Overview

overview

8

Static

static

1

[email protected]

windows7-x64

8

[email protected]

windows10-2004-x64

8

Analysis

  • max time kernel
    299s
  • max time network
    275s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    02/10/2023, 14:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    [email protected]

  • Size

    10.3MB

  • MD5

    992c82588ded6e98b3cb3722215e93f7

  • SHA1

    ed8c79e631efd261b86a63bc33eb8d7b9d620f56

  • SHA256

    eaf48d4a801299a857b6217d650dbedd7711482971a20cf9273813a8b2052949

  • SHA512

    18cd9989a821dc299eb51b8ea255666e308479f62417b8ea53593e9a3e9c3c4ee7d1898849872d384ca60b3b2c12fdf95d20c8326db0583e923b7c9e6e6cbeae

  • SSDEEP

    49152:OVfU/PIAMJQChq91XrQxsHcFTSalJ+GbBV67lj6dJ538yAVVU6a9UcZM17Iw/L8M:bIRTqbpcJ5wVVXH4rsyzA0

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\[email protected]
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4728
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:800
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A8727CD33E2BA15F620130F666C11FF1
      2⤵
      • Loads dropped DLL
      PID:2072
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 40E85F03B646E073BB7E20E085A70B5A
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3248
      • C:\xvlsgkzs\Raspberry.exe
        "C:\xvlsgkzs\Raspberry.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1860

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e577514.rbs
    Filesize

    571B

    MD5

    910d6c8a82bea35842801545c1223190

    SHA1

    e6d78afccf58cdc36fc20781b0d7fd45c88dae7b

    SHA256

    81549cd26da12bcefef5b23928974b74f95a17e865d6f2f894ada621202d90b5

    SHA512

    0ec29e10600a63d2b7894dc11e14f7c770f1d6f8a857494f2281c3793c9932b23c6fb42026b5a9a798cf7e6fbde619f1252ca583ddf57cacd8d0c5e42da09075

    Download Submit

  • C:\Windows\Installer\MSI758E.tmp
    Filesize

    554KB

    MD5

    3b171ce087bb799aafcbbd93bab27f71

    SHA1

    7bd69efbc7797bdff5510830ca2cc817c8b86d08

    SHA256

    bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

    SHA512

    7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

    Download Submit

  • C:\Windows\Installer\MSI758E.tmp
    Filesize

    554KB

    MD5

    3b171ce087bb799aafcbbd93bab27f71

    SHA1

    7bd69efbc7797bdff5510830ca2cc817c8b86d08

    SHA256

    bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

    SHA512

    7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

    Download Submit

  • C:\Windows\Installer\MSI77E0.tmp
    Filesize

    554KB

    MD5

    3b171ce087bb799aafcbbd93bab27f71

    SHA1

    7bd69efbc7797bdff5510830ca2cc817c8b86d08

    SHA256

    bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

    SHA512

    7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

    Download Submit

  • C:\Windows\Installer\MSI77E0.tmp
    Filesize

    554KB

    MD5

    3b171ce087bb799aafcbbd93bab27f71

    SHA1

    7bd69efbc7797bdff5510830ca2cc817c8b86d08

    SHA256

    bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

    SHA512

    7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

    Download Submit

  • C:\Windows\Installer\MSI78AC.tmp
    Filesize

    554KB

    MD5

    3b171ce087bb799aafcbbd93bab27f71

    SHA1

    7bd69efbc7797bdff5510830ca2cc817c8b86d08

    SHA256

    bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

    SHA512

    7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

    Download Submit

  • C:\Windows\Installer\MSI78AC.tmp
    Filesize

    554KB

    MD5

    3b171ce087bb799aafcbbd93bab27f71

    SHA1

    7bd69efbc7797bdff5510830ca2cc817c8b86d08

    SHA256

    bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

    SHA512

    7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

    Download Submit

  • C:\Windows\Installer\MSI78AC.tmp
    Filesize

    554KB

    MD5

    3b171ce087bb799aafcbbd93bab27f71

    SHA1

    7bd69efbc7797bdff5510830ca2cc817c8b86d08

    SHA256

    bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

    SHA512

    7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

    Download Submit

  • C:\Windows\Installer\MSI78CD.tmp
    Filesize

    554KB

    MD5

    3b171ce087bb799aafcbbd93bab27f71

    SHA1

    7bd69efbc7797bdff5510830ca2cc817c8b86d08

    SHA256

    bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

    SHA512

    7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

    Download Submit

  • C:\Windows\Installer\MSI78CD.tmp
    Filesize

    554KB

    MD5

    3b171ce087bb799aafcbbd93bab27f71

    SHA1

    7bd69efbc7797bdff5510830ca2cc817c8b86d08

    SHA256

    bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

    SHA512

    7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

    Download Submit

  • C:\Windows\Installer\MSI7B11.tmp
    Filesize

    9.2MB

    MD5

    b97d11c60b8671f3fa4f0f223c380284

    SHA1

    1eec15a8d7254f64e6ef37246d5a80b8a1306c78

    SHA256

    3faa2be8a3f2ef31038e5457bef9cbe4df43dc8d8814eb7e82fa9800e2044632

    SHA512

    21e9c40c5b1d10bbbee3e1f897e665ba6606fb47607187db2913daefd67ce65321197db30b405b6ca5ab1c848924c7e28b99e5722796ce06f970bba845bd573b

    Download Submit

  • C:\Windows\Installer\MSI7B11.tmp
    Filesize

    9.2MB

    MD5

    b97d11c60b8671f3fa4f0f223c380284

    SHA1

    1eec15a8d7254f64e6ef37246d5a80b8a1306c78

    SHA256

    3faa2be8a3f2ef31038e5457bef9cbe4df43dc8d8814eb7e82fa9800e2044632

    SHA512

    21e9c40c5b1d10bbbee3e1f897e665ba6606fb47607187db2913daefd67ce65321197db30b405b6ca5ab1c848924c7e28b99e5722796ce06f970bba845bd573b

    Download Submit

  • C:\xvlsgkzs\Raspberry.exe
    Filesize

    5.0MB

    MD5

    18a2da2200f4003283e21ccf4934e2f0

    SHA1

    a89d69020672b3f19a61612001c4b36d5c8c0b8a

    SHA256

    042e5050d9ec13604600373da1a5b513cfb1c4ec8ca13c30d1df3c81e619ad88

    SHA512

    17e51f32a42dc5e368aba69ea70b35abb863f730586266f28b8f3d69586366203e05203e1be0fa04e78b578149e822d6f4290410876bc0caf98d8a6525cac09b

    Download Submit

  • C:\xvlsgkzs\Raspberry.exe
    Filesize

    5.0MB

    MD5

    18a2da2200f4003283e21ccf4934e2f0

    SHA1

    a89d69020672b3f19a61612001c4b36d5c8c0b8a

    SHA256

    042e5050d9ec13604600373da1a5b513cfb1c4ec8ca13c30d1df3c81e619ad88

    SHA512

    17e51f32a42dc5e368aba69ea70b35abb863f730586266f28b8f3d69586366203e05203e1be0fa04e78b578149e822d6f4290410876bc0caf98d8a6525cac09b

    Download Submit

  • C:\xvlsgkzs\Raspberry.exe
    Filesize

    5.0MB

    MD5

    18a2da2200f4003283e21ccf4934e2f0

    SHA1

    a89d69020672b3f19a61612001c4b36d5c8c0b8a

    SHA256

    042e5050d9ec13604600373da1a5b513cfb1c4ec8ca13c30d1df3c81e619ad88

    SHA512

    17e51f32a42dc5e368aba69ea70b35abb863f730586266f28b8f3d69586366203e05203e1be0fa04e78b578149e822d6f4290410876bc0caf98d8a6525cac09b

    Download Submit

  • C:\xvlsgkzs\dragdropfilesdll.dll
    Filesize

    32.2MB

    MD5

    9557b0b5c7f9a3f50803eea529363b0b

    SHA1

    00beee4299ae561038b913defd2705f6f115c343

    SHA256

    15fc01c1bf14d19fe2e6d43ea999efd9c7d7bcc29aae38e2a71b70494621a563

    SHA512

    b5fe44de9804f3dcdec911ee29dcd8b584d9ecb82f8d92fee8fb49688174c56bc40f1e3c7513943ba3b2dd7effba8582a1133f3023ad07feae1d8d3e11c54438

    Download Submit

  • C:\xvlsgkzs\dragdropfilesdll.dll
    Filesize

    32.2MB

    MD5

    9557b0b5c7f9a3f50803eea529363b0b

    SHA1

    00beee4299ae561038b913defd2705f6f115c343

    SHA256

    15fc01c1bf14d19fe2e6d43ea999efd9c7d7bcc29aae38e2a71b70494621a563

    SHA512

    b5fe44de9804f3dcdec911ee29dcd8b584d9ecb82f8d92fee8fb49688174c56bc40f1e3c7513943ba3b2dd7effba8582a1133f3023ad07feae1d8d3e11c54438

    Download Submit

  • C:\xvlsgkzs\dragdropfilesdll.dll
    Filesize

    32.2MB

    MD5

    9557b0b5c7f9a3f50803eea529363b0b

    SHA1

    00beee4299ae561038b913defd2705f6f115c343

    SHA256

    15fc01c1bf14d19fe2e6d43ea999efd9c7d7bcc29aae38e2a71b70494621a563

    SHA512

    b5fe44de9804f3dcdec911ee29dcd8b584d9ecb82f8d92fee8fb49688174c56bc40f1e3c7513943ba3b2dd7effba8582a1133f3023ad07feae1d8d3e11c54438

    Download Submit

  • memory/1860-75-0x00000000103C0000-0x00000000103C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1860-79-0x00000000101D0000-0x000000001027B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/1860-52-0x0000000003B40000-0x0000000005C0C000-memory.dmp

    Filesize

    32.8MB

    Download

  • memory/1860-66-0x0000000001A20000-0x0000000001A21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1860-65-0x0000000003B40000-0x0000000005C0C000-memory.dmp

    Filesize

    32.8MB

    Download

  • memory/1860-71-0x00000000101D0000-0x000000001027B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/1860-72-0x0000000010380000-0x0000000010381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1860-73-0x00000000101A0000-0x00000000101A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1860-74-0x00000000101D0000-0x000000001027B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/1860-107-0x0000000003B40000-0x0000000005C0C000-memory.dmp

    Filesize

    32.8MB

    Download

  • memory/1860-76-0x00000000103B0000-0x00000000103B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1860-77-0x0000000001A20000-0x0000000001A21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1860-78-0x0000000003B40000-0x0000000005C0C000-memory.dmp

    Filesize

    32.8MB

    Download

  • memory/1860-106-0x0000000003B40000-0x0000000005C0C000-memory.dmp

    Filesize

    32.8MB

    Download

  • memory/1860-80-0x00000000101D0000-0x000000001027B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/1860-88-0x0000000003B40000-0x0000000005C0C000-memory.dmp

    Filesize

    32.8MB

    Download

  • memory/1860-94-0x0000000003B40000-0x0000000005C0C000-memory.dmp

    Filesize

    32.8MB

    Download

  • memory/1860-100-0x0000000003B40000-0x0000000005C0C000-memory.dmp

    Filesize

    32.8MB

    Download

  • memory/3248-56-0x000001D1ECAB0000-0x000001D1ECAB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3248-51-0x00000000655B0000-0x0000000065EF8000-memory.dmp

    Filesize

    9.3MB

    Download