Overview

overview

10

Static

static

10

2vFTA23042...IL.msi

windows7_x64

8

2vFTA23042...IL.msi

windows10-2004_x64

8

Analysis

  • max time kernel
    133s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 04:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2vFTA23042049-ABRIL.msi

  • Size

    280KB

  • MD5

    04e7028611b3a265f90a627f45e43721

  • SHA1

    10cc07c9d057baff07aa81e5f6c3833f8c763f8d

  • SHA256

    c51857627b43582a7f2995c27356717b474854716ddffabcc4ec03b0085bcc07

  • SHA512

    e6f39b4e3d934eae2a47e2ee382c7560e3c8852e95d2ce72ee1a6eb31e92b8e102a922638077b16f31ebdb9da92e932649f43d755627b0c5a1c45bff360b5382

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
    adwarespyware
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2vFTA23042049-ABRIL.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2044
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A8C0AAB67D86C95F0ED48C515292E0B6
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C start /MAX https://adobe.ly/2RY5GJR
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://adobe.ly/2RY5GJR
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1316
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1316 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1148
      • C:\Users\Admin\AppData\Local\Temp\lc298A.tmp
        "C:\Users\Admin\AppData\Local\Temp\lc298A.tmp"
        3⤵
        • Executes dropped EXE
        PID:1536

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    60KB

    MD5

    b9f21d8db36e88831e5352bb82c438b3

    SHA1

    4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

    SHA256

    998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

    SHA512

    d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    2ac8579b94ae6870d4adb739b6b7b400

    SHA1

    06e6db8e3a1d90f394faf965a4bb9d23838a28ea

    SHA256

    1027ee1c96b013ebd8099462e362af4341b9aec3b62f332212bc15c00ea02bd8

    SHA512

    c16c1f6d592aeaf53135d12b2a659905ce4bf173000b8dbd3e8191cfdcd803b3e70aa321dc30360fd921fa50186878d2df84054e649dea10d0fd58d443369348

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    36068d8ac6be1276443c7de9c9451e49

    SHA1

    946b8cb49e8e293afaf428bd584c9f5fb80e5962

    SHA256

    80d4bca7fc51dfa02dfc64db7478368145d6d3cfb305ed67f26f02f79ccf74d9

    SHA512

    0b018b859acc0698cdd77722b089732fe4a36bc7d5ccd2505f8a643056f5273aaa8f93d8570e44952b5ded26efa26f51f16dc12cbc935dea0ece51125eb0fbd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ezmz917\imagestore.dat
    Filesize

    13KB

    MD5

    76a5ec0f71f7193e7d1a84b4c356ab62

    SHA1

    646f09aea6a42d7438d8edb5fe8a2a408398386a

    SHA256

    8e213970cd208714ab6be498f8d8d1307895dd655f7e1688dce2c0db06652003

    SHA512

    a0e3a5df3f26a050723e58396e726908c1c988617c60c1f5272a3d45d131d10d44bc5765a7d0feb5feac76eab31855c26fae6580404563fb6476a33c562738aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ezmz917\imagestore.dat
    Filesize

    23KB

    MD5

    ee25c0f1b847f0b4665aa7b807f5ea47

    SHA1

    e62928e3c56705ef1002e12a38145bd9a58de827

    SHA256

    f2fc680efa1e2d1f0a80a6b80f8cf7237b21d5afbce5d2ee8bd7faa9fb03cf5e

    SHA512

    7fe67b61309f65b8061f5d76b1166465400a4c698d3b9e924b6a6e13ddbd72f53d6a39b7cf21b78fe26f3592944814fba90fca5078cb8f3377214b31e51e4cf9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lc298A.tmp
    Filesize

    12KB

    MD5

    55ffee241709ae96cf64cb0b9a96f0d7

    SHA1

    b191810094dd2ee6b13c0d33458fafcd459681ae

    SHA256

    64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

    SHA512

    01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\034F8K7F.txt
    Filesize

    602B

    MD5

    fab541ed304e5cc08ef823289b4d090d

    SHA1

    5bb65cb4505d7f3158b2ac52629753f80695d525

    SHA256

    19bef71c4a76557d99c355e4f514cc3d608022758a0d9c570132973361f9b39e

    SHA512

    7ac92aeb7202f9803f4950f208c0b3acdcd374d1ffea5794e0d759f75a8b9f749e072ba79ac37108f7b7f94184a8c1cfa57304eae7a8afa83d217b6529a9c6e2

    Download Submit

  • C:\Windows\Installer\MSI28B7.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • C:\Windows\Installer\MSI28F6.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • C:\Windows\Installer\MSI2945.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • C:\Windows\Installer\MSI2A5F.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\lc298A.tmp
    Filesize

    12KB

    MD5

    55ffee241709ae96cf64cb0b9a96f0d7

    SHA1

    b191810094dd2ee6b13c0d33458fafcd459681ae

    SHA256

    64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

    SHA512

    01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

    Download Submit

  • \Windows\Installer\MSI28B7.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • \Windows\Installer\MSI28F6.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • \Windows\Installer\MSI2945.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • \Windows\Installer\MSI2A5F.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • memory/1536-67-0x0000000000000000-mapping.dmp

    Download

  • memory/1584-57-0x0000000075441000-0x0000000075443000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1584-56-0x0000000000000000-mapping.dmp

    Download

  • memory/1700-58-0x0000000000000000-mapping.dmp

    Download

  • memory/2044-54-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp

    Filesize

    8KB

    Download