Analysis

max time kernel: 292s
max time network: 123s
platform: windows7_x64
resource: win7-20230831-es
resource tags: arch:x64, arch:x86, image:win7-20230831-es, locale:es-es, os:windows7-x64, system, windows
submitted: 02-10-2023 14:55
Static task: static1
General

Target
Size: 10.3MB
MD5: 992c82588ded6e98b3cb3722215e93f7
SHA1: ed8c79e631efd261b86a63bc33eb8d7b9d620f56
SHA256: eaf48d4a801299a857b6217d650dbedd7711482971a20cf9273813a8b2052949
SHA512: 18cd9989a821dc299eb51b8ea255666e308479f62417b8ea53593e9a3e9c3c4ee7d1898849872d384ca60b3b2c12fdf95d20c8326db0583e923b7c9e6e6cbeae
SSDEEP: 49152:OVfU/PIAMJQChq91XrQxsHcFTSalJ+GbBV67lj6dJ538yAVVU6a9UcZM17Iw/L8M:bIRTqbpcJ5wVVXH4rsyzA0
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  3     2608  MsiExec.exe
  5     2608  MsiExec.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2512  Raspberry.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  2276  MsiExec.exe
  2276  MsiExec.exe
  2276  MsiExec.exe
  2608  MsiExec.exe
  2512  Raspberry.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\Raspberry = "C:\\xvlsgkzs\\Raspberry.exe"
  Process: Raspberry.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  Process: msiexec.exe
  ioc (46 entries, in the order recorded; every letter A: through Z: except C:, D: and F: appears twice):
  \??\O: \??\V: \??\A: \??\E: \??\S: \??\J: \??\K: \??\N:
  \??\E: \??\J: \??\K: \??\M: \??\T: \??\Z: \??\A: \??\W:
  \??\P: \??\T: \??\V: \??\L: \??\B: \??\H: \??\M: \??\Q:
  \??\Y: \??\H: \??\N: \??\P: \??\Q: \??\X: \??\I: \??\L:
  \??\X: \??\B: \??\Z: \??\R: \??\G: \??\O: \??\U: \??\G:
  \??\I: \??\R: \??\S: \??\U: \??\W: \??\Y:
Drops file in Windows directory (10 IoCs)
  description                   ioc                                Process
  File created                  C:\Windows\Installer\f768a36.msi   msiexec.exe
  File opened for modification  C:\Windows\Installer\f768a36.msi   msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI8B7D.tmp   msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI8F55.tmp   msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI8FD3.tmp   msiexec.exe
  File created                  C:\Windows\Installer\f768a39.ipi   msiexec.exe
  File opened for modification  C:\Windows\Installer\              msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI95CD.tmp   msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI963C.tmp   msiexec.exe
  File opened for modification  C:\Windows\Installer\f768a39.ipi   msiexec.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process
  2408  msiexec.exe
  2408  msiexec.exe
  2608  MsiExec.exe
  2512  Raspberry.exe   (this row is recorded 9 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2512  Raspberry.exe
Suspicious use of AdjustPrivilegeToken (52 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            1900  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1900  msiexec.exe
  Token: SeRestorePrivilege             2408  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2408  msiexec.exe
  Token: SeSecurityPrivilege            2408  msiexec.exe
  Token: SeCreateTokenPrivilege         1900  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  1900  msiexec.exe
  Token: SeLockMemoryPrivilege          1900  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1900  msiexec.exe
  Token: SeMachineAccountPrivilege      1900  msiexec.exe
  Token: SeTcbPrivilege                 1900  msiexec.exe
  Token: SeSecurityPrivilege            1900  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1900  msiexec.exe
  Token: SeLoadDriverPrivilege          1900  msiexec.exe
  Token: SeSystemProfilePrivilege       1900  msiexec.exe
  Token: SeSystemtimePrivilege          1900  msiexec.exe
  Token: SeProfSingleProcessPrivilege   1900  msiexec.exe
  Token: SeIncBasePriorityPrivilege     1900  msiexec.exe
  Token: SeCreatePagefilePrivilege      1900  msiexec.exe
  Token: SeCreatePermanentPrivilege     1900  msiexec.exe
  Token: SeBackupPrivilege              1900  msiexec.exe
  Token: SeRestorePrivilege             1900  msiexec.exe
  Token: SeShutdownPrivilege            1900  msiexec.exe
  Token: SeDebugPrivilege               1900  msiexec.exe
  Token: SeAuditPrivilege               1900  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   1900  msiexec.exe
  Token: SeChangeNotifyPrivilege        1900  msiexec.exe
  Token: SeRemoteShutdownPrivilege      1900  msiexec.exe
  Token: SeUndockPrivilege              1900  msiexec.exe
  Token: SeSyncAgentPrivilege           1900  msiexec.exe
  Token: SeEnableDelegationPrivilege    1900  msiexec.exe
  Token: SeManageVolumePrivilege        1900  msiexec.exe
  Token: SeImpersonatePrivilege         1900  msiexec.exe
  Token: SeCreateGlobalPrivilege        1900  msiexec.exe
  Token: SeRestorePrivilege             2408  msiexec.exe   (the following pair is recorded
  Token: SeTakeOwnershipPrivilege       2408  msiexec.exe    9 times in a row, 18 entries)
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  1900  msiexec.exe
  1900  msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description                       pid   Process      procid_target
  PID 2408 wrote to memory of 2276  2408  msiexec.exe  29   (recorded 7 times)
  PID 2408 wrote to memory of 2608  2408  msiexec.exe  30   (recorded 5 times)
  PID 2608 wrote to memory of 2512  2608  MsiExec.exe  32   (recorded 4 times)
Processes

C:\Windows\system32\msiexec.exe  (PID 1900)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\[email protected]
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  (PID 2408)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe  (PID 2276, child of 2408)
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding A7034D81D9518CCF24765CC04751D056
      - Loads dropped DLL

    C:\Windows\system32\MsiExec.exe  (PID 2608, child of 2408)
      command line: C:\Windows\system32\MsiExec.exe -Embedding 89A8DCF8BAF51BC742AECCD01BFC6B45
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\xvlsgkzs\Raspberry.exe  (PID 2512, child of 2608)
          command line: "C:\xvlsgkzs\Raspberry.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
15 entries were recorded; identical entries are listed once with the number of times they appear.

Filesize: 571B
MD5: 2bc17eff31b5df49671f52d389ecebcb
SHA1: b5a656dc45ac0f8fb9dc2ceeb69df12c4cc24fa7
SHA256: 8b59eb68d4284ff060f7d5964b7881bf684793f70ca2f25eff6935e356a743c0
SHA512: c1b2df9bcb104c0e435f56e851d7387d103138857fb7539f50d3b8fdc18af916a4c57c20f206b5b183171b630b0b1823ca1478abe0941e549834fbebc269369c

Filesize: 554KB  (recorded 7 times)
MD5: 3b171ce087bb799aafcbbd93bab27f71
SHA1: 7bd69efbc7797bdff5510830ca2cc817c8b86d08
SHA256: bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
SHA512: 7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Filesize: 9.2MB  (recorded 2 times)
MD5: b97d11c60b8671f3fa4f0f223c380284
SHA1: 1eec15a8d7254f64e6ef37246d5a80b8a1306c78
SHA256: 3faa2be8a3f2ef31038e5457bef9cbe4df43dc8d8814eb7e82fa9800e2044632
SHA512: 21e9c40c5b1d10bbbee3e1f897e665ba6606fb47607187db2913daefd67ce65321197db30b405b6ca5ab1c848924c7e28b99e5722796ce06f970bba845bd573b

Filesize: 5.0MB  (recorded 3 times)
MD5: 18a2da2200f4003283e21ccf4934e2f0
SHA1: a89d69020672b3f19a61612001c4b36d5c8c0b8a
SHA256: 042e5050d9ec13604600373da1a5b513cfb1c4ec8ca13c30d1df3c81e619ad88
SHA512: 17e51f32a42dc5e368aba69ea70b35abb863f730586266f28b8f3d69586366203e05203e1be0fa04e78b578149e822d6f4290410876bc0caf98d8a6525cac09b

Filesize: 32.2MB  (recorded 2 times)
MD5: 9557b0b5c7f9a3f50803eea529363b0b
SHA1: 00beee4299ae561038b913defd2705f6f115c343
SHA256: 15fc01c1bf14d19fe2e6d43ea999efd9c7d7bcc29aae38e2a71b70494621a563
SHA512: b5fe44de9804f3dcdec911ee29dcd8b584d9ecb82f8d92fee8fb49688174c56bc40f1e3c7513943ba3b2dd7effba8582a1133f3023ad07feae1d8d3e11c54438