Overview

overview

8

Static

static

1

Installer (1).msi

windows7-x64

8

Installer (1).msi

windows10-2004-x64

8

Resubmissions

28-12-2023 13:55

231228-q77j2seeb9 10

15-12-2023 22:14

231215-15mf7shecm 8

Analysis

  • max time kernel
    143s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-12-2023 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Installer (1).msi

  • Size

    1.4MB

  • MD5

    f3805cdf687890992345aaa4577b86a4

  • SHA1

    697362f0a495bc1fc692f8bc3b12a81522404cc5

  • SHA256

    514a0ef6240663664b3a3e06dabdb297841a7e37eaeac65bafbce1efd456a7e1

  • SHA512

    6ad1f3ccbbb47e6599548946bca269b4313ffac918516e8ba4bd00dfb078c0dd166d7fac1289eaeb6697e75c8fc20ecd48632914c15dbe10c642fd98f40f6142

  • SSDEEP

    24576:jn0CgtRH3nOX1FIhp5DJ4suxNVTK+ucjByw+Z5cYokzJV+H4:T0LUItD0T9KjHJzJl

Score
8/10
dave

Malware Config

Signatures

  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Loads dropped DLL 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Installer (1).msi"
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4252
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:608
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 129B0917CB507D60B50E5F901888694D
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\SysWOW64\SearchProtocolHost.exe
        "C:\Windows\System32\SearchProtocolHost.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4328
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e57b893.rbs
    Filesize

    8KB

    MD5

    604be854098ea56b0ffe96149df10fa4

    SHA1

    1c4a039c0e238b6d73b4b20b146f3b3d635a295e

    SHA256

    0dd672ed036989622cd8e7bf23a3793c8355b4fbddc75cccfb3335c55d2be748

    SHA512

    6c1dcdf131acd91aaf49d6d2efd69cd4d5d37e5a393c2b73194259062ad7228ae3fd0664cef0f56fc2f48676c02781b1aff8d89547fd1e0d9e276636360625a7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05
    Filesize

    45KB

    MD5

    54e857dd1a4084de788109a3cab9e6ba

    SHA1

    a10620c1476985d6607c996a0a05df6b813d593b

    SHA256

    d946ab96679149852c7b2c563edac033320db84d84749374378334321ee874be

    SHA512

    1f8b421af003bd3a64ac2b2ff45726efa71f6a5407c01c21a557961dce0b8ef346adbe1243047fe7c121f026a8939d2942f976e4d464f172c0ab6929261814d5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
    Filesize

    727B

    MD5

    7a3b8457313a521e0d44f91765a4e041

    SHA1

    4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

    SHA256

    2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

    SHA512

    7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05
    Filesize

    314B

    MD5

    557d99eda45ddd12385385e4f14ced9a

    SHA1

    ff5d40b0a3219daa1f6f136619722e67987bf022

    SHA256

    16ea7b2368a2e5a8dd3c48f9e1259d132954b51922421a95608ba32622436edb

    SHA512

    f0f310ec6f1bb95efd859213669050e0f7638e59a1828e5cf72a1e3804bb083a8a5bd5655c9f421d0bba4a483cc0dbb9bc6774a915228bdfbc522366e8bd70ce

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
    Filesize

    478B

    MD5

    9eccb71bd5c3c9326d8f4c577b3fe142

    SHA1

    7c6aa540eb495de0217d55204eb0a330ba6cd6cf

    SHA256

    9f6624002335039ddd7eab390400ecc5fd2cf0a157a8869735f66adef0da8187

    SHA512

    b083d639bf52c78abadbded5a7207c4a0a144307f9ef7c4d4f5bd6ba71f1cf3df763839d578755c3cd177dcad5a74b0e008f769204bdad51c77171f3521fc58a

    Download Submit

  • C:\Windows\Installer\MSIBBDF.tmp
    Filesize

    1.3MB

    MD5

    d66c92c71ed19767fe80fd1f3d2d7d5e

    SHA1

    65c0d18dd1041d897ef92a011726566c45ab4cea

    SHA256

    091a738da44a18105507cde061674705e8cf9deb09c90b8dc2ed7f03a137f3b4

    SHA512

    022a6a0847fa6574a27a7d5c3895c17f831243b3dfd7af02d0a59ba3f5364665df621fa89113e121e8c605043996d0a1c837a33fb733e6d91d7af1ac57e7a4e2

    Download Submit

  • C:\Windows\Installer\e57b892.msi
    Filesize

    1.4MB

    MD5

    f3805cdf687890992345aaa4577b86a4

    SHA1

    697362f0a495bc1fc692f8bc3b12a81522404cc5

    SHA256

    514a0ef6240663664b3a3e06dabdb297841a7e37eaeac65bafbce1efd456a7e1

    SHA512

    6ad1f3ccbbb47e6599548946bca269b4313ffac918516e8ba4bd00dfb078c0dd166d7fac1289eaeb6697e75c8fc20ecd48632914c15dbe10c642fd98f40f6142

    Download Submit

  • memory/1956-17-0x0000000002DA0000-0x0000000002E27000-memory.dmp

    Filesize

    540KB

    Download

  • memory/1956-22-0x0000000002E30000-0x0000000002EB4000-memory.dmp

    Filesize

    528KB

    Download

  • memory/1956-20-0x0000000002D10000-0x0000000002D94000-memory.dmp

    Filesize

    528KB

    Download

  • memory/1956-16-0x0000000010000000-0x0000000010154000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4328-26-0x00000000005B0000-0x0000000000601000-memory.dmp

    Filesize

    324KB

    Download

  • memory/4328-27-0x00000000005B0000-0x0000000000601000-memory.dmp

    Filesize

    324KB

    Download

  • memory/4328-44-0x00000000005B0000-0x0000000000601000-memory.dmp

    Filesize

    324KB

    Download

  • memory/4328-45-0x00000000005B0000-0x0000000000601000-memory.dmp

    Filesize

    324KB

    Download