Analysis

  • max time kernel
    600s
  • max time network
    602s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    22-10-2021 06:51

General

  • Target
    RandsomWare.msi
  • Size
    698KB
  • MD5
    eadca8bf5237297a07385d3a7ab386b2
  • SHA1
    688ab0e86912fa8c59755d8205e7a4decc2706d3
  • SHA256
    ae205185b912d2c4be5df9c4786b47e164db6e23fd9f51893e7e7c77f5ca4915
  • SHA512
    39d9c32edce729bb97bcef81a3510ab96f6003e13cc5e3a819208b431375dcdf610e49b929f045a6a26ae28a2ff5762ff67c19de5ab0ba8dbe00074c456d6021

Score
8/10

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Executes dropped EXE (1 IoC)
  • Modifies extensions of user files (2 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL (4 IoCs)
  • Drops desktop.ini file(s) (4 IoCs)
  • Enumerates connected drives (3 TTPs, 48 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • Modifies data under HKEY_USERS (43 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Windows\system32\msiexec.exe (PID 1612, depth 1)
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\RandsomWare.msi
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
  • C:\Windows\system32\msiexec.exe (PID 628, depth 1)
    C:\Windows\system32\msiexec.exe /V
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\syswow64\MsiExec.exe (PID 980, depth 2)
      C:\Windows\syswow64\MsiExec.exe -Embedding 2E5C3303964E20D98E5FB71502B1D454 C
      • Loads dropped DLL
    • C:\Windows\syswow64\MsiExec.exe (PID 948, depth 2)
      C:\Windows\syswow64\MsiExec.exe -Embedding 860E819CE9868CA1FC76A39F8929F443
      • Loads dropped DLL
  • C:\Windows\system32\vssvc.exe (PID 1648, depth 1)
    C:\Windows\system32\vssvc.exe
  • C:\Windows\system32\DrvInst.exe (PID 1936, depth 1)
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot13" "" "" "66d15495b" "0000000000000000" "00000000000003C0" "00000000000004B0"
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
  • C:\Program Files (x86)\Default Company Name\RandsomWare\RansomWare.exe (PID 1620, depth 1)
    "C:\Program Files (x86)\Default Company Name\RandsomWare\RansomWare.exe"
    • Executes dropped EXE
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\explorer.exe (PID 1700, depth 1)
    "C:\Windows\explorer.exe"
  • C:\Windows\system32\AUDIODG.EXE (PID 752, depth 1)
    C:\Windows\system32\AUDIODG.EXE 0x570

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 1


Downloads
