560a3d3cbd8df41cfa82df18f18af9d4ff8dbe05ca1cb044457b94c23386fcd0

Resubmissions

11/01/2024, 04:02

240111-ematssfba6 6

11/01/2024, 03:40

240111-d79yysdhcq 6

Analysis

max time kernel
219s
max time network
237s
platform
windows10-2004_x64
resource
win10v2004-20231215-es
resource tags

arch:x64arch:x86image:win10v2004-20231215-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
11/01/2024, 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RebornInstaller.exe
Size

100.6MB
MD5

9813c03f3b82d1186378164e77cda452
SHA1

67ae5bbc33a00318e50c3a55b3994a7dfab8beee
SHA256

560a3d3cbd8df41cfa82df18f18af9d4ff8dbe05ca1cb044457b94c23386fcd0
SHA512

c5b8d9d6b6547cb12417bbeefccb5d8bece105fd68ac9bf639c0883d00b8c131fc10a7de4d44c55c7088966e4f2e023f06f519c9d22037124b97014e929e0de4
SSDEEP

3145728:/WVWbmcXONa59sar9okKjKzQAgLmgQfD:OQbHOA9NrrBQRaD

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
4712	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003462af5746133e160000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003462af570000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003462af57000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3462af57000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003462af5700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4344	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4344	msiexec.exe
Token: SeSecurityPrivilege	4932	msiexec.exe
Token: SeCreateTokenPrivilege	4344	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4344	msiexec.exe
Token: SeLockMemoryPrivilege	4344	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4344	msiexec.exe
Token: SeMachineAccountPrivilege	4344	msiexec.exe
Token: SeTcbPrivilege	4344	msiexec.exe
Token: SeSecurityPrivilege	4344	msiexec.exe
Token: SeTakeOwnershipPrivilege	4344	msiexec.exe
Token: SeLoadDriverPrivilege	4344	msiexec.exe
Token: SeSystemProfilePrivilege	4344	msiexec.exe
Token: SeSystemtimePrivilege	4344	msiexec.exe
Token: SeProfSingleProcessPrivilege	4344	msiexec.exe
Token: SeIncBasePriorityPrivilege	4344	msiexec.exe
Token: SeCreatePagefilePrivilege	4344	msiexec.exe
Token: SeCreatePermanentPrivilege	4344	msiexec.exe
Token: SeBackupPrivilege	4344	msiexec.exe
Token: SeRestorePrivilege	4344	msiexec.exe
Token: SeShutdownPrivilege	4344	msiexec.exe
Token: SeDebugPrivilege	4344	msiexec.exe
Token: SeAuditPrivilege	4344	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4344	msiexec.exe
Token: SeChangeNotifyPrivilege	4344	msiexec.exe
Token: SeRemoteShutdownPrivilege	4344	msiexec.exe
Token: SeUndockPrivilege	4344	msiexec.exe
Token: SeSyncAgentPrivilege	4344	msiexec.exe
Token: SeEnableDelegationPrivilege	4344	msiexec.exe
Token: SeManageVolumePrivilege	4344	msiexec.exe
Token: SeImpersonatePrivilege	4344	msiexec.exe
Token: SeCreateGlobalPrivilege	4344	msiexec.exe
Token: SeCreateTokenPrivilege	4344	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4344	msiexec.exe
Token: SeLockMemoryPrivilege	4344	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4344	msiexec.exe
Token: SeMachineAccountPrivilege	4344	msiexec.exe
Token: SeTcbPrivilege	4344	msiexec.exe
Token: SeSecurityPrivilege	4344	msiexec.exe
Token: SeTakeOwnershipPrivilege	4344	msiexec.exe
Token: SeLoadDriverPrivilege	4344	msiexec.exe
Token: SeSystemProfilePrivilege	4344	msiexec.exe
Token: SeSystemtimePrivilege	4344	msiexec.exe
Token: SeProfSingleProcessPrivilege	4344	msiexec.exe
Token: SeIncBasePriorityPrivilege	4344	msiexec.exe
Token: SeCreatePagefilePrivilege	4344	msiexec.exe
Token: SeCreatePermanentPrivilege	4344	msiexec.exe
Token: SeBackupPrivilege	4344	msiexec.exe
Token: SeRestorePrivilege	4344	msiexec.exe
Token: SeShutdownPrivilege	4344	msiexec.exe
Token: SeDebugPrivilege	4344	msiexec.exe
Token: SeAuditPrivilege	4344	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4344	msiexec.exe
Token: SeChangeNotifyPrivilege	4344	msiexec.exe
Token: SeRemoteShutdownPrivilege	4344	msiexec.exe
Token: SeUndockPrivilege	4344	msiexec.exe
Token: SeSyncAgentPrivilege	4344	msiexec.exe
Token: SeEnableDelegationPrivilege	4344	msiexec.exe
Token: SeManageVolumePrivilege	4344	msiexec.exe
Token: SeImpersonatePrivilege	4344	msiexec.exe
Token: SeCreateGlobalPrivilege	4344	msiexec.exe
Token: SeCreateTokenPrivilege	4344	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4344	msiexec.exe
Token: SeLockMemoryPrivilege	4344	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4344	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 4344	2412	RebornInstaller.exe	89
PID 2412 wrote to memory of 4344	2412	RebornInstaller.exe	89
PID 2412 wrote to memory of 4344	2412	RebornInstaller.exe	89
PID 4932 wrote to memory of 4712	4932	msiexec.exe	97
PID 4932 wrote to memory of 4712	4932	msiexec.exe	97
PID 4932 wrote to memory of 4712	4932	msiexec.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\RebornInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\RebornInstaller.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSI5D3E.tmp
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4344

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6465C53CB2488B124D0644999AB656C7 C
  2⤵
  - Loads dropped DLL
  PID:4712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI5D3E.tmp

Filesize
74.2MB

MD5
cceafa9a96d517f6950fc90ceaadce46

SHA1
c625f8565e75c8022c67858c6bde2bb52bac8a89

SHA256
204d0ea8ff729c8cc839d2ef12e23601b5ee47ec85e8f8bb037c2b7c9ea68068

SHA512
a2f986e638be472c99bbaaaddcff7b20214250a60b38faa414a940e5e41a440c43dcb451ac6ddbb2669b825e964730bff48beadcbdf4a17296671d631a021237

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIACE5.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads