Overview

overview

10

Static

static

10

foo.msi

windows7_x64

6

foo.msi

windows10_x64

6

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    17-11-2021 02:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    foo.msi

  • Size

    64.2MB

  • MD5

    2d070b14498b782e1fb3500ef50b0c2a

  • SHA1

    475f50ea2192809daebb5ce61aaadc2a4708af24

  • SHA256

    b5e4e29d5457654f954e4267723b05d447f311c6cf96723fdca761a8e94948ec

  • SHA512

    0e5e7611f953500603baf4cd25788e75d36525c01e45e6b886a6a3896c78e1efc30579772215b78107a47e32950a7a58a8016882608037d00097a5088e7d510c

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\foo.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1632
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:292
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe /c "c:\opt\td-agent\td-agent-prompt.bat & fluentd --reg-winsvc i & fluentd --reg-winsvc-fluentdopt "-c C:\opt\td-agent\etc\td-agent\td-agent.conf -o C:\opt\td-agent\td-agent.log""
      2⤵
        PID:1496
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c "sc config fluentdwinsvc start= delayed-auto"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\Windows\SysWOW64\sc.exe
          sc config fluentdwinsvc start= delayed-auto
          3⤵
            PID:1732
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /c "sc start fluentdwinsvc"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1512
          • C:\Windows\SysWOW64\sc.exe
            sc start fluentdwinsvc
            3⤵
              PID:936
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:816
        • C:\Windows\system32\DrvInst.exe
          DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot13" "" "" "66d15495b" "0000000000000000" "00000000000005B4" "00000000000005B0"
          1⤵
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:1244

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/936-61-0x0000000000000000-mapping.dmp

          Download

        • memory/1496-57-0x0000000000000000-mapping.dmp

          Download

        • memory/1512-60-0x0000000000000000-mapping.dmp

          Download

        • memory/1632-55-0x000007FEFBFF1000-0x000007FEFBFF3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1732-59-0x0000000000000000-mapping.dmp

          Download

        • memory/1964-58-0x0000000000000000-mapping.dmp

          Download