Overview

overview

7

Static

static

1

SecuriteIn...21.msi

windows7-x64

7

SecuriteIn...21.msi

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    15-02-2023 15:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.28945.7721.msi

  • Size

    12.8MB

  • MD5

    22499f67ab91bdc43967a3ffd9d4a73a

  • SHA1

    4a660bb1421d3df423702f630c3bde242967def0

  • SHA256

    d1a7c0fe0e6f2790d8603cd7b6dfd10f6f340165eec003b4be8a5b68515f9023

  • SHA512

    78de900d4dcff4f9113829dc521d498e233d68fe2258d0df0a0c1853e436588993fe4ef7fa35fa242e38cbd4374775897310aa1a59ba884a3b7b6961124f42c9

  • SSDEEP

    393216:guJ6RO06ATsQq6IUKqwm1JL8Wl6TJPqsDs:SR/6m27LZm1xFUJPq

Score
7/10
discovery

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 43 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 57 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.28945.7721.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1700
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A8A5291C5FDBF95E29D47681CE0E4703
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:868
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-8d4cfcde-7f64-45c2-8b12-e2b972467cfc\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:676
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:900
      • C:\Users\Admin\AppData\Local\Temp\MW-8d4cfcde-7f64-45c2-8b12-e2b972467cfc\files\s7.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-8d4cfcde-7f64-45c2-8b12-e2b972467cfc\files\s7.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1600
        • C:\ProgramData\banikiyig\diwomohimoba.exe
          "C:\ProgramData\banikiyig\diwomohimoba.exe"
          4⤵
          • Executes dropped EXE
          PID:1504
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c @echo off & ping 127.0.0.1 -n 5 -w 1000 > nul & del "C:\Users\Admin\AppData\Local\Temp\MW-8d4cfcde-7f64-45c2-8b12-e2b972467cfc\files\s7.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:920
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 5 -w 1000
            5⤵
            • Runs ping.exe
            PID:812
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-8d4cfcde-7f64-45c2-8b12-e2b972467cfc\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        3⤵
        • Modifies file permissions
        PID:1280
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:520
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "00000000000003E0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:920

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\banikiyig\diwomohimoba.exe
    Filesize

    26.6MB

    MD5

    c967bf6e9afb0add33c02621a767a616

    SHA1

    46fa0e0b9add643c2a09316892685718c71f0186

    SHA256

    1fea935596d276171d43958169b78a6815ff3baafd98ac7804218c0a000cd95f

    SHA512

    2493606b3f1a9209587f297056480ccceb8001d9bd034962e9b26b2f549565c2d1d0fc42461e4237b304615a99d8ee4f78ea5f1cf54f71696f919e9c0c38f9ca

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-8d4cfcde-7f64-45c2-8b12-e2b972467cfc\files.cab
    Filesize

    12.2MB

    MD5

    07ef05e6ea4e1ace9b227a4d01094f59

    SHA1

    b4039603eaad277ffc647a9435b5ef0361de20ed

    SHA256

    018ec3e92de5ac18e02f6f3ad23995f233355466649f0e46df5c430d50c2989d

    SHA512

    369237768c32da57fcb3dea6bce50b797e72250605deb351a8b137368dc5bec95195873e5406918cd9f863605abb9f6ab8548349e92b87bed93dcd8f3603ec19

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-8d4cfcde-7f64-45c2-8b12-e2b972467cfc\files\s7.exe
    Filesize

    188.6MB

    MD5

    304309325cc34f105abf92f29a4b01c0

    SHA1

    2ef3e993728f702f999ed771e40599fdbe109f3d

    SHA256

    634c90b25933be957016e019da5b316e528c60385fc588af66ee705c46478192

    SHA512

    307a002fabe1a5aa348fd3f6d88f17f11b3859656da8c069521a1fd04906209cd75bd550662413e6c1edea1c98a955bcb0bbc4a24bb390ab4bd57875b74f2e0a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-8d4cfcde-7f64-45c2-8b12-e2b972467cfc\files\s7.exe
    Filesize

    188.7MB

    MD5

    f5eaab2c07b4ee13ff159eb7df6fddea

    SHA1

    0defddfd233200bc3bda416323b12de4351eca3c

    SHA256

    134b1b793248c8b90d88eddb2094006fd9e9a770ce2a517342739f4316b87dbb

    SHA512

    4e485fbb5b8f537039d659c601d6da8314e4573bbc56f4a53888a9598a4226646001b4cfb040b07efda19a1099d7eb261c02a0cb3340e32e5d5a16d9cd31b9af

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-8d4cfcde-7f64-45c2-8b12-e2b972467cfc\msiwrapper.ini
    Filesize

    1KB

    MD5

    68beaa93fd739a0bc511ab73cda8e459

    SHA1

    f26d982eb6cb961ae398c8ee914f93b408e6b2c5

    SHA256

    9a1cd8b928b47a71bb58cfeac4763d844d06d1f413173be5bb47ee20dae75b11

    SHA512

    dde63c5323d53cf418f9b3208b9da0357f3fb197debce3d8dd062c98e32d2aa0b1a19dff102086ec19a7bc476ef21e71457e35235249e2b3c2c28e972f633620

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-8d4cfcde-7f64-45c2-8b12-e2b972467cfc\msiwrapper.ini
    Filesize

    1KB

    MD5

    78b8f8dd8136825e4434b862965fd199

    SHA1

    9c21c417627072c27ee2f875de22fe69973f1a42

    SHA256

    a5cb41b685e57bf09ce170384e0965a9e72ba8f5ae2c67d52e2a2d827088f17d

    SHA512

    ad22b928e45de2b7a0148446ce13bd9e7c125b857a341cfa06cf0b393db41e1196e5a941c1f1b995890e88385f56a8bc38d76f9dfa86ebc4f70c90471dea3af3

    Download Submit

  • C:\Windows\Installer\MSI788B.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • C:\Windows\Installer\MSI92FF.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • \ProgramData\banikiyig\diwomohimoba.exe
    Filesize

    31.4MB

    MD5

    8a58ebb36ef79f36bae90322bf785e63

    SHA1

    a2f0407d910bbbfed5c01dc90bf39dcb16a1e5f5

    SHA256

    771df8691f4ceead43ff199802593adc7b8c11dbabf3d6def79fc9cca30bfbd1

    SHA512

    40030807d10ca35ae0ca6270dcec25b45935737dca6613f46e863500012de5199efeacd0d9b9903846e2a5ed5a651d402c0f493946cbe40bb9e5b0d7e906e427

    Download Submit

  • \ProgramData\banikiyig\diwomohimoba.exe
    Filesize

    26.6MB

    MD5

    2f978152cb60706e11cccb8b86915c31

    SHA1

    3132e12b01af32c1d9bc3bc7d1e8f7df828a0f97

    SHA256

    65356d265dad385d92abb7a94f98ea39f16fc5eabf1eeb044825f3065aaf44ab

    SHA512

    710b95c994c0d9b644c9b8019ea8c4e9909e0fdfd7c5c895707b57cbd6d40c0c3f9ecb7fe782d98efe5c6e0c542d7cd212864b867f79479ffa8b455a3e9fd619

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MW-8d4cfcde-7f64-45c2-8b12-e2b972467cfc\files\s7.exe
    Filesize

    187.8MB

    MD5

    0793a805415414ddf7963f9fe4068495

    SHA1

    c6ee6d2a5050acea8a0a7c223ae18732352e1bfd

    SHA256

    7edb78838df61ed5af1f6ad34726372ea8956933dcf0dd01460379455c270de4

    SHA512

    1879243618dccfadd608c031a103f18034d6cd74652b7c7942cbe99a26a285e875b7e7970dd8638a83663ce59d1a0eeead72e7ce94b25ca02c1aa64a214300f0

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MW-8d4cfcde-7f64-45c2-8b12-e2b972467cfc\files\s7.exe
    Filesize

    188.4MB

    MD5

    da711f03d040a07e49ead7917d96d40c

    SHA1

    39503f43ba250e3a46af2211300b2a55770d48b0

    SHA256

    18bd91c43612fbb4573d38e99c16861ef8b608e2a90aa89dc6ac0b6e423ed2cf

    SHA512

    30d11a0f3f5459e0325280307666f1bc7488505fe9c920362a8057545d9259537faf1a542337cefb9a38cc35a00a5acb6f752b97d8501c8eda3ff7d02db4bf50

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MW-8d4cfcde-7f64-45c2-8b12-e2b972467cfc\files\s7.exe
    Filesize

    189.9MB

    MD5

    902e5fc2348573bb18fc4ee82b0d3b1e

    SHA1

    dbc8e829ddb9b3a838b3b58c3f2dd527e7e6be65

    SHA256

    3a3ad3758b7db08b548b2548e7ff46a4536fac0fe40acd6dfbafdcce23fa7e7a

    SHA512

    4014c91c59b919df81074e10695a032b980c73842c7f522001a63fc78d750b102c1b0b23becbf21769a0a9e17cbb3b677381063ea88c804cb2adefaf86d5fab3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MW-8d4cfcde-7f64-45c2-8b12-e2b972467cfc\files\s7.exe
    Filesize

    188.8MB

    MD5

    d0e925d566146692962769da2f25ce56

    SHA1

    798c333b56f29eabdb60f033bdea6d0880133e58

    SHA256

    3be377d628d331b69ef3eb13088fd3103485acfcbc33f48ae53539c0dfb240a0

    SHA512

    d3ffeba5d65dc8024824b7092814f224ab2366b3fe14aa90b4a3956d00953b2c4c462cd82a75c9c7319aa1769cc9ec03a04cb03428e7b2072158bbbca02bdf08

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MW-8d4cfcde-7f64-45c2-8b12-e2b972467cfc\files\s7.exe
    Filesize

    189.8MB

    MD5

    a39494483d605a59c3079840d5329e8f

    SHA1

    1231d5fed03d52e0025ae2f1a40d37aa26b41d92

    SHA256

    182733f736b3920bb42650b98ea05753870fcd13aed96e4d7a585a66acc2387a

    SHA512

    5c8a7aee33e816a2da4a03c84d298383accb57785faba92c68367551e6ca6de52c39f380319091ab61db847c35510ede6941ed0982347a2d311a3ece5e5e3405

    Download Submit

  • \Windows\Installer\MSI788B.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • \Windows\Installer\MSI92FF.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • memory/676-60-0x0000000000000000-mapping.dmp

    Download

  • memory/812-84-0x0000000000000000-mapping.dmp

    Download

  • memory/868-56-0x0000000000000000-mapping.dmp

    Download

  • memory/868-57-0x0000000075671000-0x0000000075673000-memory.dmp

    Filesize

    8KB

    Download

  • memory/900-63-0x0000000000000000-mapping.dmp

    Download

  • memory/920-82-0x0000000000000000-mapping.dmp

    Download

  • memory/1280-85-0x0000000000000000-mapping.dmp

    Download

  • memory/1504-80-0x0000000000000000-mapping.dmp

    Download

  • memory/1504-89-0x0000000001020000-0x0000000002498000-memory.dmp

    Filesize

    20.5MB

    Download

  • memory/1600-83-0x0000000000688000-0x0000000000692000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1600-77-0x0000000000688000-0x0000000000692000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1600-72-0x0000000000DF0000-0x0000000002268000-memory.dmp

    Filesize

    20.5MB

    Download

  • memory/1600-70-0x0000000000000000-mapping.dmp

    Download

  • memory/1700-54-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

    Filesize

    8KB

    Download