Overview

overview

7

Static

static

1

Citric Installer.msi

windows7-x64

7

Citric Installer.msi

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    05/11/2023, 06:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Citric Installer.msi

  • Size

    9.1MB

  • MD5

    1ffd85bb7326be4ca11fa950f9f6e65e

  • SHA1

    9c0cd827d9c8930beece29b9741a79d3a43ee053

  • SHA256

    09c61a5f060f45a4fd5e7c2d4b3c5a6ffae4c21d83cb0d4d84858944cdf40c7b

  • SHA512

    7102ee1dbd1fdb793eab9c12c0758353d25df7f7d206f62d69f07531f2cd6f52ac7210b2f883c77fbf9b57fac04b57b78d3c479a5fcb4ba3fff7d1a386f76bec

  • SSDEEP

    196608:tLGsJhHv8xDMMv00DomHHuiObiKcUR6j9r6AI242:5Gchh58oUuT+UCwA

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 27 IoCs
  • Drops file in Windows directory 42 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Citric Installer.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:536
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 99D0CF4E8E71F42EA746003CFCA4517B C
      2⤵
      • Loads dropped DLL
      PID:3044
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B1D7D9B2A3DCBAB6A524317AE1D656B6
      2⤵
      • Loads dropped DLL
      PID:584
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:2632
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000300" "00000000000003D8"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2552
    • C:\Program Files (x86)\Gota7\Citric Composer\Citric Composer.exe
      "C:\Program Files (x86)\Gota7\Citric Composer\Citric Composer.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1744

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Config.Msi\f76c351.rbs
            Filesize

            66KB

            MD5

            0b5cb09b5d8868f66cb7a8e5a02256af

            SHA1

            da9148e0e28a48b773c11b0e6b3eb52f6e393d9c

            SHA256

            79e6619d630822182c8db53227bd30a869953fd1527b7365b3a466134e35e909

            SHA512

            06ef6f74ae232565d8a4a85b30a03946d1d7a4baad60a120242e636bd0626abd0df22a8d395df2b608980cdb504f04cdbe877d6b7fcf928eaff84921b64f1aef

            Download Submit

          • C:\Program Files (x86)\Gota7\Citric Composer\Citric Composer.exe
            Filesize

            8.5MB

            MD5

            2bcc7f6dc8df6b201fbefeab92afb401

            SHA1

            195b622a95a8abb7244f5635f570f8b450e3efbf

            SHA256

            58d68f2c32d7c488219aa1d23da6f523f0f21c2fd67a6836173406bb5ca2a0f0

            SHA512

            db62ebb2fdb95c0134ba38dbc628a65fd0c67a078fcbe3be2e5c2f4633b581d7888ce62a961fb485325f4946dfd6ec4b8814a50485cbb38f09f4d662f17c1d7b

            Download Submit

          • C:\Program Files (x86)\Gota7\Citric Composer\Citric Composer.exe
            Filesize

            8.5MB

            MD5

            2bcc7f6dc8df6b201fbefeab92afb401

            SHA1

            195b622a95a8abb7244f5635f570f8b450e3efbf

            SHA256

            58d68f2c32d7c488219aa1d23da6f523f0f21c2fd67a6836173406bb5ca2a0f0

            SHA512

            db62ebb2fdb95c0134ba38dbc628a65fd0c67a078fcbe3be2e5c2f4633b581d7888ce62a961fb485325f4946dfd6ec4b8814a50485cbb38f09f4d662f17c1d7b

            Download Submit

          • C:\Program Files (x86)\Gota7\Citric Composer\Citric Composer.exe.config
            Filesize

            184B

            MD5

            52639fb99722ea7b6cb91acb33ea3ff0

            SHA1

            b7b3b0da0676efe42a9bbf402aa22f6f780c8394

            SHA256

            c0d7aeba3b28ab01bca0428d05e1d1c83c655cf7949a3179d27ad80554e33c03

            SHA512

            114f1e8deec01a6487658d6a3f448730c970f9fcca10c04c40192535f2349a29d0f09069b2d6600d8d0f1b5dd5f836c9c7c0d72e05801ac4979b051eb1d1a7e1

            Download Submit

          • C:\Program Files (x86)\Gota7\Citric Composer\ScintillaNET.dll
            Filesize

            1.3MB

            MD5

            9166536c31f4e725e6befe85e2889a4b

            SHA1

            f0cd8253b7e64157d39a8dc5feb8cf7bda7e8dae

            SHA256

            ad0cc5a4d4a6aae06ee360339c851892b74b8a275ce89c1b48185672179f3163

            SHA512

            113a7b77d2d557d135470787deead744d42f8292d853e2b55074e9cb3591fd045ffd10e5c81b5c15dde55861b806363568611e591ae25dcb31cf011da7e72562

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MSI4AF5.tmp
            Filesize

            301KB

            MD5

            48941bf44e6b3e17c15b05edd0e3191d

            SHA1

            fb1e586d7aa2e2faabe35eaa37c61d4941900f2d

            SHA256

            34cab9b8388ffdbcc14d61ecb81bc2044eefffbc9db0728e986278b343502f2b

            SHA512

            04b06239e1deea0af4c54f496e7f577b25d986f7dd476ed7648a2d0b723ad319e6c3c16ce4de52a977c63747e7fae2fd06e7c5fd044d1b258f196bd9caeb7b4c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MSI4DA4.tmp
            Filesize

            301KB

            MD5

            48941bf44e6b3e17c15b05edd0e3191d

            SHA1

            fb1e586d7aa2e2faabe35eaa37c61d4941900f2d

            SHA256

            34cab9b8388ffdbcc14d61ecb81bc2044eefffbc9db0728e986278b343502f2b

            SHA512

            04b06239e1deea0af4c54f496e7f577b25d986f7dd476ed7648a2d0b723ad319e6c3c16ce4de52a977c63747e7fae2fd06e7c5fd044d1b258f196bd9caeb7b4c

            Download Submit

          • C:\Windows\Installer\MSIC449.tmp
            Filesize

            301KB

            MD5

            48941bf44e6b3e17c15b05edd0e3191d

            SHA1

            fb1e586d7aa2e2faabe35eaa37c61d4941900f2d

            SHA256

            34cab9b8388ffdbcc14d61ecb81bc2044eefffbc9db0728e986278b343502f2b

            SHA512

            04b06239e1deea0af4c54f496e7f577b25d986f7dd476ed7648a2d0b723ad319e6c3c16ce4de52a977c63747e7fae2fd06e7c5fd044d1b258f196bd9caeb7b4c

            Download Submit

          • C:\Windows\Installer\MSIC449.tmp
            Filesize

            301KB

            MD5

            48941bf44e6b3e17c15b05edd0e3191d

            SHA1

            fb1e586d7aa2e2faabe35eaa37c61d4941900f2d

            SHA256

            34cab9b8388ffdbcc14d61ecb81bc2044eefffbc9db0728e986278b343502f2b

            SHA512

            04b06239e1deea0af4c54f496e7f577b25d986f7dd476ed7648a2d0b723ad319e6c3c16ce4de52a977c63747e7fae2fd06e7c5fd044d1b258f196bd9caeb7b4c

            Download Submit

          • C:\Windows\Installer\MSIC534.tmp
            Filesize

            301KB

            MD5

            48941bf44e6b3e17c15b05edd0e3191d

            SHA1

            fb1e586d7aa2e2faabe35eaa37c61d4941900f2d

            SHA256

            34cab9b8388ffdbcc14d61ecb81bc2044eefffbc9db0728e986278b343502f2b

            SHA512

            04b06239e1deea0af4c54f496e7f577b25d986f7dd476ed7648a2d0b723ad319e6c3c16ce4de52a977c63747e7fae2fd06e7c5fd044d1b258f196bd9caeb7b4c

            Download Submit

          • C:\Windows\Installer\f76c34f.msi
            Filesize

            9.1MB

            MD5

            1ffd85bb7326be4ca11fa950f9f6e65e

            SHA1

            9c0cd827d9c8930beece29b9741a79d3a43ee053

            SHA256

            09c61a5f060f45a4fd5e7c2d4b3c5a6ffae4c21d83cb0d4d84858944cdf40c7b

            SHA512

            7102ee1dbd1fdb793eab9c12c0758353d25df7f7d206f62d69f07531f2cd6f52ac7210b2f883c77fbf9b57fac04b57b78d3c479a5fcb4ba3fff7d1a386f76bec

            Download Submit

          • C:\Windows\Installer\{E570723A-A79A-4106-A591-6979938CA824}\_107AD139FD77177BB6D094.exe
            Filesize

            123KB

            MD5

            3ca522457fa9c110262f5d2674d5d2cf

            SHA1

            1c3a308ba7b1f4635728c58165965bc3875b6d7e

            SHA256

            1b8d00826f23749ac20a46a24d59bcbe3ff5414098c82be9844422df51418b64

            SHA512

            a0991716ec895bc53b857d5ce0c75d39632a4fe6b5ace98c0e243527912686c9ddda50a0dfab13c687e87ebfc66495e358cbbd63f724fce602e324e5ff261c55

            Download Submit

          • C:\Windows\Installer\{E570723A-A79A-4106-A591-6979938CA824}\_AF6A3F376A05B7CA408B0C.exe
            Filesize

            1KB

            MD5

            2bb8ba822c4bac82508952bd26f1e4c7

            SHA1

            db7e78f6d2d82a456049d9e93588ad1e5d07c0cb

            SHA256

            df61f578dbdad018e4fef49b6299c02031fafc2fbf1f46ef0aae02401d477fcc

            SHA512

            68cc2e0e2dd54d7d4e812b3b90672f38a8383734ea801c0501bfb9088940d0d00259c74ce90edb467af42ceb693c7cb76d8ac4f8f934193977a62eea97ab3d3b

            Download Submit

          • \Program Files (x86)\Gota7\Citric Composer\ScintillaNET.dll
            Filesize

            1.3MB

            MD5

            9166536c31f4e725e6befe85e2889a4b

            SHA1

            f0cd8253b7e64157d39a8dc5feb8cf7bda7e8dae

            SHA256

            ad0cc5a4d4a6aae06ee360339c851892b74b8a275ce89c1b48185672179f3163

            SHA512

            113a7b77d2d557d135470787deead744d42f8292d853e2b55074e9cb3591fd045ffd10e5c81b5c15dde55861b806363568611e591ae25dcb31cf011da7e72562

            Download Submit

          • \Program Files (x86)\Gota7\Citric Composer\ScintillaNET.dll
            Filesize

            1.3MB

            MD5

            9166536c31f4e725e6befe85e2889a4b

            SHA1

            f0cd8253b7e64157d39a8dc5feb8cf7bda7e8dae

            SHA256

            ad0cc5a4d4a6aae06ee360339c851892b74b8a275ce89c1b48185672179f3163

            SHA512

            113a7b77d2d557d135470787deead744d42f8292d853e2b55074e9cb3591fd045ffd10e5c81b5c15dde55861b806363568611e591ae25dcb31cf011da7e72562

            Download Submit

          • \Users\Admin\AppData\Local\Temp\MSI4AF5.tmp
            Filesize

            301KB

            MD5

            48941bf44e6b3e17c15b05edd0e3191d

            SHA1

            fb1e586d7aa2e2faabe35eaa37c61d4941900f2d

            SHA256

            34cab9b8388ffdbcc14d61ecb81bc2044eefffbc9db0728e986278b343502f2b

            SHA512

            04b06239e1deea0af4c54f496e7f577b25d986f7dd476ed7648a2d0b723ad319e6c3c16ce4de52a977c63747e7fae2fd06e7c5fd044d1b258f196bd9caeb7b4c

            Download Submit

          • \Users\Admin\AppData\Local\Temp\MSI4DA4.tmp
            Filesize

            301KB

            MD5

            48941bf44e6b3e17c15b05edd0e3191d

            SHA1

            fb1e586d7aa2e2faabe35eaa37c61d4941900f2d

            SHA256

            34cab9b8388ffdbcc14d61ecb81bc2044eefffbc9db0728e986278b343502f2b

            SHA512

            04b06239e1deea0af4c54f496e7f577b25d986f7dd476ed7648a2d0b723ad319e6c3c16ce4de52a977c63747e7fae2fd06e7c5fd044d1b258f196bd9caeb7b4c

            Download Submit

          • \Users\Admin\AppData\Local\Temp\ScintillaNET\3.6.3\x86\SciLexer.dll
            Filesize

            943KB

            MD5

            2ff7acfa80647ee46cc3c0e446327108

            SHA1

            c994820d03af722c244b046d1ee0967f1b5bc478

            SHA256

            08f0cbbc5162f236c37166772be2c9b8ffd465d32df17ea9d45626c4ed2c911d

            SHA512

            50a9e20c5851d3a50f69651bc770885672ff4f97de32dfda55bf7488abd39a11e990525ec9152d250072acaad0c12a484155c31083d751668eb01addea5570cd

            Download Submit

          • \Windows\Installer\MSIC449.tmp
            Filesize

            301KB

            MD5

            48941bf44e6b3e17c15b05edd0e3191d

            SHA1

            fb1e586d7aa2e2faabe35eaa37c61d4941900f2d

            SHA256

            34cab9b8388ffdbcc14d61ecb81bc2044eefffbc9db0728e986278b343502f2b

            SHA512

            04b06239e1deea0af4c54f496e7f577b25d986f7dd476ed7648a2d0b723ad319e6c3c16ce4de52a977c63747e7fae2fd06e7c5fd044d1b258f196bd9caeb7b4c

            Download Submit

          • \Windows\Installer\MSIC534.tmp
            Filesize

            301KB

            MD5

            48941bf44e6b3e17c15b05edd0e3191d

            SHA1

            fb1e586d7aa2e2faabe35eaa37c61d4941900f2d

            SHA256

            34cab9b8388ffdbcc14d61ecb81bc2044eefffbc9db0728e986278b343502f2b

            SHA512

            04b06239e1deea0af4c54f496e7f577b25d986f7dd476ed7648a2d0b723ad319e6c3c16ce4de52a977c63747e7fae2fd06e7c5fd044d1b258f196bd9caeb7b4c

            Download Submit

          • memory/1744-105-0x00000000053F0000-0x0000000005430000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1744-104-0x0000000000BE0000-0x0000000001468000-memory.dmp

            Filesize

            8.5MB

            Download

          • memory/1744-109-0x0000000005240000-0x0000000005394000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/1744-103-0x0000000074670000-0x0000000074D5E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/1744-113-0x00000000053F0000-0x0000000005430000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1744-114-0x0000000008FC0000-0x0000000009046000-memory.dmp

            Filesize

            536KB

            Download

          • memory/1744-115-0x00000000053F0000-0x0000000005430000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1744-116-0x00000000097B0000-0x00000000098B0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1744-124-0x0000000074670000-0x0000000074D5E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/1744-125-0x00000000053F0000-0x0000000005430000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1744-126-0x00000000097B0000-0x00000000098B0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1744-130-0x000000000A670000-0x000000000A671000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1744-131-0x000000000A740000-0x000000000A742000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1744-132-0x000000000A670000-0x000000000A671000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1744-133-0x0000000074670000-0x0000000074D5E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/1744-134-0x00000000053F0000-0x0000000005430000-memory.dmp

            Filesize

            256KB

            Download