Overview

overview

8

Static

static

URLScan

urlscan

1

http://static.corest...

windows10-2004-x64

8

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-10-2022 17:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://static.corestrengths.com/core-cloud/csp/4.8.3/en-US/CSP-en-US-Windows-latest.msi

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Unknown use of msiexec with remote resource 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I http://static.corestrengths.com/core-cloud/csp/4.8.3/en-US/CSP-en-US-Windows-latest.msi
    1⤵
    • Blocklisted process makes network request
    • Unknown use of msiexec with remote resource
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1016
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:2340
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 36727D5DD232D4616D4B0C0FE2A0A428
        2⤵
        • Loads dropped DLL
        PID:4984
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:3584

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Installer\MSI7256.tmp
      Filesize

      948.2MB

      MD5

      8726e88275ee134b989e08bb24c20bb8

      SHA1

      de97c661b10432a2d0ab951054c0a264fc940b45

      SHA256

      c9fb4a99848d319cc33c70a8cb3edc0fa0a32a4fa3cc7da1b511ddd584079c10

      SHA512

      f9f41f711ac42a73087f1d9d62c13b2e41581c480d5de5d791652f108045906fa36b4fcc76fbcbc15da6a24f8d8423644bc7ba1bb93adf3999532b1939822212

      Download Submit

    • C:\Windows\Installer\MSI94C9.tmp
      Filesize

      128KB

      MD5

      bd237aac254bd2285aa3b2d9023beedc

      SHA1

      3d2715c92a301dcad0d3d4683d559886202dec37

      SHA256

      b126b59c75f9e3ca19bd5f901c462325e954baf5719765bb0ea4a6e09b6b6b69

      SHA512

      72e912c23b6d3220b0b8d4ff262a28797ecc163449221ed5e5e047c3b0706f4b85211e74e61a3ac0ef6b1d5dda35eb341e2528a607ac3fca883c1d60967faa0a

      Download Submit

    • C:\Windows\Installer\MSI94C9.tmp
      Filesize

      128KB

      MD5

      bd237aac254bd2285aa3b2d9023beedc

      SHA1

      3d2715c92a301dcad0d3d4683d559886202dec37

      SHA256

      b126b59c75f9e3ca19bd5f901c462325e954baf5719765bb0ea4a6e09b6b6b69

      SHA512

      72e912c23b6d3220b0b8d4ff262a28797ecc163449221ed5e5e047c3b0706f4b85211e74e61a3ac0ef6b1d5dda35eb341e2528a607ac3fca883c1d60967faa0a

      Download Submit

    • memory/2340-133-0x0000000000000000-mapping.dmp

      Download

    • memory/4984-134-0x0000000000000000-mapping.dmp

      Download