Analysis
- max time kernel: 219s
- max time network: 237s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-es
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-es, locale:es-es, os:windows10-2004-x64, system, windows
- submitted: 11/01/2024, 04:02
Static task: static1
Behavioral task: behavioral1
- Sample: RebornInstaller.exe
- Resource: win10v2004-20231215-es
General
- Target: RebornInstaller.exe
- Size: 100.6MB
- MD5: 9813c03f3b82d1186378164e77cda452
- SHA1: 67ae5bbc33a00318e50c3a55b3994a7dfab8beee
- SHA256: 560a3d3cbd8df41cfa82df18f18af9d4ff8dbe05ca1cb044457b94c23386fcd0
- SHA512: c5b8d9d6b6547cb12417bbeefccb5d8bece105fd68ac9bf639c0883d00b8c131fc10a7de4d44c55c7088966e4f2e023f06f519c9d22037124b97014e929e0de4
- SSDEEP: 3145728:/WVWbmcXONa59sar9okKjKzQAgLmgQfD:OQbHOA9NrrBQRaD
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  process:     msiexec.exe
  ioc:         \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  Each of the 23 letters above appears twice in the trace (46 rows), matching the two msiexec.exe processes (PIDs 4344 and 4932) that carry this signature in the process tree; C:, D: and F: are the only letters never probed. Enumerating every drive letter during an install is typical msiexec.exe behaviour (the engine gathers volume information while costing the package), so this signature is attributable to the Windows Installer engine rather than to code in RebornInstaller.exe, whose own process carries no drive-enumeration IoC.
- Loads dropped DLL (1 IoC)
  pid   process
  4712  MsiExec.exe
  PID 4712 is the 32-bit MsiExec.exe -Embedding instance spawned by the Windows Installer service (PID 4932) in the process tree, i.e. a custom action server. A dropped DLL being loaded there is consistent with the MSI package carrying a 32-bit DLL custom action; the DLL is not loaded by RebornInstaller.exe itself.
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  K = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  description       ioc                                              process
  Set value (data)  K\Partmgr\PartitionTableCache = (value omitted)  vssvc.exe
  Set value (data)  K\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
  Key opened        K                                                vssvc.exe
  Key queried       K                                                vssvc.exe
  Key created       K\Partmgr                                        vssvc.exe
  Caveat: all five IoCs come from vssvc.exe (the Volume Shadow Copy service, PID 3980), not from the sample or from msiexec.exe, and three of them are writes, creating the Partmgr subkey and storing the partition manager's cache values (the SnapshotDataCache blob begins with the ASCII magic "SNAPPART"). That is ordinary snapshot bookkeeping by a Windows service, consistent with the "Uses Volume Shadow Copy service COM API" signature below, not sandbox fingerprinting by the sample.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Every row has the form "Token: <privilege> <pid> <process>", listed in trace order. Grouped by process:
  PID 4932 msiexec.exe (1 row): SeSecurityPrivilege
  PID 4344 msiexec.exe (63 rows): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then the following 29 privileges in this order, twice in full and a third time cut off after its first three entries, which is where the 64-row listing ends:
    SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  Caveat: msiexec.exe is walking essentially the whole catalogue of Windows privileges in a fixed order and enabling whatever its token holds, not enabling one chosen privilege (such as SeDebugPrivilege) for a specific purpose. The Windows Installer engine does this routinely, so the signature describes msiexec.exe rather than RebornInstaller.exe and is weak evidence on its own.
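The three signature tables above (drive probes, token privileges, SCSI registry access) are printed as single run-together rows. The following Python is an added example, not part of the report: it parses those row formats into structured records so the counts claimed above (letters probed twice, privileges per PID, which process touched the registry keys) can be checked mechanically, and it decodes the leading bytes of a registry data blob to show the "SNAPPART" magic. The row grammar is inferred only from the rows on this page, and the sample strings are short excerpts of them; nothing else is assumed.

```python
r"""Parse the flattened signature rows of this report into structured records.

Added example, not part of the sandbox report. The row grammar is inferred only
from the rows printed above:
    File opened (read-only) \??\<letter>: <process>
    Token: <privilege> <pid> <process>
    <action> <registry key>[ = <hex data>] <process>
The sample strings below are short excerpts of those rows.
"""
import re
from collections import Counter, defaultdict

# Excerpt of the "Enumerates connected drives" row. The full row lists every
# letter twice because two msiexec.exe instances probe the same drives.
DRIVE_ROWS = (
    r"File opened (read-only) \??\A: msiexec.exe "
    r"File opened (read-only) \??\K: msiexec.exe "
    r"File opened (read-only) \??\M: msiexec.exe "
    r"File opened (read-only) \??\A: msiexec.exe "
    r"File opened (read-only) \??\K: msiexec.exe "
    r"File opened (read-only) \??\M: msiexec.exe"
)

# Excerpt of the "Suspicious use of AdjustPrivilegeToken" row (trace order,
# so the single PID 4932 row sits between PID 4344 rows).
TOKEN_ROWS = (
    "Token: SeShutdownPrivilege 4344 msiexec.exe "
    "Token: SeIncreaseQuotaPrivilege 4344 msiexec.exe "
    "Token: SeSecurityPrivilege 4932 msiexec.exe "
    "Token: SeCreateTokenPrivilege 4344 msiexec.exe "
    "Token: SeDebugPrivilege 4344 msiexec.exe "
    "Token: SeShutdownPrivilege 4344 msiexec.exe"
)

# Excerpt of the "Checks SCSI registry key(s)" row. The PartitionTableCache row
# is omitted because its data is not reproduced in the report, and the
# SnapshotDataCache blob is truncated to its first 20 bytes in this excerpt.
_KEY = (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK"
        r"\4&215468a5&0&000000\Device Parameters")
REGISTRY_ROWS = (
    f"Set value (data) {_KEY}\\Partmgr\\SnapshotDataCache = "
    "534e41505041525401000000700000008ec7416a vssvc.exe "
    f"Key opened {_KEY} vssvc.exe "
    f"Key queried {_KEY} vssvc.exe "
    f"Key created {_KEY}\\Partmgr vssvc.exe"
)

DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
TOKEN_RE = re.compile(r"Token: (Se\w+) (\d+) (\S+)")
_REG_ACTIONS = r"Set value \(data\)|Key opened|Key queried|Key created"
# Registry keys contain spaces ("Device Parameters"), so split the row at each
# action keyword first, then match one record per chunk with a lazy key group.
REG_SPLIT_RE = re.compile(rf"(?=(?:{_REG_ACTIONS}) )")
REG_RE = re.compile(rf"({_REG_ACTIONS}) (.+?)(?: = ([0-9A-Fa-f]+))? (\S+)\s*")


def parse_drives(text):
    """Return (Counter{letter: times opened}, set of processes that opened them)."""
    counts, procs = Counter(), set()
    for letter, proc in DRIVE_RE.findall(text):
        counts[letter] += 1
        procs.add(proc)
    return counts, procs


def unprobed_letters(counts):
    """Drive letters never opened. On the report's full row these are C, D and F."""
    return [c for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ" if c not in counts]


def parse_tokens(text):
    """Return {pid: {"process": name, "privileges": Counter{privilege: rows}}}."""
    out = defaultdict(lambda: {"process": None, "privileges": Counter()})
    for priv, pid, proc in TOKEN_RE.findall(text):
        out[int(pid)]["process"] = proc
        out[int(pid)]["privileges"][priv] += 1
    return dict(out)


def parse_registry(text):
    """Return a list of {"action", "key", "data", "process"} records (data may be None)."""
    records = []
    for chunk in REG_SPLIT_RE.split(text):
        if not chunk.strip():
            continue
        m = REG_RE.fullmatch(chunk)
        if m is None:
            raise ValueError(f"unrecognised registry row: {chunk!r}")
        action, key, data, proc = m.groups()
        records.append({"action": action, "key": key, "data": data, "process": proc})
    return records


def ascii_magic(hexdata, length=8):
    """Return the leading `length` bytes of a hex blob as text if they are printable ASCII."""
    text = bytes.fromhex(hexdata[: 2 * length]).decode("ascii", errors="replace")
    return text if text.isascii() and text.isprintable() else None


if __name__ == "__main__":
    counts, procs = parse_drives(DRIVE_ROWS)
    print("drive letters probed:", dict(counts), "by", sorted(procs))
    print("never probed:", "".join(unprobed_letters(counts)))
    for pid, rec in sorted(parse_tokens(TOKEN_ROWS).items()):
        print(pid, rec["process"], len(rec["privileges"]), "distinct privileges")
    for rec in parse_registry(REGISTRY_ROWS):
        if rec["data"]:
            print(rec["key"].rsplit("\\", 1)[-1], "magic:", ascii_magic(rec["data"]))
```

Paste the full rows from the report in place of the excerpts and the same functions give the figures quoted above: 23 distinct letters each opened twice, only PID 4932's single SeSecurityPrivilege row outside PID 4344, and every registry record attributed to vssvc.exe.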
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  4344  msiexec.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process              procid_target  rows
  PID 2412 wrote to memory of 4344   2412  RebornInstaller.exe  89             3
  PID 4932 wrote to memory of 4712   4932  msiexec.exe          97             3
  Caveat: both writers are parents writing into the child they have just created (2412 → 4344 and 4932 → 4712 in the process tree), which is how process creation sets up the new process's parameters. No write into an unrelated process appears, so there is no indication of code injection here.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
  vssvc.exe (PID 3980) starting during an MSI install is consistent with Windows Installer requesting a System Restore point before it modifies the system. The report records no shadow copy deletion, only the service's own registry bookkeeping listed under "Checks SCSI registry key(s)".
Processes
RebornInstaller.exe (PID 2412)
  image:      C:\Users\Admin\AppData\Local\Temp\RebornInstaller.exe
  command:    "C:\Users\Admin\AppData\Local\Temp\RebornInstaller.exe"
  signatures: Suspicious use of WriteProcessMemory
  └─ msiexec.exe (PID 4344)
       image:      C:\Windows\SysWOW64\msiexec.exe
       command:    msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSI5D3E.tmp
       signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

msiexec.exe (PID 4932)
  image:      C:\Windows\system32\msiexec.exe
  command:    C:\Windows\system32\msiexec.exe /V
  signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  └─ MsiExec.exe (PID 4712)
       image:      C:\Windows\syswow64\MsiExec.exe
       command:    C:\Windows\syswow64\MsiExec.exe -Embedding 6465C53CB2488B124D0644999AB656C7 C
       signatures: Loads dropped DLL

vssvc.exe (PID 3980)
  image:      C:\Windows\system32\vssvc.exe
  command:    C:\Windows\system32\vssvc.exe
  signatures: Checks SCSI registry key(s)

Reading the tree: RebornInstaller.exe is a wrapper that drops an MSI package into %TEMP% under the name MSI5D3E.tmp and hands it to the 32-bit (SysWOW64) msiexec.exe client with /i. The client talks to the Windows Installer service (system32\msiexec.exe /V, a separate root because it runs as a service), and the service spawns a 32-bit custom action server (MsiExec.exe -Embedding ...), which is the only process flagged for loading a dropped DLL; that is the normal execution path for a DLL custom action carried in the package. vssvc.exe appears for the installer's restore point. The installer's own logic therefore runs inside the MSI's custom actions, so the dropped package and the DLL it contains are what need static review; the process-level signatures above are common to most MSI installations.
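The chain read off the tree above (wrapper → 32-bit msiexec client installing a renamed package from %TEMP%; Installer service → -Embedding custom action server) is the part worth alerting on in process telemetry. The Python below is an added example, not from the report: it encodes those two observations as rules over process-creation events transcribed from the tree. The event field names and rule names are the example's own, and parent PIDs the report does not show are left as None.

```python
"""Flag the Windows Installer execution chain seen in the process tree above.

Added example, not part of the report. EVENTS is transcribed from the tree
(parent PIDs the report does not show are None); the field and rule names are
this example's own, not the sandbox's.
"""
import re

EVENTS = [
    {"pid": 2412, "ppid": None, "image": r"C:\Users\Admin\AppData\Local\Temp\RebornInstaller.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RebornInstaller.exe"'},
    {"pid": 4344, "ppid": 2412, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSI5D3E.tmp"},
    {"pid": 4932, "ppid": None, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 4712, "ppid": 4932, "image": r"C:\Windows\syswow64\MsiExec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding 6465C53CB2488B124D0644999AB656C7 C"},
    {"pid": 3980, "ppid": None, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
]

# "/i <package>" or "-i <package>", quoted or bare, anywhere on the command line.
PACKAGE_RE = re.compile(r'(?:^|\s)[/-]i\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def is_msiexec(event):
    return event["image"].lower().rsplit("\\", 1)[-1] == "msiexec.exe"


def is_wow64(event):
    """True when the image lives in SysWOW64, i.e. a 32-bit process on x64."""
    return "\\syswow64\\" in event["image"].lower()


def install_package(cmdline):
    """Return the package path passed to msiexec /i, or None if none."""
    m = PACKAGE_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def analyse(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not is_msiexec(e):
            continue
        parent = by_pid.get(e["ppid"])
        pkg = install_package(e["cmdline"])
        if pkg and USER_TEMP_RE.search(pkg):
            findings.append({
                "rule": "msi_install_from_user_temp",
                "pid": e["pid"],
                "parent_image": parent["image"] if parent else None,
                "package": pkg,
                # A package handed to msiexec under a non-.msi name (here .tmp).
                "renamed_package": not pkg.lower().endswith(".msi"),
                "wow64_client": is_wow64(e),
            })
        if "-embedding" in e["cmdline"].lower():
            # Custom action server: the process that actually runs DLL/EXE custom actions.
            findings.append({
                "rule": "msi_custom_action_server",
                "pid": e["pid"],
                "parent_pid": e["ppid"],
                "parent_is_installer_service": bool(
                    parent and is_msiexec(parent) and " /v" in parent["cmdline"].lower()),
                "wow64_server": is_wow64(e),
            })
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

On the page's tree this yields two findings: the PID 4344 client installing a renamed package from the user's Temp directory on behalf of RebornInstaller.exe, and the PID 4712 custom action server under the Installer service. Both are what legitimate bootstrapper installers also do, so the findings are a pointer to the package and custom action DLL to examine, not a verdict.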
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists two dropped files by size and hash only; their paths and names are not given here.
- Filesize: 74.2MB
  MD5: cceafa9a96d517f6950fc90ceaadce46
  SHA1: c625f8565e75c8022c67858c6bde2bb52bac8a89
  SHA256: 204d0ea8ff729c8cc839d2ef12e23601b5ee47ec85e8f8bb037c2b7c9ea68068
  SHA512: a2f986e638be472c99bbaaaddcff7b20214250a60b38faa414a940e5e41a440c43dcb451ac6ddbb2669b825e964730bff48beadcbdf4a17296671d631a021237
- Filesize: 113KB
  MD5: 4fdd16752561cf585fed1506914d73e0
  SHA1: f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
  SHA256: aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
  SHA512: 3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600