Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
20-06-2023 19:13
Static task
static1
Behavioral task
behavioral1
Sample
doc_06.20.msi
Resource
win7-20230220-en
General
-
Target
doc_06.20.msi
-
Size
2.2MB
-
MD5
41f1f58087ac8ca8009d07032bf4319f
-
SHA1
8ab6be5ac1e70f9cf1a970e4a7b2c53f29dac067
-
SHA256
38c37a12323334e8362d19f6788755fc5ba35f51b9f53a07ef5481f906807864
-
SHA512
0c60361265f062afeab7f03e648da982050fa58b86bdf90d972b2a936a5c316cb45c6d696a106f18797e2d9810ace6ca12a13703be4cbaf618c50f3e4d4ba359
-
SSDEEP
49152:QHVNAxnHKwlpMBHOZ7wZAf8dwjeZvpA+ZSqfShYNUeCMziwF:Q12xHKwlpOH00dw0pFsbJZA
Malware Config
Extracted
bumblebee
msi11606
176.111.174.67:443
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exepid process 4152 regsvr32.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\A: msiexec.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
regsvr32.exepid process 4152 regsvr32.exe -
Drops file in Windows directory 8 IoCs
Processes:
msiexec.exedescription ioc process File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756} msiexec.exe File opened for modification C:\Windows\Installer\MSIEDDF.tmp msiexec.exe File created C:\Windows\Installer\e56ec5b.msi msiexec.exe File created C:\Windows\Installer\e56ec59.msi msiexec.exe File opened for modification C:\Windows\Installer\e56ec59.msi msiexec.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009865abc95f2d4b980000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009865abc90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809009865abc9000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009865abc900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009865abc900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid process 2716 msiexec.exe 2716 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exedescription pid process Token: SeShutdownPrivilege 1972 msiexec.exe Token: SeIncreaseQuotaPrivilege 1972 msiexec.exe Token: SeSecurityPrivilege 2716 msiexec.exe Token: SeCreateTokenPrivilege 1972 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1972 msiexec.exe Token: SeLockMemoryPrivilege 1972 msiexec.exe Token: SeIncreaseQuotaPrivilege 1972 msiexec.exe Token: SeMachineAccountPrivilege 1972 msiexec.exe Token: SeTcbPrivilege 1972 msiexec.exe Token: SeSecurityPrivilege 1972 msiexec.exe Token: SeTakeOwnershipPrivilege 1972 msiexec.exe Token: SeLoadDriverPrivilege 1972 msiexec.exe Token: SeSystemProfilePrivilege 1972 msiexec.exe Token: SeSystemtimePrivilege 1972 msiexec.exe Token: SeProfSingleProcessPrivilege 1972 msiexec.exe Token: SeIncBasePriorityPrivilege 1972 msiexec.exe Token: SeCreatePagefilePrivilege 1972 msiexec.exe Token: SeCreatePermanentPrivilege 1972 msiexec.exe Token: SeBackupPrivilege 1972 msiexec.exe Token: SeRestorePrivilege 1972 msiexec.exe Token: SeShutdownPrivilege 1972 msiexec.exe Token: SeDebugPrivilege 1972 msiexec.exe Token: SeAuditPrivilege 1972 msiexec.exe Token: SeSystemEnvironmentPrivilege 1972 msiexec.exe Token: SeChangeNotifyPrivilege 1972 msiexec.exe Token: SeRemoteShutdownPrivilege 1972 msiexec.exe Token: SeUndockPrivilege 1972 msiexec.exe Token: SeSyncAgentPrivilege 1972 msiexec.exe Token: SeEnableDelegationPrivilege 1972 msiexec.exe Token: SeManageVolumePrivilege 1972 msiexec.exe Token: SeImpersonatePrivilege 1972 msiexec.exe Token: SeCreateGlobalPrivilege 1972 msiexec.exe Token: SeBackupPrivilege 4192 vssvc.exe Token: SeRestorePrivilege 4192 vssvc.exe Token: SeAuditPrivilege 4192 vssvc.exe Token: SeBackupPrivilege 2716 msiexec.exe Token: SeRestorePrivilege 2716 msiexec.exe Token: SeRestorePrivilege 2716 msiexec.exe Token: SeTakeOwnershipPrivilege 2716 msiexec.exe Token: SeRestorePrivilege 2716 msiexec.exe Token: SeTakeOwnershipPrivilege 2716 msiexec.exe Token: SeRestorePrivilege 2716 msiexec.exe Token: SeTakeOwnershipPrivilege 2716 msiexec.exe Token: SeRestorePrivilege 2716 msiexec.exe Token: SeTakeOwnershipPrivilege 2716 msiexec.exe Token: SeRestorePrivilege 2716 msiexec.exe Token: SeTakeOwnershipPrivilege 2716 msiexec.exe Token: SeRestorePrivilege 2716 msiexec.exe Token: SeTakeOwnershipPrivilege 2716 msiexec.exe Token: SeRestorePrivilege 2716 msiexec.exe Token: SeTakeOwnershipPrivilege 2716 msiexec.exe Token: SeRestorePrivilege 2716 msiexec.exe Token: SeTakeOwnershipPrivilege 2716 msiexec.exe Token: SeRestorePrivilege 2716 msiexec.exe Token: SeTakeOwnershipPrivilege 2716 msiexec.exe Token: SeRestorePrivilege 2716 msiexec.exe Token: SeTakeOwnershipPrivilege 2716 msiexec.exe Token: SeRestorePrivilege 2716 msiexec.exe Token: SeTakeOwnershipPrivilege 2716 msiexec.exe Token: SeRestorePrivilege 2716 msiexec.exe Token: SeTakeOwnershipPrivilege 2716 msiexec.exe Token: SeRestorePrivilege 2716 msiexec.exe Token: SeTakeOwnershipPrivilege 2716 msiexec.exe Token: SeRestorePrivilege 2716 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 1972 msiexec.exe 1972 msiexec.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
msiexec.exedescription pid process target process PID 2716 wrote to memory of 960 2716 msiexec.exe srtasks.exe PID 2716 wrote to memory of 960 2716 msiexec.exe srtasks.exe PID 2716 wrote to memory of 4152 2716 msiexec.exe regsvr32.exe PID 2716 wrote to memory of 4152 2716 msiexec.exe regsvr32.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\doc_06.20.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1972
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:960
-
C:\Windows\system32\regsvr32.exeregsvr32 "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\e1.dll"2⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:4152
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4192
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD53842e5d711099fa7ae9772ec1e0f75cd
SHA1c4a7945bab405b2d9b533c8f2c94a2a7e83fb9a1
SHA256bab6dfdd548fd8d101ec78042a003fb9203e12a1ad83c36caa22b58ed1aebc0a
SHA5122c5e60e0355d919aecc4281ed608a53fcb3c59a543f6f680b7a94a0efbd6bb00c7e8d9076b90275a30b1bdee16b4aedeaa26d27b2955a6ca27317fb50db2bc56
-
Filesize
2.5MB
MD504889da884690bd296877a6a2453a715
SHA1235a8e9a16a4e963fb2c453cbb469ea3e1590da3
SHA256d1270e29d9a235bb456db76f5c88042eb06964145dd2b31f2ef87d5af1254e57
SHA51274875267c6b96ef6c44ac19021f96213cd115061f881b22d849ebc98aa21c92af64f46c86b908b2da53d3f6fe8d9e7bd291ce11882cff0d11bf1294a39c58cc2
-
Filesize
2.5MB
MD504889da884690bd296877a6a2453a715
SHA1235a8e9a16a4e963fb2c453cbb469ea3e1590da3
SHA256d1270e29d9a235bb456db76f5c88042eb06964145dd2b31f2ef87d5af1254e57
SHA51274875267c6b96ef6c44ac19021f96213cd115061f881b22d849ebc98aa21c92af64f46c86b908b2da53d3f6fe8d9e7bd291ce11882cff0d11bf1294a39c58cc2
-
Filesize
2.2MB
MD541f1f58087ac8ca8009d07032bf4319f
SHA18ab6be5ac1e70f9cf1a970e4a7b2c53f29dac067
SHA25638c37a12323334e8362d19f6788755fc5ba35f51b9f53a07ef5481f906807864
SHA5120c60361265f062afeab7f03e648da982050fa58b86bdf90d972b2a936a5c316cb45c6d696a106f18797e2d9810ace6ca12a13703be4cbaf618c50f3e4d4ba359
-
Filesize
23.0MB
MD50ded11f295fe29549a5bfc058f30ee03
SHA1637bbad072ccbaa6e5eec0afcaded3d5c1b3a8fe
SHA2566848b312e6477de456d95db7c76a2d86ac658a26fc279f5d9eb64bc613548ebe
SHA512e876497443d0e071bf29bcd5089da9183edd53d3950345072ce907bdf49d716f9d8c49f6664b4e059e6cfd1914043df6005d7ff7edafa6782403a2f484061305
-
\??\Volume{c9ab6598-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4e20789d-358f-4135-91e5-e1e094a72117}_OnDiskSnapshotProp
Filesize5KB
MD5c65a80683f731e780634ab2c1d3cb710
SHA134733af461238a9c2e1d9043a9b0dc6cb3fa9f76
SHA256fe1afe45074c9724774e0925d0e6757faba8eea854ffe78da35903b9eb679b5f
SHA51282a2ae015e35c2b6797001a783de557813bbdd63b9e1d791274b4b8e4758cfe7dd597abf87cab212d003d8bfdc7d295d930ca80256a68f270df8669dc0c220a2