Overview

overview

10

Static

static

1

r3.msi

windows7-x64

8

r3.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    96s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    15-03-2023 09:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    r3.msi

  • Size

    6.4MB

  • MD5

    6f7e07b84897cccab30594305416d36f

  • SHA1

    6d1d531c921a17b36e792e2843311e27b9aa77a4

  • SHA256

    9982330ae990386cd74625f0eaa26ae697574694eb2ec330c2acac5e0149fdc0

  • SHA512

    689ba6b48065a9098ef62bc8ed0650fa0b66f403af9dc315a456d514ea61afda7cf67c3786760e4ac49adc8a60f489199e6aae08a59aa4ef8e57e064bce9e892

  • SSDEEP

    196608:+kyJofCBPu0rDMQFVOiNRUm0TcrdJgRueb3IR6s8:DymfCBPoYOiPTacBeue7xs8

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\r3.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2044
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\chch.ps1"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1340
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\auzmm3fc.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1544
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AAE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7A9D.tmp"
          4⤵
            PID:432
      • C:\Windows\system32\msiexec.exe
        msiexec /i "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ChatGPT.msi"
        2⤵
        • Enumerates connected drives
        • Suspicious use of FindShellTrayWindow
        PID:1364
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1956
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D4" "00000000000003C4"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1844

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\6c6ab7.rbs
      Filesize

      7KB

      MD5

      ee6f58a6f4ee6a1edf71956d02638ca6

      SHA1

      095d230ace8450b575c14a8ccec3fd0501c89aa1

      SHA256

      989022d73e892ee8d2f8721676cdc7446cb6ad46c4c9c0343f4aa12f5b065783

      SHA512

      a298ea815a29a98417ef41e8c78933a865ef3b85f5bd91d07168a55750f50998f85ff3c1c8f08900f8fba85ab42fc098bd17c604ebe213de7f3f667d011116db

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
      Filesize

      765B

      MD5

      80363f00b74e4d31ae90d11373f1ca03

      SHA1

      8b2a11b7f2cdb4605c32166d94bfaa2a3559f73a

      SHA256

      e5a87252918a448a50ddacbce3306d3f0ca0e101cb660bf258ce0bf12e158c0a

      SHA512

      25cb5bf44289d5eaba6cf015eba0f2f7a168c406e13e64bc3dbda02eb55b8b0270c5a833ddd0bb65f7cb1f3f82de629a2fbb866e7136cb5a5a9450a0f53cf5d7

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      61KB

      MD5

      e71c8443ae0bc2e282c73faead0a6dd3

      SHA1

      0c110c1b01e68edfacaeae64781a37b1995fa94b

      SHA256

      95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

      SHA512

      b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      61KB

      MD5

      e71c8443ae0bc2e282c73faead0a6dd3

      SHA1

      0c110c1b01e68edfacaeae64781a37b1995fa94b

      SHA256

      95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

      SHA512

      b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_378BA46A07A0483C428E7FC44C59C2CB
      Filesize

      638B

      MD5

      526a94f21c7058bcb9519f95ddf2a5d6

      SHA1

      9f34a3227493ffea8ed6a8cfb9d0449f3d8db0ba

      SHA256

      bdd0ddb7f6154c3bf6e81af11c6ee93594acf337d51359c42f56c48136e103d4

      SHA512

      4c6464cc6b483c0034d1e54da53235f311e749b69771bd433240f480b479a6a2812a8e5d612ada2c0e042cfa669cc89d549430800d18d16ef68c76812d41a1f9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
      Filesize

      1KB

      MD5

      a080f020cade47ccb36ac24db1830623

      SHA1

      8b2ac0fe31f3f518a533030d8b3da6bcf34ff04f

      SHA256

      b1c512c38c4a64c83e3eede94c91391ba5767006b1547615d2a25e67561522ce

      SHA512

      5674a19923003b3f86c1e4caf0fa1daee8dab45d0fe29665058a9faa20fef1bed6379ea757633490d6a796c9a8de4b230eb6cfc611061f66c2bed364a8228d08

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
      Filesize

      484B

      MD5

      5b7a834b8d2e227ebc7c2ac2244cc050

      SHA1

      ac1703fcf9074925b33f31996b357e712da674af

      SHA256

      ad13cb86cb9c056ddd04c8a8254c57b74ba256d789eedbd1d97074fee63497b5

      SHA512

      4604700596baccc88f52c6bca98e2862ed27d8b7c51d640653cd86c4d3b8c446a3d44b81cc2cbc79d4fc38e9d609b1ea8c8c0580237b6f3c99ce6f9fdcdf8a30

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      b6a94f5a3c687cffa1409cec8b3e1396

      SHA1

      0bbbef9d758000b9d6113d5c4e2295c632e007af

      SHA256

      22c9621a4d994e9bb680690d8db1fc5b25c485679838800b73054fb81b546ad0

      SHA512

      addf4baac299d563e47d5081ce53a2473136df50407dd6dde21f808a9d6137354179aa42619c70ecc6c8faf00b1ed9b833932f4c176d26767f90cd5ee95a9100

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_378BA46A07A0483C428E7FC44C59C2CB
      Filesize

      484B

      MD5

      436a4d0a027b457519c8c7c401301c6a

      SHA1

      7fc619254c3b06437db81a077e97f4aa5bd36735

      SHA256

      bd39c090a43814bdce6f519a5c173476cf46cd63d27b3e7c0ece09e38cecfa02

      SHA512

      504ce6101efdfae0bbc788e55b14617205b2270b12c053877ca32c51a02ac4a4b3788738b87473ea155e1429bd38a7b1b305fcd183e181e2f9849e5f89e023b2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
      Filesize

      482B

      MD5

      96cc7fcfbd8edfc13c62dda69f6f7352

      SHA1

      226d3c89abc8a54126bc2d41785208a59dbb64eb

      SHA256

      080a5965d755974f3f7668b0a92142df86455a62073e628ffbd1915c4a793dd7

      SHA512

      1217f1b359d650f2d4fe4a8f45e762679f7cc10e2173d3efcaa5d9e5d643ffedad9504c60e10134f5c1e35ab2fe0a93978c502ec04d1aa4a1d77a73cd583af0e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ChatGPT.msi
      Filesize

      5.7MB

      MD5

      41c305f5555c83b876ad9055d8f6d6a8

      SHA1

      e3d2af686f2b4b1a03bf3853790697640c94ba22

      SHA256

      29eef3d0b07ebf231546fdd0719b0102008310916ceda253fadb4037f484e753

      SHA512

      956d2004ab0a69f4bf3fea667ba64a72d70a9ac4d699b5b9cda38417f3db1fe8f8e066b46dc2bf0fbb5afc4eb08ed004c0dbd1805b71f805253ab227be26dfa5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\chch.ps1
      Filesize

      2.3MB

      MD5

      b4153c305f599325177fc402c696c4f9

      SHA1

      2832c07119d99a03cff018a56088f1e4861cd42a

      SHA256

      6271fd1865bed9afbc9e92f36714e97495f5b327f8cda1e02b569e9e1b9daef5

      SHA512

      86068967708635fc21a7702fa2ce8a32cc80b687ba80e217908e81fa5bdd3aca00400759948ed67c93f6807aa156943fc876817ccfb963a0890c1f2fa3d116b2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES7AAE.tmp
      Filesize

      1KB

      MD5

      a67af70a60c8ff97ebc0c01aeebdb4d2

      SHA1

      a3f44bde8be22beb4f8283080d6ae4ca0cc0fa16

      SHA256

      5345606dcdcc2ee250c6730824eb3d086a8211c17cb2e606efde042759cde64e

      SHA512

      98374fadb5ac4d3877309bf3d824a33fb2bfcbb2e75e21864576f7fcd5d43503a99e396f2b949b1609290bcd583f4e7135069c6e44599acfbada751d16105713

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarF45.tmp
      Filesize

      161KB

      MD5

      be2bec6e8c5653136d3e72fe53c98aa3

      SHA1

      a8182d6db17c14671c3d5766c72e58d87c0810de

      SHA256

      1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

      SHA512

      0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\auzmm3fc.dll
      Filesize

      3KB

      MD5

      dd4d2da4b4f004714f65807aa6c63484

      SHA1

      c41a758c5a97649bde06aee530e7eae6eb340937

      SHA256

      f2b40dd42ac327f692128063725f912997ecdb08833d00edeaf1733cf79a488d

      SHA512

      9977a13e3021dbe5b3ac86279c3dd852db662e0a43f354f633492c05ff06f19f8eaaabefc057503d42c64013c839319b0768dbdf7737e942de7d34388b8934bc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\auzmm3fc.pdb
      Filesize

      7KB

      MD5

      d22c438f99244c467164bb3d53720dbc

      SHA1

      4c4eec19e08682dbd2d4e807209733b4f47f021d

      SHA256

      794057025f40748ad959cb4cce5ba3eb1c0fbb1fc8446ee55ce8cb6e9cd6b8a4

      SHA512

      405f417574f3e5f7e5c111b1b791938673ebc13d3daedad0bd00c9e5ac773787432c9ef23d06209a25ef95e418a3cb3aa294c7dcb833a4c44100cbcf5693bfae

      Download Submit

    • C:\Windows\Installer\6c6ab5.msi
      Filesize

      6.4MB

      MD5

      6f7e07b84897cccab30594305416d36f

      SHA1

      6d1d531c921a17b36e792e2843311e27b9aa77a4

      SHA256

      9982330ae990386cd74625f0eaa26ae697574694eb2ec330c2acac5e0149fdc0

      SHA512

      689ba6b48065a9098ef62bc8ed0650fa0b66f403af9dc315a456d514ea61afda7cf67c3786760e4ac49adc8a60f489199e6aae08a59aa4ef8e57e064bce9e892

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\CSC7A9D.tmp
      Filesize

      652B

      MD5

      a5f46c7e4ee2d7b3ce656a382f4b5762

      SHA1

      220b18e96d024bad709dbf551f11025a28387462

      SHA256

      6184b443acb1570127eda0de4825d15e0ef741b8bcba0dc6fcce6db04c2e45ed

      SHA512

      655e3175fd5fc413534540853478a68efc30a47e8575d0a0f876de66b2389d5aa930e42461d0ea781dec97e0231cf25aa425ddf845b1eb7842da909be5580cac

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\auzmm3fc.0.cs
      Filesize

      203B

      MD5

      b611be9282deb44eed731f72bcbb2b82

      SHA1

      cc1d606d853bbabd5fef87255356a0d54381c289

      SHA256

      ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

      SHA512

      63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\auzmm3fc.cmdline
      Filesize

      309B

      MD5

      8f57eebc829384a1ac54db943736cdc7

      SHA1

      0ade575edd5c98dd8ac1deb99386155ae1599149

      SHA256

      2c6884808cd9530271560649e78a70194fa8ff569c17425f207635b039b9dafa

      SHA512

      f866de1ed202ee6439a38e435f3c5e33a9f0f1498f4c489f3526256272344dbf4944ba8f7c40761b87afcd317f9492b5fa285cd07fde8bcb78fe2d461586048e

      Download Submit

    • memory/1340-161-0x0000000002790000-0x0000000002810000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1340-163-0x0000000002790000-0x0000000002810000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1340-162-0x0000000002790000-0x0000000002810000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1340-154-0x00000000023F0000-0x00000000023F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1340-172-0x0000000002830000-0x0000000002838000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1340-153-0x000000001B170000-0x000000001B452000-memory.dmp

      Filesize

      2.9MB

      Download