Analysis
-
max time kernel
147s -
max time network
126s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
25-10-2021 17:19
General
-
Target
download.dat.msi
-
Size
953KB
-
MD5
f2836216ca554dfdc8a300decb644911
-
SHA1
338829d2c88f430b0d00bfb03ad8a43649b4e1d8
-
SHA256
951c2f341e914601140aa9ead05895f6957d5cbfda80b81be99015d2be02d44f
-
SHA512
02148775c5db048566d0fb73e7d8da06597362a31934907ce356238bc1aa8ab4b319094d16d2a5881bf9b6797fde023c42a76846448a5436f4b72f067a668b1c
Malware Config
Signatures
-
Blocklisted process makes network request 4 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 12 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 32 IoCs
-
Modifies data under HKEY_USERS 9 IoCs
-
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\download.dat.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A5E951C4B1DD54D434E13CCED01C46A02⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\OlCZLjuyNteA\lKGhCvzKoMrc.exe'3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\OlCZLjuyNteA\lKGhCvzKoMrc.exeC:\Users\Admin\OlCZLjuyNteA\lKGhCvzKoMrc.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /CREATE /TN "visual-estudio " /TR C:\\Users\Admin\OlCZLjuyNteA\lKGhCvzKoMrc.exe /SC minute /MO 2 /IT /RU %USERNAME%2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "visual-estudio " /TR C:\\Users\Admin\OlCZLjuyNteA\lKGhCvzKoMrc.exe /SC minute /MO 2 /IT /RU Admin3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5b01⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x02⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
58dfae01aa00545d2234403fed2fe071
SHA139e0fec80455c172842ae29c6f32dfd9f9af6734
SHA256b1b1fa0d5200580ae32fedbea71a1518bca977e854eb4c39cbfd6878533c4399
SHA51202eddbbcc5bd98be2fa20fc509ba5822091a3bd3024f5ee0c5ff1fc9615a6406e698bdb536ab47f1cd5ec18d19c93e9ea86e27b33b72339d57b51d10143f0558
-
MD5
8198bb1b12b41a286c7bbfa51fc45e46
SHA16c954fea8676904c0999f179bab8067896e9a14a
SHA256d37968ee7da25c83b9417218249d13a3cd177d8f30e012246a0ac4e32a307c77
SHA512a385332fdfa5d032283624cbf2e56f9b3618bac3a6b2cd96a0ce3923ebde8db5e27694d25f6d0ff22c1baa2ad458c12584ca3e067762e021f99479f9e732d703
-
MD5
f005db88d45289a876e941615c171fd1
SHA18224657600e5d0997bb055be00b871cae82eff54
SHA2561435322e9866f6654eaee12fdd8f9004c8e57654900671101f85501590b248df
SHA512f262df6afa9d7474eb7db8b0805639f6642ff0900c02161ba46c235ec3144bcf0dcedac67f6a40577a42f28c5e218e46b90dea18e52f1e7661f04f8a95a5e3a6
-
MD5
f82d4f0dae5b9fec3a2c9eda117a3e7d
SHA1a85ecba1354fa9fe9c1df86ecd0f6c4f97fb55c5
SHA25681f82b73951aadbf02acc849bf0f262e74c0b274db73a188e2016154f0bff0e5
SHA512d2eb4b2d54666dada213fbd67ef92d980b180fc10f29e044fb1c0ff6adb74d7be412ef20a902a8c8deab5ba6dcf55c846de13cf40cd27f5baefac3663944c0cb
-
MD5
c0b11a7e60f69241ddcb278722ab962f
SHA1ff855961eb5ed8779498915bab3d642044fc9bb1
SHA256a8d979460e970e84eacce36b8a68ae5f6b9cc0fe16e05a6209b4ead52b81b021
SHA512cb040aca6592310bffb72c898b8eb3ca8a46ff2df50212634c637593c58683c8ab62e0188da7aea362e1b063ae5db55cf4bf474295922af0ab94a526465cc472
-
MD5
ea245b00b9d27ef2bd96548a50a9cc2c
SHA18463fdcdd5ced10c519ee0b406408ae55368e094
SHA2564824a06b819cbe49c485d68a9802d9dae3e3c54d4c2d8b706c8a87b56ceefbf3
SHA512ef1e107571402925ab5b1d9b096d7ceff39c1245a23692a3976164d0de0314f726cca0cb10246fe58a13618fd5629a92025628373b3264153fc1d79b0415d9a7
-
MD5
55bb778fba7c0e7680d9536c26faff11
SHA1228b4cc2e25ab11d6d17511d2dcf54481589777c
SHA25671b779210d17cb75342fd229c6355a833927a76a9de3face5b88b3b18c345133
SHA512be4089ceb47469d1d89707eb5ae79fb474a505886bcd83c662ebd6ac9cae92cc03b9689cb937c5df5862e6c3f1e0495e5011d59521a910dd3277527ac424c155
-
MD5
a80d21f0f613d193812852cabf188f21
SHA12b26a05410a244e0558f9b89f2bcd32fdb8eee98
SHA256d6ad7018468d2a67b892077dbbc77d7d5b55fec2f1d8de15b4c414a29753fd33
SHA512da4a7afe65f5adb5a1214d901bb7aa8c736ff7863a696963ef31585a11846bf246efc5bd6c6266bb98c5e1368691468ca4bc849ca2cc1fe1d578eead783204e7
-
MD5
2358e10faa66a1c38caf7c3bcecf3386
SHA117a05b02fbb619a874996c32267fb49a19335eb4
SHA256b0197e1bae8448c4e334e1e8706be354d79b3a700860e9c2589905fb74b8672a
SHA5126801931659430be3996686a7466bb9dc2692499521b6d165cd1002616609833d119d17c30b1ba7fae50e8ca95bda5961115eee4ed47db25e0e69f423562f2eeb
-
MD5
113badfe1404cd59640cad6b409acb98
SHA12621f79b2143ae3704e814756e01d326d5145a5a
SHA25635a42f9ea63f72cda8a6c7af60a3fac081154128cba2bf7a7392d85383b6d18a
SHA512f861e831b8311094e32071191585eaceaa512d2bc42096e243a1f94309546614cd788231ce08484039bc70c41824f6c6055b9add233b4793a79f3f399b3cbafb
-
MD5
113badfe1404cd59640cad6b409acb98
SHA12621f79b2143ae3704e814756e01d326d5145a5a
SHA25635a42f9ea63f72cda8a6c7af60a3fac081154128cba2bf7a7392d85383b6d18a
SHA512f861e831b8311094e32071191585eaceaa512d2bc42096e243a1f94309546614cd788231ce08484039bc70c41824f6c6055b9add233b4793a79f3f399b3cbafb
-
MD5
1c8fa0a3230525dd56e5c51243f96fef
SHA1b995548f039250057d257107e858135d6502fb00
SHA256a8211a5c9c3acb0bc6cf3c8da70039ef52da42b8730dc5f9997318b2e6110eca
SHA5120e4622f20c6a2814979b01d883378e3b2087975b6c4e6bd1a88842727c351e11cead4d32d5e5d2c19e1acb2155ad4bcb191030347e70c495ab5a82832b41f11d
-
MD5
d90ab57e6c584f90fbbea74b566216e3
SHA14616e59aed33848f5870e5e1fe865f932721a162
SHA25644ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9
SHA5125b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695
-
MD5
d90ab57e6c584f90fbbea74b566216e3
SHA14616e59aed33848f5870e5e1fe865f932721a162
SHA25644ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9
SHA5125b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695
-
MD5
d90ab57e6c584f90fbbea74b566216e3
SHA14616e59aed33848f5870e5e1fe865f932721a162
SHA25644ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9
SHA5125b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695
-
MD5
06bf05c1b207c1340db60571ee6ef552
SHA164b9ad03c6827a320633336c5e53c974d950ef67
SHA2562ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901
SHA512a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81
-
MD5
06bf05c1b207c1340db60571ee6ef552
SHA164b9ad03c6827a320633336c5e53c974d950ef67
SHA2562ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901
SHA512a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81
-
MD5
8198bb1b12b41a286c7bbfa51fc45e46
SHA16c954fea8676904c0999f179bab8067896e9a14a
SHA256d37968ee7da25c83b9417218249d13a3cd177d8f30e012246a0ac4e32a307c77
SHA512a385332fdfa5d032283624cbf2e56f9b3618bac3a6b2cd96a0ce3923ebde8db5e27694d25f6d0ff22c1baa2ad458c12584ca3e067762e021f99479f9e732d703
-
MD5
f82d4f0dae5b9fec3a2c9eda117a3e7d
SHA1a85ecba1354fa9fe9c1df86ecd0f6c4f97fb55c5
SHA25681f82b73951aadbf02acc849bf0f262e74c0b274db73a188e2016154f0bff0e5
SHA512d2eb4b2d54666dada213fbd67ef92d980b180fc10f29e044fb1c0ff6adb74d7be412ef20a902a8c8deab5ba6dcf55c846de13cf40cd27f5baefac3663944c0cb
-
MD5
c0b11a7e60f69241ddcb278722ab962f
SHA1ff855961eb5ed8779498915bab3d642044fc9bb1
SHA256a8d979460e970e84eacce36b8a68ae5f6b9cc0fe16e05a6209b4ead52b81b021
SHA512cb040aca6592310bffb72c898b8eb3ca8a46ff2df50212634c637593c58683c8ab62e0188da7aea362e1b063ae5db55cf4bf474295922af0ab94a526465cc472
-
MD5
ea245b00b9d27ef2bd96548a50a9cc2c
SHA18463fdcdd5ced10c519ee0b406408ae55368e094
SHA2564824a06b819cbe49c485d68a9802d9dae3e3c54d4c2d8b706c8a87b56ceefbf3
SHA512ef1e107571402925ab5b1d9b096d7ceff39c1245a23692a3976164d0de0314f726cca0cb10246fe58a13618fd5629a92025628373b3264153fc1d79b0415d9a7
-
MD5
55bb778fba7c0e7680d9536c26faff11
SHA1228b4cc2e25ab11d6d17511d2dcf54481589777c
SHA25671b779210d17cb75342fd229c6355a833927a76a9de3face5b88b3b18c345133
SHA512be4089ceb47469d1d89707eb5ae79fb474a505886bcd83c662ebd6ac9cae92cc03b9689cb937c5df5862e6c3f1e0495e5011d59521a910dd3277527ac424c155
-
MD5
a80d21f0f613d193812852cabf188f21
SHA12b26a05410a244e0558f9b89f2bcd32fdb8eee98
SHA256d6ad7018468d2a67b892077dbbc77d7d5b55fec2f1d8de15b4c414a29753fd33
SHA512da4a7afe65f5adb5a1214d901bb7aa8c736ff7863a696963ef31585a11846bf246efc5bd6c6266bb98c5e1368691468ca4bc849ca2cc1fe1d578eead783204e7
-
MD5
2358e10faa66a1c38caf7c3bcecf3386
SHA117a05b02fbb619a874996c32267fb49a19335eb4
SHA256b0197e1bae8448c4e334e1e8706be354d79b3a700860e9c2589905fb74b8672a
SHA5126801931659430be3996686a7466bb9dc2692499521b6d165cd1002616609833d119d17c30b1ba7fae50e8ca95bda5961115eee4ed47db25e0e69f423562f2eeb
-
MD5
d90ab57e6c584f90fbbea74b566216e3
SHA14616e59aed33848f5870e5e1fe865f932721a162
SHA25644ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9
SHA5125b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695
-
MD5
d90ab57e6c584f90fbbea74b566216e3
SHA14616e59aed33848f5870e5e1fe865f932721a162
SHA25644ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9
SHA5125b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695
-
MD5
d90ab57e6c584f90fbbea74b566216e3
SHA14616e59aed33848f5870e5e1fe865f932721a162
SHA25644ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9
SHA5125b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695
-
MD5
06bf05c1b207c1340db60571ee6ef552
SHA164b9ad03c6827a320633336c5e53c974d950ef67
SHA2562ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901
SHA512a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81
-
MD5
06bf05c1b207c1340db60571ee6ef552
SHA164b9ad03c6827a320633336c5e53c974d950ef67
SHA2562ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901
SHA512a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81
-
Filesize
8KB
-
-
Filesize
4KB
-
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
3.6MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
96KB
-
Filesize
4.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
8KB
-
-
-
-
Filesize
4KB