Analysis
max time kernel: 8s
max time network: 15s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 21-04-2023 17:52
Behavioral task behavioral1: Sample krisp-v1.21.1-x64.msi, Resource win7-20230220-en
Behavioral task behavioral2: Sample krisp-v1.21.1-x64.msi, Resource win10v2004-20230221-en
General
Target: krisp-v1.21.1-x64.msi
Size: 70.1MB
MD5: e2d02c2d0d744411a0a6e2935dea4f84
SHA1: fba0fcd0cff2c4ceda85c87ef2458558c8754401
SHA256: 10cba83ef3cbfdc6636647c9fe1c273ffd7e833cd88b93f9c9666e8449764a36
SHA512: 99681131e3cebee6416c4e08cbf766f36d8560a2c47eb160d4bdb6394bd038da9f58a2546f866d4a61c42423e08922e6ef1b432981f0f1d3f2d6931b9b926ae9
SSDEEP: 1572864:5bT5TAvyIckmyh4kzaYBqYeTPpCQiyjTtSEOWfd9rdnYjNxYfw8A:5bTtCaEaYBaPiCrOAFYjrYfw
Signatures
Blocklisted process makes network request (3 IoCs)
Processes: msiexec.exe
  flow 2, pid 1444, msiexec.exe
  flow 4, pid 1444, msiexec.exe
  flow 6, pid 1444, msiexec.exe
Loads dropped DLL (4 IoCs)
Processes: MsiExec.exe, rundll32.exe
  pid 1704, MsiExec.exe
  pid 1684, rundll32.exe
  pid 1684, rundll32.exe
  pid 1684, rundll32.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
  File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C: and D:, each opened twice; 48 entries in total)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe
  pid 708, msiexec.exe, Token: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege (3 entries)
  pid 1444, msiexec.exe, Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, followed by the sequence SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege recorded twice in full, then SeCreateTokenPrivilege once more (61 entries)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
  pid 1444, msiexec.exe
  pid 1444, msiexec.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: msiexec.exe, MsiExec.exe
  PID 708 (msiexec.exe) wrote to memory of PID 1704 (MsiExec.exe), 5 entries
  PID 1704 (MsiExec.exe) wrote to memory of PID 1684 (rundll32.exe), 3 entries
Processes
C:\Windows\system32\msiexec.exe (depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\krisp-v1.21.1-x64.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\MsiExec.exe (depth 2)
    Command line: C:\Windows\system32\MsiExec.exe -Embedding 53FC033C71DBA4A0C2AAB6524E5E310E C
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\rundll32.exe (depth 3)
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI4C28.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7097671 1 InstallerHelper!InstallerHelper.CustomActions.GetOSVersion
      - Loads dropped DLL
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (61KB)
  MD5    e71c8443ae0bc2e282c73faead0a6dd3
  SHA1   0c110c1b01e68edfacaeae64781a37b1995fa94b
  SHA256 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
  SHA512 b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6
C:\Users\Admin\AppData\Local\Temp\MSI4C28.tmp (617KB)
  MD5    6985489e7d7d224e6d2cabc8c9cf71c0
  SHA1   bcfc8b2eba0402f0d0913c362d192096aae71483
  SHA256 a57a419a99d84fef10af39fc841c00dc24a8b625f0874c62132407f47425ee38
  SHA512 ea5cc073582057b15cffe673bc70ca6227991843cc6f6ca0a09a1263d76dddac00ff8372beb30c3d844fbc03e63e3274b08a9efd9a6cb4cc808622e96d55e41c
C:\Users\Admin\AppData\Local\Temp\Tar49C5.tmp (161KB)
  MD5    be2bec6e8c5653136d3e72fe53c98aa3
  SHA1   a8182d6db17c14671c3d5766c72e58d87c0810de
  SHA256 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
  SHA512 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff
\Users\Admin\AppData\Local\Temp\MSI4C28.tmp-\InstallerHelper.dll (177KB)
  MD5    bab22511f48c61e6221044455297d7a6
  SHA1   d57fe2e104c4b269b85880449e9217bde8a47b23
  SHA256 7369e0afeceb6d3c90f8d949d8d85ebb50668f3b093804a4516f533b60fda2fa
  SHA512 4d3f3926c278adf0cc95bb38603f0508c0872f340e9d7857d2250d83517a182a017a0bde03faf4465645343a970f973504f0e1e10102b25b1fa98282655e3dde
memory/1684-125-0x0000000001BE0000-0x0000000001C0E000-memory.dmp (184KB)
memory/1684-129-0x0000000001C10000-0x0000000001C40000-memory.dmp (192KB)
memory/1684-138-0x000000001AA80000-0x000000001AB00000-memory.dmp (512KB)