Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20230621-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    27-06-2023 08:00

General

  • Target

    CapCut_2_2_0_491_capcutpc_0.msi

  • Size

    880KB

  • MD5

    9119e1089119e0714fe06e239944faef

  • SHA1

    86f8b24dfcfb1a4cbf373c41ef55427d7ca3ecdc

  • SHA256

    b0f32d577b677e6793d77b53148bb4df5ef2f9f1ce29cc76548f80705deacd35

  • SHA512

    c445bfc2613c647e2c91e2d85f484e583223009c5b02858495ea4cec96b08d6ee8e5e21436ab46b04d742c8c90e01a176b001d5d628fb84303cc49f8774508d0

  • SSDEEP

    12288:qurWV30ISQvKKwR5GAauHX4qih45ggXnotXs8cAYc:qug30IlvKKwc44q55ggXotc8cA

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\CapCut_2_2_0_491_capcutpc_0.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1716
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding CEDFB2A7DD89D4F12905D93433D0A317 C
      2⤵
      • Loads dropped DLL
      PID:1388
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1B865312E1E2158ED9DC9F0E32ABB16E
      2⤵
      • Loads dropped DLL
      PID:1152
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:1948
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D8" "00000000000004A4"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:1552
  • C:\Windows\system32\cmd.exe
    cmd /c ""C:\Program Files (x86)\Microsoft\EdgeWebView\setup.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM chrome.exe
      2⤵
      • Kills process with taskkill
      PID:1952
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM msedge.exe
      2⤵
      • Kills process with taskkill
      PID:2028
    • C:\Windows\system32\timeout.exe
      timeout /t 1
      2⤵
      • Delays execution with timeout.exe
      PID:288

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Config.Msi\6e3ca6.rbs

      Filesize

      9KB

      MD5

      9d995446558b68e157d3003a5e94a56b

      SHA1

      07e3b69e4b2cf83acf0796b7c510bad1fc7e2b06

      SHA256

      c4d6097345c2d0381a2dfb9d26b4b12c73ac2cb9d776df08d853f2860ea7d61b

      SHA512

      88ffc24d1382dcfc4e9e7ff5fe9b5e25560174bc979d7779e58a4d488212b3e8a3c066c85ad511c65ea72637f94c1dae0ec9a77550db3db4cc4f26162b744c72

    • C:\Program Files (x86)\Microsoft\EdgeWebView\setup.bat

      Filesize

      279B

      MD5

      13c4c845b001ddbad9ef3275a41924a7

      SHA1

      7c3600b54d2ed584f5f9e70299984b233b29d770

      SHA256

      a2a75f92696af48a34e089d0195acbb2ebc67146e6bc8a92ee0c577aa61fcf53

      SHA512

      4d330facc1c53af1c0912a9419f4ac4bb8a2990b7c9344f1a265cb984a3714b27adbe0facb1f1e4f296c1962bf5dcab5064105d69658ab7145e5dd239ceeebb7

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      18c29e3a021874964e09091df9593c32

      SHA1

      fadd3121fdd1a21ae3064a4c09291b6dc57c4bd3

      SHA256

      448cda1afc242d827153feca29584a4bca748d7182e5f471fc8b5c0af20b2fdd

      SHA512

      c3770014667ef25beb7bb9e0fe1c9b5411f1b01af49085c6473a0386689f3056e57ce6a024262e5ff8a95c2ff17959a003acc672198f4b25094a1af1cbf510db

    • C:\Users\Admin\AppData\Local\Temp\Cab100A.tmp

      Filesize

      62KB

      MD5

      3ac860860707baaf32469fa7cc7c0192

      SHA1

      c33c2acdaba0e6fa41fd2f00f186804722477639

      SHA256

      d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

      SHA512

      d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

    • C:\Users\Admin\AppData\Local\Temp\MSI160B.tmp

      Filesize

      555KB

      MD5

      4d436978faaef6c90ad5b208102fa0b4

      SHA1

      08930ae826c426ebfc3f96c324319bd9384472c0

      SHA256

      6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

      SHA512

      692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

    • C:\Users\Admin\AppData\Local\Temp\MSI187C.tmp

      Filesize

      555KB

      MD5

      4d436978faaef6c90ad5b208102fa0b4

      SHA1

      08930ae826c426ebfc3f96c324319bd9384472c0

      SHA256

      6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

      SHA512

      692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

    • C:\Users\Admin\AppData\Local\Temp\MSI18FA.tmp

      Filesize

      555KB

      MD5

      4d436978faaef6c90ad5b208102fa0b4

      SHA1

      08930ae826c426ebfc3f96c324319bd9384472c0

      SHA256

      6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

      SHA512

      692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

    • C:\Users\Admin\AppData\Local\Temp\MSI1A24.tmp

      Filesize

      555KB

      MD5

      4d436978faaef6c90ad5b208102fa0b4

      SHA1

      08930ae826c426ebfc3f96c324319bd9384472c0

      SHA256

      6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

      SHA512

      692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

    • C:\Users\Admin\AppData\Local\Temp\MSI1D02.tmp

      Filesize

      555KB

      MD5

      4d436978faaef6c90ad5b208102fa0b4

      SHA1

      08930ae826c426ebfc3f96c324319bd9384472c0

      SHA256

      6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

      SHA512

      692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

    • C:\Users\Admin\AppData\Local\Temp\MSI4D46.tmp

      Filesize

      555KB

      MD5

      4d436978faaef6c90ad5b208102fa0b4

      SHA1

      08930ae826c426ebfc3f96c324319bd9384472c0

      SHA256

      6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

      SHA512

      692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

    • C:\Users\Admin\AppData\Local\Temp\MSI4D85.tmp

      Filesize

      555KB

      MD5

      4d436978faaef6c90ad5b208102fa0b4

      SHA1

      08930ae826c426ebfc3f96c324319bd9384472c0

      SHA256

      6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

      SHA512

      692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

    • C:\Users\Admin\AppData\Local\Temp\Tar1117.tmp

      Filesize

      164KB

      MD5

      4ff65ad929cd9a367680e0e5b1c08166

      SHA1

      c0af0d4396bd1f15c45f39d3b849ba444233b3a2

      SHA256

      c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

      SHA512

      f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

    • C:\Windows\Installer\6e3ca4.msi

      Filesize

      880KB

      MD5

      9119e1089119e0714fe06e239944faef

      SHA1

      86f8b24dfcfb1a4cbf373c41ef55427d7ca3ecdc

      SHA256

      b0f32d577b677e6793d77b53148bb4df5ef2f9f1ce29cc76548f80705deacd35

      SHA512

      c445bfc2613c647e2c91e2d85f484e583223009c5b02858495ea4cec96b08d6ee8e5e21436ab46b04d742c8c90e01a176b001d5d628fb84303cc49f8774508d0

    • C:\Windows\Installer\MSI413A.tmp

      Filesize

      555KB

      MD5

      4d436978faaef6c90ad5b208102fa0b4

      SHA1

      08930ae826c426ebfc3f96c324319bd9384472c0

      SHA256

      6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

      SHA512

      692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

    • \Users\Admin\AppData\Local\Temp\MSI160B.tmp

      Filesize

      555KB

      MD5

      4d436978faaef6c90ad5b208102fa0b4

      SHA1

      08930ae826c426ebfc3f96c324319bd9384472c0

      SHA256

      6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

      SHA512

      692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

    • \Users\Admin\AppData\Local\Temp\MSI187C.tmp

      Filesize

      555KB

      MD5

      4d436978faaef6c90ad5b208102fa0b4

      SHA1

      08930ae826c426ebfc3f96c324319bd9384472c0

      SHA256

      6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

      SHA512

      692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

    • \Users\Admin\AppData\Local\Temp\MSI18FA.tmp

      Filesize

      555KB

      MD5

      4d436978faaef6c90ad5b208102fa0b4

      SHA1

      08930ae826c426ebfc3f96c324319bd9384472c0

      SHA256

      6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

      SHA512

      692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

    • \Users\Admin\AppData\Local\Temp\MSI1A24.tmp

      Filesize

      555KB

      MD5

      4d436978faaef6c90ad5b208102fa0b4

      SHA1

      08930ae826c426ebfc3f96c324319bd9384472c0

      SHA256

      6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

      SHA512

      692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

    • \Users\Admin\AppData\Local\Temp\MSI1D02.tmp

      Filesize

      555KB

      MD5

      4d436978faaef6c90ad5b208102fa0b4

      SHA1

      08930ae826c426ebfc3f96c324319bd9384472c0

      SHA256

      6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

      SHA512

      692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

    • \Users\Admin\AppData\Local\Temp\MSI4D46.tmp

      Filesize

      555KB

      MD5

      4d436978faaef6c90ad5b208102fa0b4

      SHA1

      08930ae826c426ebfc3f96c324319bd9384472c0

      SHA256

      6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

      SHA512

      692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

    • \Users\Admin\AppData\Local\Temp\MSI4D85.tmp

      Filesize

      555KB

      MD5

      4d436978faaef6c90ad5b208102fa0b4

      SHA1

      08930ae826c426ebfc3f96c324319bd9384472c0

      SHA256

      6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

      SHA512

      692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

    • \Windows\Installer\MSI413A.tmp

      Filesize

      555KB

      MD5

      4d436978faaef6c90ad5b208102fa0b4

      SHA1

      08930ae826c426ebfc3f96c324319bd9384472c0

      SHA256

      6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

      SHA512

      692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

    • memory/1388-173-0x00000000002B0000-0x00000000002B2000-memory.dmp

      Filesize

      8KB