Analysis

  • max time kernel
    149s
  • max time network
    170s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    19-10-2021 14:50

General

  • Target

    t1.msi

  • Size

    124KB

  • MD5

    5262da4295e8a62d58d17991b35bf860

  • SHA1

    3fba37528f6b06d2c89c7d86ce6352df438f1855

  • SHA256

    058ee0434baf472713da384ee3ba273f64995b9c7f83b7e62a8b3285b334b2cf

  • SHA512

    8a82d10997e8b64ab12688e6cb909e405644bfcf2ed0e47df9c16009bf1ae415c17bc5a0cc27717d34f6f5484ca27fe026893b4637ea01cb1209dd0427574c18

Score
10/10

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Executes dropped EXE 1 IoCs
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 61 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\t1.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1508
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:584
    • C:\Windows\Installer\MSI8D82.tmp
      "C:\Windows\Installer\MSI8D82.tmp"
      2⤵
      • Executes dropped EXE
      • Checks QEMU agent file
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\Windows\Installer\MSI8D82.tmp
        "C:\Windows\Installer\MSI8D82.tmp"
        3⤵
        • Checks QEMU agent file
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:1764
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1288
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot13" "" "" "66d15495b" "0000000000000000" "00000000000003A4" "00000000000003D0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1672

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Installer\MSI8D82.tmp

    MD5

    8c0ef68bfe8b4f2d72ca3599aedb6387

    SHA1

    b6c02d95c26e2ec62ba27d0e4c3cd3b1e7f25261

    SHA256

    4b2a32c7afbfb44a85d88bfd4f0a79306278d880c64a28bf3242dc686665c8fe

    SHA512

    87bf4a30a191e4e7ccc4c17122868a7355d20d4666c954d0229c47bd253077565ee151b33d3a3fff439d56cf0e6360d923055ec7a4993f797a8446a86d29d733

  • C:\Windows\Installer\MSI8D82.tmp

    MD5

    8c0ef68bfe8b4f2d72ca3599aedb6387

    SHA1

    b6c02d95c26e2ec62ba27d0e4c3cd3b1e7f25261

    SHA256

    4b2a32c7afbfb44a85d88bfd4f0a79306278d880c64a28bf3242dc686665c8fe

    SHA512

    87bf4a30a191e4e7ccc4c17122868a7355d20d4666c954d0229c47bd253077565ee151b33d3a3fff439d56cf0e6360d923055ec7a4993f797a8446a86d29d733

  • C:\Windows\Installer\MSI8D82.tmp

    MD5

    8c0ef68bfe8b4f2d72ca3599aedb6387

    SHA1

    b6c02d95c26e2ec62ba27d0e4c3cd3b1e7f25261

    SHA256

    4b2a32c7afbfb44a85d88bfd4f0a79306278d880c64a28bf3242dc686665c8fe

    SHA512

    87bf4a30a191e4e7ccc4c17122868a7355d20d4666c954d0229c47bd253077565ee151b33d3a3fff439d56cf0e6360d923055ec7a4993f797a8446a86d29d733

  • memory/864-63-0x0000000077CB0000-0x0000000077E30000-memory.dmp

    Filesize

    1.5MB

  • memory/864-70-0x0000000077CB0000-0x0000000077E30000-memory.dmp

    Filesize

    1.5MB

  • memory/864-59-0x0000000000240000-0x0000000000251000-memory.dmp

    Filesize

    68KB

  • memory/864-61-0x0000000076B61000-0x0000000076B63000-memory.dmp

    Filesize

    8KB

  • memory/864-62-0x0000000077AD0000-0x0000000077C79000-memory.dmp

    Filesize

    1.7MB

  • memory/864-57-0x0000000000220000-0x0000000000226000-memory.dmp

    Filesize

    24KB

  • memory/864-58-0x0000000000220000-0x000000000022A000-memory.dmp

    Filesize

    40KB

  • memory/864-55-0x0000000000000000-mapping.dmp

  • memory/1508-53-0x000007FEFC4F1000-0x000007FEFC4F3000-memory.dmp

    Filesize

    8KB

  • memory/1764-68-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

  • memory/1764-71-0x00000000001B0000-0x00000000002B0000-memory.dmp

    Filesize

    1024KB

  • memory/1764-66-0x0000000000401230-mapping.dmp

  • memory/1764-73-0x0000000077AD0000-0x0000000077C79000-memory.dmp

    Filesize

    1.7MB

  • memory/1764-74-0x0000000077CB0000-0x0000000077E30000-memory.dmp

    Filesize

    1.5MB