Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
26-07-2023 13:48
General
-
Target
Project_1650464.msi
-
Size
1.8MB
-
MD5
247a8cc39384e93d258360a11381000f
-
SHA1
23893f035f8564dfea5030b9fdd54120d96072bb
-
SHA256
6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70
-
SHA512
336eca9569c0072e92ce16743f47ba9d6be06390a196f8e81654d6a42642ff5c99e423bfed00a8396bb0b037d5b54df8c3bde53757646e7e1a204f3be271c998
-
SSDEEP
24576:ftncpVGP4I9FsEsyt8l+E+s1tB7parWM0+AL5QgZQvUXtAqlU0ZyMRp:epUP59FBJZEH1X1arF0vN/nX
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 16 IoCs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 11 IoCs
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe"2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Project_1650464.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding E3A4FEA3D5E15118D006BA63340735612⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-d47ec42c-c65f-45f5-aad2-2d7294f60646\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\MW-d47ec42c-c65f-45f5-aad2-2d7294f60646\files\Autoit3.exe"C:\Users\Admin\AppData\Local\Temp\MW-d47ec42c-c65f-45f5-aad2-2d7294f60646\files\Autoit3.exe" UGtZgHHT.au33⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-d47ec42c-c65f-45f5-aad2-2d7294f60646\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\hbakfcf\Autoit3.exeFilesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\ProgramData\hbakfcf\afcedba\aeebdfgFilesize
129B
MD5a2cf6717718fdd3cc2b8c56c0261811a
SHA19da130825ed3cd09a5894e742bae0c9fdfb0cba6
SHA256a4e6241adbb09464b7e4fe785ddee423ae36d672330d197a416a090fa30183d1
SHA51267b32582f024656cf03cbe71243eb0099c53bfd1c09cf23bc6e4b50cbd3e735a4679f8bcfa9674b0130059d9355ff8f67efa4b105a01d51f244b82b3467d39d5
-
C:\ProgramData\hbakfcf\afcedba\aeebdfgFilesize
129B
MD5b8a02902b438c2851441b24a9aa4eb23
SHA155f86a814b228911b7b1e7158c74901321e36838
SHA256a12c40356546c76c8b7f4fe20a8d1f830e65eeb62615154e7c29ac8bdad3a657
SHA512b1ee8a9285776e6580e3a413a88ea3e28742447c4287a7d5c0796b61c7deda6f685403f512a7485ddf5eb79a9f9c11a6e8361695c60d92d0fa9c179222a7198f
-
C:\ProgramData\hbakfcf\ebdgcde.au3Filesize
772KB
MD5aea1a49b96656e8972ca0301ca717211
SHA1af1998d4986dd3a849abbd646514d0ccb5c99d3b
SHA256e8fb271c648a03b90a0e16e55fe18d6dd6a2a2498ffd8d845a3a164e0ec48203
SHA5128e2b15609280c9ff8ecdb7a83b920dc906cbb5093bbe410ec2b840b88ba4fbcdfeebf0e80593290a861e81f756f72ddfd09e0559386b3ceb6d3ec8706c0f5180
-
C:\ProgramData\hbakfcf\ebdgcde.au3Filesize
772KB
MD5aea1a49b96656e8972ca0301ca717211
SHA1af1998d4986dd3a849abbd646514d0ccb5c99d3b
SHA256e8fb271c648a03b90a0e16e55fe18d6dd6a2a2498ffd8d845a3a164e0ec48203
SHA5128e2b15609280c9ff8ecdb7a83b920dc906cbb5093bbe410ec2b840b88ba4fbcdfeebf0e80593290a861e81f756f72ddfd09e0559386b3ceb6d3ec8706c0f5180
-
C:\Users\Admin\AppData\Local\Temp\MW-d47ec42c-c65f-45f5-aad2-2d7294f60646\files.cabFilesize
1.6MB
MD5e7c3b16ed93b760546ae6756b12644da
SHA199b3b1af70b45b4b815a814f61f9b6e509cd3bb6
SHA256659733a584c52078ac6b568dfb34a089bef2b3835a5ea737d32c1623a468b743
SHA512b6eeaaeeb1f7c8335076075bc8033d5d4744544f3937eeaddcbef5f7ba257a64c20a47f8388c1e8f10c5821da8abe0683be8fd60c3e1a9aea25e4a705e2f8b41
-
C:\Users\Admin\AppData\Local\Temp\MW-d47ec42c-c65f-45f5-aad2-2d7294f60646\files\Autoit3.exeFilesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\MW-d47ec42c-c65f-45f5-aad2-2d7294f60646\files\Autoit3.exeFilesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\MW-d47ec42c-c65f-45f5-aad2-2d7294f60646\files\UGtZgHHT.au3Filesize
757KB
MD51b524d03b27b94906c1a87b207e08179
SHA18fbad6275708a69b764992b05126e053134fb9e9
SHA2561af981d9c5128b3657cdb5506d61563e0d1908b957e5dd6842059d6d3cfdc622
SHA5121e0f2aea5daa40b6cb7df61ba86e0956356ab7b7ecfc9e2934bc85eec8d42d3aeb32858dd0ead24e82ef261a4120f6374263b7af9256eb79a294d51273cc4f6e
-
C:\Users\Admin\AppData\Local\Temp\MW-d47ec42c-c65f-45f5-aad2-2d7294f60646\msiwrapper.iniFilesize
1KB
MD5b2d4a4fe202a8f1a2f0a2988cc7c151f
SHA1aba8f6bb140ff1cda22b3bc022dc2255cbf7bdaf
SHA2568165606431f61d8fad08f99f9fb31242d420adab55b5daf9410ef668532c7895
SHA5129b3df9f0c94fb3b4bbf52979cb9a8a2d92a3e9255ff6554c1537d1914cbd85ae0e725d6fd9cc4f6c8feee3a0d4c754dc695bd01423b741ff7a88ad7aceb4c257
-
C:\Users\Admin\AppData\Local\Temp\MW-d47ec42c-c65f-45f5-aad2-2d7294f60646\msiwrapper.iniFilesize
438B
MD5fcd43cf4f8bb0e2968e01d1636d4600f
SHA1ac56a1271bdae70b7d660c0d3ce8e5e6d6bad90f
SHA256ce2d4868c1b55ca485f89ea136993cb6252916f01061c451d8ca275f91776ec5
SHA5129228ae8273c065f540f846bb07c51bf70a763bc33d4797f010d413e5691b7b90777809bd08bd79d3fc8acb713bb01f084a75223e886169a4ac8cb8a203feae4c
-
C:\Users\Admin\AppData\Local\Temp\MW-d47ec42c-c65f-45f5-aad2-2d7294f60646\msiwrapper.iniFilesize
1KB
MD5c3b90ffcae57715721182842d023cdc9
SHA149b80a8463fc4196fa4260a04aea386827d41712
SHA256ba7a8e1d578136e58009c92a06e4ca44519b849c66564b81709e862d8584f002
SHA5125c2fad16604a07c940d9c80195095b1a2b34c8aaae3a3d2d90ff3cce1733b1b3b7e0770ee1023a2765f59fd639be633253bf6ff2dd6c7521c6166c768d4b66ef
-
C:\Users\Admin\AppData\Local\Temp\MW-d47ec42c-c65f-45f5-aad2-2d7294f60646\msiwrapper.iniFilesize
1KB
MD5764e1c3360a11d0b3cfd73f37c851c4b
SHA18182c026cc021e1dbed7572fdc714df2340e07d4
SHA2569a5cfe46c9fb79070de5634ed53cbf428b418990dbb4868251f3d53951772e02
SHA5127cbfa496e9d024469dbd3e6eef59561d880e2c469a0b4f2151f93b2d96a9b34723a31e828e19a809917835fa1f928da9c38c5f182f30a5aff2ff03a177260bd4
-
C:\Users\Admin\AppData\Local\Temp\MW-d47ec42c-c65f-45f5-aad2-2d7294f60646\msiwrapper.iniFilesize
1KB
MD5764e1c3360a11d0b3cfd73f37c851c4b
SHA18182c026cc021e1dbed7572fdc714df2340e07d4
SHA2569a5cfe46c9fb79070de5634ed53cbf428b418990dbb4868251f3d53951772e02
SHA5127cbfa496e9d024469dbd3e6eef59561d880e2c469a0b4f2151f93b2d96a9b34723a31e828e19a809917835fa1f928da9c38c5f182f30a5aff2ff03a177260bd4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bfbecfe.lnkFilesize
647B
MD5958bb89fe3627f2d6d2e8e7e04404eaa
SHA145cd93a6b82e39c48e7a98e4e9460ef77e8cac95
SHA2560010bfd0945798787895e5e23855ffec2ba1e0af49a223e4104cd909c4a6f7c8
SHA51271ee90bc98d436032810904da60f58dded9d950e7d9c8afedc1d004c0ad828ff3b3d3cb581e28009d008b599171dd6ad15c2c384162be52bc2dc01566424094a
-
C:\Windows\Installer\MSI1A0B.tmpFilesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
C:\Windows\Installer\MSI1A0B.tmpFilesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
C:\Windows\Installer\MSI588D.tmpFilesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
C:\Windows\Installer\MSI588D.tmpFilesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
23.0MB
MD5f74221d04c474262bc4f0b552e0bc92a
SHA1c48819cc3bd00e4c8714bc995867cca5eb941c8c
SHA25614f5ace6fc15d12c6c3f73c37b6fdfe116db2e75d2706e74e5154d5f40bfc5b2
SHA51215499f5ba5ad66163ee9709e67d9528eef633bf452accd9c97b9cf864275341edcadbdf6b2fece4822ffe42b22b342f2d2d2ae036e8fd226c5468e67575f3560
-
\??\Volume{1f21c27e-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cf1edcd7-e4fd-4195-ac23-5ebb0dd90f3f}_OnDiskSnapshotPropFilesize
5KB
MD50a56b7c5c2d4cb7c0728199f4f21f831
SHA1f22aa51b206ae5e874c3d8d4ded3e7a74dbbb3db
SHA25615988b95d57a3f28a135ca78c77273b19e9c5a9d2a68aa84a77d7022e4e16693
SHA5126b0184317416063b41b654d8373e896b368b26ab3192a6a124a2495b4685d34b61c2dfda3d30a70126a6128eb1457d482cd1f5f77e3b5a3ead37608b3700dcd8
-
\??\c:\temp\ebdgcde.au3Filesize
757KB
MD51b524d03b27b94906c1a87b207e08179
SHA18fbad6275708a69b764992b05126e053134fb9e9
SHA2561af981d9c5128b3657cdb5506d61563e0d1908b957e5dd6842059d6d3cfdc622
SHA5121e0f2aea5daa40b6cb7df61ba86e0956356ab7b7ecfc9e2934bc85eec8d42d3aeb32858dd0ead24e82ef261a4120f6374263b7af9256eb79a294d51273cc4f6e
-
memory/1204-214-0x0000000000450000-0x0000000000451000-memory.dmpFilesize
4KB
-
memory/1204-215-0x00000000005E0000-0x00000000005E1000-memory.dmpFilesize
4KB
-
memory/2008-1089-0x0000000000010000-0x0000000000011000-memory.dmpFilesize
4KB
-
memory/2008-1684-0x0000000010410000-0x000000001048E000-memory.dmpFilesize
504KB
-
memory/2008-1707-0x0000000010410000-0x000000001048E000-memory.dmpFilesize
504KB
-
memory/2008-1087-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4636-1061-0x0000000004760000-0x0000000004939000-memory.dmpFilesize
1.8MB
-
memory/4636-224-0x0000000001610000-0x0000000001A10000-memory.dmpFilesize
4.0MB
-
memory/4636-212-0x0000000004760000-0x0000000004939000-memory.dmpFilesize
1.8MB
-
memory/4636-208-0x0000000004760000-0x0000000004939000-memory.dmpFilesize
1.8MB
-
memory/4636-207-0x0000000003F40000-0x0000000004035000-memory.dmpFilesize
980KB
-
memory/4636-206-0x0000000001610000-0x0000000001A10000-memory.dmpFilesize
4.0MB
-
memory/4636-228-0x0000000004760000-0x0000000004939000-memory.dmpFilesize
1.8MB
-
memory/4736-1060-0x0000000010490000-0x000000001050E000-memory.dmpFilesize
504KB
-
memory/4736-1541-0x0000000010490000-0x000000001050E000-memory.dmpFilesize
504KB
-
memory/4736-1852-0x000000000A870000-0x000000000AB20000-memory.dmpFilesize
2.7MB