Overview

overview

6

Static

static

1

Far30b6116...11.msi

windows7-x64

6

Far30b6116...11.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-07-2023 08:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Far30b6116.x86.20230311.msi

  • Size

    11.7MB

  • MD5

    8e38d51f0f9753a93f070bbf73224c31

  • SHA1

    4c63462944c091728d6f143ab722acd650600e8d

  • SHA256

    97b854e68751f34bd26fd4d8da4564c0dfc82217dda15b3b63b1683171260cc6

  • SHA512

    56277eb7885558b51db4b6bd4330fe840962b7d51a5c55c7f4af9a0134cfdecf4e40a36028b9e66d1ee0994970e1cc6eede60b597e3241c072ec50cb31c04379

  • SSDEEP

    196608:2DCG5ufWfIoGE50QZRCDc+m3kV1HTxY9WsWIndmETerTiqqX0jyYRynkSsh:5fAPGE0QZ7Xm1GnwEHq95wnU

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Far30b6116.x86.20230311.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1392
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3272
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    PID:1300
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
      PID:2648
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k UnistackSvcGroup
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3700

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\wsuA48D.tmp
      Filesize

      14KB

      MD5

      c01eaa0bdcd7c30a42bbb35a9acbf574

      SHA1

      0aee3e1b873e41d040f1991819d0027b6cc68f54

      SHA256

      32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

      SHA512

      d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

      Download Submit

    • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
      Filesize

      29KB

      MD5

      96043cdd240f4e7217d2ae190e12bfb0

      SHA1

      9f49e35f7ff622882ba01421ec16fe878b18ddf4

      SHA256

      68b2e2eb9f2e3e24aeb8ab031fc72dd94cf491974d8ac9aa7de7b9bbf3a861a3

      SHA512

      db89ef3354c788bbb9f2e5af69d5f6b6f66414888370ac35c44c941779d1e91a9ab2e3a6d5bf07e524c36094b9dd548720ee9afa628af5b05da165d0125e99b7

      Download Submit

    • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
      Filesize

      29KB

      MD5

      5fc2fe0d336b29757860e255f77aa522

      SHA1

      04cf23b259e24ed1f0b896a0ae77ad27419c7809

      SHA256

      bfef855d8c8db43ee8ef3133a68165d8905ac8d6470f346648e1d275b65ed1fa

      SHA512

      d15231d791938f562d117fa52842f6eda85e0cd95c3a3a13f1f5ec1642b09d54b2c5022b18de8e030414746ab135b5442829d0a850771c11e4dc5814bdbf2c7a

      Download Submit

    • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
      Filesize

      29KB

      MD5

      22a99541fa2719d4afbd6b78f41a3554

      SHA1

      c47939811a648f7c6ae0d67cf8b9766d7b66b2e7

      SHA256

      5b4c4481a817765eaa09cae5a00310bce556cfb25d2c0dc3208431732e4e0321

      SHA512

      13b119c3eb6cd58654f58df5e61b8756b4db27d659d81e33f2794955d93519878a753af6c0c3890781b4c0c400be00175bd205fa558a31bca6e46ebbf78e6218

      Download Submit

    • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
      Filesize

      29KB

      MD5

      221cab7c7bd31a13779fd8983a785490

      SHA1

      96cf399ae00edf641e949e90496c00e7efbfa8f5

      SHA256

      be0f9e512e8eb094ab1356a44390e09341afd04671b6ed40b6ec6757554af61c

      SHA512

      15b98e96f1fdbd5ef51c5f56f9ca5a3c48a387f6756bba7f577e3a4595c69bd1429f9d00d4f9490cd20715636b5bd1ddba8de2011d1a0d7d652c16835385de9f

      Download Submit

    • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
      Filesize

      29KB

      MD5

      43b0180ce367c0655153a18956006c6d

      SHA1

      1942a105c0a4fe45eb738d7315e1dfeec5fc4987

      SHA256

      10e34be5edd12128a59db2615d57c7c8e374668ddb63018ce89675d500a1e0f7

      SHA512

      8ee6f05d8d848b093b59c4308b5789b13277f4efc5d2eeb47d0126f3103130c9748916fe759e02c62a244fa6a95d2a2f19ca1e4f207ecd9e57ac7f8de108a495

      Download Submit

    • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
      Filesize

      29KB

      MD5

      499aa49e9afbcb008b1f8426beaa2265

      SHA1

      ff7d68caf53300afad7c5a644c95c9278c2772d3

      SHA256

      69e3e3ea62cf0943481a36320a6b42fc88c03a60b96d5c79560210d198b79f34

      SHA512

      c49b2d089fccdb277aa4b4580a5713e3149eee952d0f7068f04cb69711f2a362a3d670aa7518030739766372f0f996c170713a2abf68584d9ff524a02a710e2d

      Download Submit

    • memory/3700-320-0x00000129E5040000-0x00000129E5050000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3700-341-0x00000129ED3D0000-0x00000129ED3D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3700-342-0x00000129ED3D0000-0x00000129ED3D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3700-343-0x00000129ED4E0000-0x00000129ED4E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3700-339-0x00000129ED3A0000-0x00000129ED3A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3700-304-0x00000129E4F40000-0x00000129E4F50000-memory.dmp

      Filesize

      64KB

      Download