Analysis

  • max time kernel
    119s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01-02-2022 02:22

General

  • Target

    ffbb522721eb4c518fe199d0cd60da52875933a5171b3d0ff0e1f855834b02f9.msi

  • Size

    384KB

  • MD5

    781379eaa915fc31b506737317c84368

  • SHA1

    a8e531220a3cb652feb600944a357b614adda2b4

  • SHA256

    ffbb522721eb4c518fe199d0cd60da52875933a5171b3d0ff0e1f855834b02f9

  • SHA512

    f0c9081a58f19f997deeae4b1c9d69ce87e2be91f33168727687a88f04f59369561342cc12bbc0bed5d0675ea2ff1804827dfb78d07148069c14620e0b37983b

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ffbb522721eb4c518fe199d0cd60da52875933a5171b3d0ff0e1f855834b02f9.msi
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1268
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1476
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:1152
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14" "" "" "60919e20f" "0000000000000000" "00000000000003EC" "0000000000000570"
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:544
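
The process list above shows two msiexec.exe instances: the client launched with /I on a package staged in the user's Temp directory, and the /V instance, which is how the Windows Installer service runs and is the one that performs the privileged install actions and carries the file-drop, registry and network signatures. The following is an added triage helper, not part of this sandbox report: it transcribes the Processes and General sections into constructed input, flags msiexec installs whose package sits under a user Temp path and service-instance network or Windows-directory writes, and verifies a local copy of the sample against the four hashes listed above. The Temp-path and install-switch regular expressions are the author's assumptions for illustration.

```python
import hashlib
import re
from dataclasses import dataclass

# Hashes for the submitted .msi exactly as listed in the General section of this report.
REPORT_HASHES = {
    "md5": "781379eaa915fc31b506737317c84368",
    "sha1": "a8e531220a3cb652feb600944a357b614adda2b4",
    "sha256": "ffbb522721eb4c518fe199d0cd60da52875933a5171b3d0ff0e1f855834b02f9",
    "sha512": "f0c9081a58f19f997deeae4b1c9d69ce87e2be91f33168727687a88f04f59369"
              "561342cc12bbc0bed5d0675ea2ff1804827dfb78d07148069c14620e0b37983b",
}


@dataclass(frozen=True)
class Proc:
    image: str
    cmdline: str
    pid: int
    signatures: tuple


# Process entries transcribed from the Processes section of this report (constructed input).
PROCESSES = (
    Proc(r"C:\Windows\system32\msiexec.exe",
         r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ffbb522721eb4c518fe199d0cd60da52875933a5171b3d0ff0e1f855834b02f9.msi",
         1268,
         ("Blocklisted process makes network request", "Enumerates connected drives",
          "Suspicious use of AdjustPrivilegeToken", "Suspicious use of FindShellTrayWindow")),
    Proc(r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V", 1476,
         ("Blocklisted process makes network request", "Enumerates connected drives",
          "Drops file in Windows directory", "Modifies data under HKEY_USERS",
          "Modifies registry class", "Suspicious behavior: EnumeratesProcesses",
          "Suspicious use of AdjustPrivilegeToken")),
    Proc(r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe", 1152,
         ("Suspicious use of AdjustPrivilegeToken",)),
    Proc(r"C:\Windows\system32\DrvInst.exe",
         r'DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14" "" "" "60919e20f" "0000000000000000" "00000000000003EC" "0000000000000570"',
         544,
         ("Drops file in Windows directory", "Modifies data under HKEY_USERS",
          "Suspicious use of AdjustPrivilegeToken")),
)

# Assumed patterns: a user-writable Temp directory and the msiexec install switches.
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
INSTALL_SWITCH = re.compile(r"^/(i|package)$", re.IGNORECASE)


def triage(procs=PROCESSES):
    """Return (pid, finding) tuples for the msiexec behaviour worth explaining."""
    findings = []
    for p in procs:
        if not p.image.lower().endswith("\\msiexec.exe"):
            continue
        args = p.cmdline.split()[1:]          # drop the image name
        switches = {a.lower() for a in args if a.startswith("/")}
        if "/v" in switches:
            # /V is the Windows Installer service instance (msiserver); it runs the
            # privileged install actions, so its network and file writes are the ones to explain.
            if "Blocklisted process makes network request" in p.signatures:
                findings.append((p.pid, "installer service instance made network requests"))
            if "Drops file in Windows directory" in p.signatures:
                findings.append((p.pid, "installer service instance wrote under the Windows directory"))
        for i, a in enumerate(args):
            if INSTALL_SWITCH.match(a) and i + 1 < len(args):
                pkg = args[i + 1]
                if USER_TEMP.search(pkg):
                    findings.append((p.pid, f"package installed from user Temp: {pkg}"))
    return findings


def compute_hashes(data: bytes) -> dict:
    """Digest the bytes with every algorithm the report lists."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in REPORT_HASHES}


def matches_report(data: bytes, expected=REPORT_HASHES) -> dict:
    """Per-algorithm True/False: does a local file match the report's hashes?"""
    got = compute_hashes(data)
    return {algo: got[algo] == digest for algo, digest in expected.items()}


if __name__ == "__main__":
    for pid, finding in triage():
        print(f"PID {pid}: {finding}")
```

Run `matches_report(open(path, "rb").read())` on a local copy of the .msi before doing any further analysis on it; every algorithm should report True, and a partial match (for example MD5 only) means you are not looking at this sample.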

Network

MITRE ATT&CK Enterprise v6

Downloads

The entries below are CryptoAPI's URL retrieval cache (CryptnetUrlCache Content and MetaData), written when a process fetches certificates or revocation data over the network, typically while verifying a signature. They are consistent with the network-request signature on the msiexec processes, but the Network section of this report is empty, so the remote hosts cannot be confirmed from this page.

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

    MD5

    7c13e2b4f2780cdde5523c304cca5015

    SHA1

    07a663b5f03bf8e7bb54a71871fe2baabef22f75

    SHA256

    365f401aa9abc00197c525989e6bd1dd131fc009ec547ac6230efc83adf6713b

    SHA512

    f70d2ce1fb1781e34cd1fee387f806c16920a926666d49b5d35f713136345716e7cb14b10c6fefef204395d3df4c3c263c08de8af88e5103b8423422616fa538

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

    MD5

    f2ad82b5108e5dbfef4cb344505823f0

    SHA1

    fcf59e38426ba73bc3de5789e2ede680a57d519b

    SHA256

    5738782b4fad90beca293376f16d1a6a2b00b18ce8f50aeeccfd480a7f4c02e0

    SHA512

    30b060a779b7fcac8ab035e6b690f0b0f9150eb2994bdd7283e8b7d2a912666a183c64f95d921d5c54fbac1ba942f2d20e80b570d6eb29ae866bf02cbce20c7c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

    MD5

    70a8e7df854cb9811ca3c8980a0daa30

    SHA1

    1bf490a66d8315d86efd69b6cecdf75e748e5289

    SHA256

    70843fc4cacfe7d7fe7141909f508feae6c9af361d29d2371d5e1ca1b6f6238c

    SHA512

    63ab22ba09a0f80b1ce5e5c705d979c0ee49e61d38b7d017a851edf6eac952ccd161ec98a75442b645cc62942f9f85b664c4ca50d852839fa9bf972991e720ec

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    MD5

    4506e2524ce133d2df5351ceaa0330e3

    SHA1

    2832ad19709b8fbaf0d7cc9f94c1f6b702555f10

    SHA256

    caf24269e478d19007cc3a3854ed6d6d5de45d8045dfa2da82ee27081606ecc3

    SHA512

    9c02043c35f96b17104603f87cf3a8ef64bef75b1e01c88e3225417657e2a70ce465acebc64cacbf22cb2d0f717dd31ba3277a55172a3d9ec2230e637def90a4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

    MD5

    0897fd973002f44a28f623de458c8f2e

    SHA1

    3432de4a7694b69f5c5ee1f21e7763729edbb771

    SHA256

    b1dcfbe2318e8badef1e33dd6e8e365389f74e9e7ce15ed096272bf88143ea28

    SHA512

    655783e43307e8ee194efb239c96a66f76659fa38ba337cb258a108eb9944b929db99d8cf5db5925dacf00be7551fbec86e1ab1609777a7550d6e5327a3c7814

  • memory/1268-55-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp

    Filesize

    8KB