Analysis
-
max time kernel
143s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
15-12-2023 22:14
General
-
Target
Installer (1).msi
-
Size
1.4MB
-
MD5
f3805cdf687890992345aaa4577b86a4
-
SHA1
697362f0a495bc1fc692f8bc3b12a81522404cc5
-
SHA256
514a0ef6240663664b3a3e06dabdb297841a7e37eaeac65bafbce1efd456a7e1
-
SHA512
6ad1f3ccbbb47e6599548946bca269b4313ffac918516e8ba4bd00dfb078c0dd166d7fac1289eaeb6697e75c8fc20ecd48632914c15dbe10c642fd98f40f6142
-
SSDEEP
24576:jn0CgtRH3nOX1FIhp5DJ4suxNVTK+ucjByw+Z5cYokzJV+H4:T0LUItD0T9KjHJzJl
Malware Config
Signatures
-
Dave packer 1 IoCs
Detects executable using a packer named 'Dave' by the community, based on a string at the end.
-
Loads dropped DLL 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Installer (1).msi"1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 129B0917CB507D60B50E5F901888694D2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\SearchProtocolHost.exe"C:\Windows\System32\SearchProtocolHost.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e57b893.rbsFilesize
8KB
MD5604be854098ea56b0ffe96149df10fa4
SHA11c4a039c0e238b6d73b4b20b146f3b3d635a295e
SHA2560dd672ed036989622cd8e7bf23a3793c8355b4fbddc75cccfb3335c55d2be748
SHA5126c1dcdf131acd91aaf49d6d2efd69cd4d5d37e5a393c2b73194259062ad7228ae3fd0664cef0f56fc2f48676c02781b1aff8d89547fd1e0d9e276636360625a7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05Filesize
45KB
MD554e857dd1a4084de788109a3cab9e6ba
SHA1a10620c1476985d6607c996a0a05df6b813d593b
SHA256d946ab96679149852c7b2c563edac033320db84d84749374378334321ee874be
SHA5121f8b421af003bd3a64ac2b2ff45726efa71f6a5407c01c21a557961dce0b8ef346adbe1243047fe7c121f026a8939d2942f976e4d464f172c0ab6929261814d5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1Filesize
727B
MD57a3b8457313a521e0d44f91765a4e041
SHA14ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267
SHA2562b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c
SHA5127349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05Filesize
314B
MD5557d99eda45ddd12385385e4f14ced9a
SHA1ff5d40b0a3219daa1f6f136619722e67987bf022
SHA25616ea7b2368a2e5a8dd3c48f9e1259d132954b51922421a95608ba32622436edb
SHA512f0f310ec6f1bb95efd859213669050e0f7638e59a1828e5cf72a1e3804bb083a8a5bd5655c9f421d0bba4a483cc0dbb9bc6774a915228bdfbc522366e8bd70ce
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1Filesize
478B
MD59eccb71bd5c3c9326d8f4c577b3fe142
SHA17c6aa540eb495de0217d55204eb0a330ba6cd6cf
SHA2569f6624002335039ddd7eab390400ecc5fd2cf0a157a8869735f66adef0da8187
SHA512b083d639bf52c78abadbded5a7207c4a0a144307f9ef7c4d4f5bd6ba71f1cf3df763839d578755c3cd177dcad5a74b0e008f769204bdad51c77171f3521fc58a
-
C:\Windows\Installer\MSIBBDF.tmpFilesize
1.3MB
MD5d66c92c71ed19767fe80fd1f3d2d7d5e
SHA165c0d18dd1041d897ef92a011726566c45ab4cea
SHA256091a738da44a18105507cde061674705e8cf9deb09c90b8dc2ed7f03a137f3b4
SHA512022a6a0847fa6574a27a7d5c3895c17f831243b3dfd7af02d0a59ba3f5364665df621fa89113e121e8c605043996d0a1c837a33fb733e6d91d7af1ac57e7a4e2
-
C:\Windows\Installer\e57b892.msiFilesize
1.4MB
MD5f3805cdf687890992345aaa4577b86a4
SHA1697362f0a495bc1fc692f8bc3b12a81522404cc5
SHA256514a0ef6240663664b3a3e06dabdb297841a7e37eaeac65bafbce1efd456a7e1
SHA5126ad1f3ccbbb47e6599548946bca269b4313ffac918516e8ba4bd00dfb078c0dd166d7fac1289eaeb6697e75c8fc20ecd48632914c15dbe10c642fd98f40f6142
-
memory/1956-17-0x0000000002DA0000-0x0000000002E27000-memory.dmpFilesize
540KB
-
memory/1956-22-0x0000000002E30000-0x0000000002EB4000-memory.dmpFilesize
528KB
-
memory/1956-20-0x0000000002D10000-0x0000000002D94000-memory.dmpFilesize
528KB
-
memory/1956-16-0x0000000010000000-0x0000000010154000-memory.dmpFilesize
1.3MB
-
memory/4328-26-0x00000000005B0000-0x0000000000601000-memory.dmpFilesize
324KB
-
memory/4328-27-0x00000000005B0000-0x0000000000601000-memory.dmpFilesize
324KB
-
memory/4328-44-0x00000000005B0000-0x0000000000601000-memory.dmpFilesize
324KB
-
memory/4328-45-0x00000000005B0000-0x0000000000601000-memory.dmpFilesize
324KB