Overview

overview

8

Static

static

7z2201-x64.msi

windows7-x64

8

7z2201-x64.msi

windows10-2004-x64

8

Analysis

  • max time kernel
    125s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/01/2023, 18:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7z2201-x64.msi

  • Size

    1.8MB

  • MD5

    50515f156ae516461e28dd453230d448

  • SHA1

    3209574e09ec235b2613570e6d7d8d5058a64971

  • SHA256

    f4afba646166999d6090b5beddde546450262dc595dddeb62132da70f70d14ca

  • SHA512

    14593ca96d416a2fbb6bbbf8adec51978e6c0fb513882d5442ab5876e28dd79be14ca9dd77acff2d3d329cb7733f7e969e784c57e1f414d00f3c7b9d581638e5

  • SSDEEP

    49152:ynV9R5GSuwYgV4mN4eOYq4Z0APsx/Eho:ynV9Ro/mTlbqC04s/

Score
8/10
persistence

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 8 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7z2201-x64.msi
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4900
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Registers COM server for autorun
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4448
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:756
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:4804

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.0MB

      MD5

      70da336c577fbd1985e65fb41ca5edfe

      SHA1

      4bf2645f8ebc8a1c232dd09ae9b6649f88c78c1e

      SHA256

      3904ef80f068e3936c00ba76a52e752ee9e159ded2159bc2d282d0e89545b801

      SHA512

      fc6e6ff0f26eca2443fb4c11b5aa3dfc969b326565406f413917a1e75f034b347525ade958b9a5dd847524faa52b09cc420fe314de23db48e30b48a22a5a6ec0

      Download Submit

    • \??\Volume{d26ecb05-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a3e4b226-d339-4383-bcd1-435e10466337}_OnDiskSnapshotProp
      Filesize

      5KB

      MD5

      2767c9e1b9ea530ae1da9bdda8326f9f

      SHA1

      67b5ce18e746559ddbe406e8cc9c4e9c2502e7ba

      SHA256

      dd186d60f47c563e58636c5c55e72dd8ee6704b91b71f99d647386a21e07506b

      SHA512

      14be55741975e62444549b32f7567105b2de6badfe3c9dd768aac8624eb5df774df85e3b283d8723027c62e4cf84ca899fbf3b6c453e8f8a0e585eb3a1d5b441

      Download Submit