Analysis

  • max time kernel
    97s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-03-2023 18:31

General

  • Target

    SecuriteInfo.com.Other.Malware-gen.25698.21095.msi

  • Size

    3.8MB

  • MD5

    c39fec313f716b37b80ccf946ef5cc83

  • SHA1

    7af29257d77bab7ed5a70293abe44da3c1c10c37

  • SHA256

    015151bd2d2bfb88389899bfac44b0e17a28db00abc8e1463058d84de40b1925

  • SHA512

    0eeb8fa73bbf1886101db96ea376343fae6bae872a264b55feb58a1060c75772f45b5244b005613830e056cd7a58f8307bb54c01417cacd7a57d46542b160291

  • SSDEEP

    49152:LpUPlOPlQRNDP9nqI5KKs2p8iYu9ap7QqKHKG+n2H6h1Ug:LpTt4NDVPKB2vinG8n2Hs

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Modifies file permissions (1 TTP, 1 IoC)
  • Enumerates connected drives (3 TTPs, 48 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory (9 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 5 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (49 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (14 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Other.Malware-gen.25698.21095.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1332
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:400
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4392
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 4B257F93BE1067394B7BBE2AAE111575
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4036
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-f083493d-07ba-4151-a180-8c407c2162c4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:3528
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:1340
      • C:\Users\Admin\AppData\Local\Temp\MW-f083493d-07ba-4151-a180-8c407c2162c4\files\Bpznb.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-f083493d-07ba-4151-a180-8c407c2162c4\files\Bpznb.exe"
        3⤵
        • Executes dropped EXE
        PID:4628
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:2000

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW-f083493d-07ba-4151-a180-8c407c2162c4\files.cab

    Filesize

    3.2MB

    MD5

    d48e27fd09c1b7d7efc29939323126fb

    SHA1

    321f957363671d8f0f87eb7a8efac23e5e7252e0

    SHA256

    a74cd4380aa8bdca4391c1a76073bf8ca20c6b605f93d359f46638e994a9d3ce

    SHA512

    3e89a71527a6488b43b19462cbdd00da3650905ae198c94d977dd9140261dfb3d7598da0dd64c197d2629a212498ff65bb29898009d5c757e35465df1b087565

  • C:\Users\Admin\AppData\Local\Temp\MW-f083493d-07ba-4151-a180-8c407c2162c4\files\Bpznb.exe

    Filesize

    900.0MB

    MD5

    e8a6986d0f9f178b7fe6b9dede6fbc7d

    SHA1

    591b22364bc3e56209699857a8425976cfa1ea18

    SHA256

    a918b48176792f8fda48ccb3912419cdef9b41731ffff056db86c75341ac1ac0

    SHA512

    1e626856d406567c61dab0b26877a26a5bbafb8ce65bb198f7fe1fec581e9b17648153a4f4112f6bc5fb6dde3cb79d6494ce03e361b3d7ed965b7769e500d9c2

  • C:\Users\Admin\AppData\Local\Temp\MW-f083493d-07ba-4151-a180-8c407c2162c4\files\Bpznb.exe

    Filesize

    897.0MB

    MD5

    4d61b56ca3a830ce1ba402d22c1dcc1c

    SHA1

    db7ee03582c833e53583ea81f397264210294ffe

    SHA256

    64267271df6d4200fb82cf3b361cd008c436726e9c887875616eb844c9c30caf

    SHA512

    63103c3142131b47d7292a2eb8b56ab2b3e764d0dde5efc8a2df21be2bf2167b6f8d70ab467e93e00db6e08c85c438759667cadaa28037eabf1b091c6f7462dc

  • C:\Users\Admin\AppData\Local\Temp\MW-f083493d-07ba-4151-a180-8c407c2162c4\msiwrapper.ini

    Filesize

    1KB

    MD5

    187aacaa474a29dcb3057cde43845dcb

    SHA1

    2aea6fdb460fd7273466728063855c2e3e27945f

    SHA256

    bdf06b0a3353bb36ebb5c7ea57780b31857396ff9916d7c1efbc4cb3e9be18d6

    SHA512

    a11d9999390ec0fc14feafb30145c98133f6120fd1f7d41d36d5d1287587e76c02a89def6af790fda45c1f3fcc554ebfca1ab7fec687496eec349a7a6e2004c5

  • C:\Windows\Installer\MSIF6A9.tmp

    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

    Filesize

    23.0MB

    MD5

    3b14a26f5426e2f35d458b3f2eff5b5b

    SHA1

    d632c622201144f04159870ca4dbf145d8eaa04b

    SHA256

    3c85737480f37dd7c70d26a5d9ec5ad2bfd4a8f6bbf70b3228acfc7754a3ab5e

    SHA512

    2ba9c5a94f24c482a959f05ed73c91c29b7b3b2cf66358b8800f6585848c35f24dd01431769f42a870b4f9f301e68a957d0da8c9f5ca3342d4574b593f3b37e8

  • \??\Volume{7e74cb8c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{06ae304f-50ad-4338-888b-aa237197d5d5}_OnDiskSnapshotProp

    Filesize

    5KB

    MD5

    190063d11ba9fc740f788b73a3afca4f

    SHA1

    68f6753fee99602b33395374e549513256726569

    SHA256

    b16b7d195e45df94f767e750f54d82a56d0cecf7fadb8338ad885c826274b52f

    SHA512

    eedfa27dc1293e39733ca880e8d0856db9c10abb6a83ce80419581669a4e8370ad91d66822e10be74335f3e65e19346f7c2aa3b8dce2045eb31424ed0db65815

  • memory/4628-207-0x00000000008A0000-0x0000000000B68000-memory.dmp

    Filesize

    2.8MB

  • memory/4628-208-0x0000000005550000-0x0000000005560000-memory.dmp

    Filesize

    64KB

  • memory/4628-209-0x0000000005550000-0x0000000005560000-memory.dmp

    Filesize

    64KB