Overview

overview

9

Static

static

d1d4e29f5f...98.msi

windows7_x64

8

d1d4e29f5f...98.msi

windows10-2004_x64

9

Analysis

  • max time kernel
    4294196s
  • max time network
    199s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    22-03-2022 12:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d1d4e29f5fca0c97cd89a4b5134d298.msi

  • Size

    100KB

  • MD5

    aebfb88d2333ee74373a4cf582682070

  • SHA1

    3d8b0dd99846144287aeeb025a5c9fc254f66fc0

  • SHA256

    d1d4e29f5fca0c97cd89a4b5134d298bf2829cea92e5d116084b83d980d2c6e0

  • SHA512

    9feb73d9c4902f03b94df49b3087418473dd0826480b5fde8ba3654dd8bf22bb372c8881e5254e5e8a0f6cf78bfb2d80c9060208c66478362bc6f75f12fca8cb

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d1d4e29f5fca0c97cd89a4b5134d298.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1924
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 86D9C9812452565EF4BB7DCF21FE4ED4
      2⤵
      • Loads dropped DLL
      PID:1324
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1800
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003DC" "000000000000059C"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
    Filesize

    1KB

    MD5

    78f2fcaa601f2fb4ebc937ba532e7549

    SHA1

    ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

    SHA256

    552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988

    SHA512

    bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    90a2634b0478d2503163439c2a7d5821

    SHA1

    b6f23afeeda4782099c96ac7ae2eb1f02f315eec

    SHA256

    f73ec90ab9106d2792c68790d47760f6dc70cfaf46acc73ea9a3ea64ec0f64dd

    SHA512

    33142e1a6494a80edf0107f5b90096c416f068cd6ec7a245b5be0ae08a7041c24033b549fb6d0ec12ef9ef8f75135c6c89dee94997e35e3759c86bf5daca171d

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
    Filesize

    254B

    MD5

    6df3555b5c853c0359a62a8348bcec71

    SHA1

    71b637ecd03faa3c32f97e24ece0b0233beffa0b

    SHA256

    97808538ef01c29dd1dcbfe89fb97036f42d66945b2748e572501ce1c8e3c0ed

    SHA512

    290a4c109751be6fb37c1c0fa217e6fbd06d362d3fb80df731ea75d2ee9f8129f8e605d4213662f44816a85f34a02efd47800d448ea5ec3e02acee3ebb1eb1f3

    Download Submit
  • C:\Windows\Installer\MSI8D2F.tmp
    Filesize

    58KB

    MD5

    07944a97980bedc3b5864181bc59fc94

    SHA1

    a2bd9be4dd395eb7d2558f4de1fff1bbbb0ecd25

    SHA256

    10f0b697db8d2f044954625f99eeafef1fb8c9acff0678171c2f9536f1d7a3ab

    SHA512

    aeb62b32e82726df6cac9e79912d1cf9a2d83280b603e1a6a53ce39c66c66192d1d18256c29cd0041b6e1188796f6faab290a3fd708b85d5c2d6e45ec952a73a

    Download Submit
  • \Windows\Installer\MSI8D2F.tmp
    Filesize

    58KB

    MD5

    07944a97980bedc3b5864181bc59fc94

    SHA1

    a2bd9be4dd395eb7d2558f4de1fff1bbbb0ecd25

    SHA256

    10f0b697db8d2f044954625f99eeafef1fb8c9acff0678171c2f9536f1d7a3ab

    SHA512

    aeb62b32e82726df6cac9e79912d1cf9a2d83280b603e1a6a53ce39c66c66192d1d18256c29cd0041b6e1188796f6faab290a3fd708b85d5c2d6e45ec952a73a

    Download Submit
  • memory/1924-54-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmp
    Filesize

    8KB

    Download