Overview

overview

10

Static

static

10

8aa574ba92...6c.msi

windows7_x64

8

8aa574ba92...6c.msi

windows10-2004_x64

8

Analysis

  • max time kernel
    154s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    13-02-2022 10:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8aa574ba92ef3177d786c519d9f2acc86aa7d16afd44819cb23eddd28720776c.msi

  • Size

    280KB

  • MD5

    2e81921e3cdeddd24b74f59039bde7a0

  • SHA1

    45950947f0cf45583514eebc95a361e55fd479b8

  • SHA256

    8aa574ba92ef3177d786c519d9f2acc86aa7d16afd44819cb23eddd28720776c

  • SHA512

    287fb25c2f96df4cca630deb02e64b021395cb46dddc8fe40d833b1db2bc7c25e379824942e17bf1695c036f6115c5cb518c2811e7b5c4a087fd6914b4ab0c5f

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
    adwarespyware
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8aa574ba92ef3177d786c519d9f2acc86aa7d16afd44819cb23eddd28720776c.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:964
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2E5C427189A857B1C8DCC02922A7E90E
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:272
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C start /MAX https://adobe.ly/2RY5GJR
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://adobe.ly/2RY5GJR
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:976
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:976 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1072
      • C:\Users\Admin\AppData\Local\Temp\lc2C28.tmp
        "C:\Users\Admin\AppData\Local\Temp\lc2C28.tmp"
        3⤵
        • Executes dropped EXE
        PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    e980f8b839620ae894f8cb265c1a2a9f

    SHA1

    ed8875902c84604619932270c7d4867bb8f94ad9

    SHA256

    dba4cb8ed94427682d3456c87c55d6d7813848d0941a4cc59e83426b0af00156

    SHA512

    08d7cbc51085263d1edfd2bccca0cc167b3b7e3da1a94910ac5846ab1832727d16510b0f448b9ada8bdf5b6829a90bf0ceb8ee94e825c85cb8ecbe1fa8736d3b

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    8cfccf03e9c0f67dd88c16fa526899ac

    SHA1

    9b5e5fa60d51a7500acb976991a34318b84a441a

    SHA256

    d5f7abd17408a1555779dd270b7d7a44129f669a7238425c6f8ecd3d689e890e

    SHA512

    9a5458a0d8066960f65e5fee80ec7a669d529133905b5347f1ceb9fa19e1fa744e102f5e86efcf717dd0f2f97dcf55873756ddf28bc3e26b972811ef6184d1f4

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\o5rwqiw\imagestore.dat
    MD5

    c2a350a92279c42de442403e81a4bcad

    SHA1

    58a056b38a9c28ef5a799210ae54a83ebc745a84

    SHA256

    7b2ce17ee0f69c538f436a7affc2ac9bc6fc9ad742ed1e1cc58a0def4861c0a7

    SHA512

    d4e3d72f654ef5c32a8c6d52d3eccd447da9225c90be98f2a48cb66b477d3d9a2282fb0051b0f8619df29b60cacf415e530df9d15ea008a88c3c0244495fa87c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\o5rwqiw\imagestore.dat
    MD5

    82f2b3b2486832ec182057836a6fab1d

    SHA1

    059ae1e39aec7bdfa6a09f744079eb8f1b0a0c66

    SHA256

    4abda4ea55faab1d467f84d67d8bacb2b9ae778c58c691f7355c9479ac7d6410

    SHA512

    afa1419efed946df86e1529cbccd4164814bdc607d7efbccbb6b53d6263e42efaff8fe8e4e525c1cb26dc50d4aecd37149ecd3cd883721cd3e556f7ebabea06c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\lc2C28.tmp
    MD5

    55ffee241709ae96cf64cb0b9a96f0d7

    SHA1

    b191810094dd2ee6b13c0d33458fafcd459681ae

    SHA256

    64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

    SHA512

    01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\X511TN78.txt
    MD5

    340a6ce4e0409dafead1c1cbf79e1a6c

    SHA1

    a1f93fcef0a382b542c951b1dee5c8bc1f946d2f

    SHA256

    22fb174f7cba7f139829f16dffdf32b8375c8ae3d3f059c68f8ade498345112f

    SHA512

    a34040ebecd69e5e1323346d3b07acb3abac25e8fb70b25cf9e1a64511a72fa9ea84968cf5d6e816fc8a9ae92591f51c1b098969656fbc3431c2e58b1c51ee40

    Download Submit
  • C:\Windows\Installer\MSI28D5.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSI29CF.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSI2B47.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSI34F8.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Users\Admin\AppData\Local\Temp\lc2C28.tmp
    MD5

    55ffee241709ae96cf64cb0b9a96f0d7

    SHA1

    b191810094dd2ee6b13c0d33458fafcd459681ae

    SHA256

    64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

    SHA512

    01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

    Download Submit
  • \Windows\Installer\MSI28D5.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSI29CF.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSI2B47.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSI34F8.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • memory/272-56-0x0000000075341000-0x0000000075343000-memory.dmp
    Filesize

    8KB

    Download
  • memory/964-54-0x000007FEFBAD1000-0x000007FEFBAD3000-memory.dmp
    Filesize

    8KB

    Download