Analysis
-
max time kernel
144s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
15-12-2023 22:14
General
-
Target
Installer (1).msi
-
Size
1.4MB
-
MD5
f3805cdf687890992345aaa4577b86a4
-
SHA1
697362f0a495bc1fc692f8bc3b12a81522404cc5
-
SHA256
514a0ef6240663664b3a3e06dabdb297841a7e37eaeac65bafbce1efd456a7e1
-
SHA512
6ad1f3ccbbb47e6599548946bca269b4313ffac918516e8ba4bd00dfb078c0dd166d7fac1289eaeb6697e75c8fc20ecd48632914c15dbe10c642fd98f40f6142
-
SSDEEP
24576:jn0CgtRH3nOX1FIhp5DJ4suxNVTK+ucjByw+Z5cYokzJV+H4:T0LUItD0T9KjHJzJl
Malware Config
Signatures
-
Dave packer 1 IoCs
Detects executable using a packer named 'Dave' by the community, based on a string at the end.
-
Loads dropped DLL 1 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 9 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 55 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Installer (1).msi"1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A703F415CFA48133DCE9A1B1F324BEAC2⤵
- Loads dropped DLL
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003AC" "00000000000005C0"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8555326CC9661C9937DC5053B6C38763Filesize
1KB
MD5866912c070f1ecacacc2d5bca55ba129
SHA1b7ab3308d1ea4477ba1480125a6fbda936490cbb
SHA25685666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69
SHA512f91e855e0346ac8c3379129154e01488bb22cff7f6a6df2a80f1671e43c5df8acae36fdf5ee0eb2320f287a681a326b6f1df36e8e37aa5597c4797dd6b43b7cf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8555326CC9661C9937DC5053B6C38763Filesize
326B
MD5c8f5d69df4a4fae08c6c4e356853ed65
SHA19b63db0bc073e1f312c3b6d9c8d74e95d85f07ee
SHA256129e754199bbeb6c74d73ea99ef9a784ff0b277dbd681a7351664b01ad46ccad
SHA5127a8eff6c077657f61581ae6f76fd5ffc019857ab49e6bef4aaa311ff9dbb23c31da09a33ebc4c1f6d7a59ff73bdd298ecc391b208148b8e1dcc1c326a4d2f9ff
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD572032e3192439c794186c07c4da745e5
SHA1cc9e6fee19617605dc864fb81bc8e542345a1a80
SHA2562febbffcc4e3a409532e2ece5b2c8ba2f75f4801e2ac4aa1a8fabdd62d65b16f
SHA512b82403c06405aa3c2f2df2101cb83d7255f100c912020778f721582c802c8362ae3f1e3345ff0b4e1ded2e090543d352f85874fd91176d60d2332211dd83f8b4
-
C:\Users\Admin\AppData\Local\Temp\Cab31EB.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Tar31FE.tmpFilesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
C:\Windows\Installer\MSI86AD.tmpFilesize
1.3MB
MD5d66c92c71ed19767fe80fd1f3d2d7d5e
SHA165c0d18dd1041d897ef92a011726566c45ab4cea
SHA256091a738da44a18105507cde061674705e8cf9deb09c90b8dc2ed7f03a137f3b4
SHA512022a6a0847fa6574a27a7d5c3895c17f831243b3dfd7af02d0a59ba3f5364665df621fa89113e121e8c605043996d0a1c837a33fb733e6d91d7af1ac57e7a4e2
-
memory/1592-262-0x0000000010000000-0x0000000010154000-memory.dmpFilesize
1.3MB
-
memory/1592-263-0x0000000002410000-0x0000000002497000-memory.dmpFilesize
540KB
-
memory/1592-265-0x0000000002290000-0x0000000002314000-memory.dmpFilesize
528KB
-
memory/1592-268-0x0000000002500000-0x0000000002584000-memory.dmpFilesize
528KB
-
memory/1592-273-0x0000000010000000-0x0000000010154000-memory.dmpFilesize
1.3MB