Analysis

  • max time kernel
    147s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-04-2023 07:48

General

  • Target

    UltraMailer V3.5/UltraMailer V3.5 [CRAX.PRO]/DHTMLEd [INSTALL THIS 1ST]/DhtmlEd.msi

  • Size

    345KB

  • MD5

    cdf797b7d8fae7406fe2a4894f15c8d3

  • SHA1

    0b04cf43e1abad1a617f1251fdeed47f736376c5

  • SHA256

    b610a81cdc5c1e3a19af235c9dc1ca0045bd8498689ffa2f8223acd5b34cfb24

  • SHA512

    318df6035ec361bd4da52cb2aaa9aac2822fd3ea75559369df598d57bcb1ffe125e07c5b3fcfb84dee4479dea3d9dbb36d8bec89a3b7cb2322e83f579ac0301e

  • SSDEEP

    6144:5edosggBGbLkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkM:4qspBGbLkkkkkkkkkkkkkkkkkkkkkkkb

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. In this run it is reached through srtasks.exe ExecuteScopeRestorePoint, spawned by the installer service (msiexec.exe /V): this is the system restore point Windows Installer creates before applying a package, and the shadow-copy paths listed under Downloads are that restore point's metadata.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\UltraMailer V3.5\UltraMailer V3.5 [CRAX.PRO]\DHTMLEd [INSTALL THIS 1ST]\DhtmlEd.msi"
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4616
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:1448
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4032

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Config.Msi\e588f2c.rbs

    Filesize

    37KB

    MD5

    3ee0f9d06c3af82e9d30163c7a3e03f1

    SHA1

    6fbe6866532fff98f188d2f6724c10b30ebde9ed

    SHA256

    9bcc50324fd66d9dd6a62e00f58888ed951f509197922187e1113222989af159

    SHA512

    51a5fc23e3f564ef766a8e6282f5a90bc3952d6090500b8ca439be837c8d1dcd767d4c073badfe744079eb56f4878b17a7e8c737379104ada63646ebcc770d63

  • C:\Windows\Installer\e588f2b.msi

    Filesize

    345KB

    MD5

    cdf797b7d8fae7406fe2a4894f15c8d3

    SHA1

    0b04cf43e1abad1a617f1251fdeed47f736376c5

    SHA256

    b610a81cdc5c1e3a19af235c9dc1ca0045bd8498689ffa2f8223acd5b34cfb24

    SHA512

    318df6035ec361bd4da52cb2aaa9aac2822fd3ea75559369df598d57bcb1ffe125e07c5b3fcfb84dee4479dea3d9dbb36d8bec89a3b7cb2322e83f579ac0301e

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

    Filesize

    23.0MB

    MD5

    7ca605c04d74109609a4f1e0fb55b919

    SHA1

    e3e334a22204fba2d44d66aab569a0babce860d0

    SHA256

    f8307e33b06337fde49df424cfb5801b02c8ba6156036b8e2d55be5d138b2c9c

    SHA512

    aa0bf9d91ad4e871e10c99dea6fc217d77cdba2b2203f39641e6cbe0a6596b67860378611ec7044a76f3abf77597d6bd606185ffa437d43d5eebbfdfab83c778

  • \??\Volume{07416f20-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{7cb9758b-e570-4da5-a53d-b320100d80ab}_OnDiskSnapshotProp

    Filesize

    5KB

    MD5

    af0f0057fd23febac18c2bb357d495f5

    SHA1

    3e1b3f91b0f026d7ac821f82190bffaf5050c6e0

    SHA256

    fdac1cd14787a83b190cf82ec8269a7b4334e5ba1b050a3269c5eaa437d7bf16

    SHA512

    30d23d8c97b8e13f74ecfa4d290924aab100307c2bd5cd44770a35d057350b0d7ca75366028ecb4d2b137ad8ed0ac1048500ade91537bb216df50f866943d795
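As an added example that is not part of this report and not code from the analysed installer, the script below re-derives from the report's own Processes and Downloads data the two checks a triager makes on a result like this: whether anything was written that is not a copy of the submitted sample or standard Windows Installer / System Restore bookkeeping, and which process chain accounts for the Volume Shadow Copy signature. The file and process data are copied from the report into Python literals; the field names, labels and helper functions are this example's own.

```python
# Added example: re-check an MSI sandbox report from its own data.
# All paths, hashes, PIDs, command lines and signature names below are copied
# from the report; the dict field names and the labels are this example's own.

SAMPLE_SHA256 = "b610a81cdc5c1e3a19af235c9dc1ca0045bd8498689ffa2f8223acd5b34cfb24"

# "Downloads" section of the report: files written or touched during the run.
DROPPED_FILES = [
    {"path": r"C:\Config.Msi\e588f2c.rbs",
     "sha256": "9bcc50324fd66d9dd6a62e00f58888ed951f509197922187e1113222989af159"},
    {"path": r"C:\Windows\Installer\e588f2b.msi",
     "sha256": "b610a81cdc5c1e3a19af235c9dc1ca0045bd8498689ffa2f8223acd5b34cfb24"},
    {"path": r"\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2",
     "sha256": "f8307e33b06337fde49df424cfb5801b02c8ba6156036b8e2d55be5d138b2c9c"},
    {"path": r"\??\Volume{07416f20-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{7cb9758b-e570-4da5-a53d-b320100d80ab}_OnDiskSnapshotProp",
     "sha256": "fdac1cd14787a83b190cf82ec8269a7b4334e5ba1b050a3269c5eaa437d7bf16"},
]

# "Processes" section: depth is the report's nesting marker (1⤵ top level, 2⤵ child).
PROCESSES = [
    {"pid": 4616, "depth": 1, "image": "msiexec.exe",
     "cmdline": r'msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\UltraMailer V3.5\UltraMailer V3.5 [CRAX.PRO]\DHTMLEd [INSTALL THIS 1ST]\DhtmlEd.msi"',
     "signatures": ["Blocklisted process makes network request", "Enumerates connected drives",
                    "Suspicious use of AdjustPrivilegeToken", "Suspicious use of FindShellTrayWindow"]},
    {"pid": 1596, "depth": 1, "image": "msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V",
     "signatures": ["Enumerates connected drives", "Drops file in Program Files directory",
                    "Drops file in Windows directory", "Modifies data under HKEY_USERS",
                    "Modifies registry class", "Suspicious behavior: EnumeratesProcesses",
                    "Suspicious use of AdjustPrivilegeToken", "Suspicious use of WriteProcessMemory"]},
    {"pid": 1448, "depth": 2, "image": "srtasks.exe",
     "cmdline": r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2",
     "signatures": []},
    {"pid": 4032, "depth": 1, "image": "vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe",
     "signatures": ["Checks SCSI registry key(s)", "Suspicious use of AdjustPrivilegeToken"]},
]


def classify_dropped(files, sample_sha256):
    """Label each dropped path. Order matters: a byte-identical copy of the sample
    is recognised first (hash match), then the well-known installer and System
    Restore locations; anything left over is a genuinely new artifact to inspect."""
    labels = {}
    for f in files:
        p = f["path"]
        low = p.lower()
        if f["sha256"].lower() == sample_sha256.lower():
            labels[p] = "sample-copy"              # e.g. the Windows Installer cache copy
        elif low.startswith("c:\\config.msi\\") and low.endswith(".rbs"):
            labels[p] = "installer-rollback"       # MSI rollback script
        elif "\\system volume information\\" in low:
            labels[p] = "restore-point-metadata"   # written by System Restore / VSS
        else:
            labels[p] = "new-artifact"
    return labels


def parent_pids(processes):
    """Rebuild parent links from the nesting markers: a depth-n process is a child
    of the nearest preceding depth-(n-1) process; depth-1 processes have no parent."""
    parents = {}
    stack = []  # ancestor chain of the current process, indexed by depth-1
    for proc in processes:
        del stack[proc["depth"] - 1:]
        parents[proc["pid"]] = stack[-1] if stack else None
        stack.append(proc["pid"])
    return parents


def restore_point_chain(processes):
    """Image names from the top-level ancestor down to srtasks.exe
    ExecuteScopeRestorePoint, the restore-point creation that accounts for the
    'Uses Volume Shadow Copy service COM API' signature."""
    parents = parent_pids(processes)
    by_pid = {p["pid"]: p for p in processes}
    chain = []
    for proc in processes:
        if proc["image"].lower() == "srtasks.exe" and "ExecuteScopeRestorePoint" in proc["cmdline"]:
            pid = proc["pid"]
            while pid is not None:
                chain.insert(0, by_pid[pid]["image"])
                pid = parents[pid]
    return chain


def processes_flagging(processes, signature):
    """PIDs whose signature list contains the given signature name exactly."""
    return [p["pid"] for p in processes if signature in p["signatures"]]


if __name__ == "__main__":
    for path, label in classify_dropped(DROPPED_FILES, SAMPLE_SHA256).items():
        print(f"{label:22s} {path}")
    print("restore-point chain:", " -> ".join(restore_point_chain(PROCESSES)))
    print("network request from PIDs:",
          processes_flagging(PROCESSES, "Blocklisted process makes network request"))
```

Run as-is it reports that the only file with new content outside System Restore's own metadata is the MSI rollback script, that the cached C:\Windows\Installer\e588f2b.msi is hash-identical to the submitted package, and that the restore-point activity hangs off the installer service; the one network-request signature sits on the interactive msiexec /I process, which is the part of this run still worth looking at in the Network section.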