Analysis

  • max time kernel
    41s
  • max time network
    107s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-06-2022 04:25

General

  • Target

    f1b24565d1c985eacda69cca690fdbf15a0b762132212910eee447aecc4c68b1.msi

  • Size

    384KB

  • MD5

    68aa83f9b1ccd1e4b0b4e3ea37e32eb4

  • SHA1

    d015d74ac082b9dfb2cc0594713b5b039a0de8b7

  • SHA256

    f1b24565d1c985eacda69cca690fdbf15a0b762132212910eee447aecc4c68b1

  • SHA512

    7dd329bf526ae0769baf36ae5980ffd2f39798589686d3beb99bfc7511da088eaedb50df3bf12b03d41e9d034abd39077d7e199287898dd5c5d8cccadb947067

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f1b24565d1c985eacda69cca690fdbf15a0b762132212910eee447aecc4c68b1.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1992
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1560
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:852
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D8" "00000000000003DC"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1472

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

    Filesize

    1KB

    MD5

    ecfa56f2372848216554e2ab96e551ad

    SHA1

    420458ea744625dc9876876559fc9ae8ef6a8aa8

    SHA256

    3d38c8014b138fb1d637014f787f385486ed917d30d2579e76f11e840da2a295

    SHA512

    48d8011b5006a59fa1bff987f591ac9cca90febea0bad3c6a6983ec5c0aa46bc784c005d6708d1be2a51f82d7eece76c60827f17dcc8c117a8132b6f82568882

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

    Filesize

    1KB

    MD5

    76f4b269e731be55be4da0f74e2239a2

    SHA1

    47a35f725d2da2b77883361cf3a7eb014948a1e9

    SHA256

    613678d14d87ef4350dc6539c6ee0de7d8d30abf0aa12fc202fc511d122cfac7

    SHA512

    39b505347c66358c15cbda350558ae621f0b6334f0b73195f7ab26674f0ceed796f1b8a6dac33eb298de32ebfe408941663c72b6cacdb7f7a753a97f96858f04

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

    Filesize

    264B

    MD5

    49b289439d738c68c8b711cc83724e24

    SHA1

    e13de9ec14de11bf31630036e1da82ca4d529577

    SHA256

    5f995a6f7e92cd5016e97c62d5574d2526a86a77963c2754e63c9781593d77b5

    SHA512

    c915ce6bbd214c61fe77a76c3872d54b19cd9a052950e362d2c474f27fa1c69e3b6cd0971694c23805139e164e5e9dc28adef0db090d4ff16742241ac28435b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    459989f05a92e3b2f9981f400e14a74f

    SHA1

    0f90146e936c69c5e78cb81d32b52079a39ba1fb

    SHA256

    c83cfafaaada751ae65ac3c88dfe8fa3280890f89ec2cb2265f8494835f17850

    SHA512

    cec4e1ffb83ee2ca23cc725d6053ac393d2f7b142eaefc2f69ab173ecce1a508ad9a9593b9773a4309009ad49bee04b8b5ea0d9e49fc4e1946975fe7d1f03c13

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

    Filesize

    252B

    MD5

    dfa2679b04a0227c3eac646c411e0715

    SHA1

    a6277471ebabdb59b0317c9bd97ac519a2c0fadc

    SHA256

    e4d1930b3ff9bb7392e783b6e04b1b39e7c4b9b991f3fbfd6d6271b0583eea9a

    SHA512

    358d3eb64e6c9f84031bce677853aead530152feb52b64f3469b84139c5043897050df67fc1f7a6c41dbc9895abcb822c573286439498ae26edeeb45b34a5b68

  • memory/1992-54-0x000007FEFC331000-0x000007FEFC333000-memory.dmp

    Filesize

    8KB