Analysis

  • max time kernel
    43s
  • max time network
    96s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-09-2022 23:15

General

  • Target

    ddf798fa09f7c72f9fec4478841990d7.msi

  • Size

    92KB

  • MD5

    ddf798fa09f7c72f9fec4478841990d7

  • SHA1

    42b8bc580bd77c330432fb7cf6d9b8c8212961bd

  • SHA256

    b2b07b32c681a44c647814d09eeac5d691ae67ebf1862bd23c639fce7027685a

  • SHA512

    fa39bd42f000e8dffb4638a65cb08ab0f4393a7ed8ef718efa7f3652c00cd1aa31c6f3fb5365674700a08eb066d3e514e7f8131fce0bccd9b5897ea96c9b2425

  • SSDEEP

    768:8lUJ5BxTORGx4/dpZ6G+jzI/RyGwaW27N5MSdm4cyWMDC/yWMDCmYinj:hxTcdpZ6G//RzwaN1d00DU0D37n

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ddf798fa09f7c72f9fec4478841990d7.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:560
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 22ADA5BF294DDB9685F512A1A4A8CE5C
      2⤵
      • Loads dropped DLL
      PID:1392
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:628
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E4" "0000000000000498"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1328

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    60KB

    MD5

    6c6a24456559f305308cb1fb6c5486b3

    SHA1

    3273ac27d78572f16c3316732b9756ebc22cb6ed

    SHA256

    efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

    SHA512

    587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

    Filesize

    1KB

    MD5

    78f2fcaa601f2fb4ebc937ba532e7549

    SHA1

    ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

    SHA256

    552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988

    SHA512

    bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    deb6245787aa02fa63e8be5f9ec8fa8e

    SHA1

    181a6dd89a833ca6331b3ea298e8cc78d4e5f9b7

    SHA256

    c73e73c25f0aedd2ed42a00746a29f838d50e6fba82b6a55df36f1e73b541795

    SHA512

    74d087c5032c20a13616a587d15e265e0572cad32c9c15597fa01eef1b1a4c923c0b0c034d523e008ff594a94d61d02f9981894d62ab84d107a4c55654bd3e55

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

    Filesize

    254B

    MD5

    66610947fe37b694926a930a82bfd265

    SHA1

    c38ca8fa7273a50ea62c3c4260e9552ad5de376c

    SHA256

    77aea8acd21971eecea7759a04fc47fc53da47d4508a3ac9a8901defbe34037b

    SHA512

    50d25bb84faaff5b757ca069be0dbd51ad72aa580e9257bff2f7b37face6dd17bd46df977e8293d2ddc41878a14d1da11d0d62ec96a1f2f03e9627988001ed10

  • C:\Windows\Installer\MSI73E5.tmp

    Filesize

    50KB

    MD5

    19fa3be964d43ee5eaddb1198cb34cfa

    SHA1

    08214c36b827979ff393daf669709e516b305e49

    SHA256

    d7d84566e143a0fc4b838db72a58a909966c190a7c3c6eb16d50ca89ab11b373

    SHA512

    7c0b1200027e6b9ede998c0bb321ceb5427c4e6325edb79323f078653accf21be189643aaaeb472d24d5b814b9613e54bffabbba728c8f86e35bdfaad9814738

  • \Windows\Installer\MSI73E5.tmp

    Filesize

    50KB

    MD5

    19fa3be964d43ee5eaddb1198cb34cfa

    SHA1

    08214c36b827979ff393daf669709e516b305e49

    SHA256

    d7d84566e143a0fc4b838db72a58a909966c190a7c3c6eb16d50ca89ab11b373

    SHA512

    7c0b1200027e6b9ede998c0bb321ceb5427c4e6325edb79323f078653accf21be189643aaaeb472d24d5b814b9613e54bffabbba728c8f86e35bdfaad9814738

  • memory/560-54-0x000007FEFBB81000-0x000007FEFBB83000-memory.dmp

    Filesize

    8KB