exe 34 PID 1772 wrote to memory of 324 1772 cmd.exe 34 PID 1772 wrote to memory of 324 1772 cmd.exe 34
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\trehjugdr4et6u.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1876
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\ProgramData\Local\Google\rebol-view-278-3-1.exe"C:\ProgramData\Local\Google\rebol-view-278-3-1.exe" -w -i -s C:\ProgramData\Local\Google\exemple.rb2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo %USERDOMAIN%\%USERNAME% > name && for /f "tokens=4-5 delims=. " %i in ('ver') do echo %i.%j > os && echo %PROCESSOR_ARCHITECTURE% > arch3⤵
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver4⤵PID:324
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1380
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005C0" "00000000000005BC"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1604
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
8a882b4a938846d19520af8484f09012
SHA14ba6aa85fc2d9c1f087fd0573ed818af71c4b6fe
SHA2561009573fa6f897afcc5055f52a2216bfe7fcb308d6cab15922a5b3668df7f34b
SHA512299aa6f6d42b8be1a827b8a2543b89de4c324a050d3aa34cf74b7550774586aeec60cccf83782c69569a0fb81a171e3ea6de0c56c11ec6f563b1fe1864452543
-
MD5
ff4a24c83564f1a01d5a815eaa8a2bf9
SHA12e713f9fc72db1ed0cd5088172c3b24906e8be13
SHA2569c109c41d497cbe752edf56c1ac0e1ffb06357160b12100cc84eb2d4ddcb7b13
SHA512e628d20c9bc728709d0f46557e5fd017e4594dcbd680486acd6ed1e1721a8692644f2cf0f323b30e74d03230b8320d2f6e1b0f5fd073192e1a28aa7e8ac2c7e1
-
MD5
0a6d8f9a1321afcc7f86f9f9e81144d9
SHA17acc822047556dcb813f53d5e5fc5066bc29f104
SHA256edc9ff56b2b61627fbec33c2a0704a825ac423e5f241c0bbdc11131da5ebe7bb
SHA512f47923f35b31cc295d17484ff862508a22082270967dc5ec141027dd69093b8e77ad99b7a435e4aa1ca7dad7c4c73dbb7800f7d51601c8f0d5e4106830e49ead
-
MD5
d7eeeee910efb9998f6c12c7ab0e8a78
SHA170e13d2bedbe139361bbbc9e446fd029d2bf4b8b
SHA256adb14fb65d546224b96815d48af6823bf74c54aab2707831d539c2c2762403fe
SHA5122e87c25678e5d0c0e3e7a344f03be0819d8a790b1af64877574ff479c9619d80b406b81ac4a1e6f1ff04cbcce1446a19a243867d4d28dae43363a8140a81906d
-
MD5
aa2f4fd92fe00de85428f39a6e0e9cfd
SHA11def65dde53ab24c122da6c76646a36d7d910790
SHA256215e28f9660472b6271a9902573c9d190e4d7ccca33fcf8d6054941d52a3ab85
SHA512952b500e4a291a8bd58810529c1fcc17d969b082d29f00460aba6ada44a30ddc41595f8b0fe71e568ecba803df69985840f10f0a9e478c796c73dc5659ce314e