Analysis

  • max time kernel
    157s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/11/2023, 15:08

General

  • Target

    X2-2022-PACKAGE/X2-2022/X2-2022-EmvSolutions/DRIVERS/vcredist2005_x64.exe

  • Size

    3.1MB

  • MD5

    abde5e0a22a46434bd0df652a63fff44

  • SHA1

    c5088da4be3f72b4af2f3156893bf1d2b1f6f6ec

  • SHA256

    b1cbcde3791e0b1c6df3def43d8c05035c60fe2f6a2d8ba091abb4509fb43ef1

  • SHA512

    4ebd8971dea1efb9a72fee071694da7c9d8c797b3564cec7e0044d24b01a13009013f4a43719b7e223214a6c43d50d56790751b9e91cd324d40809bf0d605d9f

  • SSDEEP

    49152:RVgGXsOTkzq69oXxerpduZ6xJftGEkU0oEBL/txTroHENHTpPE6fIr6VAVP04PLJ:R7XFcDehoLtXEBv11TqZl04P5PqE

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs

    Attributed to both the outer package (PID 4320) and the extracted VCREDI~2.EXE (PID 2664). The IXP000.TMP / IXP001.TMP directories under %TEMP% are the extraction-directory convention of IExpress (wextract) self-extracting packages, which typically register a RunOnce cleanup entry for their temp directory; the report does not show the value written, so confirm it before recording this as persistence.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 57 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments. In this report the reads are attributed to C:\Windows\system32\vssvc.exe (PID 1716), the Volume Shadow Copy service, which is active while srtasks.exe runs ExecuteScopeRestorePoint; that is the system creating a restore point for the MSI install, not the sample fingerprinting the host.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. The signature fires on any VSS COM use, including destructive shadow-copy deletion, so the process context decides its weight. Here the trigger is the Windows Installer service (msiexec.exe /V, PID 3968) launching srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 to create a System Restore point before the install; the two snapshot paths listed under Downloads (HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2 and the OnlineMetadataCache OnDiskSnapshotProp file) are System Protection metadata produced by that step.

Processes

  • C:\Users\Admin\AppData\Local\Temp\X2-2022-PACKAGE\X2-2022\X2-2022-EmvSolutions\DRIVERS\vcredist2005_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\X2-2022-PACKAGE\X2-2022\X2-2022-EmvSolutions\DRIVERS\vcredist2005_x64.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4320
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec /i vcredist.msi
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4588
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3968
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:3428
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding C2F2D0881A163EF719D04413392F419E
        2⤵
        • Loads dropped DLL
        PID:4640
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:1716
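The tree above is the standard Windows Installer fan-out for an IExpress-packaged MSI: the stub extracts to %TEMP%\IXP000.TMP, runs msiexec /i on the extracted package, the installer service (msiexec.exe /V) hosts custom actions in MsiExec.exe -Embedding and asks srtasks.exe for a restore point, and vssvc.exe appears because of that restore point. The added Python below (example code, not part of the sandbox report) encodes that reasoning as a small triage rule set over process-creation records. The records are transcribed from the Processes section (PIDs, images and command lines as listed; parent links follow the tree depth shown); the final vssadmin record is NOT from the report and is a constructed contrast case. Rule names and severity labels are my own.

```python
"""Triage helper: is the installer / VSS activity in a sandbox process tree the
normal Windows Installer pattern, or does it deserve escalation?

Added example, not part of the sandbox report. REPORT_EVENTS is transcribed
from the report's Processes section; CONTRAST_EVENT is constructed and does
not appear in the report.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    ppid: Optional[int] = None  # None = top of the tree as the sandbox reported it

T = r"C:\Users\Admin\AppData\Local\Temp"
REPORT_EVENTS = [
    ProcEvent(4320, T + r"\X2-2022-PACKAGE\X2-2022\X2-2022-EmvSolutions\DRIVERS\vcredist2005_x64.exe",
              '"' + T + r'\X2-2022-PACKAGE\X2-2022\X2-2022-EmvSolutions\DRIVERS\vcredist2005_x64.exe"'),
    ProcEvent(2664, T + r"\IXP000.TMP\VCREDI~2.EXE", T + r"\IXP000.TMP\VCREDI~2.EXE", ppid=4320),
    ProcEvent(4588, r"C:\Windows\SysWOW64\msiexec.exe", "msiexec /i vcredist.msi", ppid=2664),
    ProcEvent(3968, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(3428, r"C:\Windows\system32\srtasks.exe",
              r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2", ppid=3968),
    ProcEvent(4640, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding C2F2D0881A163EF719D04413392F419E", ppid=3968),
    ProcEvent(1716, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]
# Constructed contrast case (not in the report): the ransomware pre-encryption
# step that a generic "uses VSS" signature would also cover.
CONTRAST_EVENT = ProcEvent(9999, r"C:\Windows\system32\vssadmin.exe",
                           "vssadmin delete shadows /all /quiet", ppid=4320)

USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
VSS_DELETION = re.compile(r"(vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|Win32_ShadowCopy.*Delete)",
                          re.IGNORECASE)
SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3}

def basename(image: str) -> str:
    return ntpath.basename(image).lower()

def ancestors(events, pid):
    """Walk ppid links upward; returns ancestor ProcEvents, nearest first."""
    by_pid = {e.pid: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None and cur.ppid is not None:
        cur = by_pid.get(cur.ppid)
        if cur is None:
            break
        chain.append(cur)
    return chain

def classify(events):
    """Return (pid, severity, reason) findings for the tree."""
    by_pid = {e.pid: e for e in events}
    # A restore point being created explains vssvc.exe activity.
    restore_point = any(basename(e.image) == "srtasks.exe" and "ExecuteScopeRestorePoint" in e.cmdline
                        for e in events)
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid) if e.ppid is not None else None
        if USER_TEMP.search(e.image):
            findings.append((e.pid, "info", "executable running from user temp (dropped/extracted)"))
        if name == "msiexec.exe" and re.search(r"(^|\s)/i\b", e.cmdline, re.IGNORECASE) \
                and parent is not None and USER_TEMP.search(parent.image):
            findings.append((e.pid, "info", "MSI install launched by an extracted stub (IExpress-style package)"))
        if name == "msiexec.exe" and e.cmdline.rstrip().endswith("/V"):
            # The installer service is expected to spawn only srtasks.exe and MsiExec.exe -Embedding.
            kids = {basename(c.image) for c in events if c.ppid == e.pid}
            unexpected = kids - {"srtasks.exe", "msiexec.exe"}
            if unexpected:
                findings.append((e.pid, "medium", f"installer service spawned unexpected children: {sorted(unexpected)}"))
        if name == "vssvc.exe":
            findings.append((e.pid, "info" if restore_point else "low",
                             "VSS active; restore point in progress" if restore_point
                             else "VSS active with no restore point seen; look for shadow deletion"))
        if VSS_DELETION.search(e.cmdline):
            findings.append((e.pid, "high", "shadow copy deletion"))
    return findings

def max_severity(findings):
    return max((f[1] for f in findings), key=SEVERITY.get, default="info")

if __name__ == "__main__":
    for pid, sev, why in classify(REPORT_EVENTS):
        print(f"{pid:>5} {sev:<6} {why}")
    print("worst:", max_severity(classify(REPORT_EVENTS)))
```

On the report's own tree every finding stays at "info"; appending the constructed vssadmin record raises the worst severity to "high" through the same rules, which is the distinction the generic "Uses Volume Shadow Copy service COM API" signature does not make on its own.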

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Config.Msi\e598a96.rbs

      Filesize

      65KB

      MD5

      5c9e8c7ffdad40fd68519429d00b9ac9

      SHA1

      2f374a1d06bfb4d58b217963d90b9578df19ad39

      SHA256

      ea513f0a8d4ff571e61a657d72c6c401aff39faf50a73ee520956e746ef571ca

      SHA512

      088d129fc13f5c40408e63e5c0b94ffe473d7cd32a5ff9e212424fdf294c61630fa9802ccc1d89d6b94a344e71b20fae641c84363bc41be22c0310213b7d7ba7

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE

      Filesize

      3.0MB

      MD5

      5734983a4cb513efbcccc357641c4d7c

      SHA1

      5650512cd0c8ae451032a795a4e881c9cdc50776

      SHA256

      bfc68a9e609ee8a850c21be8c459b99f09e34309b8113e43b12be7a27f0b445a

      SHA512

      93da04b2f7a3f64dca8c2c5b4c62be1ba867e46424130af19f9f88e668fd6ee10db354ed3921605df936a1248be51fe8e8612f9542b01de3e0ef54be3356f2a8

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredis1.cab

      Filesize

      312KB

      MD5

      0aa0da68a91e9133715d9cde2a180ffb

      SHA1

      892e941bed49b3404dad2aa33cd36b708e1443a9

      SHA256

      64570910e03c337d4e1f8ab1b9fb8e4dc46fdccb93857a1e9c73b296c6850fe0

      SHA512

      247dc48b39844fcfbfd46ef8eb1c72375b183f2d54361f5fe857d3a1b7275145cd0a9be8f287e037b46912a496a39a8855c20a63a8c663b60fc620b0b35e2313

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredist.msi

      Filesize

      3.0MB

      MD5

      391dddd564a9e8a20576fe05e5e1f25b

      SHA1

      84f17830075abea6e6a369dee6b93ac16a71f025

      SHA256

      a9a8dac04e3b38c2f8d33ee7cf6d658fa4ea089bbf9f4014eb61b9d5de7dc6a2

      SHA512

      10358d52620178296c9033b257db960d3bf9b1219fa5b6f02f1173234686930616da708c5ac051b0c0c8892b3b66164093fc64698de43e56cf3b6f1d875e418f

    • C:\Windows\Installer\MSI9021.tmp

      Filesize

      28KB

      MD5

      85221b3bcba8dbe4b4a46581aa49f760

      SHA1

      746645c92594bfc739f77812d67cfd85f4b92474

      SHA256

      f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

      SHA512

      060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

    • C:\Windows\Installer\e598a93.msi

      Filesize

      3.0MB

      MD5

      391dddd564a9e8a20576fe05e5e1f25b

      SHA1

      84f17830075abea6e6a369dee6b93ac16a71f025

      SHA256

      a9a8dac04e3b38c2f8d33ee7cf6d658fa4ea089bbf9f4014eb61b9d5de7dc6a2

      SHA512

      10358d52620178296c9033b257db960d3bf9b1219fa5b6f02f1173234686930616da708c5ac051b0c0c8892b3b66164093fc64698de43e56cf3b6f1d875e418f

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      23.0MB

      MD5

      ed9e4d2ebab16a7e827da91589dd8e4b

      SHA1

      12eb78f3c3ceb7fcc49f1179a39dc658f419f13f

      SHA256

      043f69545ed132b153bf8e488a5ed0e493b4676d734778d75ad89d7079b11c61

      SHA512

      bb0392f8948757d4f2937e6a209bb5cedfab745384311c35648341c8dbbda58562e11f0657273c7f57257621e9c945af1b292006564edf48aa2360918f39c900

    • \??\Volume{c2d04a06-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{11756cd5-eddc-48e1-9c46-e03f3cf4634e}_OnDiskSnapshotProp

      Filesize

      5KB

      MD5

      b52cef6fab08009ae43a5b6fb51f71b9

      SHA1

      503931742661bda0a7520985cf1760b55a0367e9

      SHA256

      29f9b555bfca7d771f2a2001b701833a83d5753d6501226559e839ea1d17d162

      SHA512

      118dbb389a4ed0fd602435d28ccefb7a065ccdeb56c9bb9b8ceba55f2c86f4b277397f6323c682289fcc43136b9977c7ba3e12a31b9c864edc101af3c8a22d2b
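Two of the dropped files above are byte-identical: the extracted vcredist.msi and the copy cached under C:\Windows\Installer\e598a93.msi share one SHA256, which is ordinary Windows Installer caching rather than a second payload. The added Python below (example code, not part of the sandbox report) collapses the Downloads list by content hash and checks a local copy of the submitted file against the General-section hashes, reading the file once in chunks. The hash table is transcribed from the report; SAMPLE_PATH is an assumption, and SSDEEP is left out because the standard library cannot compute it.

```python
"""Collapse a sandbox report's dropped-file list by content and verify a local
sample against the report's hashes.

Added example, not part of the sandbox report. REPORT_FILES and
SAMPLE_EXPECTED are transcribed from the report; SAMPLE_PATH is an assumption.
"""
import hashlib
from collections import defaultdict
from pathlib import Path

# path as listed in the report -> sha256 (verbatim repeats in the report transcribed once)
REPORT_FILES = {
    r"C:\Config.Msi\e598a96.rbs": "ea513f0a8d4ff571e61a657d72c6c401aff39faf50a73ee520956e746ef571ca",
    r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE": "bfc68a9e609ee8a850c21be8c459b99f09e34309b8113e43b12be7a27f0b445a",
    r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredis1.cab": "64570910e03c337d4e1f8ab1b9fb8e4dc46fdccb93857a1e9c73b296c6850fe0",
    r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredist.msi": "a9a8dac04e3b38c2f8d33ee7cf6d658fa4ea089bbf9f4014eb61b9d5de7dc6a2",
    r"C:\Windows\Installer\MSI9021.tmp": "f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f",
    r"C:\Windows\Installer\e598a93.msi": "a9a8dac04e3b38c2f8d33ee7cf6d658fa4ea089bbf9f4014eb61b9d5de7dc6a2",
}

# Hashes of the submitted file, from the General section.
SAMPLE_EXPECTED = {
    "md5": "abde5e0a22a46434bd0df652a63fff44",
    "sha1": "c5088da4be3f72b4af2f3156893bf1d2b1f6f6ec",
    "sha256": "b1cbcde3791e0b1c6df3def43d8c05035c60fe2f6a2d8ba091abb4509fb43ef1",
}
SAMPLE_PATH = Path("vcredist2005_x64.exe")  # assumption: a local copy of the sample

def hash_file(path, algos=("md5", "sha1", "sha256"), chunk=1 << 20):
    """Return {algo: hexdigest}, reading the file once in 1 MiB chunks."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def verify(path, expected):
    """Algorithms whose digest of the file differs from the report (empty list = match)."""
    actual = hash_file(path, algos=tuple(expected))
    return sorted(a for a in expected if actual[a] != expected[a].lower())

def group_by_content(files):
    """sha256 -> sorted paths, so byte-identical drops are seen as one artifact."""
    groups = defaultdict(list)
    for path, digest in files.items():
        groups[digest.lower()].append(path)
    return {d: sorted(p) for d, p in groups.items()}

def duplicate_sets(files):
    """Only the content groups that were written to more than one path."""
    return [paths for paths in group_by_content(files).values() if len(paths) > 1]

if __name__ == "__main__":
    for paths in duplicate_sets(REPORT_FILES):
        print("same content:", *paths, sep="\n  ")
    if SAMPLE_PATH.is_file():
        bad = verify(SAMPLE_PATH, SAMPLE_EXPECTED)
        print("sample matches report" if not bad else f"MISMATCH on {bad}")
```

A hash match only proves the local file is the one the sandbox ran; whether that file is the genuine Microsoft redistributable is a separate question answered by its Authenticode signature, which this report does not record.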