75fe871f78a0eea5ce5489c0815c230603aa45e2fc5f7bf67414a90888c63407

Resubmissions

30/06/2023, 08:09

230630-j2ll3agf35 7

30/06/2023, 08:03

230630-jxpg6age93 10

Analysis

max time kernel
299s
max time network
302s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30/06/2023, 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

新建文件夹 (2)/f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi
Size

2.4MB
MD5

64039f083c96cab5ea0de62f789886ce
SHA1

ffb89927ad892b7d6e3d6a88ec24a9d6a161dee2
SHA256

f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f
SHA512

8eee7c46b8a031858acabe871616e92e95d2e3b4be5b8eae425bc412dc51470c578c6991ba2f3d290a1b96a556853454ea0bb69336e54b9b7aa28354af998fae
SSDEEP

49152:3BiErnG0fwkAjwzYUrngrwjCBt4CFFDO84D2nng01WQhNzvS65R8ct:XnGvMzYUrhjCBZPO84DH01WQXzvP5xt

Score

7^/10

upx vmprotect

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000600000001429c-78.dat	acprotect
behavioral1/memory/1276-80-0x0000000010000000-0x0000000010021000-memory.dmp	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1276	4.exe

Loads dropped DLL 1 IoCs

pid	Process
1276	4.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001429c-78.dat	upx
behavioral1/memory/1276-80-0x0000000010000000-0x0000000010021000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0006000000014171-72.dat	vmprotect
behavioral1/memory/1276-73-0x0000000000400000-0x0000000000873000-memory.dmp	vmprotect
behavioral1/memory/1276-90-0x0000000000400000-0x0000000000873000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\默认公司名称\Firefox\4.exe	msiexec.exe
File created	C:\Program Files (x86)\默认公司名称\Firefox\1.exe	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\6c983b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c983b.msi	msiexec.exe
File created	C:\Windows\Installer\6c983c.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI99FF.tmp	msiexec.exe
File created	C:\Windows\Installer\6c983e.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1404	msiexec.exe
1404	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1128	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1128	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1128	msiexec.exe
Token: SeRestorePrivilege	1404	msiexec.exe
Token: SeTakeOwnershipPrivilege	1404	msiexec.exe
Token: SeSecurityPrivilege	1404	msiexec.exe
Token: SeCreateTokenPrivilege	1128	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1128	msiexec.exe
Token: SeLockMemoryPrivilege	1128	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1128	msiexec.exe
Token: SeMachineAccountPrivilege	1128	msiexec.exe
Token: SeTcbPrivilege	1128	msiexec.exe
Token: SeSecurityPrivilege	1128	msiexec.exe
Token: SeTakeOwnershipPrivilege	1128	msiexec.exe
Token: SeLoadDriverPrivilege	1128	msiexec.exe
Token: SeSystemProfilePrivilege	1128	msiexec.exe
Token: SeSystemtimePrivilege	1128	msiexec.exe
Token: SeProfSingleProcessPrivilege	1128	msiexec.exe
Token: SeIncBasePriorityPrivilege	1128	msiexec.exe
Token: SeCreatePagefilePrivilege	1128	msiexec.exe
Token: SeCreatePermanentPrivilege	1128	msiexec.exe
Token: SeBackupPrivilege	1128	msiexec.exe
Token: SeRestorePrivilege	1128	msiexec.exe
Token: SeShutdownPrivilege	1128	msiexec.exe
Token: SeDebugPrivilege	1128	msiexec.exe
Token: SeAuditPrivilege	1128	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1128	msiexec.exe
Token: SeChangeNotifyPrivilege	1128	msiexec.exe
Token: SeRemoteShutdownPrivilege	1128	msiexec.exe
Token: SeUndockPrivilege	1128	msiexec.exe
Token: SeSyncAgentPrivilege	1128	msiexec.exe
Token: SeEnableDelegationPrivilege	1128	msiexec.exe
Token: SeManageVolumePrivilege	1128	msiexec.exe
Token: SeImpersonatePrivilege	1128	msiexec.exe
Token: SeCreateGlobalPrivilege	1128	msiexec.exe
Token: SeBackupPrivilege	580	vssvc.exe
Token: SeRestorePrivilege	580	vssvc.exe
Token: SeAuditPrivilege	580	vssvc.exe
Token: SeBackupPrivilege	1404	msiexec.exe
Token: SeRestorePrivilege	1404	msiexec.exe
Token: SeRestorePrivilege	1156	DrvInst.exe
Token: SeRestorePrivilege	1156	DrvInst.exe
Token: SeRestorePrivilege	1156	DrvInst.exe
Token: SeRestorePrivilege	1156	DrvInst.exe
Token: SeRestorePrivilege	1156	DrvInst.exe
Token: SeRestorePrivilege	1156	DrvInst.exe
Token: SeRestorePrivilege	1156	DrvInst.exe
Token: SeLoadDriverPrivilege	1156	DrvInst.exe
Token: SeLoadDriverPrivilege	1156	DrvInst.exe
Token: SeLoadDriverPrivilege	1156	DrvInst.exe
Token: SeRestorePrivilege	1404	msiexec.exe
Token: SeTakeOwnershipPrivilege	1404	msiexec.exe
Token: SeRestorePrivilege	1404	msiexec.exe
Token: SeTakeOwnershipPrivilege	1404	msiexec.exe
Token: SeRestorePrivilege	1404	msiexec.exe
Token: SeTakeOwnershipPrivilege	1404	msiexec.exe
Token: SeRestorePrivilege	1404	msiexec.exe
Token: SeTakeOwnershipPrivilege	1404	msiexec.exe
Token: SeRestorePrivilege	1404	msiexec.exe
Token: SeTakeOwnershipPrivilege	1404	msiexec.exe
Token: SeRestorePrivilege	1404	msiexec.exe
Token: SeTakeOwnershipPrivilege	1404	msiexec.exe
Token: SeRestorePrivilege	1404	msiexec.exe
Token: SeTakeOwnershipPrivilege	1404	msiexec.exe
Token: SeRestorePrivilege	1404	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1128	msiexec.exe
1128	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1276	4.exe
1276	4.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1276	1404	msiexec.exe	32
PID 1404 wrote to memory of 1276	1404	msiexec.exe	32
PID 1404 wrote to memory of 1276	1404	msiexec.exe	32
PID 1404 wrote to memory of 1276	1404	msiexec.exe	32

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi"
1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1128

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Program Files (x86)\默认公司名称\Firefox\4.exe
  "C:\Program Files (x86)\默认公司名称\Firefox\4.exe" /Commit
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000328" "0000000000000564"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\默认公司名称\Firefox\4.exe

Filesize
2.1MB

MD5
4ac3d60c4850e37a9b39976c1553df05

SHA1
45e5a0e35be7034e38543fc1a0c3f9ca3808fa5c

SHA256
c53eac22482ec00bebb3c006d442c7b48a448f9d0cc16a743af9a88de1a1da6c

SHA512
7b1e7044deab0f485e1968000df3409d003c38728ab6c07026b5818ed3f0550c32afa0149903e6696e306284b2680426ca8e38540292b35f60d3a8827d789753

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPQI3YTS\5A94SPCZ.htm

Filesize
377KB

MD5
4774e0999e7b5d0539f1577c1f628a91

SHA1
88c0ae3139a4ac1c19b96297249f370d2627a245

SHA256
65c65121c3deba8f282609f513ae2b8b2ca0c6f9c793c4eee9832510dff53de1

SHA512
a16e35326639cb29299a5a06257a779b21145f39afa0e6528a625ec0f18048a67e1d8962258d55d19d7daf2e232c6d8945ef9dba862614410af9dd8c47c2470b

Download Submit
\Users\Public\Pictures\zl.dll

Filesize
41KB

MD5
d0a62532cecac152bc553474d5899a94

SHA1
fbb691817dfbae7518648c82304e42288b8354e3

SHA256
242911c8ec9f435569637d5490219a181eb0438c98f8357227d6424e97485f49

SHA512
9e2150873aa2ce7fa360a5dda0e490f497b716282e827d89e85d50e166a73bd54bbedfa54b5fdb22b31dcfa297b564f922d2cbb152fe490ac336dd2e0fc3ea51

Download Submit
memory/1276-73-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1276-80-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1276-90-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1276-91-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download