Analysis
-
max time kernel
151s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20220715-es -
resource tags
-
submitted
19-07-2022 15:43
General
-
Target
ffc153b44cf9232a5256efdc907d658af451c08bd5b60657eb4dfad464639a8b.exe
-
Size
11.0MB
-
MD5
88dfe0c8151c63d9ed0af236d4d64945
-
SHA1
36fd988674e2148cb6f9de9fd23ebefb935de164
-
SHA256
ffc153b44cf9232a5256efdc907d658af451c08bd5b60657eb4dfad464639a8b
-
SHA512
60c065504e3f34b3d8424749bdd9f964bc3dc7cb46ba8a60cd898092459b4f5163ebcb71b5c621a2feb2fb0db43ef824bbe92e8f1558b864240a33ae01ecf9c0
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 10 IoCs
-
Themida packer 9 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Windows directory 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ffc153b44cf9232a5256efdc907d658af451c08bd5b60657eb4dfad464639a8b.exe"C:\Users\Admin\AppData\Local\Temp\ffc153b44cf9232a5256efdc907d658af451c08bd5b60657eb4dfad464639a8b.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Your Company\add-in 3.1.0\install\D46D527\add-in.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ffc153b44cf9232a5256efdc907d658af451c08bd5b60657eb4dfad464639a8b.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1658245741 " AI_EUIMSI=""2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 22ADB2F4B65EB229CEFD851785122EF1 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 340EDB74DF49A542DC579FA7DD4753562⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Your Company\add-in\FileNew.exe"C:\Users\Admin\AppData\Roaming\Your Company\add-in\FileNew.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MSI67D8.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
C:\Users\Admin\AppData\Roaming\Your Company\add-in 3.1.0\install\D46D527\FileNew.exeFilesize
557KB
MD5e33bcdd61d70a1961df2c6d7f0c18351
SHA1958ff5402b7e05be694b00bb760f124b79fe0c7d
SHA256b1aad17f65fbdb5fb75e13a00bd3b1db6e5168f8e4419e57b13fb34dc48c4ba4
SHA512d4bb02140173417986d559b7ab96b3388478a4494ce652ac01e6a84297f86d772408aa6591ace45e75cce589298ee3a9a7864624a25a0cbd7d1ced197bd4946b
-
C:\Users\Admin\AppData\Roaming\Your Company\add-in 3.1.0\install\D46D527\add-in.msiFilesize
1.1MB
MD59ca56b1b068e1146de0b3b6914163807
SHA10f8d5c711e792414b3e788be0afc00a8d6025ca0
SHA256d6fcfd7768dc960113e63a2a1f226b92859269570e93f9691819c3c8aec1d67e
SHA512c5b5fc6b10fcb6c6f1b9fa977dd34fbd0d3210e6f69c7107ca9c645aa94947657457d8e9afb4997112676af119fa6083381c5a4009faff511809f2cd3646f69d
-
C:\Users\Admin\AppData\Roaming\Your Company\add-in 3.1.0\install\D46D527\aspack.dllFilesize
8.1MB
MD56f7ba66990c3036f8cdc3880821c4ae3
SHA1ab63d5741c652ec6cd5f58c9e76ddb3d00e5ee2b
SHA256a74205c03943d53d6268f206754735e76be7615c5e7745b67c9118b8e3361883
SHA512919a2b6478507ab0aaf53f31cb5e91d20ea411c508d01d35e53b1e43cb54e63cd8a180688d825f8ca9d8961be4a0dea030c9664040ccb0868288e3db3231b6a4
-
C:\Users\Admin\AppData\Roaming\Your Company\add-in\FileNew.exeFilesize
557KB
MD5e33bcdd61d70a1961df2c6d7f0c18351
SHA1958ff5402b7e05be694b00bb760f124b79fe0c7d
SHA256b1aad17f65fbdb5fb75e13a00bd3b1db6e5168f8e4419e57b13fb34dc48c4ba4
SHA512d4bb02140173417986d559b7ab96b3388478a4494ce652ac01e6a84297f86d772408aa6591ace45e75cce589298ee3a9a7864624a25a0cbd7d1ced197bd4946b
-
C:\Users\Admin\AppData\Roaming\Your Company\add-in\FileNew.exeFilesize
557KB
MD5e33bcdd61d70a1961df2c6d7f0c18351
SHA1958ff5402b7e05be694b00bb760f124b79fe0c7d
SHA256b1aad17f65fbdb5fb75e13a00bd3b1db6e5168f8e4419e57b13fb34dc48c4ba4
SHA512d4bb02140173417986d559b7ab96b3388478a4494ce652ac01e6a84297f86d772408aa6591ace45e75cce589298ee3a9a7864624a25a0cbd7d1ced197bd4946b
-
C:\Users\Admin\AppData\Roaming\Your Company\add-in\aspack.dllFilesize
8.1MB
MD56f7ba66990c3036f8cdc3880821c4ae3
SHA1ab63d5741c652ec6cd5f58c9e76ddb3d00e5ee2b
SHA256a74205c03943d53d6268f206754735e76be7615c5e7745b67c9118b8e3361883
SHA512919a2b6478507ab0aaf53f31cb5e91d20ea411c508d01d35e53b1e43cb54e63cd8a180688d825f8ca9d8961be4a0dea030c9664040ccb0868288e3db3231b6a4
-
C:\Windows\Installer\MSI7C90.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
C:\Windows\Installer\MSI7D4C.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
C:\Windows\Installer\MSI7DAB.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
C:\Windows\Installer\MSI8903.tmpFilesize
537KB
MD5d7ec04b009302b83da506b9c63ca775c
SHA16fa9ea09b71531754b4cd05814a91032229834c0
SHA25600c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
SHA512171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
-
C:\Windows\Installer\MSI8A3D.tmpFilesize
537KB
MD5d7ec04b009302b83da506b9c63ca775c
SHA16fa9ea09b71531754b4cd05814a91032229834c0
SHA25600c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
SHA512171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
-
\Users\Admin\AppData\Local\Temp\MSI67D8.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\Users\Admin\AppData\Roaming\Your Company\add-in 3.1.0\install\decoder.dllFilesize
182KB
MD552415e1c96d5578c1a6114214426d5c1
SHA182f1c6f5edd920b002f4f75ae94ddb9b179fd5a9
SHA256de54cf4cdede3f772967e2e9613d2584fc5143f30d3dd97e8791fc3f89b0d34f
SHA512d5e7b037c7b52cddbe8148386dce085d5b372668f08154c66d4b8c3cb4200dc753d930590c50d676d34b6de2ca0d05e7b1aa7f528d087b00fa754a877af708a6
-
\Users\Admin\AppData\Roaming\Your Company\add-in 3.1.0\install\decoder.dllFilesize
182KB
MD552415e1c96d5578c1a6114214426d5c1
SHA182f1c6f5edd920b002f4f75ae94ddb9b179fd5a9
SHA256de54cf4cdede3f772967e2e9613d2584fc5143f30d3dd97e8791fc3f89b0d34f
SHA512d5e7b037c7b52cddbe8148386dce085d5b372668f08154c66d4b8c3cb4200dc753d930590c50d676d34b6de2ca0d05e7b1aa7f528d087b00fa754a877af708a6
-
\Users\Admin\AppData\Roaming\Your Company\add-in 3.1.0\install\decoder.dllFilesize
182KB
MD552415e1c96d5578c1a6114214426d5c1
SHA182f1c6f5edd920b002f4f75ae94ddb9b179fd5a9
SHA256de54cf4cdede3f772967e2e9613d2584fc5143f30d3dd97e8791fc3f89b0d34f
SHA512d5e7b037c7b52cddbe8148386dce085d5b372668f08154c66d4b8c3cb4200dc753d930590c50d676d34b6de2ca0d05e7b1aa7f528d087b00fa754a877af708a6
-
\Users\Admin\AppData\Roaming\Your Company\add-in\aspack.dllFilesize
8.1MB
MD56f7ba66990c3036f8cdc3880821c4ae3
SHA1ab63d5741c652ec6cd5f58c9e76ddb3d00e5ee2b
SHA256a74205c03943d53d6268f206754735e76be7615c5e7745b67c9118b8e3361883
SHA512919a2b6478507ab0aaf53f31cb5e91d20ea411c508d01d35e53b1e43cb54e63cd8a180688d825f8ca9d8961be4a0dea030c9664040ccb0868288e3db3231b6a4
-
\Windows\Installer\MSI7C90.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\Windows\Installer\MSI7D4C.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\Windows\Installer\MSI7DAB.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\Windows\Installer\MSI8903.tmpFilesize
537KB
MD5d7ec04b009302b83da506b9c63ca775c
SHA16fa9ea09b71531754b4cd05814a91032229834c0
SHA25600c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
SHA512171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
-
\Windows\Installer\MSI8A3D.tmpFilesize
537KB
MD5d7ec04b009302b83da506b9c63ca775c
SHA16fa9ea09b71531754b4cd05814a91032229834c0
SHA25600c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
SHA512171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
-
memory/856-63-0x0000000000000000-mapping.dmp
-
memory/1172-59-0x0000000000000000-mapping.dmp
-
memory/1292-54-0x0000000075691000-0x0000000075693000-memory.dmpFilesize
8KB
-
memory/1292-55-0x0000000073A61000-0x0000000073A63000-memory.dmpFilesize
8KB
-
memory/1520-81-0x0000000000000000-mapping.dmp
-
memory/1520-87-0x0000000000790000-0x00000000032D6000-memory.dmpFilesize
43.3MB
-
memory/1520-88-0x0000000076FD0000-0x0000000077150000-memory.dmpFilesize
1.5MB
-
memory/1520-89-0x0000000000790000-0x00000000032D6000-memory.dmpFilesize
43.3MB
-
memory/1520-90-0x0000000000790000-0x00000000032D6000-memory.dmpFilesize
43.3MB
-
memory/1520-91-0x0000000000790000-0x00000000032D6000-memory.dmpFilesize
43.3MB
-
memory/1520-92-0x0000000000790000-0x00000000032D6000-memory.dmpFilesize
43.3MB
-
memory/1520-93-0x0000000000790000-0x00000000032D6000-memory.dmpFilesize
43.3MB
-
memory/1728-58-0x000007FEFB671000-0x000007FEFB673000-memory.dmpFilesize
8KB
-
memory/1968-66-0x0000000000000000-mapping.dmp