Resubmissions

28-12-2023 13:55

231228-q77j2seeb9 (score 10/10)

15-12-2023 22:14

231215-15mf7shecm (score 8/10)

Analysis

  • max time kernel
    144s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-12-2023 22:14

General

  • Target

    Installer (1).msi

  • Size

    1.4MB

  • MD5

    f3805cdf687890992345aaa4577b86a4

  • SHA1

    697362f0a495bc1fc692f8bc3b12a81522404cc5

  • SHA256

    514a0ef6240663664b3a3e06dabdb297841a7e37eaeac65bafbce1efd456a7e1

  • SHA512

    6ad1f3ccbbb47e6599548946bca269b4313ffac918516e8ba4bd00dfb078c0dd166d7fac1289eaeb6697e75c8fc20ecd48632914c15dbe10c642fd98f40f6142

  • SSDEEP

    24576:jn0CgtRH3nOX1FIhp5DJ4suxNVTK+ucjByw+Z5cYokzJV+H4:T0LUItD0T9KjHJzJl

Score
8/10

Malware Config

Signatures

  • Dave packer 1 IoCs

    Detects an executable packed with what the community calls the 'Dave' packer, identified by a marker string at the end of the file.

  • Loads dropped DLL 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. Here the activity comes from vssvc.exe and the DrvInst.exe invocation for STORAGE\VolumeSnapshot in the process list below, which is consistent with Windows Installer creating a System Restore point before the install; on its own it is not evidence of shadow-copy deletion or tampering.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Installer (1).msi"
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3020
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A703F415CFA48133DCE9A1B1F324BEAC
      2⤵
      • Loads dropped DLL
      PID:1592
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1756
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003AC" "00000000000005C0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1324
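
The custom action server (MsiExec.exe -Embedding, PID 1592) is where the package's own code runs: it is the only process flagged "Loads dropped DLL", Windows Installer writes the DLL out as C:\Windows\Installer\MSI*.tmp first (the 1.3MB MSI86AD.tmp listed under Downloads), and the 1.3MB image mapped at 0x10000000 in PID 1592 is the size of a DLL loaded at the default 32-bit image base. The script below is an added example, not part of the Triage report or of the sample: it pulls every Binary-table stream straight out of the package with the third-party olefile library (assumed installed) and hashes it, so the custom action payload can be matched against the report's dropped-file hashes without running the installer. Binary-table rows are stored as streams named "Binary.<Name>" with Windows Installer's documented stream-name packing; the stream-name codec and the KNOWN_SHA256 table (the MSI86AD.tmp hash from this page) are the only inputs beyond the file itself.

```python
"""List, decode and hash the Binary-table streams of an MSI package.

Added example, not code from the Triage report or from the sample.
Only extract_binary_streams() needs the third-party olefile package
(pip install olefile); the stream-name codec is pure Python.
"""
import hashlib
import sys
from typing import Dict, List

# Windows Installer packs stream names with this 64-symbol alphabet.
_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._"
_TABLE_PREFIX = "\u4840"  # leading code point of table streams (e.g. CustomAction)

# SHA-256 copied from the report above, used to label a matching stream.
KNOWN_SHA256 = {
    "091a738da44a18105507cde061674705e8cf9deb09c90b8dc2ed7f03a137f3b4":
        "C:\\Windows\\Installer\\MSI86AD.tmp (Triage report)",
}


def decode_stream_name(packed: str) -> str:
    """Undo the packing: U+3800..U+47FF carries two 6-bit symbols
    (low bits first), U+4800..U+483F carries one, others pass through."""
    out: List[str] = []
    for ch in packed:
        code = ord(ch)
        if 0x3800 <= code < 0x4800:
            code -= 0x3800
            out.append(_ALPHABET[code & 0x3F])
            out.append(_ALPHABET[(code >> 6) & 0x3F])
        elif 0x4800 <= code < 0x4840:
            out.append(_ALPHABET[code - 0x4800])
        elif ch == _TABLE_PREFIX:
            out.append("!")  # rendering choice for the table marker
        else:
            out.append(ch)
    return "".join(out)


def encode_stream_name(name: str) -> str:
    """Inverse of decode_stream_name (used to build fixtures)."""
    out: List[str] = []
    i = 0
    while i < len(name):
        a = name[i]
        b = name[i + 1] if i + 1 < len(name) else ""
        if a in _ALPHABET and b and b in _ALPHABET:
            out.append(chr(0x3800 + _ALPHABET.index(a) + (_ALPHABET.index(b) << 6)))
            i += 2
        elif a in _ALPHABET:
            out.append(chr(0x4800 + _ALPHABET.index(a)))
            i += 1
        else:
            out.append(a)
            i += 1
    return "".join(out)


def extract_binary_streams(msi_path: str) -> Dict[str, bytes]:
    """Return {row_name: data} for every "Binary.<row_name>" stream.

    Rows of the Binary table are top-level streams of the MSI's OLE
    compound file; their data is what Windows Installer writes to
    %WINDIR%\\Installer\\MSI*.tmp before the custom action server loads it."""
    import olefile  # third-party; imported here so the codec has no extra deps

    ole = olefile.OleFileIO(msi_path)
    try:
        blobs: Dict[str, bytes] = {}
        for path in ole.listdir(streams=True, storages=False):
            name = decode_stream_name(path[-1])
            if name.startswith("Binary."):
                blobs[name[len("Binary."):]] = ole.openstream(path).read()
        return blobs
    finally:
        ole.close()


def classify_blobs(blobs: Dict[str, bytes], known: Dict[str, str]) -> List[dict]:
    """Hash each blob, flag PE images by their MZ header, and label hashes found in `known`."""
    rows = []
    for name in sorted(blobs):
        data = blobs[name]
        digest = hashlib.sha256(data).hexdigest()
        rows.append({
            "name": name,
            "size": len(data),
            "kind": "PE" if data[:2] == b"MZ" else "other",
            "sha256": digest,
            "label": known.get(digest, ""),
        })
    return rows


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <package.msi>")
        return 2
    for row in classify_blobs(extract_binary_streams(argv[1]), KNOWN_SHA256):
        print(f"{row['name']:<24} {row['size']:>9} {row['kind']:<5} {row['sha256']} {row['label']}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the submitted package; a Binary stream whose SHA-256 equals the MSI86AD.tmp hash identifies the DLL the custom action server loaded, and its name can then be looked up in the CustomAction table to see which action type and sequence invokes it.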

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8555326CC9661C9937DC5053B6C38763

    Filesize

    1KB

    MD5

    866912c070f1ecacacc2d5bca55ba129

    SHA1

    b7ab3308d1ea4477ba1480125a6fbda936490cbb

    SHA256

    85666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69

    SHA512

    f91e855e0346ac8c3379129154e01488bb22cff7f6a6df2a80f1671e43c5df8acae36fdf5ee0eb2320f287a681a326b6f1df36e8e37aa5597c4797dd6b43b7cf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8555326CC9661C9937DC5053B6C38763

    Filesize

    326B

    MD5

    c8f5d69df4a4fae08c6c4e356853ed65

    SHA1

    9b63db0bc073e1f312c3b6d9c8d74e95d85f07ee

    SHA256

    129e754199bbeb6c74d73ea99ef9a784ff0b277dbd681a7351664b01ad46ccad

    SHA512

    7a8eff6c077657f61581ae6f76fd5ffc019857ab49e6bef4aaa311ff9dbb23c31da09a33ebc4c1f6d7a59ff73bdd298ecc391b208148b8e1dcc1c326a4d2f9ff

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    72032e3192439c794186c07c4da745e5

    SHA1

    cc9e6fee19617605dc864fb81bc8e542345a1a80

    SHA256

    2febbffcc4e3a409532e2ece5b2c8ba2f75f4801e2ac4aa1a8fabdd62d65b16f

    SHA512

    b82403c06405aa3c2f2df2101cb83d7255f100c912020778f721582c802c8362ae3f1e3345ff0b4e1ded2e090543d352f85874fd91176d60d2332211dd83f8b4

  • C:\Users\Admin\AppData\Local\Temp\Cab31EB.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar31FE.tmp

    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Windows\Installer\MSI86AD.tmp

    Filesize

    1.3MB

    MD5

    d66c92c71ed19767fe80fd1f3d2d7d5e

    SHA1

    65c0d18dd1041d897ef92a011726566c45ab4cea

    SHA256

    091a738da44a18105507cde061674705e8cf9deb09c90b8dc2ed7f03a137f3b4

    SHA512

    022a6a0847fa6574a27a7d5c3895c17f831243b3dfd7af02d0a59ba3f5364665df621fa89113e121e8c605043996d0a1c837a33fb733e6d91d7af1ac57e7a4e2

  • memory/1592-262-0x0000000010000000-0x0000000010154000-memory.dmp

    Filesize

    1.3MB

  • memory/1592-263-0x0000000002410000-0x0000000002497000-memory.dmp

    Filesize

    540KB

  • memory/1592-265-0x0000000002290000-0x0000000002314000-memory.dmp

    Filesize

    528KB

  • memory/1592-268-0x0000000002500000-0x0000000002584000-memory.dmp

    Filesize

    528KB

  • memory/1592-273-0x0000000010000000-0x0000000010154000-memory.dmp

    Filesize

    1.3MB