Analysis
-
max time kernel
4294196s -
max time network
199s -
platform
windows7_x64 -
resource
win7-20220310-en -
submitted
22-03-2022 12:17
General
-
Target
d1d4e29f5fca0c97cd89a4b5134d298.msi
-
Size
100KB
-
MD5
aebfb88d2333ee74373a4cf582682070
-
SHA1
3d8b0dd99846144287aeeb025a5c9fc254f66fc0
-
SHA256
d1d4e29f5fca0c97cd89a4b5134d298bf2829cea92e5d116084b83d980d2c6e0
-
SHA512
9feb73d9c4902f03b94df49b3087418473dd0826480b5fde8ba3654dd8bf22bb372c8881e5254e5e8a0f6cf78bfb2d80c9060208c66478362bc6f75f12fca8cb
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 11 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d1d4e29f5fca0c97cd89a4b5134d298.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 86D9C9812452565EF4BB7DCF21FE4ED42⤵
- Loads dropped DLL
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003DC" "000000000000059C"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD578f2fcaa601f2fb4ebc937ba532e7549
SHA1ddfb16cd4931c973a2037d3fc83a4d7d775d05e4
SHA256552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988
SHA512bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd
-
Filesize
344B
MD590a2634b0478d2503163439c2a7d5821
SHA1b6f23afeeda4782099c96ac7ae2eb1f02f315eec
SHA256f73ec90ab9106d2792c68790d47760f6dc70cfaf46acc73ea9a3ea64ec0f64dd
SHA51233142e1a6494a80edf0107f5b90096c416f068cd6ec7a245b5be0ae08a7041c24033b549fb6d0ec12ef9ef8f75135c6c89dee94997e35e3759c86bf5daca171d
-
Filesize
254B
MD56df3555b5c853c0359a62a8348bcec71
SHA171b637ecd03faa3c32f97e24ece0b0233beffa0b
SHA25697808538ef01c29dd1dcbfe89fb97036f42d66945b2748e572501ce1c8e3c0ed
SHA512290a4c109751be6fb37c1c0fa217e6fbd06d362d3fb80df731ea75d2ee9f8129f8e605d4213662f44816a85f34a02efd47800d448ea5ec3e02acee3ebb1eb1f3
-
Filesize
58KB
MD507944a97980bedc3b5864181bc59fc94
SHA1a2bd9be4dd395eb7d2558f4de1fff1bbbb0ecd25
SHA25610f0b697db8d2f044954625f99eeafef1fb8c9acff0678171c2f9536f1d7a3ab
SHA512aeb62b32e82726df6cac9e79912d1cf9a2d83280b603e1a6a53ce39c66c66192d1d18256c29cd0041b6e1188796f6faab290a3fd708b85d5c2d6e45ec952a73a
-
Filesize
58KB
MD507944a97980bedc3b5864181bc59fc94
SHA1a2bd9be4dd395eb7d2558f4de1fff1bbbb0ecd25
SHA25610f0b697db8d2f044954625f99eeafef1fb8c9acff0678171c2f9536f1d7a3ab
SHA512aeb62b32e82726df6cac9e79912d1cf9a2d83280b603e1a6a53ce39c66c66192d1d18256c29cd0041b6e1188796f6faab290a3fd708b85d5c2d6e45ec952a73a
-
Filesize
8KB