Overview

overview

8

Static

static

eceb164a69...13.msi

windows7_x64

8

eceb164a69...13.msi

windows10-2004_x64

8

Analysis

  • max time kernel
    4294178s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    30-03-2022 22:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eceb164a69e8f79bb08099fcdf2b75071c527b0107daebc0e7a88e246b4c7f13.msi

  • Size

    548KB

  • MD5

    dffb3d323708f624dc3469e99c3adcb3

  • SHA1

    043620bdea4fd9d48673db8081ffbd9f25d1d8ac

  • SHA256

    eceb164a69e8f79bb08099fcdf2b75071c527b0107daebc0e7a88e246b4c7f13

  • SHA512

    a30b70e5bb259410606d5e123e17b8502423912ecedf6d6ebad6b180a372c58f36231f0c85b610ad89e5328b1e63e257be932d4d3fea8971853516e31f531f84

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 59 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\eceb164a69e8f79bb08099fcdf2b75071c527b0107daebc0e7a88e246b4c7f13.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1212
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\ProgramData\Local\Google\rebol-view-278-3-1.exe
      "C:\ProgramData\Local\Google\rebol-view-278-3-1.exe" -w -i -s C:\ProgramData\Local\Google\exemple.rb
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c echo %USERDOMAIN%\%USERNAME% > name && for /f "tokens=4-5 delims=. " %i in ('ver') do echo %i.%j > os && echo %PROCESSOR_ARCHITECTURE% > arch
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:276
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ver
          4⤵
            PID:588
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:560
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D8" "00000000000003B8"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1628

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Local\Google\arch
      Filesize

      6B

      MD5

      8a882b4a938846d19520af8484f09012

      SHA1

      4ba6aa85fc2d9c1f087fd0573ed818af71c4b6fe

      SHA256

      1009573fa6f897afcc5055f52a2216bfe7fcb308d6cab15922a5b3668df7f34b

      SHA512

      299aa6f6d42b8be1a827b8a2543b89de4c324a050d3aa34cf74b7550774586aeec60cccf83782c69569a0fb81a171e3ea6de0c56c11ec6f563b1fe1864452543

      Download Submit

    • C:\ProgramData\Local\Google\exemple.rb
      Filesize

      1002B

      MD5

      ff4a24c83564f1a01d5a815eaa8a2bf9

      SHA1

      2e713f9fc72db1ed0cd5088172c3b24906e8be13

      SHA256

      9c109c41d497cbe752edf56c1ac0e1ffb06357160b12100cc84eb2d4ddcb7b13

      SHA512

      e628d20c9bc728709d0f46557e5fd017e4594dcbd680486acd6ed1e1721a8692644f2cf0f323b30e74d03230b8320d2f6e1b0f5fd073192e1a28aa7e8ac2c7e1

      Download Submit

    • C:\ProgramData\Local\Google\name
      Filesize

      18B

      MD5

      2cdd9eba0462d944ffba481196e29e26

      SHA1

      038e8a8d1c0bc7c38f12c99c22b66d340a9a43f0

      SHA256

      94d333e71f4fc1e0ea72fd92b463e1e41100e09d4094aa7f5e89c02446ba71e0

      SHA512

      974248fb1d780dbd53fac093f790b40fdb9fa1c2ae25873cea79ea0d789dc5c70e66961d17e2c75f690050941a598a54803ecdd22a0f3da89d141ebc5f625e61

      Download Submit

    • C:\ProgramData\Local\Google\os
      Filesize

      7B

      MD5

      d7eeeee910efb9998f6c12c7ab0e8a78

      SHA1

      70e13d2bedbe139361bbbc9e446fd029d2bf4b8b

      SHA256

      adb14fb65d546224b96815d48af6823bf74c54aab2707831d539c2c2762403fe

      SHA512

      2e87c25678e5d0c0e3e7a344f03be0819d8a790b1af64877574ff479c9619d80b406b81ac4a1e6f1ff04cbcce1446a19a243867d4d28dae43363a8140a81906d

      Download Submit

    • C:\ProgramData\Local\Google\rebol-view-278-3-1.exe
      Filesize

      844KB

      MD5

      aa2f4fd92fe00de85428f39a6e0e9cfd

      SHA1

      1def65dde53ab24c122da6c76646a36d7d910790

      SHA256

      215e28f9660472b6271a9902573c9d190e4d7ccca33fcf8d6054941d52a3ab85

      SHA512

      952b500e4a291a8bd58810529c1fcc17d969b082d29f00460aba6ada44a30ddc41595f8b0fe71e568ecba803df69985840f10f0a9e478c796c73dc5659ce314e

      Download Submit

    • memory/276-60-0x0000000000000000-mapping.dmp

      Download

    • memory/588-61-0x0000000000000000-mapping.dmp

      Download

    • memory/1212-54-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1640-56-0x0000000000000000-mapping.dmp

      Download

    • memory/1640-58-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

      Filesize

      8KB

      Download