Overview

overview

10

Static

static

1

Setup.msi

windows7-x64

10

Setup.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    60s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    30/10/2023, 05:05

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.msi

  • Size

    67KB

  • MD5

    30e7fb6c0637531e9c13bab0a328e8df

  • SHA1

    3afdfda8fafbb21f2bafe2afd02440c83c5186a2

  • SHA256

    aed0e8ecc08f9832929c639c9ef96905c57905ddb757e66e4a1409297902b4aa

  • SHA512

    27ab0ae1e498e08aab8861e9267b6d8ac86fb40d5886a0803c336af1026beb4ae31d74522bf0eee67f2c20fe21735d14d8f4a662c87bb8323f5aeeb633a0f358

  • SSDEEP

    768:ZHLzyKrqJqTc5rrjHCh7fIASUHlrTShGMnaB9YmI2TvgomhpjKdByxixI0UsiAj:ZHWFtC7FSUHlXAcY8midBEi+0sA

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://www.google.com/

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2752
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Program Files (x86)\Google\Install\install.cmd""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -File "C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic/ru.ps1"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1396
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic" --new-window https://www.google.com/
          4⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2512
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feefe09758,0x7feefe09768,0x7feefe09778
            5⤵
              PID:1660
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1096 --field-trial-handle=1388,i,952883181212006932,3410849601238048894,131072 /prefetch:2
              5⤵
                PID:2460
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1388,i,952883181212006932,3410849601238048894,131072 /prefetch:8
                5⤵
                  PID:2364
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1388,i,952883181212006932,3410849601238048894,131072 /prefetch:8
                  5⤵
                    PID:2180
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2188 --field-trial-handle=1388,i,952883181212006932,3410849601238048894,131072 /prefetch:1
                    5⤵
                      PID:2300
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2204 --field-trial-handle=1388,i,952883181212006932,3410849601238048894,131072 /prefetch:1
                      5⤵
                        PID:2164
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2868 --field-trial-handle=1388,i,952883181212006932,3410849601238048894,131072 /prefetch:1
                        5⤵
                          PID:1688
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3256 --field-trial-handle=1388,i,952883181212006932,3410849601238048894,131072 /prefetch:1
                          5⤵
                            PID:1316
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1404 --field-trial-handle=1388,i,952883181212006932,3410849601238048894,131072 /prefetch:2
                            5⤵
                              PID:1516
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4084 --field-trial-handle=1388,i,952883181212006932,3410849601238048894,131072 /prefetch:8
                              5⤵
                                PID:1704
                      • C:\Windows\system32\vssvc.exe
                        C:\Windows\system32\vssvc.exe
                        1⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2760
                      • C:\Windows\system32\DrvInst.exe
                        DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B0" "00000000000005C0"
                        1⤵
                        • Drops file in Windows directory
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2600
                      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                        1⤵
                          PID:932

                        Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Config.Msi\f769a8f.rbs
                                Filesize

                                9KB

                                MD5

                                5fcece63e6a54a5152d3e3d020a48542

                                SHA1

                                01d41323f41db21134323723597fcc5989f41e8b

                                SHA256

                                e5c946e486743b9599e53ac3757807949afee31b6ace12414e7c8f1aecc25f82

                                SHA512

                                7158de0a15c659e27eaddda7d540f040137643fce7c3b18442f268d3b6b0d00027c29823e164e76fb303a6353a20bcfd9cf8c37d0e5e7a1da4fc7781d10bd915

                                Download Submit

                              • C:\Program Files (x86)\Google\Install\install.cmd
                                Filesize

                                111B

                                MD5

                                b0cad96680199d661392b2f7ddff5887

                                SHA1

                                152a66d5d621da12952145543a7c91152e88e67d

                                SHA256

                                0f8a46a6e210fc91970fb967179607ead10ad8c1c73fd63888a94727d0736707

                                SHA512

                                9de96eccab57254a7bcecb03cce11a1e294c2129aafcc4a85398e6fe00fc8bce6917b0de135fd8e3867b68caf7ee24f068eb925bfb1eda917324ccb3b8e9cbd7

                                Download Submit

                              • C:\Program Files (x86)\Google\Install\install.cmd
                                Filesize

                                111B

                                MD5

                                b0cad96680199d661392b2f7ddff5887

                                SHA1

                                152a66d5d621da12952145543a7c91152e88e67d

                                SHA256

                                0f8a46a6e210fc91970fb967179607ead10ad8c1c73fd63888a94727d0736707

                                SHA512

                                9de96eccab57254a7bcecb03cce11a1e294c2129aafcc4a85398e6fe00fc8bce6917b0de135fd8e3867b68caf7ee24f068eb925bfb1eda917324ccb3b8e9cbd7

                                Download Submit

                              • C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic\background.js
                                Filesize

                                16KB

                                MD5

                                9faf3dae3ad81e80825d3a1b9dfb2876

                                SHA1

                                5a30e4e6ce5897221bf3bc7ba4ed8b5f5d3f3729

                                SHA256

                                2bf4b2c624a2e6a8a2be22c9f1788f564f741c1a8cb64f1f050167322c4875ef

                                SHA512

                                89e2d752dfbfec74f49a52f7a75278957879f12ea6abda8dc4ee62f58b45abb5d9c115817eb9a873d35162fcaf929316e5f2c6c306b1e24dda7408f241413dd3

                                Download Submit

                              • C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic\content.js
                                Filesize

                                258B

                                MD5

                                4d53e2f9289e4d01cb88e277bba25c72

                                SHA1

                                a54fc0fd884a33229216eebd93d868f0c43eec0d

                                SHA256

                                ff5cc0f88e7f10993ac60437a74ca9224ae13c9d15b86677991d053242237195

                                SHA512

                                25d96794904b7e5401eb6789ea0f2f22b535b9b6aa69d119a5f65115c06556e156abb66de17f889986940400904d262e744057e4e0daa7aba0505906d6b98cff

                                Download Submit

                              • C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic\favicon.png
                                Filesize

                                2KB

                                MD5

                                8be1facb79791a064862a61399b6dfea

                                SHA1

                                93bc1b7172e9a3aa7c7d7b24b7be53c992e4566f

                                SHA256

                                89ff11a2237f9ec798ed4493738b14be76f11f282c5ab755847779fe241ef857

                                SHA512

                                6bdbb91648377ff2af465973c85021085ff413ab0b8da3c59127f46e5b58e9116c5227ed4c8e923d98185f8a85471e84007c927b58a21a06f081e702d0e731ab

                                Download Submit

                              • C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic\manifest.json
                                Filesize

                                714B

                                MD5

                                162ce37b0f293f4cfad78aeffa7028a5

                                SHA1

                                4633122a48f30074e75379aee0eabdc2a934846f

                                SHA256

                                f7ae9888bbfb60d6598fe9247fef9edebc8928593f4e4032292d846e40b50254

                                SHA512

                                888a4c2e7108ea31d29dab5314daae5729fb1f9e0b538db1aa272443499fe321d95d0e0c912ae262e2058acf81a15adbd5ae64c76485ddd9251bc75e974dbc44

                                Download Submit

                              • C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic\ru.ps1
                                Filesize

                                1KB

                                MD5

                                223e95458caff3342b91b7bce4b1cfba

                                SHA1

                                773a912ff6d08d23756eec1d38064bf76c709a0d

                                SHA256

                                259c48e7c9eb8d1e9e41373ab6b3b7f669a4733e2692d5bb74a5ce76a7d156e9

                                SHA512

                                52cdce4279f61c8bf7ceb90e6b3263d55e1bb3a867ad187a0bd65a4883549a11d97f71cc1c46025b278064689b2019ff61101cb0e96f0cb08f18de0de4157b1e

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\CURRENT~RFf76b165.TMP
                                Filesize

                                16B

                                MD5

                                46295cac801e5d4857d09837238a6394

                                SHA1

                                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                SHA256

                                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                SHA512

                                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000007.dbtmp
                                Filesize

                                16B

                                MD5

                                18e723571b00fb1694a3bad6c78e4054

                                SHA1

                                afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                                SHA256

                                8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                                SHA512

                                43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000004.dbtmp
                                Filesize

                                16B

                                MD5

                                6752a1d65b201c13b62ea44016eb221f

                                SHA1

                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                SHA256

                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                SHA512

                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
                                Filesize

                                264KB

                                MD5

                                f50f89a0a91564d0b8a211f8921aa7de

                                SHA1

                                112403a17dd69d5b9018b8cede023cb3b54eab7d

                                SHA256

                                b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                SHA512

                                bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                5KB

                                MD5

                                6d80eec5347c1172c8948d043d81de36

                                SHA1

                                b558f1e5135bbf9a9fb215230a18d365cb356da1

                                SHA256

                                407916aac19b7b99f1227ead80a80a228d8213d46cef600bf93ab75512c42c56

                                SHA512

                                6120a737b688d4ccdafe926ae6b40c61ee6427d0e74d47f97d6ad69fddfa1b395d5ca1621f3b5313ea82e4341cef36fe2b780dca5e1945796e173bbfa652a71e

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                5KB

                                MD5

                                5ef6d92f440c5f16e41cdcb372c8eac7

                                SHA1

                                5001e93f0a17e0e2468043f457d20020a0a6136c

                                SHA256

                                63b2101756856caf4ce26eaa4f916e5f07b6e206f4618f9c9914f0a0c5354d3c

                                SHA512

                                780ca6eca4dac0ff0096d3a131abe5268a1764eb027b654dbf821a19a7d2232cd53d08a308d867e1587c1cad4d691fb66d50ada931e14bdecf263d79ae7fc703

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000002.dbtmp
                                Filesize

                                16B

                                MD5

                                206702161f94c5cd39fadd03f4014d98

                                SHA1

                                bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                SHA256

                                1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                SHA512

                                0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                Download Submit

                              • C:\Windows\Installer\f769a8b.msi
                                Filesize

                                67KB

                                MD5

                                30e7fb6c0637531e9c13bab0a328e8df

                                SHA1

                                3afdfda8fafbb21f2bafe2afd02440c83c5186a2

                                SHA256

                                aed0e8ecc08f9832929c639c9ef96905c57905ddb757e66e4a1409297902b4aa

                                SHA512

                                27ab0ae1e498e08aab8861e9267b6d8ac86fb40d5886a0803c336af1026beb4ae31d74522bf0eee67f2c20fe21735d14d8f4a662c87bb8323f5aeeb633a0f358

                                Download Submit

                              • memory/1396-43-0x0000000002670000-0x00000000026F0000-memory.dmp

                                Filesize

                                512KB

                                Download

                              • memory/1396-50-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

                                Filesize

                                9.6MB

                                Download

                              • memory/1396-47-0x0000000002670000-0x00000000026F0000-memory.dmp

                                Filesize

                                512KB

                                Download

                              • memory/1396-45-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

                                Filesize

                                9.6MB

                                Download

                              • memory/1396-44-0x0000000002670000-0x00000000026F0000-memory.dmp

                                Filesize

                                512KB

                                Download

                              • memory/1396-42-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

                                Filesize

                                9.6MB

                                Download

                              • memory/1396-41-0x0000000002560000-0x0000000002568000-memory.dmp

                                Filesize

                                32KB

                                Download

                              • memory/1396-40-0x000000001B330000-0x000000001B612000-memory.dmp

                                Filesize

                                2.9MB

                                Download