Overview

overview

10

Static

static

10

0113d8a67b...95.msi

windows7_x64

8

0113d8a67b...95.msi

windows10-2004_x64

8

Analysis

  • max time kernel
    154s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    13-02-2022 10:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0113d8a67b61dd6163b003c806d997f1f26da9df316744571aa1295c7ffb9995.msi

  • Size

    639KB

  • MD5

    2e299b1fcf357f678bbf00a06ead424f

  • SHA1

    58f5f158f679b5a031dfc0e1323fd7a4dc24c3f4

  • SHA256

    0113d8a67b61dd6163b003c806d997f1f26da9df316744571aa1295c7ffb9995

  • SHA512

    37cb0f8d929b793b5bf20f291de10b863cc63b59d2a990c07b4df4f1c64149ee335bf4961f7ac50390b614516f862fb7b3a38d7162ed4f91ba6e56685b4a1400

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
    adwarespyware
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0113d8a67b61dd6163b003c806d997f1f26da9df316744571aa1295c7ffb9995.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1576
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:588
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 3156C0DEFCDB5E5FCEA4A1810303A429
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C start /MAX https://adobe.ly/2RY5GJR
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:604
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://adobe.ly/2RY5GJR
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1620
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1620 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1588
      • C:\Users\Admin\AppData\Local\Temp\lc1437.tmp
        "C:\Users\Admin\AppData\Local\Temp\lc1437.tmp"
        3⤵
        • Executes dropped EXE
        PID:1040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    75f68662f23f67b556cf98831427e87f

    SHA1

    180a69b2768e5312bbcdbf17d173d004db3af969

    SHA256

    186aa0a7330fe806ae0d49486d820940d112da3567aeaf606fb3a8656b560779

    SHA512

    59e2746352eaf3ab1fd6d54b6d6b61e4d8a7982d0fcb3899e39ea3067b7122d6de4180d50394d99086e0727f2d41c67dbd9a958b718e1637fcb2632a0a0c1b85

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    e23a238e8f27b2b2bf902ca1d5ed8a6c

    SHA1

    c51ef5a9a72a41f40a6d2546c53532239e71957e

    SHA256

    9785e4464dae9437be62ff2356108b4cb53d795bb2a31ae09154a7bebff27adf

    SHA512

    1320624dc6c0576051476311659e6372e0daa7830d2d676ceadb85e1e4b5d25ee613f5fdf09bc21d1980054682e3f2207ca403f1159621b5b51764ad37c3cc0c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\o5rwqiw\imagestore.dat
    MD5

    5f2482f440fc241c9948297ec59b10cd

    SHA1

    5d36fec186ed54dc355ec5ed17022f4ef9b69b3d

    SHA256

    78f04169f25ae8c9775349fd7e1b77649116e00ec81a3b201ab32b74824f61d4

    SHA512

    1ba8e81dbc65ac7c19cb872851c9327feb75838c6f0b9f95317d2ea8977b7732dab6f38350858a3534dddb53a26f3488d9df6f3a58d9dc74ec737780f6d86d27

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\o5rwqiw\imagestore.dat
    MD5

    65d3dc6a7d397fdd62dd1b395cd2f903

    SHA1

    655796ad595eb8e5fa2b404d71dbbd53c5099425

    SHA256

    8c7e3221aa2dd091f8718e7fad8d5265a155376d36593eb982d5dbb061deeda8

    SHA512

    409b953f83c4314e8222ebefda200fc1f09cc7e1c91828829703471d4c711343337aa432a1425e4888c00d9b121593400d2d8dab89ab8f75d756b55224d3e318

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\lc1437.tmp
    MD5

    55ffee241709ae96cf64cb0b9a96f0d7

    SHA1

    b191810094dd2ee6b13c0d33458fafcd459681ae

    SHA256

    64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

    SHA512

    01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FS5ODZAY.txt
    MD5

    b9f9bc0818c00bad4aeb8b68fec58021

    SHA1

    70eded0c83d7bc1b4b1c4b8851471e8b74dc96d7

    SHA256

    80555ec57a9bb861e634bcc36255de5834338a70a799f2db0411980fcb2bbfb3

    SHA512

    7f49cea632f1ffc39ba318f3913306e8449df5f3dd19e4cae4ce63868def52fda43f1f4d3d4e54ae83b0e07be55d7d567a16936a9548074a8519cf73a545e628

    Download Submit
  • C:\Windows\Installer\MSI1305.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSI1354.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSI13C2.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSI15D6.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSIEEB2.tmp
    MD5

    318dea4099b577bc51ae5e21eb8c566d

    SHA1

    e3a4d3245bc40ca956c3a5081dcfd74e98fb1510

    SHA256

    f335e99ea0a95b99e32d6b60c67621db8e5d096e9d77a0c8f2defcde8f32f54f

    SHA512

    65d4886bc19c9b9f36d68c07b83f687cdb75f95cde5f5ef02289502518c58f77c99ef2548d25f69bff6f0bfefe7fc7bb18fd010c4341c15114675f80f3d85844

    Download Submit
  • \Users\Admin\AppData\Local\Temp\lc1437.tmp
    MD5

    55ffee241709ae96cf64cb0b9a96f0d7

    SHA1

    b191810094dd2ee6b13c0d33458fafcd459681ae

    SHA256

    64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

    SHA512

    01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

    Download Submit
  • \Windows\Installer\MSI1305.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSI1354.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSI13C2.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSI15D6.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSIEEB2.tmp
    MD5

    318dea4099b577bc51ae5e21eb8c566d

    SHA1

    e3a4d3245bc40ca956c3a5081dcfd74e98fb1510

    SHA256

    f335e99ea0a95b99e32d6b60c67621db8e5d096e9d77a0c8f2defcde8f32f54f

    SHA512

    65d4886bc19c9b9f36d68c07b83f687cdb75f95cde5f5ef02289502518c58f77c99ef2548d25f69bff6f0bfefe7fc7bb18fd010c4341c15114675f80f3d85844

    Download Submit
  • memory/1576-54-0x000007FEFB571000-0x000007FEFB573000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1624-56-0x00000000754B1000-0x00000000754B3000-memory.dmp
    Filesize

    8KB

    Download