Overview

overview

10

Static

static

10

42c82a811f...3b.msi

windows7_x64

8

42c82a811f...3b.msi

windows10-2004_x64

8

Analysis

  • max time kernel
    154s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    13-02-2022 10:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42c82a811f4eb41e1a6c613c9b017b7e8abf062c3694cb77e671464954facf3b.msi

  • Size

    639KB

  • MD5

    4ab860c4a0b02410cd0f5adf80153c3e

  • SHA1

    3983610f2687885b350d259b936a19a3f2c45f6b

  • SHA256

    42c82a811f4eb41e1a6c613c9b017b7e8abf062c3694cb77e671464954facf3b

  • SHA512

    5c982d65f306efc3a37ea97f7e4dc99d95c1f32b19c20e1872df31349ac25f65bd5a6422aa561ababa745d320f8545c94b20a5e85c1d10638f303414eba713c0

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
    adwarespyware
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\42c82a811f4eb41e1a6c613c9b017b7e8abf062c3694cb77e671464954facf3b.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1656
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F352DEB7B6A08CC4CEA5DDF1159674C1
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C start /MAX https://adobe.ly/2RY5GJR
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:380
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://adobe.ly/2RY5GJR
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1084
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1084 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1196
      • C:\Users\Admin\AppData\Local\Temp\lcF2E0.tmp
        "C:\Users\Admin\AppData\Local\Temp\lcF2E0.tmp"
        3⤵
        • Executes dropped EXE
        PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    fa744953a5c92d6270c56c94dcd3e98e

    SHA1

    e115a5be7bfc23892a3b25092573ccf36c124048

    SHA256

    a7d690a39852c408b2b5fa9942879e1d18918c1ce95675c2d7662f021edbbac6

    SHA512

    a697270e2679c3f60ed8d1759638e6682ae68878a925e406a53915587261caf0f15f5b73020ba20526a9bf8b09a222eaf7b15a0d65d8ca43dbeb10901b222160

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    b0c35c77442a4cb676aa4e1a84709c0d

    SHA1

    a3e8f422ef8b49b958aeb6196d056887322ac31d

    SHA256

    bacf0cbdd10fa08c1b5bbf65e04c1434442f203b6a4a9564d4a78a9c9e88ceb2

    SHA512

    c7ad74d7b64d5e1b164b965bff4b160a96c573f36793903c9f4f76873f3bb2cdb2f2ffce637750444621684c266c5bbbe31877f538ce9583cc0a58e949d05be0

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\7w612sw\imagestore.dat
    MD5

    337a365fcc11b11989f1a1847d223a91

    SHA1

    d9c1843293347d288f2ca8668dc8467f80295975

    SHA256

    e4ead53188b69c43da13ce520fd7ac54543f3545329acf12debf03e93160f193

    SHA512

    9a1122ebb72b324711ea66f8e6a8e43164f1ec5eeacf7ff2ee5037cb6fca103825ac62002d4e0bbc62db735c9556a38858dae26a08d3532453381e9068a6b2c4

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\7w612sw\imagestore.dat
    MD5

    cac8b557639715168c6473571475812c

    SHA1

    c36c85ecbda8bfb7cf74d2965953417555567cb8

    SHA256

    fa9b0dc082d09b0a0c81a60f6087fd2c588b7888e57972952edf947e1dbb137e

    SHA512

    bfcb8b997160e6eb98043d4f0795ff00080c53e4c72feb99130cf2bd610670bc3988e1a6dbcfaa730f017cb3cc6f341f8fff69722f360a13d623742a640baa78

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\lcF2E0.tmp
    MD5

    55ffee241709ae96cf64cb0b9a96f0d7

    SHA1

    b191810094dd2ee6b13c0d33458fafcd459681ae

    SHA256

    64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

    SHA512

    01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C3SUJVXF.txt
    MD5

    14a0cd22502c76dbb54e06ed81f6d86e

    SHA1

    d324bc08fea742afdf19bda4553e9d7177dd61ac

    SHA256

    07c9d1a2e6d121d4be38c8b8b7e3294d14e14c9963394eb3ed0ef4c346588035

    SHA512

    8b2d6e43591a3609c923aacfd287c12f877fcee22c24a86a20b0c8502f9a9c1873ea99d29d2cc7464500a1572f022f206a7c13292decf156d333a68b2a2e92ad

    Download Submit
  • C:\Windows\Installer\MSI1D22.tmp
    MD5

    318dea4099b577bc51ae5e21eb8c566d

    SHA1

    e3a4d3245bc40ca956c3a5081dcfd74e98fb1510

    SHA256

    f335e99ea0a95b99e32d6b60c67621db8e5d096e9d77a0c8f2defcde8f32f54f

    SHA512

    65d4886bc19c9b9f36d68c07b83f687cdb75f95cde5f5ef02289502518c58f77c99ef2548d25f69bff6f0bfefe7fc7bb18fd010c4341c15114675f80f3d85844

    Download Submit
  • C:\Windows\Installer\MSIAFD.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSIE6D7.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSIE7A3.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSIF164.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Users\Admin\AppData\Local\Temp\lcF2E0.tmp
    MD5

    55ffee241709ae96cf64cb0b9a96f0d7

    SHA1

    b191810094dd2ee6b13c0d33458fafcd459681ae

    SHA256

    64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

    SHA512

    01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

    Download Submit
  • \Windows\Installer\MSI1D22.tmp
    MD5

    318dea4099b577bc51ae5e21eb8c566d

    SHA1

    e3a4d3245bc40ca956c3a5081dcfd74e98fb1510

    SHA256

    f335e99ea0a95b99e32d6b60c67621db8e5d096e9d77a0c8f2defcde8f32f54f

    SHA512

    65d4886bc19c9b9f36d68c07b83f687cdb75f95cde5f5ef02289502518c58f77c99ef2548d25f69bff6f0bfefe7fc7bb18fd010c4341c15114675f80f3d85844

    Download Submit
  • \Windows\Installer\MSIAFD.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSIE6D7.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSIE7A3.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSIF164.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • memory/1656-55-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1732-57-0x0000000074EC1000-0x0000000074EC3000-memory.dmp
    Filesize

    8KB

    Download