60e03e1dfc1606c12dd7a590306a0c2766f36f0e9d75fc0d441e4ccb31bf0f66

Analysis

max time kernel
83s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
15/09/2022, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.rar
Size

3.2MB
MD5

b53dbf0106a7eae3a7b073b254162c16
SHA1

6ca3fa39a0c07c0e26ff5339adb7496b310452a9
SHA256

60e03e1dfc1606c12dd7a590306a0c2766f36f0e9d75fc0d441e4ccb31bf0f66
SHA512

7ed532840789c0294c34b8a8596b619d4cfab7201e66311f07530a9d81cf8e68a9a0b9715ee7fc8ce7f52978a080f2ca6ce6437f92b773c6e514282d4a7979ab
SSDEEP

98304:2jrxn7HBzkcomean6DKOGAt6Ni4iIOundiQE:qdnjBzDb0L76NEIO3QE

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
1172	MsiExec.exe
1172	MsiExec.exe
1172	MsiExec.exe
1172	MsiExec.exe
2012	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI5D34.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6d4473.ipi	msiexec.exe
File created	C:\Windows\Installer\6d4471.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4700.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A2C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A7B.tmp	msiexec.exe
File created	C:\Windows\Installer\6d4473.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\6d4471.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4CEC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI516F.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
932	msiexec.exe
932	msiexec.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: 33	1084	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1084	AUDIODG.EXE
Token: 33	1084	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1084	AUDIODG.EXE
Token: SeRestorePrivilege	1492	7zG.exe
Token: 35	1492	7zG.exe
Token: SeSecurityPrivilege	1492	7zG.exe
Token: SeSecurityPrivilege	1492	7zG.exe
Token: SeShutdownPrivilege	1668	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	932	msiexec.exe
Token: SeTakeOwnershipPrivilege	932	msiexec.exe
Token: SeSecurityPrivilege	932	msiexec.exe
Token: SeCreateTokenPrivilege	1668	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1668	msiexec.exe
Token: SeLockMemoryPrivilege	1668	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1668	msiexec.exe
Token: SeMachineAccountPrivilege	1668	msiexec.exe
Token: SeTcbPrivilege	1668	msiexec.exe
Token: SeSecurityPrivilege	1668	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	msiexec.exe
Token: SeLoadDriverPrivilege	1668	msiexec.exe
Token: SeSystemProfilePrivilege	1668	msiexec.exe
Token: SeSystemtimePrivilege	1668	msiexec.exe
Token: SeProfSingleProcessPrivilege	1668	msiexec.exe
Token: SeIncBasePriorityPrivilege	1668	msiexec.exe
Token: SeCreatePagefilePrivilege	1668	msiexec.exe
Token: SeCreatePermanentPrivilege	1668	msiexec.exe
Token: SeBackupPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	1668	msiexec.exe
Token: SeShutdownPrivilege	1668	msiexec.exe
Token: SeDebugPrivilege	1668	msiexec.exe
Token: SeAuditPrivilege	1668	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1668	msiexec.exe
Token: SeChangeNotifyPrivilege	1668	msiexec.exe
Token: SeRemoteShutdownPrivilege	1668	msiexec.exe
Token: SeUndockPrivilege	1668	msiexec.exe
Token: SeSyncAgentPrivilege	1668	msiexec.exe
Token: SeEnableDelegationPrivilege	1668	msiexec.exe
Token: SeManageVolumePrivilege	1668	msiexec.exe
Token: SeImpersonatePrivilege	1668	msiexec.exe
Token: SeCreateGlobalPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	932	msiexec.exe
Token: SeTakeOwnershipPrivilege	932	msiexec.exe
Token: SeRestorePrivilege	932	msiexec.exe
Token: SeTakeOwnershipPrivilege	932	msiexec.exe
Token: SeRestorePrivilege	932	msiexec.exe
Token: SeTakeOwnershipPrivilege	932	msiexec.exe
Token: SeRestorePrivilege	932	msiexec.exe
Token: SeTakeOwnershipPrivilege	932	msiexec.exe
Token: SeRestorePrivilege	932	msiexec.exe
Token: SeTakeOwnershipPrivilege	932	msiexec.exe
Token: SeRestorePrivilege	932	msiexec.exe
Token: SeTakeOwnershipPrivilege	932	msiexec.exe
Token: SeRestorePrivilege	932	msiexec.exe
Token: SeTakeOwnershipPrivilege	932	msiexec.exe
Token: SeRestorePrivilege	932	msiexec.exe
Token: SeTakeOwnershipPrivilege	932	msiexec.exe
Token: SeRestorePrivilege	932	msiexec.exe
Token: SeTakeOwnershipPrivilege	932	msiexec.exe
Token: SeRestorePrivilege	932	msiexec.exe
Token: SeTakeOwnershipPrivilege	932	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1492	7zG.exe
1668	msiexec.exe
1668	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 948	1712	cmd.exe	27
PID 1712 wrote to memory of 948	1712	cmd.exe	27
PID 1712 wrote to memory of 948	1712	cmd.exe	27
PID 932 wrote to memory of 1172	932	msiexec.exe	37
PID 932 wrote to memory of 1172	932	msiexec.exe	37
PID 932 wrote to memory of 1172	932	msiexec.exe	37
PID 932 wrote to memory of 1172	932	msiexec.exe	37
PID 932 wrote to memory of 1172	932	msiexec.exe	37
PID 932 wrote to memory of 1172	932	msiexec.exe	37
PID 932 wrote to memory of 1172	932	msiexec.exe	37
PID 932 wrote to memory of 2012	932	msiexec.exe	39
PID 932 wrote to memory of 2012	932	msiexec.exe	39
PID 932 wrote to memory of 2012	932	msiexec.exe	39
PID 932 wrote to memory of 2012	932	msiexec.exe	39
PID 932 wrote to memory of 2012	932	msiexec.exe	39

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\1.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\1.rar
  2⤵
  - Modifies registry class
  PID:948

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1872

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1d4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap6946:82:7zEvent24201
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1492

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\182d30fb29b6bff76dd557e55246b8ef.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1668

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 29C489DCD7C0A05F20158EA58171220E
  2⤵
  - Loads dropped DLL
  PID:1172
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 86DB1752B78199DC5CCE34BA5EB12704
  2⤵
  - Loads dropped DLL
  PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\182d30fb29b6bff76dd557e55246b8ef.msi

Filesize
108.4MB

MD5
182d30fb29b6bff76dd557e55246b8ef

SHA1
7bb2e25286c3b41d6f7c20d60cda076ad87cea77

SHA256
f2d5f80d595128a9c80fd661673655a01912c4eaca381d9e4e484fcbe6af6554

SHA512
1f8122e6efadee856a507109731e60b00a4cae3403bac55dffdd676e5a7a81fd08c8532cd04b250fd6a9509099c358635cc99ba25e8b4348c1409a5a83f71e21

Download Submit
C:\Windows\Installer\MSI4700.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
C:\Windows\Installer\MSI4A2C.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
C:\Windows\Installer\MSI4A7B.tmp

Filesize
860KB

MD5
71b541254864bd52f85e932e2040cbe8

SHA1
713766e1818f8d7ca814c86109c9cdd5d57914ef

SHA256
b29ab4744ff6c8c9c440e878abf6f76255c538e71564e6a6279513b543be0538

SHA512
4d2e0a30fd6729eb40fad358795db152327b0441da574052a371762f33c9f9e7b9a77c4a4762207bcb401a2d3ef6438730c245916f4a81cd20f748857d5170d2

Download Submit
C:\Windows\Installer\MSI4CEC.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
C:\Windows\Installer\MSI5D34.tmp

Filesize
106.2MB

MD5
eeac072023b4dcdb28f7a9c48b46f88a

SHA1
c59d0edcc7e4caca877074978b5f0cabc7631500

SHA256
5e71693441b2efb7c09a64e130d683289023481134dc83a4a5b6c10135495182

SHA512
d21f3bae49d2ebe4d37456512fe24e16ae6fb1d979219e95eca61428176c4e7b94f5a41c767586907a957eb7ab0c2e008ea9b97e019b5460c46d2dc71d30f177

Download Submit
\Windows\Installer\MSI4700.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
\Windows\Installer\MSI4A2C.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
\Windows\Installer\MSI4A7B.tmp

Filesize
860KB

MD5
71b541254864bd52f85e932e2040cbe8

SHA1
713766e1818f8d7ca814c86109c9cdd5d57914ef

SHA256
b29ab4744ff6c8c9c440e878abf6f76255c538e71564e6a6279513b543be0538

SHA512
4d2e0a30fd6729eb40fad358795db152327b0441da574052a371762f33c9f9e7b9a77c4a4762207bcb401a2d3ef6438730c245916f4a81cd20f748857d5170d2

Download Submit
\Windows\Installer\MSI4CEC.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
\Windows\Installer\MSI5D34.tmp

Filesize
106.2MB

MD5
eeac072023b4dcdb28f7a9c48b46f88a

SHA1
c59d0edcc7e4caca877074978b5f0cabc7631500

SHA256
5e71693441b2efb7c09a64e130d683289023481134dc83a4a5b6c10135495182

SHA512
d21f3bae49d2ebe4d37456512fe24e16ae6fb1d979219e95eca61428176c4e7b94f5a41c767586907a957eb7ab0c2e008ea9b97e019b5460c46d2dc71d30f177

Download Submit
memory/1172-87-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1712-54-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

Filesize
8KB

Download