Overview

overview

10

Static

static

10

7538dd6e69...18.msi

windows7-x64

10

7538dd6e69...18.msi

windows10-2004-x64

7

Analysis

  • max time kernel
    144s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2023 14:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7538dd6e69d0c65d2dc0eb091c3ced18.msi

  • Size

    3.8MB

  • MD5

    7538dd6e69d0c65d2dc0eb091c3ced18

  • SHA1

    9d91e4cc3c59c258ae2655119692c13c899d68d2

  • SHA256

    142a30f9ba3c2e1efbdf15241721da3b20d7b6436761d3eaafdcc095dc681fc4

  • SHA512

    935aed41fbc1bb42cdc4b2c10fd306286642428c017248a71297d7674439415a410464a75b0529eec4b7a98f052408afcde24a501f6970fa405d642aafadb6c6

  • SSDEEP

    98304:D77Pmq33rE/JDLPWZADUGer7B6iY74M/mmlwXVZaFB:L+R/eZADUXR

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 8 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7538dd6e69d0c65d2dc0eb091c3ced18.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1596
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:512
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2968
    • C:\Windows\Installer\MSI7991.tmp
      "C:\Windows\Installer\MSI7991.tmp"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:5048
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/5048-16-0x0000000075140000-0x0000000075179000-memory.dmp

    Filesize

    228KB

    Download

  • memory/5048-17-0x00000000754C0000-0x00000000754F9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/5048-18-0x00000000754C0000-0x00000000754F9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/5048-21-0x00000000754C0000-0x00000000754F9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/5048-22-0x00000000754C0000-0x00000000754F9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/5048-23-0x00000000754C0000-0x00000000754F9000-memory.dmp

    Filesize

    228KB

    Download