Overview

overview

8

Static

static

1

VMBHNCF{68...fc.msi

windows7-x64

VMBHNCF{68...fc.msi

windows10-2004-x64

Analysis

  • max time kernel
    70s
  • max time network
    77s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/10/2023, 16:36

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    VMBHNCF{68111D07-1E25-4791-835A-CA847E8E5AA0}®vnfc.msi

  • Size

    1.2MB

  • MD5

    779319fcf4fb23620d0ced2b28263714

  • SHA1

    be1587efa66030b9725b49b90795e6647532661b

  • SHA256

    b9f6bae7ebc13ec7ed5e40a4e70674a66f1af23b6582b40c89faefb70a5576cf

  • SHA512

    96cf7620e7bd4cdb92373bcd5c4f0db23f8e4ef2eb5f327586277540c364dba216495662e82e02b5babb26f04c2387d5f7fad061bccf4560a3faac0c5f38f5e1

  • SSDEEP

    24576:IXUxLNIYVNMvZCFlp8zBQSc0ZoCEqKlqS0Ygll5RRYM/ZXAAM:IXgIY4W8zBQSc0ZnRKr8RRYGZXAA

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\VMBHNCF{68111D07-1E25-4791-835A-CA847E8E5AA0}®vnfc.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2100
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2A581CF34DCADF67F27BA3F0A313CC74
      2⤵
      • Loads dropped DLL
      PID:436
    • C:\Windows\Installer\MSI2BB4.tmp
      "C:\Windows\Installer\MSI2BB4.tmp" /DontWait /HideWindow "C:\Users\Admin\AppData\Roaming\TWOCNOMBEXPRE6YNI6n4rb6lgPj5i7CcOp7xGxRyB0re8YLdg1yQZTrjE0AzYw0qq®vtnfmb\TWOCNOMBEXPRE6YNI6n4rb6lgPj5i7CcOp7xGxRyB0re8YLdg1yQZTrjE0AzYw0qq®vtnfmb\Rpo8eBEvGEss4ê.cmd"
      2⤵
      • Executes dropped EXE
      PID:3160
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\TWOCNOMBEXPRE6YNI6n4rb6lgPj5i7CcOp7xGxRyB0re8YLdg1yQZTrjE0AzYw0qq®vtnfmb\TWOCNOMBEXPRE6YNI6n4rb6lgPj5i7CcOp7xGxRyB0re8YLdg1yQZTrjE0AzYw0qq®vtnfmb\Rpo8eBEvGEss4ê.cmd" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3936
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo %Xzkfe??5??LbNIHC% "
      2⤵
        PID:3556
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -NoProfile -windowstyle hidden -ExecutionPolicy Bypass -nop -NoExit -Command -
        2⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4896
        • C:\Windows\system32\shutdown.exe
          "C:\Windows\system32\shutdown.exe" -r -f -t 10 -c "Windows Updated Successfully"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2640
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39b3855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:2364

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e581173.rbs
      Filesize

      3KB

      MD5

      3c8f4b1603ed674d7c228d41bdaf60db

      SHA1

      07379dc74d31e2b67416df190e8c002181003da2

      SHA256

      29ac50834f8596730294cfa9e9a494bdc4526a3250a0c4150c7e44d14c48f1ae

      SHA512

      ea250a5e97491a77ba2395e0f6cee8c7bc6825b59944aa30a06aaf167696997b0c8b633df300c8981384d2ef7d407854afda53a7ed9b864f15a55c5fea48ccc4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x5vmfnpk.qv4.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\AMD64_\MyDoct07321E8®\6C47A48D272.zip
      Filesize

      16.7MB

      MD5

      500fbd78159ce8c3326bdbf9dbc8df7c

      SHA1

      e229eb17c6dfb11a34894cc794de80f3af83eb95

      SHA256

      bfba0ed474bd5fdcd98a3eafdcde50f45bfddff915e58f0d03465cdc39a0f729

      SHA512

      8f6bfbcc3e6143dfeb48618f916afe7a3e1bcbad47bf7ce80b61f12333754696aa15515b227783d885676503c6d24dfeb52e72527ab3cd118d5e531352fbb3e5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\AMD64_\MyDoct07321E8®\UsicsunattenderBEBroker3d02©.exe
      Filesize

      21KB

      MD5

      cc09bb7fdefc5763ccb3cf7dae2d76cf

      SHA1

      8610d07f27a961066134d728c82eb8e5f22e7e8f

      SHA256

      f8f00900edba2f64bf136dd0b6c83caf07c72f24f3d49c78b7ea24757fdbc6d0

      SHA512

      0c518487aa5bad357bd19ad09c6cfe0b8bb522d74a916d36cf01f1bd194b59cd8457784b199dc953570ad7ef8ce67464d066bda51e31b055c9d4d5ca060d45c5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\TWOCNOMBEXPRE6YNI6n4rb6lgPj5i7CcOp7xGxRyB0re8YLdg1yQZTrjE0AzYw0qq®vtnfmb\TWOCNOMBEXPRE6YNI6n4rb6lgPj5i7CcOp7xGxRyB0re8YLdg1yQZTrjE0AzYw0qq®vtnfmb\Rpo8eBEvGEss4ê.cmd
      Filesize

      30KB

      MD5

      83354a7cb285d411c9e2d885b9ba5d30

      SHA1

      863916b1517db58db9b44b8c46550782f7864e26

      SHA256

      d052766289b2bab38035161a7955ee1595fd7883bc9593585d2dc04ffe873a64

      SHA512

      22b8d29efa380db5a84510e575517109a91b19d5e6f257248e2db57bcaf4937c91868f17aab6ded92040da7f6ddf3b7643ac155112641a5e91c681d5a020393c

      Download Submit

    • C:\Windows\Installer\MSI13E1.tmp
      Filesize

      436KB

      MD5

      5788efa607d26332d6d7f5e6a1f6bd6f

      SHA1

      e7749843cc3e89bc81649087de4ad44c93d48bc6

      SHA256

      9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

      SHA512

      ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

      Download Submit

    • C:\Windows\Installer\MSI13E1.tmp
      Filesize

      436KB

      MD5

      5788efa607d26332d6d7f5e6a1f6bd6f

      SHA1

      e7749843cc3e89bc81649087de4ad44c93d48bc6

      SHA256

      9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

      SHA512

      ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

      Download Submit

    • C:\Windows\Installer\MSI25D4.tmp
      Filesize

      436KB

      MD5

      5788efa607d26332d6d7f5e6a1f6bd6f

      SHA1

      e7749843cc3e89bc81649087de4ad44c93d48bc6

      SHA256

      9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

      SHA512

      ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

      Download Submit

    • C:\Windows\Installer\MSI25D4.tmp
      Filesize

      436KB

      MD5

      5788efa607d26332d6d7f5e6a1f6bd6f

      SHA1

      e7749843cc3e89bc81649087de4ad44c93d48bc6

      SHA256

      9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

      SHA512

      ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

      Download Submit

    • C:\Windows\Installer\MSI2865.tmp
      Filesize

      436KB

      MD5

      5788efa607d26332d6d7f5e6a1f6bd6f

      SHA1

      e7749843cc3e89bc81649087de4ad44c93d48bc6

      SHA256

      9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

      SHA512

      ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

      Download Submit

    • C:\Windows\Installer\MSI2865.tmp
      Filesize

      436KB

      MD5

      5788efa607d26332d6d7f5e6a1f6bd6f

      SHA1

      e7749843cc3e89bc81649087de4ad44c93d48bc6

      SHA256

      9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

      SHA512

      ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

      Download Submit

    • C:\Windows\Installer\MSI2865.tmp
      Filesize

      436KB

      MD5

      5788efa607d26332d6d7f5e6a1f6bd6f

      SHA1

      e7749843cc3e89bc81649087de4ad44c93d48bc6

      SHA256

      9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

      SHA512

      ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

      Download Submit

    • C:\Windows\Installer\MSI28E3.tmp
      Filesize

      436KB

      MD5

      5788efa607d26332d6d7f5e6a1f6bd6f

      SHA1

      e7749843cc3e89bc81649087de4ad44c93d48bc6

      SHA256

      9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

      SHA512

      ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

      Download Submit

    • C:\Windows\Installer\MSI28E3.tmp
      Filesize

      436KB

      MD5

      5788efa607d26332d6d7f5e6a1f6bd6f

      SHA1

      e7749843cc3e89bc81649087de4ad44c93d48bc6

      SHA256

      9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

      SHA512

      ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

      Download Submit

    • C:\Windows\Installer\MSI2BB4.tmp
      Filesize

      389KB

      MD5

      377c83c6f0f37653ff911dc06e6c4274

      SHA1

      ce1e53b5bf0a220346ab7379b93c4341c24fdd8a

      SHA256

      c290a133b60220479acf0469781de847eb7e4a6b0c92de45ee9223be5e0ca769

      SHA512

      47bed026ef3d3e1a88a8cec3e0e2904029ec6f2e0ed9bb8d8836564fa713e882cf9bbf0d1e1dc7887072804578edd6af21b047d579f85f27bba733a20125fdd8

      Download Submit

    • C:\Windows\Installer\MSI2BB4.tmp
      Filesize

      389KB

      MD5

      377c83c6f0f37653ff911dc06e6c4274

      SHA1

      ce1e53b5bf0a220346ab7379b93c4341c24fdd8a

      SHA256

      c290a133b60220479acf0469781de847eb7e4a6b0c92de45ee9223be5e0ca769

      SHA512

      47bed026ef3d3e1a88a8cec3e0e2904029ec6f2e0ed9bb8d8836564fa713e882cf9bbf0d1e1dc7887072804578edd6af21b047d579f85f27bba733a20125fdd8

      Download Submit

    • memory/4896-51-0x000001CA73D00000-0x000001CA73D44000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4896-50-0x000001CA72EA0000-0x000001CA72EB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-49-0x000001CA72EA0000-0x000001CA72EB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-52-0x000001CA73DD0000-0x000001CA73E46000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4896-54-0x00007FFE3A4B0000-0x00007FFE3AF71000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4896-55-0x000001CA72EA0000-0x000001CA72EB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-48-0x00007FFE3A4B0000-0x00007FFE3AF71000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4896-47-0x000001CA72CE0000-0x000001CA72D02000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4896-99-0x00007FFE3A4B0000-0x00007FFE3AF71000-memory.dmp

      Filesize

      10.8MB

      Download