Overview

overview

7

Static

static

1

Report-103.msi

windows7-x64

7

Report-103.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    158s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2023, 12:07

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Report-103.msi

  • Size

    480KB

  • MD5

    41df43e56e01f43933de04bb60fc1a92

  • SHA1

    dadf7147af3422f00d7877ee3ccd51d0fffa4f8d

  • SHA256

    1adf8384033acd54b0cb29d623812c492cf5e60dd8d8caea368fd426f3105f23

  • SHA512

    a21220edf9bb74f64bf4fa55da289764ddaa8500a17258b9c5a2d56a359297f49d35fe8ab05c2a7bddaca360be7ff7b9bdfe3e13b16180744a37a12127e7d2a0

  • SSDEEP

    12288:StvRQ+gjpjegGpo8gAQHmCVAaIxUh6osx:StncpVGb9wqUM

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Report-103.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2364
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1C71348103DCF554B29F2005FCE15974
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:636
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:804
      • C:\Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\files\KeyScramblerLogon.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\files\KeyScramblerLogon.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 144
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1396
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2960
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002C8" "00000000000002F8"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2368

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\files.cab
          Filesize

          235KB

          MD5

          01b3cd0ee338cd39cf7160a1280ae89c

          SHA1

          af817d4ee4db6864f65e557b7177f9add82bea52

          SHA256

          c98661a2c94cb0fc931ca67715cc4176ce788132abefdf7d40d5031fcddba840

          SHA512

          227ec116d9c4da61536de4d3d07ff9119f6a94c0064bed664ef48cbad0e5e5c690178d0655f10a998ba853613049b88e9d10c0c4742efb4015d58e0dc980250e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\files\KeyScramblerIE.DLL
          Filesize

          88KB

          MD5

          880a2bced31a6a2f581225677dee2297

          SHA1

          086766e74d900357f35fc8732dfd5352b47be9eb

          SHA256

          ad0198ed6ce6631e03966768ff00f39731ba94cadaf4b19eead666e714f3e85b

          SHA512

          2def3ade285e6208bdc510f435bfec556771b6a5dedef286277fd44f6b1a0f4c162cf30f5739cd460822d47ea70451382e523a5542f4c4c615e052b91f54e251

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\files\KeyScramblerLogon.exe
          Filesize

          500KB

          MD5

          c790ebfcb6a34953a371e32c9174fe46

          SHA1

          3ead08d8bbdb3afd851877cb50507b77ae18a4d8

          SHA256

          fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

          SHA512

          74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\files\KeyScramblerLogon.exe
          Filesize

          500KB

          MD5

          c790ebfcb6a34953a371e32c9174fe46

          SHA1

          3ead08d8bbdb3afd851877cb50507b77ae18a4d8

          SHA256

          fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

          SHA512

          74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\msiwrapper.ini
          Filesize

          1KB

          MD5

          a2e7089c7f1c87b9cbff5f9580972a0c

          SHA1

          08aa1b16f4a32167a54c8ecaba5b929f62bd4c1b

          SHA256

          78aa126169b77cd1f7a491bfc2be79c98a76d2023605a8974a824fe4d27b454b

          SHA512

          f67191d72767789a5abeed1070e8cd089791f57de51d86701eced435cce8f0caa5f53bb17451f1b04a1fdc3788c69922c329281d4988cb3d7e5e229121a89515

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\msiwrapper.ini
          Filesize

          1KB

          MD5

          a2e7089c7f1c87b9cbff5f9580972a0c

          SHA1

          08aa1b16f4a32167a54c8ecaba5b929f62bd4c1b

          SHA256

          78aa126169b77cd1f7a491bfc2be79c98a76d2023605a8974a824fe4d27b454b

          SHA512

          f67191d72767789a5abeed1070e8cd089791f57de51d86701eced435cce8f0caa5f53bb17451f1b04a1fdc3788c69922c329281d4988cb3d7e5e229121a89515

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\msiwrapper.ini
          Filesize

          1KB

          MD5

          a2e7089c7f1c87b9cbff5f9580972a0c

          SHA1

          08aa1b16f4a32167a54c8ecaba5b929f62bd4c1b

          SHA256

          78aa126169b77cd1f7a491bfc2be79c98a76d2023605a8974a824fe4d27b454b

          SHA512

          f67191d72767789a5abeed1070e8cd089791f57de51d86701eced435cce8f0caa5f53bb17451f1b04a1fdc3788c69922c329281d4988cb3d7e5e229121a89515

          Download Submit

        • C:\Windows\Installer\MSI8EF7.tmp
          Filesize

          208KB

          MD5

          56a9b2f5afc4454ae9427aeeb010f652

          SHA1

          ee7dfd61e93d6ff86bf01d9923fb5c4232b6886f

          SHA256

          afc3a7277172025bf69f67639108b2290ddc7495ef9f65f796954c0d1cd15b65

          SHA512

          f272719a6cd15d4e7ca69f64422ea6421c0fc23e41d78cd979e123e64539d1bbaafc5eb3690433dcc477468baf6074fc716a68b80f2523f13952cfc6738ad1be

          Download Submit

        • \Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\files\KeyScramblerIE.dll
          Filesize

          88KB

          MD5

          880a2bced31a6a2f581225677dee2297

          SHA1

          086766e74d900357f35fc8732dfd5352b47be9eb

          SHA256

          ad0198ed6ce6631e03966768ff00f39731ba94cadaf4b19eead666e714f3e85b

          SHA512

          2def3ade285e6208bdc510f435bfec556771b6a5dedef286277fd44f6b1a0f4c162cf30f5739cd460822d47ea70451382e523a5542f4c4c615e052b91f54e251

          Download Submit

        • \Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\files\KeyScramblerLogon.exe
          Filesize

          500KB

          MD5

          c790ebfcb6a34953a371e32c9174fe46

          SHA1

          3ead08d8bbdb3afd851877cb50507b77ae18a4d8

          SHA256

          fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

          SHA512

          74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

          Download Submit

        • \Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\files\KeyScramblerLogon.exe
          Filesize

          500KB

          MD5

          c790ebfcb6a34953a371e32c9174fe46

          SHA1

          3ead08d8bbdb3afd851877cb50507b77ae18a4d8

          SHA256

          fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

          SHA512

          74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

          Download Submit

        • \Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\files\KeyScramblerLogon.exe
          Filesize

          500KB

          MD5

          c790ebfcb6a34953a371e32c9174fe46

          SHA1

          3ead08d8bbdb3afd851877cb50507b77ae18a4d8

          SHA256

          fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

          SHA512

          74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

          Download Submit

        • \Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\files\KeyScramblerLogon.exe
          Filesize

          500KB

          MD5

          c790ebfcb6a34953a371e32c9174fe46

          SHA1

          3ead08d8bbdb3afd851877cb50507b77ae18a4d8

          SHA256

          fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

          SHA512

          74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

          Download Submit

        • \Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\files\KeyScramblerLogon.exe
          Filesize

          500KB

          MD5

          c790ebfcb6a34953a371e32c9174fe46

          SHA1

          3ead08d8bbdb3afd851877cb50507b77ae18a4d8

          SHA256

          fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

          SHA512

          74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

          Download Submit

        • \Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\files\KeyScramblerLogon.exe
          Filesize

          500KB

          MD5

          c790ebfcb6a34953a371e32c9174fe46

          SHA1

          3ead08d8bbdb3afd851877cb50507b77ae18a4d8

          SHA256

          fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

          SHA512

          74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

          Download Submit

        • \Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\files\KeyScramblerLogon.exe
          Filesize

          500KB

          MD5

          c790ebfcb6a34953a371e32c9174fe46

          SHA1

          3ead08d8bbdb3afd851877cb50507b77ae18a4d8

          SHA256

          fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

          SHA512

          74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

          Download Submit

        • \Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\files\KeyScramblerLogon.exe
          Filesize

          500KB

          MD5

          c790ebfcb6a34953a371e32c9174fe46

          SHA1

          3ead08d8bbdb3afd851877cb50507b77ae18a4d8

          SHA256

          fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

          SHA512

          74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

          Download Submit

        • \Users\Admin\AppData\Local\Temp\MW-017c449c-6d87-42c0-98e6-3b2bcae44773\files\KeyScramblerLogon.exe
          Filesize

          500KB

          MD5

          c790ebfcb6a34953a371e32c9174fe46

          SHA1

          3ead08d8bbdb3afd851877cb50507b77ae18a4d8

          SHA256

          fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

          SHA512

          74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

          Download Submit

        • \Windows\Installer\MSI8EF7.tmp
          Filesize

          208KB

          MD5

          56a9b2f5afc4454ae9427aeeb010f652

          SHA1

          ee7dfd61e93d6ff86bf01d9923fb5c4232b6886f

          SHA256

          afc3a7277172025bf69f67639108b2290ddc7495ef9f65f796954c0d1cd15b65

          SHA512

          f272719a6cd15d4e7ca69f64422ea6421c0fc23e41d78cd979e123e64539d1bbaafc5eb3690433dcc477468baf6074fc716a68b80f2523f13952cfc6738ad1be

          Download Submit

        • memory/1700-84-0x0000000000400000-0x000000000041B000-memory.dmp

          Filesize

          108KB

          Download