Overview

overview

8

Static

static

1

ReF_SaT589.msi

windows7-x64

7

ReF_SaT589.msi

windows10-2004-x64

8

Analysis

  • max time kernel
    136s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    18-08-2023 20:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ReF_SaT589.msi

  • Size

    12.3MB

  • MD5

    9b61bbdf8d85729e4ebe0785fe6436c9

  • SHA1

    ec07c46d7a3903cc7bd9b868efec4aba81548332

  • SHA256

    e7d27ef86adb6f7d75a19675742a12f7390bfafb60bfeb17a16d80ec211761db

  • SHA512

    592104b2208347953c96431b9cbb36813d62d068a380e1956cd0bbbda85da2d2073f916307f9e742d2ba44ae6523ed02645e43fbd3f926fa7305ffd9f8a78d9f

  • SSDEEP

    98304:07mwfue/kPH85N5a91u83vTezizUZ8e5PWPz4SX5zXX9qYAe7z9KCdHgTTMrZUxT:07mQeLecNPz4yRXcaz5dHSIrZVWPEi

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ReF_SaT589.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4184
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1763A1BE0EAD711688F3A8A4B0A49004
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3912
      • C:\fcvx\BlueBirdInit.exe
        C:\fcvx\BlueBirdInit.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies Control Panel
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:932
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\SysWOW64\explorer.exe"
          4⤵
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          PID:5104

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Installer\MSIAE80.tmp
    Filesize

    557KB

    MD5

    e1423fc5ddaedc0152a09f4796243e31

    SHA1

    c92cec1fb6093d6922fe64719e583048fca12153

    SHA256

    3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

    SHA512

    fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

    Download Submit

  • C:\Windows\Installer\MSIAE80.tmp
    Filesize

    557KB

    MD5

    e1423fc5ddaedc0152a09f4796243e31

    SHA1

    c92cec1fb6093d6922fe64719e583048fca12153

    SHA256

    3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

    SHA512

    fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

    Download Submit

  • C:\Windows\Installer\MSIB20B.tmp
    Filesize

    557KB

    MD5

    e1423fc5ddaedc0152a09f4796243e31

    SHA1

    c92cec1fb6093d6922fe64719e583048fca12153

    SHA256

    3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

    SHA512

    fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

    Download Submit

  • C:\Windows\Installer\MSIB20B.tmp
    Filesize

    557KB

    MD5

    e1423fc5ddaedc0152a09f4796243e31

    SHA1

    c92cec1fb6093d6922fe64719e583048fca12153

    SHA256

    3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

    SHA512

    fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

    Download Submit

  • C:\Windows\Installer\MSIB2B8.tmp
    Filesize

    557KB

    MD5

    e1423fc5ddaedc0152a09f4796243e31

    SHA1

    c92cec1fb6093d6922fe64719e583048fca12153

    SHA256

    3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

    SHA512

    fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

    Download Submit

  • C:\Windows\Installer\MSIB2B8.tmp
    Filesize

    557KB

    MD5

    e1423fc5ddaedc0152a09f4796243e31

    SHA1

    c92cec1fb6093d6922fe64719e583048fca12153

    SHA256

    3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

    SHA512

    fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

    Download Submit

  • C:\Windows\Installer\MSIB2B8.tmp
    Filesize

    557KB

    MD5

    e1423fc5ddaedc0152a09f4796243e31

    SHA1

    c92cec1fb6093d6922fe64719e583048fca12153

    SHA256

    3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

    SHA512

    fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

    Download Submit

  • C:\Windows\Installer\MSIB326.tmp
    Filesize

    1.0MB

    MD5

    5566149fc623f29d55ca72018369c780

    SHA1

    8ae947ab0ae9182f1c09bd266ff360c0e8b88326

    SHA256

    a8c8ff2a0e754059b1f44ef69df492ef3cd582f3750f8c374037c9621069c608

    SHA512

    f9f49c930c3ead40f208482ab6f70a21a8495fd1c50b56a3f689eb53e8e7b8ca9a642bae2199fc80b6099bd3fdd3c4cfcd0d3a8cada47ebf23c7fcef87064cb5

    Download Submit

  • C:\Windows\Installer\MSIB326.tmp
    Filesize

    1.0MB

    MD5

    5566149fc623f29d55ca72018369c780

    SHA1

    8ae947ab0ae9182f1c09bd266ff360c0e8b88326

    SHA256

    a8c8ff2a0e754059b1f44ef69df492ef3cd582f3750f8c374037c9621069c608

    SHA512

    f9f49c930c3ead40f208482ab6f70a21a8495fd1c50b56a3f689eb53e8e7b8ca9a642bae2199fc80b6099bd3fdd3c4cfcd0d3a8cada47ebf23c7fcef87064cb5

    Download Submit

  • C:\Windows\Installer\MSIB366.tmp
    Filesize

    557KB

    MD5

    e1423fc5ddaedc0152a09f4796243e31

    SHA1

    c92cec1fb6093d6922fe64719e583048fca12153

    SHA256

    3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

    SHA512

    fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

    Download Submit

  • C:\Windows\Installer\MSIB366.tmp
    Filesize

    557KB

    MD5

    e1423fc5ddaedc0152a09f4796243e31

    SHA1

    c92cec1fb6093d6922fe64719e583048fca12153

    SHA256

    3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

    SHA512

    fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

    Download Submit

  • C:\Windows\Installer\MSIB617.tmp
    Filesize

    9.6MB

    MD5

    94988aa1e2a8eaa357f4ddbe2c2ecc56

    SHA1

    84cec5a8ac354d1b5f168d920e41f8feb39732c2

    SHA256

    6b7d993fc6be7abb1accc93fb46e6ea020879da9a3ed19b43f340fb0dc9563f5

    SHA512

    9bc54ed7d9a8d38a7fe21ccc84f4ba47e17bfb8a798b6ccc46098c4f1b493055f1ddcd4d46934346fa2408c53b51de0fc59a98160d41c0c7bee0158c93667d32

    Download Submit

  • C:\Windows\Installer\MSIB617.tmp
    Filesize

    9.6MB

    MD5

    94988aa1e2a8eaa357f4ddbe2c2ecc56

    SHA1

    84cec5a8ac354d1b5f168d920e41f8feb39732c2

    SHA256

    6b7d993fc6be7abb1accc93fb46e6ea020879da9a3ed19b43f340fb0dc9563f5

    SHA512

    9bc54ed7d9a8d38a7fe21ccc84f4ba47e17bfb8a798b6ccc46098c4f1b493055f1ddcd4d46934346fa2408c53b51de0fc59a98160d41c0c7bee0158c93667d32

    Download Submit

  • C:\Windows\Installer\MSIB617.tmp
    Filesize

    9.6MB

    MD5

    94988aa1e2a8eaa357f4ddbe2c2ecc56

    SHA1

    84cec5a8ac354d1b5f168d920e41f8feb39732c2

    SHA256

    6b7d993fc6be7abb1accc93fb46e6ea020879da9a3ed19b43f340fb0dc9563f5

    SHA512

    9bc54ed7d9a8d38a7fe21ccc84f4ba47e17bfb8a798b6ccc46098c4f1b493055f1ddcd4d46934346fa2408c53b51de0fc59a98160d41c0c7bee0158c93667d32

    Download Submit

  • C:\fcvx\BlueBirdInit.exe
    Filesize

    3.2MB

    MD5

    4896e3838be5a54eaffb99992467c4f5

    SHA1

    cb1f6d8f36219816572df76885da9e6898e1c5a9

    SHA256

    1f0ec73a9817b77ce6f6c2deca5a2241a2457849ce6b76720ef165aa1f0ee142

    SHA512

    2358f420e29d756d71452efeb37d86712e746a3ccea727bf890f1cb3a61e897c46703fa6148fd0927e29b4b86c009070160c6cd741abd17bef46a2a210a8ef86

    Download Submit

  • C:\fcvx\BlueBirdInit.sys
    Filesize

    3.8MB

    MD5

    e3d7c3b1829dc59e5ff05c7a5991da11

    SHA1

    9b69512c90792a7e6302915440f130b813bd3b6e

    SHA256

    a799413e470966b8abd51e369658676304b5885dd7a041170b24ffc3f64292e4

    SHA512

    1615d937163d93044469be8d54333f6f43fd4f7faba1a9067ae763df4940ff9707e89b4ae5ff5b8d9173c42c26fa9002be47fe6d9d8563568d72510c94c1e02e

    Download Submit

  • C:\fcvx\msimg32.dll
    Filesize

    30.2MB

    MD5

    091404caefce6c561065f3c7b7757389

    SHA1

    830527d7ab47a1d024c8c56513c02d453cac1f3b

    SHA256

    7ab8faeee9e3689fb5b6b4716c01ac7857cd641a3f9b0e267c6775f4b33cbdb0

    SHA512

    c7a226e89ad3bc53057d1f33829ddfb2f562ce7a4e0de2b356c9fc2e53eec0516cef6d79a23525998b68ca7ac0a4bbe1622f7d3ddad366c0fe5f69e66d16d25b

    Download Submit

  • C:\fcvx\msimg32.dll
    Filesize

    30.2MB

    MD5

    091404caefce6c561065f3c7b7757389

    SHA1

    830527d7ab47a1d024c8c56513c02d453cac1f3b

    SHA256

    7ab8faeee9e3689fb5b6b4716c01ac7857cd641a3f9b0e267c6775f4b33cbdb0

    SHA512

    c7a226e89ad3bc53057d1f33829ddfb2f562ce7a4e0de2b356c9fc2e53eec0516cef6d79a23525998b68ca7ac0a4bbe1622f7d3ddad366c0fe5f69e66d16d25b

    Download Submit

  • C:\fcvx\msimg32.dll
    Filesize

    30.2MB

    MD5

    091404caefce6c561065f3c7b7757389

    SHA1

    830527d7ab47a1d024c8c56513c02d453cac1f3b

    SHA256

    7ab8faeee9e3689fb5b6b4716c01ac7857cd641a3f9b0e267c6775f4b33cbdb0

    SHA512

    c7a226e89ad3bc53057d1f33829ddfb2f562ce7a4e0de2b356c9fc2e53eec0516cef6d79a23525998b68ca7ac0a4bbe1622f7d3ddad366c0fe5f69e66d16d25b

    Download Submit

  • C:\fcvx\msimg32.dll
    Filesize

    30.2MB

    MD5

    091404caefce6c561065f3c7b7757389

    SHA1

    830527d7ab47a1d024c8c56513c02d453cac1f3b

    SHA256

    7ab8faeee9e3689fb5b6b4716c01ac7857cd641a3f9b0e267c6775f4b33cbdb0

    SHA512

    c7a226e89ad3bc53057d1f33829ddfb2f562ce7a4e0de2b356c9fc2e53eec0516cef6d79a23525998b68ca7ac0a4bbe1622f7d3ddad366c0fe5f69e66d16d25b

    Download Submit

  • memory/932-227-0x0000000000D50000-0x0000000000F68000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/932-222-0x0000000000D50000-0x0000000000F68000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/932-216-0x0000000000D50000-0x0000000000F68000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/932-240-0x0000000000D50000-0x0000000000F68000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/932-218-0x0000000000400000-0x000000000077B000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/932-219-0x0000000000D50000-0x0000000000F68000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3912-163-0x0000000002980000-0x0000000003004000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3912-161-0x0000000002980000-0x0000000003004000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3912-164-0x0000000002980000-0x0000000003004000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3912-160-0x0000000002980000-0x0000000003004000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3912-217-0x0000000002980000-0x0000000003004000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/5104-234-0x0000000076F50000-0x0000000077040000-memory.dmp

    Filesize

    960KB

    Download

  • memory/5104-235-0x00000000777C3000-0x00000000777C4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5104-236-0x00000000777D8000-0x00000000777D9000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5104-237-0x0000000000010000-0x0000000000228000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/5104-238-0x00000000777C2000-0x00000000777C3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5104-241-0x0000000076F50000-0x0000000077040000-memory.dmp

    Filesize

    960KB

    Download

  • memory/5104-242-0x0000000001280000-0x0000000001281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5104-243-0x0000000001280000-0x0000000001281000-memory.dmp

    Filesize

    4KB

    Download