Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    21-01-2022 10:58

General

  • Target

    PDF.VIVO.DIGITAL.URN5SP.msi

  • Size

    3.4MB

  • MD5

    a43b17ac461d2eee6153710850346200

  • SHA1

    724917b805b4b609f3beaa7b713004b6d42d14f2

  • SHA256

    2f45197ef087c00da456fa9dc97b038e387eb2508c6197ed3f438c87f9d07063

  • SHA512

    6142cc2b3f904f49508c00e96bc69f4c21ca7547eb1f0ae01d37e3698b5436e5871c5750b5b12114b9516dc30d2f6b03b61a0e55d99c2b161063932f2f6b092d

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 8 IoCs
  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PDF.VIVO.DIGITAL.URN5SP.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:368
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1859427021E429DB85FD00AD58A53A6F
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\jp2launcher.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\jp2launcher.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:1732
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1624
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:408

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Registry Run Keys / Startup Folder (T1060) — 1
  • Defense Evasion
    • Virtualization/Sandbox Evasion (T1497) — 1
    • Modify Registry (T1112) — 1
  • Discovery
    • Query Registry (T1012) — 3
    • Virtualization/Sandbox Evasion (T1497) — 1
    • System Information Discovery (T1082) — 4
    • Peripheral Device Discovery (T1120) — 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSI59c12.LOG
    MD5

    e8dc53a8382366f6e89fc103c6249c9e

    SHA1

    33540e7f2a26e032e10ac7d007812efc436bc0c8

    SHA256

    6bf2160fee18862d16bbe14541cf0db83e8a10c9d07d3de1475f1e66e022a6c6

    SHA512

    bc297c8315d05484d8a0822164082ead1ad25296ce84010fa0be0e22dfcb0f62ca38c064d32f2eaeb9aef5de66a0506e80b74970697ca3b6f19e56d9d62017bd

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SHFOLDER.dll
    MD5

    c297d9dd9304f70a8eacffe09b4697b9

    SHA1

    f85f93cf0f4b0292c496e4c05b1e8f068ec32337

    SHA256

    1bb47c29af21042650e01c6c0a9d9f851687216f110293671664166e65bef81b

    SHA512

    3c2c47889c53ecdce9173a24554abf51b67c7121f4f5c42d0df01cebfda47bc30fd4a7b4ac9b342e725fd67c716ea17cbd2c4a670816e01c3dea983d6838a07e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\jp2launcher.exe
    MD5

    b2218df5c3373a9a1b619e53281e9806

    SHA1

    8b683c897ecc6fa6881d29f6c41c7c159d65fa62

    SHA256

    681ccc9e5bab3a23b3ce31fdc1eb8db268e79e1521e748d8f8c951d10a3a096c

    SHA512

    1ea2d938086d3494f477c2e5459e2d5e1b57b7cf37aef792b745b7a261fcff183703696da2a52724331ec15ae82bc0a5dcdfd53d4a5374c38cafe23e15e10023

  • C:\Windows\Installer\MSI9FCB.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

  • C:\Windows\Installer\MSIA441.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

  • C:\Windows\Installer\MSIA4AF.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

  • C:\Windows\Installer\MSIA57B.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

  • C:\Windows\Installer\MSIAA70.tmp
    MD5

    87f70ac02d0d1af6c4ff6e0be80e6049

    SHA1

    c6209060c14ddeae1243d2a37b156d6c02c0a2fb

    SHA256

    0a384078f1719f7b482a48d0ba78c5a3357aa5c0e1e836f236c8f6b4608efcc1

    SHA512

    9addb90e42392620c51b122b26a822aa2d6b959c54d6031a7a6ae1ad2c6d7feaf8c99582ab6201ce473b6b887bb50bd305bbd2b0d82fc8bc35515baa1ecda481

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\shfolder.dll
    MD5

    c297d9dd9304f70a8eacffe09b4697b9

    SHA1

    f85f93cf0f4b0292c496e4c05b1e8f068ec32337

    SHA256

    1bb47c29af21042650e01c6c0a9d9f851687216f110293671664166e65bef81b

    SHA512

    3c2c47889c53ecdce9173a24554abf51b67c7121f4f5c42d0df01cebfda47bc30fd4a7b4ac9b342e725fd67c716ea17cbd2c4a670816e01c3dea983d6838a07e

  • \Windows\Installer\MSI9FCB.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

  • \Windows\Installer\MSIA441.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

  • \Windows\Installer\MSIA4AF.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

  • \Windows\Installer\MSIA57B.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

  • \Windows\Installer\MSIAA70.tmp
    MD5

    87f70ac02d0d1af6c4ff6e0be80e6049

    SHA1

    c6209060c14ddeae1243d2a37b156d6c02c0a2fb

    SHA256

    0a384078f1719f7b482a48d0ba78c5a3357aa5c0e1e836f236c8f6b4608efcc1

    SHA512

    9addb90e42392620c51b122b26a822aa2d6b959c54d6031a7a6ae1ad2c6d7feaf8c99582ab6201ce473b6b887bb50bd305bbd2b0d82fc8bc35515baa1ecda481

  • memory/764-134-0x0000000001270000-0x0000000001271000-memory.dmp
    Filesize

    4KB

  • memory/764-133-0x0000000004BB0000-0x0000000004E99000-memory.dmp
    Filesize

    2.9MB

  • memory/1732-140-0x0000000077BF0000-0x0000000077D7E000-memory.dmp
    Filesize

    1.6MB

  • memory/1732-147-0x00000000025F0000-0x0000000003A99000-memory.dmp
    Filesize

    20.7MB

  • memory/1732-151-0x00000000025F0000-0x0000000003A99000-memory.dmp
    Filesize

    20.7MB

  • memory/1732-161-0x00000000025F0000-0x0000000003A99000-memory.dmp
    Filesize

    20.7MB

  • memory/1732-168-0x00000000025F0000-0x0000000003A99000-memory.dmp
    Filesize

    20.7MB

  • memory/1732-200-0x0000000000630000-0x000000000077A000-memory.dmp
    Filesize

    1.3MB