c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1

Resubmissions

22-01-2025 14:45

250122-r45fys1mdw 6

22-01-2025 14:10

250122-rgyd5azlhy 6

11-12-2023 14:13

231211-rjk7ksacb3 7

Analysis

max time kernel
11s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
11-12-2023 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1.msi
Size

836KB
MD5

e79180380997a855c8d19be02d035b7f
SHA1

8fabc9d73f32c0c01083b438ffc6f0d3bee6e80e
SHA256

c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1
SHA512

356665d2b08c652f9bb0cc3c6b441d6bcfcb02bccef876ad6c79150641ad4aa83923338b7fd085b0296b622f746daefc1eeef93869cf0b407d384c689b2a309e
SSDEEP

24576:j2XSjbixTs21LN5w6yfygtF9M5ZXn3lftfsATt:y/42Yy8vs3ftfz

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1208	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	3016	msiexec.exe
Token: SeTakeOwnershipPrivilege	3016	msiexec.exe
Token: SeSecurityPrivilege	3016	msiexec.exe
Token: SeCreateTokenPrivilege	1208	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1208	msiexec.exe
Token: SeLockMemoryPrivilege	1208	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1208	msiexec.exe
Token: SeMachineAccountPrivilege	1208	msiexec.exe
Token: SeTcbPrivilege	1208	msiexec.exe
Token: SeSecurityPrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeLoadDriverPrivilege	1208	msiexec.exe
Token: SeSystemProfilePrivilege	1208	msiexec.exe
Token: SeSystemtimePrivilege	1208	msiexec.exe
Token: SeProfSingleProcessPrivilege	1208	msiexec.exe
Token: SeIncBasePriorityPrivilege	1208	msiexec.exe
Token: SeCreatePagefilePrivilege	1208	msiexec.exe
Token: SeCreatePermanentPrivilege	1208	msiexec.exe
Token: SeBackupPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeShutdownPrivilege	1208	msiexec.exe
Token: SeDebugPrivilege	1208	msiexec.exe
Token: SeAuditPrivilege	1208	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1208	msiexec.exe
Token: SeChangeNotifyPrivilege	1208	msiexec.exe
Token: SeRemoteShutdownPrivilege	1208	msiexec.exe
Token: SeUndockPrivilege	1208	msiexec.exe
Token: SeSyncAgentPrivilege	1208	msiexec.exe
Token: SeEnableDelegationPrivilege	1208	msiexec.exe
Token: SeManageVolumePrivilege	1208	msiexec.exe
Token: SeImpersonatePrivilege	1208	msiexec.exe
Token: SeCreateGlobalPrivilege	1208	msiexec.exe
Token: SeBackupPrivilege	2248	vssvc.exe
Token: SeRestorePrivilege	2248	vssvc.exe
Token: SeAuditPrivilege	2248	vssvc.exe
Token: SeBackupPrivilege	3016	msiexec.exe
Token: SeRestorePrivilege	3016	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1208	msiexec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1208

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016
- C:\Users\Admin\AppData\Local\MUxPOTy\OnesNotem.exe
  C:\Users\Admin\AppData\Local\MUxPOTy\OnesNotem.exe
  2⤵
  PID:2108
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\郭台銘選擇賴佩霞為總統副手深層考量.pdf"
    3⤵
    PID:2484
- - C:\Users\Public\SamsungDriver\OnesNotem.exe
    C:\Users\Public\SamsungDriver\OnesNotem.exe 63
    3⤵
    PID:652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "00000000000003AC"
1⤵
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76829a.rbs

Filesize
8KB

MD5
ef9dfb33f0a42ee6fe4b2ed8d270c1ae

SHA1
f99de243c4aa67b20b632eab3ce01d4da3ce9a35

SHA256
c361e6a26872b070b48571209b0c55135bfab488aaee24f00ee284bd12352317

SHA512
f8285913c817361d3b0a84a0bb03511337a1c4132f24f9b51d6964a799a6fe84f99e36e8798a5215d7677dc479ca83333fe74b7ecbaa6b4e6a14a6a28ef23a79

Download Submit
C:\Users\Admin\AppData\Local\MUxPOTy\NoteLogger.dat

Filesize
576KB

MD5
e360a3cbe0d40d11341fd9117ba92b4f

SHA1
14b9f2e9261a28b32526218942ad7b049827993d

SHA256
9b33f2da229482b996449402729c2be0a3b8d6aef0f8110480918d1e84682239

SHA512
8318ddb84ec982a6d4b6176ab48238422dfacd530703d3b926ca36bde5c34c5428e5ada56cd08ce22877f97d5815730f212c80b835bbf8d16cb20c91d789e0ec

Download Submit
C:\Users\Admin\AppData\Local\MUxPOTy\OnesNotem.exe

Filesize
95KB

MD5
32c26797ab646074a2bb562f9d10adb5

SHA1
f478d70bc193f7c24da563e9eda7eb86239bbe12

SHA256
b9836265c6bfa17cd5e0265f32cedb1ced3b98e85990d000dc8e1298d5d25f93

SHA512
e68f541ef999a0ff91e24090ea80ace97e8e8a600e1f1063954cf575f431cada9b501fdab9c87b1b9da8cb779b5f351e36ccba998e24fb7c75ded387a913fe2d

Download Submit
C:\Users\Admin\AppData\Local\MUxPOTy\msi.dll

Filesize
88KB

MD5
5f39a964af306f40536aa6ac57b66758

SHA1
b84a5a5837e8aa5e5c8181f4589f9ad490acb55f

SHA256
651c096cf7043a01d939dff9ba58e4d69f15b2244c71b43bedb4ada8c37e8859

SHA512
9b33dd995ed714e490e564c6d8e1fe85c382d2e9f20e24adc831af3f390c3a52d3f3a53172e07d5461665fb3d092b230481cecaf19b8aa0ebc9b1b84c3581230

Download Submit
C:\Users\Admin\AppData\Local\Temp\郭台銘選擇賴佩霞為總統副手深層考量.pdf

Filesize
96KB

MD5
153f31b1dbe2d7b6a3aa41ba6338e129

SHA1
87731dff3f5aa93fbb9161cc51381b36d7824ed5

SHA256
c6ef220d0c6e9015bdfb7977ff15e7f2c4c0dbfcd3b28ffb3066fe6d21251322

SHA512
ac817f3e544bc1f2ac4784432ea12f948cafc4e4fbd9fd69d5c86b9116c72ff6d3652c851f5b8358e7c6ecb3d26d3bd856ea1d5124866ad1f4b42df15ef40d48

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
467f9f4dc05311d9b701a06b9168e8b5

SHA1
7c1cd00b1aab0a81bebd54d60fdd6b3c5175504f

SHA256
c130e2e107a5bc3d6c493b84e0a21e97480172fe02c63ed2c8e834cbf7d179a2

SHA512
8736868f666a5bac3d4e661ae74a326735304b9d6ced28ee3644eaf897eb24220248bee9d9fadcab5e6f96b943f5fe9f287baea20a3bf30f27ec51f115b300b7

Download Submit
C:\Users\Public\.vscodes\NoteLogger.dat

Filesize
718KB

MD5
b143e9814f3ce07fa7176ecdd4dfda89

SHA1
cb8314e9a25116f698ea74300cfdb35855f48905

SHA256
908ff3a80ef065ab4be1942e0d41583903f6aac02d97df6b4a92a07a633397a8

SHA512
038c5947f631e1143e3ffe6807d26755e7c39c8af7d5f95575859ab4841a1f4f1f1cc67ee7ab31b7a6f37667df32921cb1c12d6c0f53baa151fab66f350c032d

Download Submit
C:\Windows\Installer\f768298.msi

Filesize
836KB

MD5
e79180380997a855c8d19be02d035b7f

SHA1
8fabc9d73f32c0c01083b438ffc6f0d3bee6e80e

SHA256
c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1

SHA512
356665d2b08c652f9bb0cc3c6b441d6bcfcb02bccef876ad6c79150641ad4aa83923338b7fd085b0296b622f746daefc1eeef93869cf0b407d384c689b2a309e

Download Submit
memory/652-87-0x0000000073F80000-0x0000000073FA6000-memory.dmp

Filesize
152KB

Download
memory/652-89-0x0000000073F80000-0x0000000073FA6000-memory.dmp

Filesize
152KB

Download
memory/652-68-0x0000000002520000-0x00000000061C6000-memory.dmp

Filesize
60.6MB

Download
memory/652-83-0x0000000073F80000-0x0000000073FA6000-memory.dmp

Filesize
152KB

Download
memory/652-69-0x0000000073F80000-0x0000000073FA6000-memory.dmp

Filesize
152KB

Download
memory/652-49-0x0000000002520000-0x00000000061C6000-memory.dmp

Filesize
60.6MB

Download
memory/652-66-0x0000000002520000-0x00000000061C6000-memory.dmp

Filesize
60.6MB

Download
memory/2108-30-0x00000000023D0000-0x0000000002484000-memory.dmp

Filesize
720KB

Download
memory/2108-44-0x0000000002590000-0x0000000006236000-memory.dmp

Filesize
60.6MB

Download
memory/2108-50-0x0000000075030000-0x0000000075056000-memory.dmp

Filesize
152KB

Download
memory/2108-31-0x0000000002590000-0x0000000006236000-memory.dmp

Filesize
60.6MB

Download
memory/2108-29-0x0000000002590000-0x0000000006236000-memory.dmp

Filesize
60.6MB

Download