Analysis

  • max time kernel
    161s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    13-02-2022 10:45

General

  • Target

    42c82a811f4eb41e1a6c613c9b017b7e8abf062c3694cb77e671464954facf3b.msi

  • Size

    639KB

  • MD5

    4ab860c4a0b02410cd0f5adf80153c3e

  • SHA1

    3983610f2687885b350d259b936a19a3f2c45f6b

  • SHA256

    42c82a811f4eb41e1a6c613c9b017b7e8abf062c3694cb77e671464954facf3b

  • SHA512

    5c982d65f306efc3a37ea97f7e4dc99d95c1f32b19c20e1872df31349ac25f65bd5a6422aa561ababa745d320f8545c94b20a5e85c1d10638f303414eba713c0

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 55 IoCs
  • Modifies registry class 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 20 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\42c82a811f4eb41e1a6c613c9b017b7e8abf062c3694cb77e671464954facf3b.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3424
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:2280
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:672
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1BBF251AE53A85E843445533C9EA676A
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C start /MAX https://adobe.ly/2RY5GJR
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2220
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://adobe.ly/2RY5GJR
          4⤵
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2416
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe65ae46f8,0x7ffe65ae4708,0x7ffe65ae4718
            5⤵
              PID:644
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,12291705424316491589,18408188821323590599,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
              5⤵
                PID:3680
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,12291705424316491589,18408188821323590599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:2320
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,12291705424316491589,18408188821323590599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
                5⤵
                  PID:3392
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12291705424316491589,18408188821323590599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
                  5⤵
                    PID:2708
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12291705424316491589,18408188821323590599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
                    5⤵
                      PID:2108
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2180,12291705424316491589,18408188821323590599,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5448 /prefetch:8
                      5⤵
                        PID:2276
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12291705424316491589,18408188821323590599,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
                        5⤵
                          PID:2892
                    • C:\Users\Admin\AppData\Local\Temp\lc98AA.tmp
                      "C:\Users\Admin\AppData\Local\Temp\lc98AA.tmp"
                      3⤵
                      • Executes dropped EXE
                      PID:920
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k NetworkService -p
                  1⤵
                  • Drops file in Windows directory
                  • Modifies data under HKEY_USERS
                  PID:1360
                • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
                  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
                  1⤵
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  PID:772
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:3112

                  Network

                  MITRE ATT&CK Matrix ATT&CK v6

                  Discovery

                  Query Registry

                  3
                  T1012

                  Peripheral Device Discovery

                  1
                  T1120

                  System Information Discovery

                  4
                  T1082

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\lc98AA.tmp
                    MD5

                    55ffee241709ae96cf64cb0b9a96f0d7

                    SHA1

                    b191810094dd2ee6b13c0d33458fafcd459681ae

                    SHA256

                    64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

                    SHA512

                    01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

                  • C:\Users\Admin\AppData\Local\Temp\lc98AA.tmp
                    MD5

                    55ffee241709ae96cf64cb0b9a96f0d7

                    SHA1

                    b191810094dd2ee6b13c0d33458fafcd459681ae

                    SHA256

                    64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

                    SHA512

                    01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

                  • C:\Windows\Installer\MSI7D37.tmp
                    MD5

                    318dea4099b577bc51ae5e21eb8c566d

                    SHA1

                    e3a4d3245bc40ca956c3a5081dcfd74e98fb1510

                    SHA256

                    f335e99ea0a95b99e32d6b60c67621db8e5d096e9d77a0c8f2defcde8f32f54f

                    SHA512

                    65d4886bc19c9b9f36d68c07b83f687cdb75f95cde5f5ef02289502518c58f77c99ef2548d25f69bff6f0bfefe7fc7bb18fd010c4341c15114675f80f3d85844

                  • C:\Windows\Installer\MSI7D37.tmp
                    MD5

                    318dea4099b577bc51ae5e21eb8c566d

                    SHA1

                    e3a4d3245bc40ca956c3a5081dcfd74e98fb1510

                    SHA256

                    f335e99ea0a95b99e32d6b60c67621db8e5d096e9d77a0c8f2defcde8f32f54f

                    SHA512

                    65d4886bc19c9b9f36d68c07b83f687cdb75f95cde5f5ef02289502518c58f77c99ef2548d25f69bff6f0bfefe7fc7bb18fd010c4341c15114675f80f3d85844

                  • C:\Windows\Installer\MSI9232.tmp
                    MD5

                    9f1e5d66c2889018daef4aef604eebc4

                    SHA1

                    b80294261c8a1635e16e14f55a3d76889ff2c857

                    SHA256

                    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

                    SHA512

                    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

                  • C:\Windows\Installer\MSI9232.tmp
                    MD5

                    9f1e5d66c2889018daef4aef604eebc4

                    SHA1

                    b80294261c8a1635e16e14f55a3d76889ff2c857

                    SHA256

                    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

                    SHA512

                    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

                  • C:\Windows\Installer\MSI937B.tmp
                    MD5

                    9f1e5d66c2889018daef4aef604eebc4

                    SHA1

                    b80294261c8a1635e16e14f55a3d76889ff2c857

                    SHA256

                    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

                    SHA512

                    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

                  • C:\Windows\Installer\MSI937B.tmp
                    MD5

                    9f1e5d66c2889018daef4aef604eebc4

                    SHA1

                    b80294261c8a1635e16e14f55a3d76889ff2c857

                    SHA256

                    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

                    SHA512

                    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

                  • C:\Windows\Installer\MSI9570.tmp
                    MD5

                    9f1e5d66c2889018daef4aef604eebc4

                    SHA1

                    b80294261c8a1635e16e14f55a3d76889ff2c857

                    SHA256

                    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

                    SHA512

                    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

                  • C:\Windows\Installer\MSI9570.tmp
                    MD5

                    9f1e5d66c2889018daef4aef604eebc4

                    SHA1

                    b80294261c8a1635e16e14f55a3d76889ff2c857

                    SHA256

                    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

                    SHA512

                    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

                  • C:\Windows\Installer\MSIA81F.tmp
                    MD5

                    9f1e5d66c2889018daef4aef604eebc4

                    SHA1

                    b80294261c8a1635e16e14f55a3d76889ff2c857

                    SHA256

                    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

                    SHA512

                    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

                  • C:\Windows\Installer\MSIA81F.tmp
                    MD5

                    9f1e5d66c2889018daef4aef604eebc4

                    SHA1

                    b80294261c8a1635e16e14f55a3d76889ff2c857

                    SHA256

                    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

                    SHA512

                    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

                  • \??\pipe\LOCAL\crashpad_2416_FNFYXCFQRBRWIRFM
                    MD5

                    d41d8cd98f00b204e9800998ecf8427e

                    SHA1

                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                    SHA256

                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                    SHA512

                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                  • memory/3392-156-0x00007FFE85560000-0x00007FFE85561000-memory.dmp
                    Filesize

                    4KB