75fe871f78a0eea5ce5489c0815c230603aa45e2fc5f7bf67414a90888c63407

Resubmissions

30/06/2023, 08:09

230630-j2ll3agf35 7

30/06/2023, 08:03

230630-jxpg6age93 10

Analysis

max time kernel
300s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2023, 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

新建文件夹 (2)/f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi
Size

2.4MB
MD5

64039f083c96cab5ea0de62f789886ce
SHA1

ffb89927ad892b7d6e3d6a88ec24a9d6a161dee2
SHA256

f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f
SHA512

8eee7c46b8a031858acabe871616e92e95d2e3b4be5b8eae425bc412dc51470c578c6991ba2f3d290a1b96a556853454ea0bb69336e54b9b7aa28354af998fae
SSDEEP

49152:3BiErnG0fwkAjwzYUrngrwjCBt4CFFDO84D2nng01WQhNzvS65R8ct:XnGvMzYUrhjCBZPO84DH01WQXzvP5xt

Score

7^/10

upx vmprotect

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023149-158.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1716	4.exe

Loads dropped DLL 1 IoCs

pid	Process
1716	4.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023149-158.dat	upx

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x00060000000232ba-150.dat	vmprotect
behavioral2/files/0x00060000000232ba-151.dat	vmprotect
behavioral2/memory/1716-152-0x0000000000400000-0x0000000000873000-memory.dmp	vmprotect
behavioral2/memory/1716-155-0x0000000000400000-0x0000000000873000-memory.dmp	vmprotect
behavioral2/memory/1716-171-0x0000000000400000-0x0000000000873000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\默认公司名称\Firefox\1.exe	msiexec.exe
File created	C:\Program Files (x86)\默认公司名称\Firefox\4.exe	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{86E75AD9-70FC-48CE-A92B-0217573E20DF}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4602.tmp	msiexec.exe
File created	C:\Windows\Installer\e5744db.msi	msiexec.exe
File created	C:\Windows\Installer\e5744d9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5744d9.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003c70357fb409b87e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003c70357f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000000032000000ffffffff0000000007000100006809003c70357f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01232000000000020ed0d000000ffffffff0000000007000100006809193c70357f000000000000d0123200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003c70357f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1540	msiexec.exe
1540	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4488	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4488	msiexec.exe
Token: SeSecurityPrivilege	1540	msiexec.exe
Token: SeCreateTokenPrivilege	4488	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4488	msiexec.exe
Token: SeLockMemoryPrivilege	4488	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4488	msiexec.exe
Token: SeMachineAccountPrivilege	4488	msiexec.exe
Token: SeTcbPrivilege	4488	msiexec.exe
Token: SeSecurityPrivilege	4488	msiexec.exe
Token: SeTakeOwnershipPrivilege	4488	msiexec.exe
Token: SeLoadDriverPrivilege	4488	msiexec.exe
Token: SeSystemProfilePrivilege	4488	msiexec.exe
Token: SeSystemtimePrivilege	4488	msiexec.exe
Token: SeProfSingleProcessPrivilege	4488	msiexec.exe
Token: SeIncBasePriorityPrivilege	4488	msiexec.exe
Token: SeCreatePagefilePrivilege	4488	msiexec.exe
Token: SeCreatePermanentPrivilege	4488	msiexec.exe
Token: SeBackupPrivilege	4488	msiexec.exe
Token: SeRestorePrivilege	4488	msiexec.exe
Token: SeShutdownPrivilege	4488	msiexec.exe
Token: SeDebugPrivilege	4488	msiexec.exe
Token: SeAuditPrivilege	4488	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4488	msiexec.exe
Token: SeChangeNotifyPrivilege	4488	msiexec.exe
Token: SeRemoteShutdownPrivilege	4488	msiexec.exe
Token: SeUndockPrivilege	4488	msiexec.exe
Token: SeSyncAgentPrivilege	4488	msiexec.exe
Token: SeEnableDelegationPrivilege	4488	msiexec.exe
Token: SeManageVolumePrivilege	4488	msiexec.exe
Token: SeImpersonatePrivilege	4488	msiexec.exe
Token: SeCreateGlobalPrivilege	4488	msiexec.exe
Token: SeBackupPrivilege	1460	vssvc.exe
Token: SeRestorePrivilege	1460	vssvc.exe
Token: SeAuditPrivilege	1460	vssvc.exe
Token: SeBackupPrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	1540	msiexec.exe
Token: SeTakeOwnershipPrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	1540	msiexec.exe
Token: SeTakeOwnershipPrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	1540	msiexec.exe
Token: SeTakeOwnershipPrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	1540	msiexec.exe
Token: SeTakeOwnershipPrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	1540	msiexec.exe
Token: SeTakeOwnershipPrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	1540	msiexec.exe
Token: SeTakeOwnershipPrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	1540	msiexec.exe
Token: SeTakeOwnershipPrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	1540	msiexec.exe
Token: SeTakeOwnershipPrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	1540	msiexec.exe
Token: SeTakeOwnershipPrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	1540	msiexec.exe
Token: SeTakeOwnershipPrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	1540	msiexec.exe
Token: SeTakeOwnershipPrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	1540	msiexec.exe
Token: SeTakeOwnershipPrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	1540	msiexec.exe
Token: SeTakeOwnershipPrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	1540	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4488	msiexec.exe
4488	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1716	4.exe
1716	4.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2808	1540	msiexec.exe	102
PID 1540 wrote to memory of 2808	1540	msiexec.exe	102
PID 1540 wrote to memory of 1716	1540	msiexec.exe	104
PID 1540 wrote to memory of 1716	1540	msiexec.exe	104
PID 1540 wrote to memory of 1716	1540	msiexec.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4488

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2808
- C:\Program Files (x86)\默认公司名称\Firefox\4.exe
  "C:\Program Files (x86)\默认公司名称\Firefox\4.exe" /Commit
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\默认公司名称\Firefox\4.exe

Filesize
2.1MB

MD5
4ac3d60c4850e37a9b39976c1553df05

SHA1
45e5a0e35be7034e38543fc1a0c3f9ca3808fa5c

SHA256
c53eac22482ec00bebb3c006d442c7b48a448f9d0cc16a743af9a88de1a1da6c

SHA512
7b1e7044deab0f485e1968000df3409d003c38728ab6c07026b5818ed3f0550c32afa0149903e6696e306284b2680426ca8e38540292b35f60d3a8827d789753

Download Submit
C:\Program Files (x86)\默认公司名称\Firefox\4.exe

Filesize
2.1MB

MD5
4ac3d60c4850e37a9b39976c1553df05

SHA1
45e5a0e35be7034e38543fc1a0c3f9ca3808fa5c

SHA256
c53eac22482ec00bebb3c006d442c7b48a448f9d0cc16a743af9a88de1a1da6c

SHA512
7b1e7044deab0f485e1968000df3409d003c38728ab6c07026b5818ed3f0550c32afa0149903e6696e306284b2680426ca8e38540292b35f60d3a8827d789753

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2K9QMOPD\8Q0ICXP2.htm

Filesize
377KB

MD5
7f188c456856eb42385eb47b3682a6eb

SHA1
d05335d2542a2099f088cb548209f9c4ece3e52a

SHA256
b5cbd3f085ca7c6ccddb1e6b648885a2f24bd414eaab582a56568142dbf5f1fd

SHA512
29e430d1f4bec7cb560e5b6fe53610581f1b8a2a6d2f8d75423f4ba6725ff3686d5cb5441373d991314aa0edad456537b537698636f1e575adc1d8692df1d03e

Download Submit
C:\Users\Public\Pictures\ms.dll

Filesize
41KB

MD5
d0a62532cecac152bc553474d5899a94

SHA1
fbb691817dfbae7518648c82304e42288b8354e3

SHA256
242911c8ec9f435569637d5490219a181eb0438c98f8357227d6424e97485f49

SHA512
9e2150873aa2ce7fa360a5dda0e490f497b716282e827d89e85d50e166a73bd54bbedfa54b5fdb22b31dcfa297b564f922d2cbb152fe490ac336dd2e0fc3ea51

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
f6cdfa05ae50642f49b9c9f0f3ab745f

SHA1
c2c1b115f6f9f556dcba9f2b75e23783b3f1832a

SHA256
ae650ded4efb0151d2c38169f0b7ed515e9e07bf8415d9acfa406affa54809f8

SHA512
e8618bed7235ad97def0eb606972bad933f09c6f3af59c6f0272e99419cd303d5deef8ba39a3898f8c2f3d209887604671c770cfbb70ec2295ba283291c66671

Download Submit
\??\Volume{7f35703c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ed52cdd9-b887-4b6e-8540-71880bda00f3}_OnDiskSnapshotProp

Filesize
5KB

MD5
c9d04c7a97d36a8b0c11ef1a81437df0

SHA1
d2fb34cb36a5828404badf019e1537df0d93c9ab

SHA256
e68bb93c34955b8bf7f23aea3ae0e3018cfbb417dcd1d53ffad418218229ff20

SHA512
357bc4b4e8826cb2e8b6d37d0ddc47be061c8500053b7699b5e211276b6fe88ad5a8174a6f87c9837dda7fb9fc8c963a3738d2704fa69a0ffb4cff976793994e

Download Submit
memory/1716-152-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1716-155-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1716-161-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1716-171-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1716-173-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download