Overview

overview

10

Static

static

10

c51857627b...07.msi

windows7_x64

8

c51857627b...07.msi

windows10-2004_x64

8

Analysis

  • max time kernel
    141s
  • max time network
    189s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 04:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c51857627b43582a7f2995c27356717b474854716ddffabcc4ec03b0085bcc07.msi

  • Size

    280KB

  • MD5

    04e7028611b3a265f90a627f45e43721

  • SHA1

    10cc07c9d057baff07aa81e5f6c3833f8c763f8d

  • SHA256

    c51857627b43582a7f2995c27356717b474854716ddffabcc4ec03b0085bcc07

  • SHA512

    e6f39b4e3d934eae2a47e2ee382c7560e3c8852e95d2ce72ee1a6eb31e92b8e102a922638077b16f31ebdb9da92e932649f43d755627b0c5a1c45bff360b5382

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
    adwarespyware
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c51857627b43582a7f2995c27356717b474854716ddffabcc4ec03b0085bcc07.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1892
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 27D08120AADCBB46D01751344EC927F3
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C start /MAX https://adobe.ly/2RY5GJR
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://adobe.ly/2RY5GJR
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:568
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:568 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:276
      • C:\Users\Admin\AppData\Local\Temp\lcD246.tmp
        "C:\Users\Admin\AppData\Local\Temp\lcD246.tmp"
        3⤵
        • Executes dropped EXE
        PID:1416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    60KB

    MD5

    b9f21d8db36e88831e5352bb82c438b3

    SHA1

    4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

    SHA256

    998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

    SHA512

    d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    e71abcb9c8add91ee5af5adf70ece2d4

    SHA1

    b9da3f3f1cf1019f3b9e4cf992b0a8d4e71cf069

    SHA256

    0c56582f033a1ef7bdd34b003b7c95c7b1d7edccb6c13c9198921f38aa30116e

    SHA512

    180c95c34b25d4d5b2dc5537296b29903744ec44a5d887ddc2857e5025c64c3a0c749442d15b5eb97342ce487a4f85b463e7ac347b140778db44a1577cd1b98a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    6bb7abf6b8e128f080a0e21722f306ad

    SHA1

    6cc9a2efc3b1711ea334742b9c5480643ce6f348

    SHA256

    10923c19d1eda074f906e27eab6bf1eeb34907c9d2e6c0b9944738cb804c7a06

    SHA512

    546a5e97e474ec1a3c6a921f04ffa2bad9345f754aabc581f2a109c8df531818171aad093f63d286af72c53ad095babe59a780ef0c1d45f893097ab5431edf42

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\k007hrg\imagestore.dat
    Filesize

    13KB

    MD5

    65149ccf4162c18b17d350b3ad0eaa41

    SHA1

    082f865b2a6c7276fa3d8b520ff2c130655cee6d

    SHA256

    70950b840ffe392f7164a53fdb97fad02aa81e502e67759984a584101e23422b

    SHA512

    b71d6993ba5d4d634b9b339c27cff0debd6bb43fc8dc27645952fa537c32b8ffffab349ff5a0c97a9dff76c9d5f7cf2abff3c07d519f9f55554ef86f4a9cf70c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\k007hrg\imagestore.dat
    Filesize

    23KB

    MD5

    91f6c9f6969c18fd9a4ab5981b42a460

    SHA1

    03996c117727010780c7e91bbbc04c14f3e9c3ad

    SHA256

    a07fdef8750e3bfa4e7893acf9f302ff7d16ceae4af3432a368711ecff2ba8f9

    SHA512

    8349514c219bf0dc1f5c7f27cc7a65f529c6e399a8db678b6c6e83a0435e30b210f6dffded63e0cdeb4da9bb39010c188ae3133a11951e5b8e4411089d08e213

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\lcD246.tmp
    Filesize

    12KB

    MD5

    55ffee241709ae96cf64cb0b9a96f0d7

    SHA1

    b191810094dd2ee6b13c0d33458fafcd459681ae

    SHA256

    64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

    SHA512

    01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5WGLWXRJ.txt
    Filesize

    602B

    MD5

    55fe6ef3e9184e5a4625717785cb750e

    SHA1

    099606447f4cb26de427021fe811399fa412d08b

    SHA256

    ffaa890749847ac38869f8b566c1fd057ecfdf4f364a3825eb62f698e0b89b3b

    SHA512

    d6e5f0bb88e48942dafb093baec3af1a5e3bf26e2b86d939a7bd8a6ee752a26abac8c10d25d1ef13d3fa36cd75ce442a258806cf77bfe45e11dd17e4d29d8953

    Download Submit
  • C:\Windows\Installer\MSIB3E5.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSICA15.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSID221.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSID3A8.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Users\Admin\AppData\Local\Temp\lcD246.tmp
    Filesize

    12KB

    MD5

    55ffee241709ae96cf64cb0b9a96f0d7

    SHA1

    b191810094dd2ee6b13c0d33458fafcd459681ae

    SHA256

    64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

    SHA512

    01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

    Download Submit
  • \Windows\Installer\MSIB3E5.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSICA15.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSID221.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSID3A8.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • memory/1336-57-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1336-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1416-67-0x0000000000000000-mapping.dmp
    Download
  • memory/1892-54-0x000007FEFC5C1000-0x000007FEFC5C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2036-58-0x0000000000000000-mapping.dmp
    Download