Overview

overview

8

Static

static

SKv1101015.msi

windows7_x64

8

SKv1101015.msi

windows10-2004_x64

8

Analysis

  • max time kernel
    140s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-20220331-en
  • submitted
    04-04-2022 04:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SKv1101015.msi

  • Size

    1.4MB

  • MD5

    58322cc0d504de7b8c105a1ad4835819

  • SHA1

    a3eacab0d427be9c962d86e93c04cd59d6dc65af

  • SHA256

    dc1982b083f3629e55d3bc6a057487c492a70eca3deb9306b30caf70090b9f8c

  • SHA512

    498a6f2a4a5c18d6ef39e3ef903309507f463a74a8c1a7b67352c68a0986e17b020b779c26cb69b10cc199ced1f112ba054d118f0bec404301b0a63ee0ec9d2a

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 16 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SKv1101015.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:976
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1BD9F5335FF852B2C41C464EAFDB3C7B
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssFE01.ps1"
        3⤵
        • Blocklisted process makes network request
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2004
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss1414.ps1"
        3⤵
        • Blocklisted process makes network request
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        PID:1924
    • C:\Windows\Installer\MSI13E4.tmp
      "C:\Windows\Installer\MSI13E4.tmp" /DontWait /HideWindow /dir "C:\Users\Admin\AppData\Roaming\BBSK\" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noninteractive -ExecutionPolicy bypass -c "[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes('SK.Driver.dll'));[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes('S.dll'));[sk.S]::Start()"
      2⤵
      • Executes dropped EXE
      PID:1940
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2028
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000594" "00000000000005A8"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2044
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noninteractive -ExecutionPolicy bypass -c "[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes('SK.Driver.dll'));[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes('S.dll'));[sk.S]::Start()"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1456

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
    Filesize

    1KB

    MD5

    78f2fcaa601f2fb4ebc937ba532e7549

    SHA1

    ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

    SHA256

    552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988

    SHA512

    bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    1a2f30f230a8098f41c5252ce8180b8a

    SHA1

    0ca55e58cdde0b46d2143dba2f543c1b5f6e68e7

    SHA256

    a11941e70e14ab3220ec5082b1b5ea122e11d2b797b3f7550b5edb245a8bf5bf

    SHA512

    c234ecd68189b153a25264bc63ef0c2044de66213bbae6797fd3bce39c3ba199fd3376ccea1f27287245f99047d6901b43485c87af65add7538fd218ea53dee6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
    Filesize

    254B

    MD5

    cae4e3dc65f102a53f6d224931bca464

    SHA1

    76166d9fc8a6f498ffb1d0f0c20d8ec3ba99acf9

    SHA256

    46c74c24705d7df5d132eda73aaeae4a292ef1629e8a56bb3c97710219704cbf

    SHA512

    39cf0f6027867a7555751edcf85990cfd2660c0c02eb94c201070847d6ff3cbd1c450790f0c28b78459c134587a59b23a852017eb78af1febb0556382fe93f4a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pss1404.ps1
    Filesize

    2KB

    MD5

    0e49ece0ba776dbb056795c786c269b1

    SHA1

    b6de915a28b625b7fb0d81c4f7e4635a1b5f6e4f

    SHA256

    dbda97267694d0bb8feb126a092c1ed56125d84fc58fd7b55e00ba9b39aa90c2

    SHA512

    cd10a86cf25a1218440afae719945d18e29d730413bf84c3210feb85537370d945824cb936046644640bea9febbf1e5a5346d381619a1cd442a9c37355600108

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pss1414.ps1
    Filesize

    5KB

    MD5

    e1a030409b76b8e88b5298578cde3013

    SHA1

    306aec5bec9791be7f75b792ae2f8c6d7caf5ada

    SHA256

    2e305ac9026fbe2f6e75a45a8d4abc8ee71cd0b7916adda1f69bdd4763c3ecb9

    SHA512

    c9b78a93c7bea91bb920056dd322038f10b5975591462c5fc14e37528a2c2dd0f75475e5a65158a284b5f4b9a7cbae8fab308ed684717fb314f9f33969e635dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pssFDF0.ps1
    Filesize

    2KB

    MD5

    c601f894ae26402f106645992ff5be53

    SHA1

    7bab5fa72ec22ff51f6ed2bbf21faa6392cddcbe

    SHA256

    d4fe52f4ea0b2f07058900c29b36755ae5305193b9e8d55f510336efc8ff3cff

    SHA512

    08a66972d0a8a3b30759b37cb6e0490bcac857c3e6eeb3547f86e16929014983fdd2b10f9c3a0d999bab4475918007ec24662188cef4ff1718968393c40b56fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pssFE01.ps1
    Filesize

    5KB

    MD5

    ed35fddf7b7cd82169b1e945745cb4d3

    SHA1

    4dda3da4f3832e66ee60e55bfaea280347980652

    SHA256

    2ebc32eaef63c775d94397d96eb73ea029c38fe07f1fc41f2023ff9c353eae01

    SHA512

    ff094ffdebb22d7836e9f1b683de1e9cf3f7ee84e61f7eab65e90be35bd5b9d97c710e06b7003338b17cd891664a7f0c1bee6e9e9389a50b6db34a0f66020076

    Download Submit

  • C:\Users\Admin\AppData\Roaming\BBSK\S.dll
    Filesize

    14KB

    MD5

    b4fd68b7de055270cd28f5fe6a5b976f

    SHA1

    289337f56d89660383701af405a6b51441920960

    SHA256

    68750e1fea85a7999d16e934cde463fbb2bf3feb9fbb37cc55dd5f52304cb5e4

    SHA512

    446f41e14b10b7367aff10a0c773be668413076bfad0db5787c50da97925a8b34bba427c256f53eb04af359e448ba26918370383285c36ce515233c832b9fc00

    Download Submit

  • C:\Users\Admin\AppData\Roaming\BBSK\SK.Driver.dll
    Filesize

    162KB

    MD5

    aff20ab7ee8357357ed7ada87ce70d0a

    SHA1

    712b0a11d8ca4b05496d9824b3cb3353728eb9fc

    SHA256

    f6381b45e5c834b563610281da628f061bb6331a850c4145dbe86d0a2a6befb2

    SHA512

    f225508d5168148fa44c7b5568a972016204e177b4e88f6c4078d5d836d05979ad08ce874d72fb71b8cc345a6708c6529389948be9e9ef3968f9115fb154ae52

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    dd8fdf8a65fbd4f266866c225f23aa34

    SHA1

    11f050c9d0585870322c22a69927059476320014

    SHA256

    a80a54b86dc0ce3f109cec83634a2713b8af8b9ac374f9b68ce75cf95e0dee7e

    SHA512

    5d97fb452f05e74239c0dd8aca38a04223750f77e7c927b8c7c72ec676220d8a5dee92297de82826966f4e96f157c5f2f309f402d381cc13d8d3cd04e389e1f5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    dd8fdf8a65fbd4f266866c225f23aa34

    SHA1

    11f050c9d0585870322c22a69927059476320014

    SHA256

    a80a54b86dc0ce3f109cec83634a2713b8af8b9ac374f9b68ce75cf95e0dee7e

    SHA512

    5d97fb452f05e74239c0dd8aca38a04223750f77e7c927b8c7c72ec676220d8a5dee92297de82826966f4e96f157c5f2f309f402d381cc13d8d3cd04e389e1f5

    Download Submit

  • C:\Windows\Installer\MSI13D3.tmp
    Filesize

    398KB

    MD5

    882e26bce2987a04b0e50ef204466cbe

    SHA1

    a5b675e9030da9d63dcdfb9fe0ba622684da933e

    SHA256

    e50a65d4c06f025e07860d535ee73ffbd6eef209599d26b8e0be1e624f65c1b3

    SHA512

    339142bbfaf48846ec1ba0ec7cc20caedd1b77d73c8e04adc01aea06ba351f5639504d121a06c23faab1a855e9ef07354c71593a94847e7596f027fea6c358b6

    Download Submit

  • C:\Windows\Installer\MSI13E4.tmp
    Filesize

    93KB

    MD5

    213bd0facd6c4a0e24386a21992fa8ec

    SHA1

    49773287bb25dd7abe74547beed4d2cfc4fb62a9

    SHA256

    b66f0ecbf2acf12ce47778167cd0f1a76a5de4f53489976ea41b0d0469d02f46

    SHA512

    98f712d0e28cae4ef3e9fed83ce76432b2d0f50999034c87f8210f9d0fb830ee7bd4bbb7d2cf3bfec4de2e358a6527821f33971b68282c3442f6b05ac3be6045

    Download Submit

  • C:\Windows\Installer\MSIF802.tmp
    Filesize

    398KB

    MD5

    882e26bce2987a04b0e50ef204466cbe

    SHA1

    a5b675e9030da9d63dcdfb9fe0ba622684da933e

    SHA256

    e50a65d4c06f025e07860d535ee73ffbd6eef209599d26b8e0be1e624f65c1b3

    SHA512

    339142bbfaf48846ec1ba0ec7cc20caedd1b77d73c8e04adc01aea06ba351f5639504d121a06c23faab1a855e9ef07354c71593a94847e7596f027fea6c358b6

    Download Submit

  • C:\Windows\Installer\MSIF813.tmp
    Filesize

    260KB

    MD5

    f0e3167159d38491b01a23bae32647ca

    SHA1

    6c385f0ceaaa591b40497ee522316a7987846ed1

    SHA256

    15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

    SHA512

    dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

    Download Submit

  • C:\Windows\Installer\MSIFBAC.tmp
    Filesize

    260KB

    MD5

    f0e3167159d38491b01a23bae32647ca

    SHA1

    6c385f0ceaaa591b40497ee522316a7987846ed1

    SHA256

    15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

    SHA512

    dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

    Download Submit

  • C:\Windows\Installer\MSIFC3A.tmp
    Filesize

    260KB

    MD5

    f0e3167159d38491b01a23bae32647ca

    SHA1

    6c385f0ceaaa591b40497ee522316a7987846ed1

    SHA256

    15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

    SHA512

    dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

    Download Submit

  • \Windows\Installer\MSI13D3.tmp
    Filesize

    398KB

    MD5

    882e26bce2987a04b0e50ef204466cbe

    SHA1

    a5b675e9030da9d63dcdfb9fe0ba622684da933e

    SHA256

    e50a65d4c06f025e07860d535ee73ffbd6eef209599d26b8e0be1e624f65c1b3

    SHA512

    339142bbfaf48846ec1ba0ec7cc20caedd1b77d73c8e04adc01aea06ba351f5639504d121a06c23faab1a855e9ef07354c71593a94847e7596f027fea6c358b6

    Download Submit

  • \Windows\Installer\MSIF802.tmp
    Filesize

    398KB

    MD5

    882e26bce2987a04b0e50ef204466cbe

    SHA1

    a5b675e9030da9d63dcdfb9fe0ba622684da933e

    SHA256

    e50a65d4c06f025e07860d535ee73ffbd6eef209599d26b8e0be1e624f65c1b3

    SHA512

    339142bbfaf48846ec1ba0ec7cc20caedd1b77d73c8e04adc01aea06ba351f5639504d121a06c23faab1a855e9ef07354c71593a94847e7596f027fea6c358b6

    Download Submit

  • \Windows\Installer\MSIF813.tmp
    Filesize

    260KB

    MD5

    f0e3167159d38491b01a23bae32647ca

    SHA1

    6c385f0ceaaa591b40497ee522316a7987846ed1

    SHA256

    15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

    SHA512

    dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

    Download Submit

  • \Windows\Installer\MSIFBAC.tmp
    Filesize

    260KB

    MD5

    f0e3167159d38491b01a23bae32647ca

    SHA1

    6c385f0ceaaa591b40497ee522316a7987846ed1

    SHA256

    15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

    SHA512

    dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

    Download Submit

  • \Windows\Installer\MSIFC3A.tmp
    Filesize

    260KB

    MD5

    f0e3167159d38491b01a23bae32647ca

    SHA1

    6c385f0ceaaa591b40497ee522316a7987846ed1

    SHA256

    15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

    SHA512

    dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

    Download Submit

  • memory/976-54-0x000007FEFB791000-0x000007FEFB793000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1456-88-0x0000000073030000-0x00000000735DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1612-59-0x00000000759E1000-0x00000000759E3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1612-58-0x0000000000000000-mapping.dmp

    Download

  • memory/1924-77-0x0000000000000000-mapping.dmp

    Download

  • memory/1924-90-0x0000000073030000-0x00000000735DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1924-91-0x0000000001F20000-0x0000000001FA3000-memory.dmp

    Filesize

    524KB

    Download

  • memory/1940-76-0x0000000000000000-mapping.dmp

    Download

  • memory/1940-81-0x0000000000120000-0x0000000000122000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2004-71-0x0000000002232000-0x0000000002234000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2004-70-0x0000000073030000-0x00000000735DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2004-68-0x0000000000000000-mapping.dmp

    Download