Overview

overview

8

Static

static

trehjugdr4et6u.msi

windows7_x64

8

trehjugdr4et6u.msi

windows10_x64

8

Analysis

  • max time kernel
    101s
  • max time network
    103s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    07-10-2021 13:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    trehjugdr4et6u.msi

  • Size

    548KB

  • MD5

    065e70c3b1e6841074a25aafa95e20bd

  • SHA1

    0a230bdb9e7baf228a63deefa489e2263e879eaa

  • SHA256

    a69d27abd043cc676095f71300bf6b2368167536fcd4fe5342cf79a7e94fc2fe

  • SHA512

    3daf1be9ab90707cc706f58d3598f59f1f0fec4820eb8838041d9c3454b5daf12765005fb663f8501ab873ccfe8f67d02f8af87ea2e22389d9724e5a3d9c0f77

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 7 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\trehjugdr4et6u.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2384
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1568
    • C:\ProgramData\Local\Google\rebol-view-278-3-1.exe
      "C:\ProgramData\Local\Google\rebol-view-278-3-1.exe" -w -i -s C:\ProgramData\Local\Google\exemple.rb
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2136
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c echo %USERDOMAIN%\%USERNAME% > name && for /f "tokens=4-5 delims=. " %i in ('ver') do echo %i.%j > os && echo %PROCESSOR_ARCHITECTURE% > arch
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3116
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ver
          4⤵
            PID:3120
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2928
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
      1⤵
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:940

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2384-115-0x00000233CEC20000-0x00000233CEC22000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2384-116-0x00000233CEC20000-0x00000233CEC22000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4024-118-0x0000019EF3E00000-0x0000019EF3E02000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4024-117-0x0000019EF3E00000-0x0000019EF3E02000-memory.dmp

      Filesize

      8KB

      Download