Overview

overview

10

Static

static

42c0b7865a...7f.msi

windows7_x64

8

42c0b7865a...7f.msi

windows10-2004_x64

10

Analysis

  • max time kernel
    61s
  • max time network
    104s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    04-07-2022 08:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f.msi

  • Size

    3.0MB

  • MD5

    83d7f0fe8d269f04c7665c0b6cbb8ada

  • SHA1

    902921743f59ff19eeb395d2618ef5addeac62fd

  • SHA256

    42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f

  • SHA512

    c51cc2f1779bc9fd659cda5524464098fa19dd86910d7a23b4353d944e5dbe56ba43314ecb9b6352b9614e7f43f76d7b61fe60bf5a5c4889ac264dd8a7f845eb

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 21 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1984
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B7D0B2F327F81C5E9F914D574703585C
      2⤵
      • Loads dropped DLL
      PID:1712
    • C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\aipackagechainer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\aipackagechainer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\\2.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\\2.exe"
        3⤵
        • Executes dropped EXE
        PID:300
        • C:\windows\temp\word.exe
          "C:\windows\temp\word.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1472
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 1472 -s 544
            5⤵
            • Program crash
            PID:1996
        • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
          "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\windows\temp\补充材料.docx"
          4⤵
          • Modifies data under HKEY_USERS
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:548
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_8C97.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Microsoft\' -retry_count 10"
        3⤵
        • Blocklisted process makes network request
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1592
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1908
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1624
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1344
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004EC" "0000000000000598"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AI_8C97.ps1
    Filesize

    13KB

    MD5

    bc738a907de8fd82f60b3076399d2919

    SHA1

    b1ba780669af90d283ee41b46fd3a9c0be63289e

    SHA256

    b2d5923658a04edcff416e46d17c64badd95d02df97601e141ade64474c9e3f0

    SHA512

    70a66f14b056aa2c92df10f5875e835642ced758512c54a85739ddf208362f080644d72d50129ba0adcb941c02a0398c90f1a6ad1762a8070c3f872a84679d9b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    e1d61ecc97a4feba458f9f4513f7099e

    SHA1

    be4cd4d92a64ced37b6cdd2e0e0e3375f77272b3

    SHA256

    edbdf6e6877c2b743b4dcdbc2305ddf24c308fb4037e76132c40023da000e881

    SHA512

    e6c82c32af3c25aba56662963a1506ba9454825e26b47731d8c2a1bd29cefa4ac9d37cd4b6a7784ed9ac5715870292a49b64ac6be9e721a9d22214f107b46433

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    e1d61ecc97a4feba458f9f4513f7099e

    SHA1

    be4cd4d92a64ced37b6cdd2e0e0e3375f77272b3

    SHA256

    edbdf6e6877c2b743b4dcdbc2305ddf24c308fb4037e76132c40023da000e881

    SHA512

    e6c82c32af3c25aba56662963a1506ba9454825e26b47731d8c2a1bd29cefa4ac9d37cd4b6a7784ed9ac5715870292a49b64ac6be9e721a9d22214f107b46433

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    e1d61ecc97a4feba458f9f4513f7099e

    SHA1

    be4cd4d92a64ced37b6cdd2e0e0e3375f77272b3

    SHA256

    edbdf6e6877c2b743b4dcdbc2305ddf24c308fb4037e76132c40023da000e881

    SHA512

    e6c82c32af3c25aba56662963a1506ba9454825e26b47731d8c2a1bd29cefa4ac9d37cd4b6a7784ed9ac5715870292a49b64ac6be9e721a9d22214f107b46433

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\aipackagechainer.exe
    Filesize

    748KB

    MD5

    cf23d98b7e5d4f005b90c14e99ef146a

    SHA1

    a89c40cc44930374ac4510f4978990f987975e7d

    SHA256

    6306724878799a05095288abdafb4d8e2a741f66f33ccebf5d834fbb08da7d8f

    SHA512

    176ba66df9f050cc932b6367c47e1c9ccfec3e2813234545cdc55eed13ddb72034d2d6984a9cd2fef9ed13ffdd5b698b275ad7c940ba74cf62c1fa2c4a3de579

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\aipackagechainer.exe
    Filesize

    748KB

    MD5

    cf23d98b7e5d4f005b90c14e99ef146a

    SHA1

    a89c40cc44930374ac4510f4978990f987975e7d

    SHA256

    6306724878799a05095288abdafb4d8e2a741f66f33ccebf5d834fbb08da7d8f

    SHA512

    176ba66df9f050cc932b6367c47e1c9ccfec3e2813234545cdc55eed13ddb72034d2d6984a9cd2fef9ed13ffdd5b698b275ad7c940ba74cf62c1fa2c4a3de579

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\aipackagechainer.ini
    Filesize

    1KB

    MD5

    aa344a2c80996664a3487d188bb8db38

    SHA1

    df818590e6b6c6f00a8636630e3382932e283059

    SHA256

    671eb170889772d3db273ac5e69a0c0a3bc842721c583d164afb7f1e34033c82

    SHA512

    46e39a5a55789b7f05f7107d1fef1b5271bfc61741c7d3018e8661b6d2f9bb604c1081a130c557b01c005ae6bbd3836d7cf25e0fb79a7d7de54222dcb56edca5

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\file_deleter.ps1
    Filesize

    13KB

    MD5

    bc738a907de8fd82f60b3076399d2919

    SHA1

    b1ba780669af90d283ee41b46fd3a9c0be63289e

    SHA256

    b2d5923658a04edcff416e46d17c64badd95d02df97601e141ade64474c9e3f0

    SHA512

    70a66f14b056aa2c92df10f5875e835642ced758512c54a85739ddf208362f080644d72d50129ba0adcb941c02a0398c90f1a6ad1762a8070c3f872a84679d9b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\\2.exe
    Filesize

    681KB

    MD5

    0340cd41dc46e57d7a496c55e735f8b3

    SHA1

    78ef3380bb7307d5b2020a35c5a845160b9405e3

    SHA256

    bf4d9742ea09c84b3057aac8c456efd3b069a5d181f70ccd6e7524278c281596

    SHA512

    7ee2732940b0626d0d45f364e35ed7207b09b9ba979468dfce281293d3817fac50379e43f1fa43affb7a7e22413b08352a024d19f089d3213af662ab4b103066

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\\2.exe
    Filesize

    681KB

    MD5

    0340cd41dc46e57d7a496c55e735f8b3

    SHA1

    78ef3380bb7307d5b2020a35c5a845160b9405e3

    SHA256

    bf4d9742ea09c84b3057aac8c456efd3b069a5d181f70ccd6e7524278c281596

    SHA512

    7ee2732940b0626d0d45f364e35ed7207b09b9ba979468dfce281293d3817fac50379e43f1fa43affb7a7e22413b08352a024d19f089d3213af662ab4b103066

    Download Submit
  • C:\Windows\Installer\MSI74D3.tmp
    Filesize

    549KB

    MD5

    822ec3c1b42ffdf6db9a15936f4512cf

    SHA1

    6ea07cae9eea92dd58bb6a81d3795033825e7045

    SHA256

    94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597

    SHA512

    0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

    Download Submit
  • C:\Windows\Installer\MSI7715.tmp
    Filesize

    549KB

    MD5

    822ec3c1b42ffdf6db9a15936f4512cf

    SHA1

    6ea07cae9eea92dd58bb6a81d3795033825e7045

    SHA256

    94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597

    SHA512

    0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

    Download Submit
  • C:\Windows\Installer\MSI7AED.tmp
    Filesize

    549KB

    MD5

    822ec3c1b42ffdf6db9a15936f4512cf

    SHA1

    6ea07cae9eea92dd58bb6a81d3795033825e7045

    SHA256

    94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597

    SHA512

    0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

    Download Submit
  • C:\Windows\Installer\MSI7B9A.tmp
    Filesize

    631KB

    MD5

    825dfb5d9b0e8a8e6035741c984b60a8

    SHA1

    c6f9d30ec90eb4e814c45acacbe4822f1c8bf02a

    SHA256

    68d1fe2093524c1845f844e4ac9accb71b52aee735250225ecadd33a04f9e1aa

    SHA512

    4cdb95f81c29d4b26ce39fd781b4ef191a28f3961942dbfa345495db8b43b5d705b7310527cd4bd19ade5bb5c1d7d5f9fed6316d1e628e98e18ab938d729ff35

    Download Submit
  • C:\Windows\Installer\MSI834A.tmp
    Filesize

    631KB

    MD5

    825dfb5d9b0e8a8e6035741c984b60a8

    SHA1

    c6f9d30ec90eb4e814c45acacbe4822f1c8bf02a

    SHA256

    68d1fe2093524c1845f844e4ac9accb71b52aee735250225ecadd33a04f9e1aa

    SHA512

    4cdb95f81c29d4b26ce39fd781b4ef191a28f3961942dbfa345495db8b43b5d705b7310527cd4bd19ade5bb5c1d7d5f9fed6316d1e628e98e18ab938d729ff35

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\\prerequisites\\2.exe
    Filesize

    681KB

    MD5

    0340cd41dc46e57d7a496c55e735f8b3

    SHA1

    78ef3380bb7307d5b2020a35c5a845160b9405e3

    SHA256

    bf4d9742ea09c84b3057aac8c456efd3b069a5d181f70ccd6e7524278c281596

    SHA512

    7ee2732940b0626d0d45f364e35ed7207b09b9ba979468dfce281293d3817fac50379e43f1fa43affb7a7e22413b08352a024d19f089d3213af662ab4b103066

    Download Submit
  • \Windows\Installer\MSI74D3.tmp
    Filesize

    549KB

    MD5

    822ec3c1b42ffdf6db9a15936f4512cf

    SHA1

    6ea07cae9eea92dd58bb6a81d3795033825e7045

    SHA256

    94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597

    SHA512

    0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

    Download Submit
  • \Windows\Installer\MSI7715.tmp
    Filesize

    549KB

    MD5

    822ec3c1b42ffdf6db9a15936f4512cf

    SHA1

    6ea07cae9eea92dd58bb6a81d3795033825e7045

    SHA256

    94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597

    SHA512

    0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

    Download Submit
  • \Windows\Installer\MSI7AED.tmp
    Filesize

    549KB

    MD5

    822ec3c1b42ffdf6db9a15936f4512cf

    SHA1

    6ea07cae9eea92dd58bb6a81d3795033825e7045

    SHA256

    94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597

    SHA512

    0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

    Download Submit
  • \Windows\Installer\MSI7B9A.tmp
    Filesize

    631KB

    MD5

    825dfb5d9b0e8a8e6035741c984b60a8

    SHA1

    c6f9d30ec90eb4e814c45acacbe4822f1c8bf02a

    SHA256

    68d1fe2093524c1845f844e4ac9accb71b52aee735250225ecadd33a04f9e1aa

    SHA512

    4cdb95f81c29d4b26ce39fd781b4ef191a28f3961942dbfa345495db8b43b5d705b7310527cd4bd19ade5bb5c1d7d5f9fed6316d1e628e98e18ab938d729ff35

    Download Submit
  • \Windows\Installer\MSI834A.tmp
    Filesize

    631KB

    MD5

    825dfb5d9b0e8a8e6035741c984b60a8

    SHA1

    c6f9d30ec90eb4e814c45acacbe4822f1c8bf02a

    SHA256

    68d1fe2093524c1845f844e4ac9accb71b52aee735250225ecadd33a04f9e1aa

    SHA512

    4cdb95f81c29d4b26ce39fd781b4ef191a28f3961942dbfa345495db8b43b5d705b7310527cd4bd19ade5bb5c1d7d5f9fed6316d1e628e98e18ab938d729ff35

    Download Submit
  • memory/300-76-0x0000000000000000-mapping.dmp
    Download
  • memory/548-89-0x00000000716ED000-0x00000000716F8000-memory.dmp
    Filesize

    44KB

    Download
  • memory/548-82-0x0000000072C81000-0x0000000072C84000-memory.dmp
    Filesize

    12KB

    Download
  • memory/548-84-0x0000000070701000-0x0000000070703000-memory.dmp
    Filesize

    8KB

    Download
  • memory/548-85-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1160-104-0x0000000070150000-0x00000000706FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1160-105-0x0000000070150000-0x00000000706FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1160-81-0x0000000000000000-mapping.dmp
    Download
  • memory/1160-86-0x0000000070150000-0x00000000706FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1160-87-0x0000000070150000-0x00000000706FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1472-78-0x0000000000F70000-0x00000000011BE000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/1592-94-0x0000000070150000-0x00000000706FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1592-90-0x0000000000000000-mapping.dmp
    Download
  • memory/1592-102-0x0000000070150000-0x00000000706FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1624-101-0x0000000070150000-0x00000000706FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1624-97-0x0000000000000000-mapping.dmp
    Download
  • memory/1624-106-0x0000000070150000-0x00000000706FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1712-57-0x0000000075DB1000-0x0000000075DB3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1712-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1908-93-0x0000000000000000-mapping.dmp
    Download
  • memory/1908-100-0x0000000070150000-0x00000000706FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1908-103-0x0000000070150000-0x00000000706FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1924-73-0x00000000752B1000-0x00000000752B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1924-69-0x0000000000000000-mapping.dmp
    Download
  • memory/1984-54-0x000007FEFC331000-0x000007FEFC333000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1996-79-0x0000000000000000-mapping.dmp
    Download