Analysis

  • max time kernel
    1050s
  • max time network
    840s
  • platform
    windows7_x64
  • resource
    win7-ja-20211208
  • submitted
    16-01-2022 18:03

General

  • Target

    8 Cores.msi

  • Size

    319KB

  • MD5

    6047ee1af2d30ef7db95fabb788ec9f9

  • SHA1

    2731a77f03f97aa03adcd2c7c6f4342d2fd1d515

  • SHA256

    b3f5506d672e2ea0564c52413f1f8847c569542d2cd475937c6f21a443292728

  • SHA512

    7d8de10cdf4399692da6b7e80c96d865ffc891292e1bf16adaf663f2cf087802ae61bde15057a9aa7c82d6dbd0930e623c3a4c947502c5c1129bbc66d8aa03e8

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives (3 TTPs, 48 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Windows directory (13 IoCs)
  • Modifies data under HKEY_USERS (52 IoCs)
  • Modifies registry class (23 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\8 Cores.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:652
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1512
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1316
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1392
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14" "" "" "60919e20f" "0000000000000000" "00000000000003E0" "00000000000004D0"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:960
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {CE204EF9-A707-4ED6-92BC-636B244F64ED} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    PID:1356
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {5850053B-6249-44B0-96B1-45442FEF8076} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    PID:676
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {096ECB54-A331-4A23-84FA-2B5892985696} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1592
    • C:\Program Files\Mozilla Firefox\default-browser-agent.exe
      "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
      2⤵
      PID:936

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • Query Registry (1) T1012
    • Peripheral Device Discovery (1) T1120
    • System Information Discovery (1) T1082

Downloads

  • memory/652-55-0x000007FEFC411000-0x000007FEFC413000-memory.dmp
    Filesize: 8KB
  • memory/936-58-0x0000000000000000-mapping.dmp