Overview

overview

8

Static

static

1

URLScan

urlscan

1

https://ve2-2.vfo.di...

windows10-2004-x64

8

Analysis

  • max time kernel
    381s
  • max time network
    381s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/03/2023, 21:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://ve2-2.vfo.digital/01215AJ172/VocalizerExpressive-2.2.121-frc-Amelie-PremiumHigh-enu.msi

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Unknown use of msiexec with remote resource 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 6 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I https://ve2-2.vfo.digital/01215AJ172/VocalizerExpressive-2.2.121-frc-Amelie-PremiumHigh-enu.msi
    1⤵
    • Blocklisted process makes network request
    • Unknown use of msiexec with remote resource
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4276
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:60
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4368
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:724
  • C:\Windows\system32\sethc.exe
    sethc.exe 231
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4184
    • C:\Windows\system32\EaseOfAccessDialog.exe
      "C:\Windows\system32\EaseOfAccessDialog.exe" 231
      2⤵
        PID:4008

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e5891cb.rbs
      Filesize

      11KB

      MD5

      a339e431443135a9ddf86baedf907886

      SHA1

      56e537e3c7ae616e5d60ab1787ecfc8540eb6d8b

      SHA256

      5533beb1c13e6774869154a67b2026ffbbb5b96337b96204a3a3a5601c6c60ed

      SHA512

      be024bf5ca7b62133b4dbf0148e19471ce300b29105bede62b5fde23dc1fa45d6f6f94661ff9056b23c5037fab61aa67c403af70954eebe988027feaf785130d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
      Filesize

      1KB

      MD5

      0e8fb79c8cfb8022c09c29c9b1885a6d

      SHA1

      8abef17222288bc47ca24773ef45dfb8c7d51805

      SHA256

      f4afbf56ee3304fbfc0d91bceeca8ae7ddc8b8504d65ca2dabf93b74c758120d

      SHA512

      f9ed9c7d21b8da2bb3462930315e246ae84159a4fae99ade03a19f16248752830895448c8f5e0188dd0553eb5e83456f391e61eacaa1e3b8490eb5960bb2e987

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_450FCB4290F6670C0CF4B842C58D8B64
      Filesize

      1KB

      MD5

      ea0aa97b20d529c4ae56995fc647c0df

      SHA1

      83ad726ae54c92f0a06b0d7297993bf2b1624331

      SHA256

      692ff6880fa97742d11a925cc22cba9e4e551b2a2ee968e8178b0a2f50c09471

      SHA512

      b63813b9ad096988c80ecff8c0f7c12f39ae46aeb802bad1a767db2e8aaddfce03d4aadb67a4e0c232ff1ab10001841d61bd024aa78e7e2b8531d97e91273de2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
      Filesize

      398B

      MD5

      12e14fe13c6fff954be5be0ebd48980b

      SHA1

      5dae0481bb7ffafa0586869e3d962884df948afd

      SHA256

      3b820374336a44c58c85c09377906db05f1dfb57dc55f5ddb1873b022d55fa58

      SHA512

      0f55db089a6f5528b37bea6a1a033dc6e8474d0a5d69d936d792bb2d351a5adf244b932f2c3dcf990d74e0a9c19bb9d0f85a2e306b43dab0a3b9f56852076d1b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_450FCB4290F6670C0CF4B842C58D8B64
      Filesize

      398B

      MD5

      c8faec1ccc84995db9da8e862370a07e

      SHA1

      705cb8c60cc4ac4b4cce7b4e6c0a4933ca44b66f

      SHA256

      cba7049e6d06dbd810d119282481d76ca817fbf07e3b3171da95b7ada5450731

      SHA512

      c573e1c7852349ff53b62508c6df3dfa0f966b5d7c1813c46325dd8a2c3bf154856fb7b6848172364e01c28c8c622f009070a7ad46c82c1189ae4d788d0d34c5

      Download Submit

    • C:\Windows\Installer\MSIAEF2.tmp
      Filesize

      313.1MB

      MD5

      4beaa30cf16d53a49972dc3353280907

      SHA1

      f0ad81655ccae4f8878193fbd3a5a0e85ce4dbee

      SHA256

      e1cff0ab067a754ae8aca8e55031530894d438a1d6ede3e46b17c3a8167fb596

      SHA512

      732cd88bc2389166d4ba6bbd6fc1a35d12a46e53bac1ac54cc1414e2929277a89714b173411018416908312d679e11c5dddf05bee81528a78e394127f3762bda

      Download Submit

    • C:\Windows\Installer\MSIAEF2.tmp
      Filesize

      313.1MB

      MD5

      4beaa30cf16d53a49972dc3353280907

      SHA1

      f0ad81655ccae4f8878193fbd3a5a0e85ce4dbee

      SHA256

      e1cff0ab067a754ae8aca8e55031530894d438a1d6ede3e46b17c3a8167fb596

      SHA512

      732cd88bc2389166d4ba6bbd6fc1a35d12a46e53bac1ac54cc1414e2929277a89714b173411018416908312d679e11c5dddf05bee81528a78e394127f3762bda

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      11.8MB

      MD5

      6a04ca9bb5f6b905eafaedc528797cde

      SHA1

      12a47307a5673816ee2cb6bf815a7aafc25d6e5c

      SHA256

      17fd36d986b774acdce774a6d1bcb5845005a73c2595668d59d3246463ed81b9

      SHA512

      3c8b0152d224bf6bd55162966009c29db4f34988dd0d22c0d6bc91b39db3cf591d64c8c330ebead0135f11ac7b01ebffa1eb5374a9de4dd84e997bf2fa7b6485

      Download Submit

    • \??\Volume{6aa5dca8-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a2aa3238-bcee-4661-b203-d389439d3a32}_OnDiskSnapshotProp
      Filesize

      5KB

      MD5

      ff78f77d27383f8d4a8544f7270f243a

      SHA1

      d32e66104cf950b6b1a523a1ca163216b967481d

      SHA256

      7cf917d10ad13fac4f4bc44f451cfb6bb3bcaa1177c07f3cb36bfda8c4eb0990

      SHA512

      cc3cec7b4da6f0c7d572ef0f183e900eba4013b31b29fac2e914fbd9595c8031b8b5adde7f9e8d50334be2906a8a31647a0e835a01bf2ee3f64fec4c35731d34

      Download Submit

    • memory/60-169-0x000002A03F4C0000-0x000002A03FF81000-memory.dmp

      Filesize

      10.8MB

      Download