Analysis

  • max time kernel
    153s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-01-2022 17:34

General

  • Target

    ef4930fc91c40c8bc955c9a38b5112ee0a7cb6008b13e48025ed458fae4ba20d.msi

  • Size

    3.6MB

  • MD5

    bdbb71848ccda557b6be1f1ef6f8386c

  • SHA1

    1db41ab648efdb58fafba6494b9fc89a7c15dadb

  • SHA256

    ef4930fc91c40c8bc955c9a38b5112ee0a7cb6008b13e48025ed458fae4ba20d

  • SHA512

    dc63a6536d61a463fb93954e2c309adce3308102c1b58c50b855ab99fbe4d2f7a02f9d85ef2184986f6cc70b5de1015148f0b05069a619886c34722072259688

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • autoit_exe 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this likely ransomware behaviour, but in this run the drive enumeration is attributed to msiexec.exe (PIDs 508 and 1692) and sits alongside restore-point creation (srtasks.exe ExecuteScopeRestorePoint, vssvc.exe), which is ordinary Windows Installer activity; the two shadow-copy metadata files in the Downloads list are written by that restore point. Nothing in the trace encrypts files. The persistence value named "bitcoin" under a "btc" directory suggests a different kind of payload, although the executable it references (winserv.exe) is never written or run in this trace.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments. Here the reads are attributed to svchost.exe -k netsvcs -s DsmSvc (PID 3104), the Device Setup Manager service, rather than to any dropped binary, so treat them as Windows background activity rather than sandbox evasion by the sample.

  • Modifies data under HKEY_USERS 2 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs

    The i.cmd stage (PID 372) runs ping ping-test.hldns.ru -n 3 -w 6000 twice (PIDs 2416 and 4016); in a batch file this serves as a delay and, with a remote host, as a check that the machine has network access, so ping-test.hldns.ru belongs on the indicator list.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ef4930fc91c40c8bc955c9a38b5112ee0a7cb6008b13e48025ed458fae4ba20d.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:508
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:680
      • C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe
        "C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1144
        • C:\Users\Admin\AppData\Local\Temp\exit.exe
          "C:\Users\Admin\AppData\Local\Temp\exit.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:964
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c i.cmd
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:372
            • C:\Windows\SysWOW64\PING.EXE
              ping ping-test.hldns.ru -n 3 -w 6000
              5⤵
              • Runs ping.exe
              PID:2416
            • C:\Windows\SysWOW64\PING.EXE
              ping ping-test.hldns.ru -n 3 -w 6000
              5⤵
              • Runs ping.exe
              PID:4016
            • C:\Users\Admin\AppData\Local\Temp\btc.exe
              btc.exe x -p3KPnoNJ3ReME4bEU5W9APkKS5ErkR3tNRT -y
              5⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:428
              • C:\ProgramData\btc\exit.exe
                "C:\ProgramData\btc\exit.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:1004
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c i.cmd
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1396
                  • C:\Windows\SysWOW64\reg.exe
                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bitcoin" /t REG_SZ /d "c:\ProgramData\btc\winserv.exe"
                    8⤵
                    • Adds Run key to start application
                    PID:2112
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3484
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:3104
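Detection logic for the chain above, as an added example that is not part of the sandbox report. The process-creation records are constructed from the tree (a subset, in a Sysmon-like pid/ppid/image/cmdline shape plus two benign controls; that shape, the rule names and the ancestry walk are assumptions made here). The three rules flag what a hunter would pull from this trace: an .exe in a user-writable directory with msiexec.exe somewhere in its ancestry, ping invoked with -n and -w from cmd.exe as a batch-file delay, and reg.exe writing a Run value whose target lives outside Program Files or Windows.

```python
"""Rule-based detection over process-creation events modelled on the tree above.

Added example, not part of the sandbox report. The records below are
constructed from the report's process tree (a subset) in a Sysmon-like
(pid, ppid, image, cmdline) shape; that shape and the rule names are
assumptions made for this example.
"""
import re

# Constructed from the Processes section above, plus two benign controls.
EVENTS = [
    (1692, 0, r"C:\Windows\system32\msiexec.exe",
     r"C:\Windows\system32\msiexec.exe /V"),
    (1144, 1692, r"C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe"'),
    (964, 1144, r"C:\Users\Admin\AppData\Local\Temp\exit.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\exit.exe"'),
    (372, 964, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c i.cmd"),
    (2416, 372, r"C:\Windows\SysWOW64\PING.EXE",
     "ping ping-test.hldns.ru -n 3 -w 6000"),
    (428, 372, r"C:\Users\Admin\AppData\Local\Temp\btc.exe",
     "btc.exe x -p3KPnoNJ3ReME4bEU5W9APkKS5ErkR3tNRT -y"),
    (1004, 428, r"C:\ProgramData\btc\exit.exe",
     r'"C:\ProgramData\btc\exit.exe"'),
    (1396, 1004, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c i.cmd"),
    (2112, 1396, r"C:\Windows\SysWOW64\reg.exe",
     r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bitcoin" /t REG_SZ /d "c:\ProgramData\btc\winserv.exe"'),
    # Benign controls (constructed): a plain ping and a Run value under Program Files.
    (5000, 372, r"C:\Windows\SysWOW64\PING.EXE", "ping 8.8.8.8"),
    (5001, 1396, r"C:\Windows\SysWOW64\reg.exe",
     r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Updater" /d "C:\Program Files\Vendor\upd.exe"'),
]

USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|ProgramData|Users\\Public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(pid, by_pid):
    """Image basenames from the process up to the root, nearest first."""
    names = []
    while pid in by_pid:
        _, ppid, image, _ = by_pid[pid]
        names.append(basename(image))
        pid = ppid
    return names


def ping_delay(cmdline):
    """(count, timeout_ms) when ping carries both -n and -w, the batch-file sleep idiom; else None."""
    if not re.match(r"^\s*(?:\S*\\)?ping(?:\.exe)?\s", cmdline, re.I):
        return None
    n = re.search(r"-n\s+(\d+)", cmdline, re.I)
    w = re.search(r"-w\s+(\d+)", cmdline, re.I)
    return (int(n.group(1)), int(w.group(1))) if n and w else None


def run_key_target(cmdline):
    """The /d value of a reg add that writes a Run/RunOnce value, else None."""
    if not re.match(r"^\s*(?:\S*\\)?reg(?:\.exe)?\s+add\b", cmdline, re.I):
        return None
    if not RUN_KEY.search(cmdline):
        return None
    m = re.search(r'/d\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def analyse(events):
    """Return (rule, pid, detail) alerts for the three behaviours seen in the trace."""
    by_pid = {e[0]: e for e in events}
    alerts = []
    for pid, _, image, cmdline in events:
        chain = lineage(pid, by_pid)
        # 1. An executable in a user-writable directory with msiexec.exe somewhere above it.
        if image.lower().endswith(".exe") and USER_WRITABLE.search(image) and "msiexec.exe" in chain[1:]:
            alerts.append(("dropped_exe_in_msi_lineage", pid, image))
        # 2. ping -n/-w spawned by cmd.exe: a scripted delay (and a reachability check for a remote host).
        delay = ping_delay(cmdline)
        if delay and len(chain) > 1 and chain[1] == "cmd.exe":
            alerts.append(("ping_sleep", pid, "-n %d -w %d" % delay))
        # 3. Run-key persistence whose target lives in a user-writable directory.
        target = run_key_target(cmdline)
        if target and USER_WRITABLE.search(target):
            alerts.append(("run_key_user_writable", pid, target))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Rule 1 walks the full ancestry rather than checking only the direct parent, because the installer is four levels above the second exit.exe; a parent-only rule would see only storsvc.exe. Rule 3 deliberately ignores the HKCU/HKLM hive and the value name, since "bitcoin" is a label the next sample will not reuse, while a Run target under ProgramData or Temp is a stable signal.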

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\ProgramData\btc\exit.exe

      MD5

      d76c6f53bcbbfb672a1f68a3017c1962

      SHA1

      976e087ca1a5d34cb326a96861df7ed79288b0d7

      SHA256

      258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505

      SHA512

      e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

    • C:\ProgramData\btc\i.cmd

      MD5

      2769f4f3c0c132044c66e249f03c1828

      SHA1

      9085fa6517cd20e62bc525d756daf74f6cede8d6

      SHA256

      28771275ee7c58967e49acf1d939d7c9231ed952c1125109999e3cb9b3a6b8dd

      SHA512

      e9dd96e11c5a8e2ed59bf7c7ba320ed25ffdafbdc4f7d5a070467facf1328b9c0602639396a03358c4b35282a40934a96fb3b8d028dd05e12177505967751d2c

    • C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe

      MD5

      c3c3407f19d8fcdc6ef55f059f6beea6

      SHA1

      134185c71c2e6a2dd5441bff027de85f3a9b5c91

      SHA256

      8598695a8c7ef4672ba9357022abcb8b61ec6f6db3ff5588058872c17a9e75bb

      SHA512

      fb17dd760cfd691fb4d4005f56b55518bc3c51d7e7afafdab0ac50cca02af714b1391e2435732bae8e766985e031d855ed976750a125a9417e6257f0fa051818

    • C:\Users\Admin\AppData\Local\Temp\btc.exe

      MD5

      1a81bdde68862f89ddde3276abe33c94

      SHA1

      fc5148ad9b387e91febd695d92f4233c2e92f600

      SHA256

      0b4797e50e773329365b83eb84da804f4d75483e6faa25b2b0c97c6c21ff1715

      SHA512

      048f441091c06759c4e81b6a331ed2aa489f1630e84162d40d3b7dab549f5f100dea61d8e51a806033c8121c29258c262f9de66af90a6e80d3d90f0e329bbe7a

    • C:\Users\Admin\AppData\Local\Temp\exit.exe

      MD5

      d76c6f53bcbbfb672a1f68a3017c1962

      SHA1

      976e087ca1a5d34cb326a96861df7ed79288b0d7

      SHA256

      258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505

      SHA512

      e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

    • C:\Users\Admin\AppData\Local\Temp\i.cmd

      MD5

      4873668f4a034b615f15fd8983001468

      SHA1

      162dcd46d5e171535eb81d284126bfd68cb4d29c

      SHA256

      d91c01dc76613d7342f541703df60b6519fc4f0107db24b56a49a6ac220304a7

      SHA512

      f6b5fb56cf8a380451db16fd2af6b9bf994425b9ba86180c2ff38556c080d1d16123c0341d3cec4a84cd36972a5cc4bb8618d24cccc879751f2b455c4ed1070c

    • C:\Users\Admin\AppData\Local\Temp\syst.dll

      MD5

      1a81bdde68862f89ddde3276abe33c94

      SHA1

      fc5148ad9b387e91febd695d92f4233c2e92f600

      SHA256

      0b4797e50e773329365b83eb84da804f4d75483e6faa25b2b0c97c6c21ff1715

      SHA512

      048f441091c06759c4e81b6a331ed2aa489f1630e84162d40d3b7dab549f5f100dea61d8e51a806033c8121c29258c262f9de66af90a6e80d3d90f0e329bbe7a

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      MD5

      0da701373f22e9e61034a6a18c9884ff

      SHA1

      8f6cc291042f6f38e0c62fb5131b5aca650842b6

      SHA256

      8a00699225cc71933b61c29c83007d26b3430d9994b2e56aeb080af749d06b7e

      SHA512

      d9fe779b6e1821e237fd1c482f2d92f2a924df6dd1be82b893b19db8aa629385ee09854eaf3348c86e8408385e35d440da76b9e1fc2068d2a1b73f7cff9b5604

    • \??\Volume{e49a283c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a6bbd6da-6324-491c-ad60-d6de3294ac23}_OnDiskSnapshotProp

      MD5

      6a625b66e5b239afc16b1b2f7e400a4f

      SHA1

      2cc92dbb4a3fb03d1d98227b343ec03856bbf469

      SHA256

      0f658a24bce0e2c134db22f2bdabf96d428f0d1cb6e899bf4174504e6be44a8e

      SHA512

      63072b7f9d8da5f487e40592586d09aee1844c40bf4c36cd41b39a016703cee2ee9826ac3725987e5e2cdcf9be138612277dc8719491448100fd98c9f1a2d264
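The Downloads list above, consolidated as an added example that is not part of the report. Duplicate entries collapse, the two shadow-copy files are filtered as restore-point noise, identical content under different names (btc.exe and syst.dll; the two exit.exe copies) is surfaced, a basename that appears with two different contents (i.cmd) is flagged, and each executed binary from the process tree is matched to a captured hash. The Run-key target winserv.exe has none: the trace captured no file for the persistence payload. The noise filter and the helper names are assumptions made here; the paths and SHA256 values are transcribed from this page.

```python
"""De-duplicate the Downloads list by SHA256 and check it against what ran.

Added example, not part of the sandbox report. Paths and SHA256 values are
transcribed from the report's Downloads and Processes sections; the noise
filter and the helper names are assumptions made for this example.
"""
from collections import defaultdict

# (path, sha256) transcribed from the Downloads section, duplicates included.
DROPPED = [
    (r"C:\ProgramData\btc\exit.exe", "258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505"),
    (r"C:\ProgramData\btc\exit.exe", "258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505"),
    (r"C:\ProgramData\btc\i.cmd", "28771275ee7c58967e49acf1d939d7c9231ed952c1125109999e3cb9b3a6b8dd"),
    (r"C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe", "8598695a8c7ef4672ba9357022abcb8b61ec6f6db3ff5588058872c17a9e75bb"),
    (r"C:\Users\Admin\AppData\Local\Temp\btc.exe", "0b4797e50e773329365b83eb84da804f4d75483e6faa25b2b0c97c6c21ff1715"),
    (r"C:\Users\Admin\AppData\Local\Temp\exit.exe", "258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505"),
    (r"C:\Users\Admin\AppData\Local\Temp\i.cmd", "d91c01dc76613d7342f541703df60b6519fc4f0107db24b56a49a6ac220304a7"),
    (r"C:\Users\Admin\AppData\Local\Temp\syst.dll", "0b4797e50e773329365b83eb84da804f4d75483e6faa25b2b0c97c6c21ff1715"),
    (r"\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2",
     "8a00699225cc71933b61c29c83007d26b3430d9994b2e56aeb080af749d06b7e"),
    (r"\??\Volume{e49a283c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a6bbd6da-6324-491c-ad60-d6de3294ac23}_OnDiskSnapshotProp",
     "0f658a24bce0e2c134db22f2bdabf96d428f0d1cb6e899bf4174504e6be44a8e"),
]

# Dropped executables launched in the Processes section, plus the Run-key target.
EXECUTED = [
    r"C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe",
    r"C:\Users\Admin\AppData\Local\Temp\exit.exe",
    r"C:\Users\Admin\AppData\Local\Temp\btc.exe",
    r"C:\ProgramData\btc\exit.exe",
    r"c:\ProgramData\btc\winserv.exe",
]


def is_restore_point_noise(path):
    """System Volume Information / shadow-copy files written by the installer's restore point (assumed filter)."""
    p = path.lower()
    return "system volume information" in p or "harddiskvolumeshadowcopy" in p


def group_by_hash(dropped):
    """sha256 -> set of paths, with duplicate entries collapsed and restore-point noise dropped."""
    groups = defaultdict(set)
    for path, sha in dropped:
        if not is_restore_point_noise(path):
            groups[sha.lower()].add(path)
    return dict(groups)


def name_collisions(groups):
    """basename -> set of hashes, for names that appear with more than one content."""
    by_name = defaultdict(set)
    for sha, paths in groups.items():
        for p in paths:
            by_name[p.rsplit("\\", 1)[-1].lower()].add(sha)
    return {n: s for n, s in by_name.items() if len(s) > 1}


def coverage(dropped, executed):
    """path -> sha256 for each executed binary, None when the trace captured no file for it."""
    by_path = {p.lower(): s.lower() for p, s in dropped}
    return {p: by_path.get(p.lower()) for p in executed}


if __name__ == "__main__":
    groups = group_by_hash(DROPPED)
    for sha, paths in groups.items():
        print(sha[:16], sorted(paths))
    print("name collisions:", name_collisions(groups))
    for path, sha in coverage(DROPPED, EXECUTED).items():
        print("captured" if sha else "NOT CAPTURED", path)
```

Hunting on the five unique hashes is more useful than hunting on the filenames: syst.dll is the same bytes as btc.exe, so a rule keyed on a .dll extension would miss it, while the two i.cmd files share a name but not content, so a hash for one says nothing about the other.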