Overview

overview

10

Static

static

10

e9c0fcf1b6...8d.msi

windows7_x64

8

e9c0fcf1b6...8d.msi

windows10_x64

8

Analysis

  • max time kernel
    139s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    11/01/2022, 21:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e9c0fcf1b6dc4b895ed5ad5c4a6f3aeed343055584f7be6a478f525a27a56d8d.msi

  • Size

    4.0MB

  • MD5

    9c29559b0910132668be272b7228fb5b

  • SHA1

    57f3e22aba505bcc671d6b1ac54068c0cdead4b0

  • SHA256

    e9c0fcf1b6dc4b895ed5ad5c4a6f3aeed343055584f7be6a478f525a27a56d8d

  • SHA512

    143392c71a7cd435e454b79bdcb89c2388a6462111f87bac9118e2189792be24b9bd768f28a5d47042f1e984e133e83d8fc2e0f5dc65746e6a248f482814efde

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 26 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Script User-Agent 3 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e9c0fcf1b6dc4b895ed5ad5c4a6f3aeed343055584f7be6a478f525a27a56d8d.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:652
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 6810C1A303306ADEA0D5E56B6D6A4D74
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1476
  • C:\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe
    C:\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /TN "OneDrive " /TR C:\\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe /SC minute /MO 2 /IT /RU %USERNAME%
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "OneDrive " /TR C:\\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe /SC minute /MO 2 /IT /RU Admin
        3⤵
        • Creates scheduled task(s)
        PID:2164
  • C:\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe
    C:\\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:3828

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/652-115-0x00000232B8030000-0x00000232B8032000-memory.dmp

    Filesize

    8KB

    Download

  • memory/652-116-0x00000232B8030000-0x00000232B8032000-memory.dmp

    Filesize

    8KB

    Download

  • memory/764-118-0x000001C09D030000-0x000001C09D032000-memory.dmp

    Filesize

    8KB

    Download

  • memory/764-117-0x000001C09D030000-0x000001C09D032000-memory.dmp

    Filesize

    8KB

    Download

  • memory/968-154-0x0000000000F60000-0x0000000001064000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/968-161-0x00000000029B0000-0x00000000029B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/968-160-0x00000000038A1000-0x0000000003D27000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/3828-177-0x0000000000880000-0x0000000000984000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3972-121-0x00000000028E0000-0x00000000028E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3972-120-0x00000000028E0000-0x00000000028E1000-memory.dmp

    Filesize

    4KB

    Download