Analysis

  • max time kernel
    123s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    13-02-2022 12:30

General

  • Target

    59a7e7d08911df41b3db1c6ef0d515f1bce2cd49320944198ffea3cd51f3e1c4.msi

  • Size

    384KB

  • MD5

    4a3d69c28c4742177d6238bc16486f0d

  • SHA1

    517b70828d6c203939315d219b28502578620c17

  • SHA256

    59a7e7d08911df41b3db1c6ef0d515f1bce2cd49320944198ffea3cd51f3e1c4

  • SHA512

    bce9777d4d0536f793d88a7a0266386740469d2fb20f8df9e3b7127c5aeb9fcec32c0c3ae2afc143a6c7cfc7cfd139a65a3a8c3870843a93566e1402ef3e0b31

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\59a7e7d08911df41b3db1c6ef0d515f1bce2cd49320944198ffea3cd51f3e1c4.msi
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1692
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:676
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:832
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14" "" "" "60919e20f" "0000000000000000" "00000000000005A8" "00000000000005B4"
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1360

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1692-54-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

    Filesize

    8KB