Analysis

  • max time kernel: 219s
  • max time network: 101s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 02-05-2022 05:09

General

  • Target: Win10.0_System_Upgrade_Software.msi
  • Size: 92KB
  • MD5: 108c1a102c58234f4cda627079df75c3
  • SHA1: 21d6f08bd6bab100eb0b1a09c806c78577ec5b25
  • SHA256: a0e41e8c856a4e7a71893abf513b6ebefde78dd81b37e560a29cf25a83b9df9b
  • SHA512: 0f4476005fa08acf212e1ec8bb548a9503a998e063e048de9cce438500f13ff5a98acac8ba4c3eeaf5572b583c6da9e2af23e23e3971675e260c628c2d6afb9b

Score: 8/10

Malware Config

Signatures

  • Blocklisted process makes network request (3 IoCs)
  • Loads dropped DLL (1 IoC)
  • Enumerates connected drives (3 TTPs, 48 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory (11 IoCs)
  • Modifies data under HKEY_USERS (43 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (5 IoCs)

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Win10.0_System_Upgrade_Software.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1860
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding E9DDA75443AD57DC86528E27D771E1BA
      2⤵
      • Loads dropped DLL
      PID:1944
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:980
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C4" "00000000000003CC"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1820

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 60KB
    MD5: b9f21d8db36e88831e5352bb82c438b3
    SHA1: 4a3c330954f9f65a2f5fd7e55800e46ce228a3e2
    SHA256: 998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e
    SHA512: d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
    Filesize: 1KB
    MD5: 78f2fcaa601f2fb4ebc937ba532e7549
    SHA1: ddfb16cd4931c973a2037d3fc83a4d7d775d05e4
    SHA256: 552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988
    SHA512: bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: f72f9fdee835915d3f3581d321e068ea
    SHA1: cca0cb56d61fb42e880f37b7c10e324bed429239
    SHA256: d7e9abe83d7a3f05b6dcd167bfec2cd57bad1201064da27d933e6f91d27ae90f
    SHA512: dfe74e884f25bdec4ba2bc3768a6ee5480613e19dd95b7383d3060fafffc5625271fc643f8bf713c3f580bb83a363280b6eba29bcb9b2b2bd2af3d9f02eff31d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
    Filesize: 254B
    MD5: 528598f99605c2c1b11794d7c488ca33
    SHA1: d38d306975b80140de97ae065fa7fca13a1b335b
    SHA256: 34c06130ee53553d678bcea6c7f8bd1989c8f6c947080130f82922d9ac3a0dc5
    SHA512: aac977e1f7cc26709b8b7e0f6560052c7df39dcb187f9346078c2c80eac175a235b3fae308cd137ef5d0c6db0713031a9639094861d720a15865141de0320f5b

  • C:\Windows\Installer\MSIB097.tmp
    Filesize: 52KB
    MD5: f005f55386eadf6580d39b51eb8b3b9d
    SHA1: 3c2c6e752c1b7c1380722b3d73ceef080c212bbd
    SHA256: 9dcd2d8b8e4ed0ec47a617ac34ec595259450c97cd07027fe5e63c6bba48ce0c
    SHA512: 43972b1e6a22f8763b84e8208ee8c83f90970052fe52f54645ad7c27c08075d367d9e7d68a8b727a2390c4946d27913aadde868f79b3363716a50380a667b409

  • \Windows\Installer\MSIB097.tmp
    Filesize: 52KB
    MD5: f005f55386eadf6580d39b51eb8b3b9d
    SHA1: 3c2c6e752c1b7c1380722b3d73ceef080c212bbd
    SHA256: 9dcd2d8b8e4ed0ec47a617ac34ec595259450c97cd07027fe5e63c6bba48ce0c
    SHA512: 43972b1e6a22f8763b84e8208ee8c83f90970052fe52f54645ad7c27c08075d367d9e7d68a8b727a2390c4946d27913aadde868f79b3363716a50380a667b409

  • memory/1860-54-0x000007FEFB851000-0x000007FEFB853000-memory.dmp
    Filesize: 8KB

  • memory/1944-60-0x0000000000000000-mapping.dmp