Overview

overview

8

Static

static

10

download.dat.msi

windows7_x64

8

download.dat.msi

windows10_x64

8

Analysis

  • max time kernel
    120s
  • max time network
    157s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    25/10/2021, 17:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    download.dat.msi

  • Size

    953KB

  • MD5

    f2836216ca554dfdc8a300decb644911

  • SHA1

    338829d2c88f430b0d00bfb03ad8a43649b4e1d8

  • SHA256

    951c2f341e914601140aa9ead05895f6957d5cbfda80b81be99015d2be02d44f

  • SHA512

    02148775c5db048566d0fb73e7d8da06597362a31934907ce356238bc1aa8ab4b319094d16d2a5881bf9b6797fde023c42a76846448a5436f4b72f067a668b1c

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\download.dat.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3352
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 017247D0E3775E9B5754A55B09D8BF31
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      PID:1972

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1972-121-0x0000000000D60000-0x0000000000D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1972-120-0x0000000000D60000-0x0000000000D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2568-118-0x000001F537390000-0x000001F537392000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2568-117-0x000001F537390000-0x000001F537392000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3352-116-0x000002253C5F0000-0x000002253C5F2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3352-115-0x000002253C5F0000-0x000002253C5F2000-memory.dmp

    Filesize

    8KB

    Download