Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
19-10-2022 17:52
Static task
static1
Behavioral task
behavioral1
Sample
document8765.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
document8765.exe
Resource
win10v2004-20220812-en
General
-
Target
document8765.exe
-
Size
4.7MB
-
MD5
b2a0b09874ba025e4909c76f3fc0fb70
-
SHA1
80c75997f2582afdbc550f5256c13ff1424aab81
-
SHA256
e1d1b39589002db4260dad9f4567cbb5a07803ca1fe7a17f1ca7f9bd1f035827
-
SHA512
1bb29068e3c8f8547e719a951820790521215a2b057cffd9ba73fdfd8537c065151d64fa49bcdf25ba9671952b1b51bb05c8a94fef6c131bb834ff6a030e8194
-
SSDEEP
98304:uFj6+6efPlwcw/lXvcbCOwEY/Gf4IPB3YwP:vefPzMlX+wjQP
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
document8765.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation document8765.exe -
Loads dropped DLL 8 IoCs
Processes:
MsiExec.exerundll32.exepid process 516 MsiExec.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000dcccb42f1bc641320000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000dcccb42f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900dcccb42f000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
document8765.exemsiexec.exemsiexec.exedescription pid process Token: SeDebugPrivilege 4688 document8765.exe Token: SeShutdownPrivilege 1640 msiexec.exe Token: SeIncreaseQuotaPrivilege 1640 msiexec.exe Token: SeSecurityPrivilege 2580 msiexec.exe Token: SeCreateTokenPrivilege 1640 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1640 msiexec.exe Token: SeLockMemoryPrivilege 1640 msiexec.exe Token: SeIncreaseQuotaPrivilege 1640 msiexec.exe Token: SeMachineAccountPrivilege 1640 msiexec.exe Token: SeTcbPrivilege 1640 msiexec.exe Token: SeSecurityPrivilege 1640 msiexec.exe Token: SeTakeOwnershipPrivilege 1640 msiexec.exe Token: SeLoadDriverPrivilege 1640 msiexec.exe Token: SeSystemProfilePrivilege 1640 msiexec.exe Token: SeSystemtimePrivilege 1640 msiexec.exe Token: SeProfSingleProcessPrivilege 1640 msiexec.exe Token: SeIncBasePriorityPrivilege 1640 msiexec.exe Token: SeCreatePagefilePrivilege 1640 msiexec.exe Token: SeCreatePermanentPrivilege 1640 msiexec.exe Token: SeBackupPrivilege 1640 msiexec.exe Token: SeRestorePrivilege 1640 msiexec.exe Token: SeShutdownPrivilege 1640 msiexec.exe Token: SeDebugPrivilege 1640 msiexec.exe Token: SeAuditPrivilege 1640 msiexec.exe Token: SeSystemEnvironmentPrivilege 1640 msiexec.exe Token: SeChangeNotifyPrivilege 1640 msiexec.exe Token: SeRemoteShutdownPrivilege 1640 msiexec.exe Token: SeUndockPrivilege 1640 msiexec.exe Token: SeSyncAgentPrivilege 1640 msiexec.exe Token: SeEnableDelegationPrivilege 1640 msiexec.exe Token: SeManageVolumePrivilege 1640 msiexec.exe Token: SeImpersonatePrivilege 1640 msiexec.exe Token: SeCreateGlobalPrivilege 1640 msiexec.exe Token: SeCreateTokenPrivilege 1640 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1640 msiexec.exe Token: SeLockMemoryPrivilege 1640 msiexec.exe Token: SeIncreaseQuotaPrivilege 1640 msiexec.exe Token: SeMachineAccountPrivilege 1640 msiexec.exe Token: SeTcbPrivilege 1640 msiexec.exe Token: SeSecurityPrivilege 1640 msiexec.exe Token: SeTakeOwnershipPrivilege 1640 msiexec.exe Token: SeLoadDriverPrivilege 1640 msiexec.exe Token: SeSystemProfilePrivilege 1640 msiexec.exe Token: SeSystemtimePrivilege 1640 msiexec.exe Token: SeProfSingleProcessPrivilege 1640 msiexec.exe Token: SeIncBasePriorityPrivilege 1640 msiexec.exe Token: SeCreatePagefilePrivilege 1640 msiexec.exe Token: SeCreatePermanentPrivilege 1640 msiexec.exe Token: SeBackupPrivilege 1640 msiexec.exe Token: SeRestorePrivilege 1640 msiexec.exe Token: SeShutdownPrivilege 1640 msiexec.exe Token: SeDebugPrivilege 1640 msiexec.exe Token: SeAuditPrivilege 1640 msiexec.exe Token: SeSystemEnvironmentPrivilege 1640 msiexec.exe Token: SeChangeNotifyPrivilege 1640 msiexec.exe Token: SeRemoteShutdownPrivilege 1640 msiexec.exe Token: SeUndockPrivilege 1640 msiexec.exe Token: SeSyncAgentPrivilege 1640 msiexec.exe Token: SeEnableDelegationPrivilege 1640 msiexec.exe Token: SeManageVolumePrivilege 1640 msiexec.exe Token: SeImpersonatePrivilege 1640 msiexec.exe Token: SeCreateGlobalPrivilege 1640 msiexec.exe Token: SeCreateTokenPrivilege 1640 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1640 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 1640 msiexec.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
document8765.exemsiexec.exeMsiExec.exedescription pid process target process PID 4688 wrote to memory of 1640 4688 document8765.exe msiexec.exe PID 4688 wrote to memory of 1640 4688 document8765.exe msiexec.exe PID 4688 wrote to memory of 1640 4688 document8765.exe msiexec.exe PID 2580 wrote to memory of 516 2580 msiexec.exe MsiExec.exe PID 2580 wrote to memory of 516 2580 msiexec.exe MsiExec.exe PID 2580 wrote to memory of 516 2580 msiexec.exe MsiExec.exe PID 516 wrote to memory of 4436 516 MsiExec.exe rundll32.exe PID 516 wrote to memory of 4436 516 MsiExec.exe rundll32.exe PID 516 wrote to memory of 4436 516 MsiExec.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\document8765.exe"C:\Users\Admin\AppData\Local\Temp\document8765.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1640
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A7F29D73A590956B47643A112AA5AC6C C2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI9196.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240555031 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments3⤵
- Loads dropped DLL
PID:4436
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:4180
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1016KB
MD573475c63fde46aac78f942937230537f
SHA12738c1a44cb67adaf3510d90b2398b1fc41a3430
SHA25687426736b1157828ba843bac4adf5bed17dc37db7c411c963e1529d4d21d66b0
SHA5120f66bc116ee62669d6ed4bdc84e27796c6d601619eed92b8274b9c89ead2ea5bfdc590a66470bc66324f41e64e9b5ec50268dc6dd322b02d6094f568de4487b5
-
Filesize
1016KB
MD573475c63fde46aac78f942937230537f
SHA12738c1a44cb67adaf3510d90b2398b1fc41a3430
SHA25687426736b1157828ba843bac4adf5bed17dc37db7c411c963e1529d4d21d66b0
SHA5120f66bc116ee62669d6ed4bdc84e27796c6d601619eed92b8274b9c89ead2ea5bfdc590a66470bc66324f41e64e9b5ec50268dc6dd322b02d6094f568de4487b5
-
Filesize
1016KB
MD573475c63fde46aac78f942937230537f
SHA12738c1a44cb67adaf3510d90b2398b1fc41a3430
SHA25687426736b1157828ba843bac4adf5bed17dc37db7c411c963e1529d4d21d66b0
SHA5120f66bc116ee62669d6ed4bdc84e27796c6d601619eed92b8274b9c89ead2ea5bfdc590a66470bc66324f41e64e9b5ec50268dc6dd322b02d6094f568de4487b5
-
Filesize
172KB
MD55ef88919012e4a3d8a1e2955dc8c8d81
SHA1c0cfb830b8f1d990e3836e0bcc786e7972c9ed62
SHA2563e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d
SHA5124544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684
-
Filesize
172KB
MD55ef88919012e4a3d8a1e2955dc8c8d81
SHA1c0cfb830b8f1d990e3836e0bcc786e7972c9ed62
SHA2563e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d
SHA5124544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684
-
Filesize
466KB
MD590f06bea5a196926711feaad344c1e7e
SHA1861e4f80c57676e8f8f288b0c9df4b8639184214
SHA25615b94caf2a52ad2296d099a2b0666decab0d00396ff5d94726c158b4a34c4317
SHA51254411631a6314f714a551bd4f1834e87edd34f18b20e697caa98ce4783cb10f28365536c35bc7eccb30701e6c4131c6541e8668227e05366112919812ce25a70
-
Filesize
466KB
MD590f06bea5a196926711feaad344c1e7e
SHA1861e4f80c57676e8f8f288b0c9df4b8639184214
SHA25615b94caf2a52ad2296d099a2b0666decab0d00396ff5d94726c158b4a34c4317
SHA51254411631a6314f714a551bd4f1834e87edd34f18b20e697caa98ce4783cb10f28365536c35bc7eccb30701e6c4131c6541e8668227e05366112919812ce25a70
-
Filesize
20KB
MD52bf660e4d5929045e0704ca9beb156e0
SHA12beb37462a31ccf1b406ba5eee3dbd0dd77f9c5f
SHA25629e3e009d17c754af1adc44b3008f877a0068bf43b7dd989a74ba569dc3710f6
SHA512f98f2fc29f6a0f6b247f324f092e04864390d781562e31b905e70a361ec7a03a961bb7a893db51ecd481df1bf6b3a1596d042492184e2f100f1433cb84eeff5b
-
Filesize
20KB
MD52bf660e4d5929045e0704ca9beb156e0
SHA12beb37462a31ccf1b406ba5eee3dbd0dd77f9c5f
SHA25629e3e009d17c754af1adc44b3008f877a0068bf43b7dd989a74ba569dc3710f6
SHA512f98f2fc29f6a0f6b247f324f092e04864390d781562e31b905e70a361ec7a03a961bb7a893db51ecd481df1bf6b3a1596d042492184e2f100f1433cb84eeff5b
-
Filesize
2.5MB
MD531df653a1b4d2d3111df8c8a905f1297
SHA11ddad6ef3be78cb099363f7093bf9a3ea3ee7f81
SHA2560e3ded0439839c6ab7a8f656eeb5e1e4c7aeb18b9374629298394da2db66f335
SHA512e92ffe088b16953bd39c8805bdace2bb6b1d831f5badee8bad666d7560a213a26f33b9200da5e13e1cd25c5b4be447e53f5d28cc8608c152826ebab756726b08