Overview

overview

7

Static

static

1

WindowsAgent.msi

windows7-x64

7

WindowsAgent.msi

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    14-02-2024 07:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WindowsAgent.msi

  • Size

    28.6MB

  • MD5

    6285950894413022e257973b89be83bc

  • SHA1

    287e930cac8b1bbf40cdd56c85e9b52e97a8a6bd

  • SHA256

    30f991c5d2a6cc0456567c20cf32473a5ff173c4dc0f0ea7ba81c9a70801b051

  • SHA512

    3d995ca2af0da380b215b81d0cf69ea722589ae73c1526243c433459da6a0bedcb3e2b8a55a4a03b83967dfdd841841ca0f78d4782ce1d549ccec39d29f8c51d

  • SSDEEP

    786432:P0nSK22i0QPYKrVdWt3gpw5A1TqTwI1sDrS:cnxE0jK/WG+uTqcp

Score
7/10
discovery

Malware Config

Signatures

  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 17 IoCs
    installer
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WindowsAgent.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1812
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F853A51771DCFC22E93C5E15B6F3F599
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:584
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-1be9a0f1-3c85-4b83-820e-c4c8e7e5ac0c\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:1356
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:1500
      • C:\Users\Admin\AppData\Local\Temp\MW-1be9a0f1-3c85-4b83-820e-c4c8e7e5ac0c\files\nraccessInst.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-1be9a0f1-3c85-4b83-820e-c4c8e7e5ac0c\files\nraccessInst.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2464
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-1be9a0f1-3c85-4b83-820e-c4c8e7e5ac0c\files"
        3⤵
          PID:2316
        • C:\Windows\SysWOW64\ICACLS.EXE
          "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-1be9a0f1-3c85-4b83-820e-c4c8e7e5ac0c\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          3⤵
          • Modifies file permissions
          PID:2004
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000398" "00000000000004A4"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2468

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
      Filesize

      471B

      MD5

      b94f30a5988e6f213c2a04302df21de5

      SHA1

      efc651a274263593eaef0df77dd9d32ca87e4ff3

      SHA256

      ebf623e188418efe9c820e145f0f86cb9f42d0ac7427c0e0d97019bb83e91a8b

      SHA512

      97ea3938ce4f61cd2c11dfb606c52689890e04d78e078e6ef86567a37fd3f635af2866d7f9904f3b0f16add005b301656f921acad74b2535add63e7a306fddea

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D23A670108001603BCDD132336F19794
      Filesize

      727B

      MD5

      cebd6a3ee89ff5fcb3403f5a85f158ec

      SHA1

      da5af6a83663b226a609094c1bc716ff083fc78c

      SHA256

      f15b2b2b7bb36714c4ab3b0546f57ec594a542268a53a78036d22b82411f7fc7

      SHA512

      cf154021928b932fb39d78d514d61540a4b79ce4df31ce5d81d33d8abb451899617daa107fc73e6abc5319e795864f1259b0c11341839232316b534cf6965e3e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
      Filesize

      727B

      MD5

      07be3d60b7ed629c615e368656d1583e

      SHA1

      c60121ca1b0161eb87bb1c5d6b5a415d022505b1

      SHA256

      5777fab5a9d0fb429ab73cde719e68ce168103392305aa5af2864d904febe6ad

      SHA512

      3c8d54a4c8599cc98e370033733a948cda09362337ebe00c97df158a0f5f8b6cc79de0a088bbf9308b15a38cebe51295402519d03bbd0f305c0cc8a69152c888

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
      Filesize

      400B

      MD5

      a028131f23423b5aa9cf79c81deabd45

      SHA1

      248e5e16621f115ae47f366a4d905f9f1e2b64dc

      SHA256

      247f05cd256afcb8ef975298b9a374bff4078e73e66f20d75a929fd02307b727

      SHA512

      a9f51767dd8aca7e197b85d9b85fc01dd0207087eb3772bd9f8c6895b5bfdcdd6c771b8e0c8f3a8aa90a5e7df3e414b22c9da61a8762a297b84156182a039171

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D23A670108001603BCDD132336F19794
      Filesize

      404B

      MD5

      b264d33f91d6d06736d30047b960739f

      SHA1

      ba35c85950a0889feb25d4877d232b2f72a20e24

      SHA256

      a4958733beafe3ac7ba2246ed7a9980d6dcfd403460d027effdb8bcc2448f033

      SHA512

      b0a5480d2d90576e8452bbdfd47b31afed54ebfa3e1d823c0b083dcd8f43258b28396cc2ac07fd1d7ec6fcafc794d31f61b9171f689d9c633611b9ee987f028e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      5dc6d03ff60a7fd78dd4159962d7eb6f

      SHA1

      e4b9f7ebd3790b4c998adc245e3bf27b3f68c132

      SHA256

      eb75c34219a6d3355c9be1bf6fdaba25cb5a9b0b0bea2c0af83cbb9507d56a64

      SHA512

      8b5514c5067fc47540d2c30edd70788df7bd1dff24db5186a0d42636ef7ae2ebe83944d128df637d51f6a9d50efc1a1833dbfa74e10f8784b0b0e17d89fb8085

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
      Filesize

      412B

      MD5

      49d94bdc2c78189f22adb3cb731c30f8

      SHA1

      5c386dc39ce0c190812a2b57199e547031f10aaa

      SHA256

      38aa09e6a1be0c00ab4907987e17caf1d201757d23e7033ab4e45e8da82e61a0

      SHA512

      b1792094057b00faf2471a89174145ac71a3f9f5b433a5f6ab76e5f180e77b04aac12c9e1a408e563daa6acdec1d341b8154082f4487e3b94a1577fe55ecf20a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab40CA.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-1be9a0f1-3c85-4b83-820e-c4c8e7e5ac0c\files.cab
      Filesize

      28.2MB

      MD5

      5c27e2effb670b737b7100607a907d53

      SHA1

      b75a7241b44196c49ce47176d41807cb71c547b3

      SHA256

      8b9fd5afef8de387b67350da9c7f1edf5cc2982a568f732cf566e698b9be345f

      SHA512

      7ae31c6ace43d68fe589a316d9497f08ebde7f98a3c90020abbbee2f559bf7f605ce66e51deb89d3f659c61c0f273bda78093880bb525ca49cf4cc8ee2450a97

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-1be9a0f1-3c85-4b83-820e-c4c8e7e5ac0c\files\nraccessInst.exe
      Filesize

      6.4MB

      MD5

      94b66cfad7208dde9ad25b76e3aaad54

      SHA1

      ff53e8bf85777337299b8e53993ad575bb0b81f1

      SHA256

      8f0774d22b8baf2de1b79d87d95f692872718b36dca65df5ead0c912b6fff13f

      SHA512

      533472c3dbd0750f988174f469655cdd1237bd484a8deba68e8138bb76a59030bd209ade2c441b91fc44cda3000ca59cff47e33521e2e1064e79293b6a65f986

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-1be9a0f1-3c85-4b83-820e-c4c8e7e5ac0c\files\nraccessInst.exe
      Filesize

      5.8MB

      MD5

      16e2e66fce5095d44748e23f5d733cc0

      SHA1

      e2efbfd325c334a0085f9a5fb75d75e0ce97bcd5

      SHA256

      b86e9bbc4d0df8aa585aef9c9a8490a05ea4430df418bdfa1a9f63513e9e2d86

      SHA512

      4921834a6db3a3c7baed83160eb109b927046aa758eddf1d3fcbcf711a2135ffc16d9112ce186bea28d04300d81637f95f981383bb6c24bd154138a294d3b669

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-1be9a0f1-3c85-4b83-820e-c4c8e7e5ac0c\msiwrapper.ini
      Filesize

      1KB

      MD5

      84821435ba734841e15793218ba40c2e

      SHA1

      559590cda1a41986903d37f9b1ad443a56a21fb5

      SHA256

      1f07a19965387e52f5c7b27cb581a86cf2fbdfc6ed8b17b86e886a6d3c23ad01

      SHA512

      8c7fcd780a426066d7db61d03bb098a23c211021d6b5f273a4c59cd4f5945e74fa01146297a311d238a0715932807b4f7019857652cc97c912e3536a769c0ba4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-1be9a0f1-3c85-4b83-820e-c4c8e7e5ac0c\msiwrapper.ini
      Filesize

      1KB

      MD5

      be1e3b38568143688317e1aeb8ef773f

      SHA1

      69350ffe98a4efa9dd4edf566c6217f5accacde1

      SHA256

      c3c53b4577d9cf028c3492b323f2d6a695731e56a05b252903de7c05fb91983d

      SHA512

      faa1ccebd36495d37b213d39b4b52b2a9ffa6f7e9a51f575289c18b3283c9305d732ac8dab7e7a451ef0bc32ed1cacbc68ad78f1ddb1ef8e86347c8a95480a6f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar42A1.tmp
      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

      Download Submit

    • C:\Windows\Installer\MSI8CF6.tmp
      Filesize

      208KB

      MD5

      4caaa03e0b59ca60a3d34674b732b702

      SHA1

      ee80c8f4684055ac8960b9720fb108be07e1d10c

      SHA256

      d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

      SHA512

      25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-1be9a0f1-3c85-4b83-820e-c4c8e7e5ac0c\files\nraccessInst.exe
      Filesize

      7.1MB

      MD5

      6b3e2d615e39470ca3909ca34111d06d

      SHA1

      04fa8b3f96065988d1b47df8b604c90b3f1e6960

      SHA256

      da51290851ebcb4f82e967010221d14f022fbca17b719bec5bbc815f3e52b1b1

      SHA512

      aa52a48c4a3fc1224cd15997ef246c04ccb2b7eb8b720a006276dc757ebb9f80de165510e55eafbb0e46a2e449ba930930d498d9ed03059e72f211d61a0a69d2

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-1be9a0f1-3c85-4b83-820e-c4c8e7e5ac0c\files\nraccessInst.exe
      Filesize

      6.1MB

      MD5

      c960b19ef75e48fc5da0d1b8a7a0ade7

      SHA1

      c10e51bae354d21334aafb60df25023ab40049da

      SHA256

      17db3f961d0a66e534496f5b08d277548a725d7dfc9c0043b20ea65b3838b003

      SHA512

      4271210cc481585e788570a837e421493737a79c2932993d34f401924399b88a3e40570ad3458de9f377a2bbda7c66aca5f44caf399c7d22a109a76725236d8b

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-1be9a0f1-3c85-4b83-820e-c4c8e7e5ac0c\files\nraccessInst.exe
      Filesize

      5.4MB

      MD5

      d569ac04296ab2b24d723d15c78e2d14

      SHA1

      aa79eb9358939ae8e9b9235b3b5a1874cfdb56bb

      SHA256

      01ff1d12a27a9bac1f9deffd6450b2c94700fbd2870b1f641d1346d7b8d5eefb

      SHA512

      0225b83274d39dd72bd276e1e97a8692e68e8dda43f775279b2859249b1816662a2dfe95406f14b6bfb61030e866e20dc3b383da732360e0c45e7874a38e33c5

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-1be9a0f1-3c85-4b83-820e-c4c8e7e5ac0c\files\nraccessInst.exe
      Filesize

      4.6MB

      MD5

      fc7641729eac0d0b4d30e1c9de483834

      SHA1

      087bacee45dbfca7ec9718fb51ceabda1b2aee89

      SHA256

      1c57e79e9ab6bb83040a2701cbdca353b2e98e324ffe7f2e99cb534b81f74930

      SHA512

      e21754449be41fcf193a4fda91d464c86dd1ebb71f00e738e9f79cdfcb96e86dc4fe34deee75bc7461b0d572f9a374dd5a27b9b9636a5fcf70d1559b5ad8dea7

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-1be9a0f1-3c85-4b83-820e-c4c8e7e5ac0c\files\nraccessInst.exe
      Filesize

      4.8MB

      MD5

      8cbf5b81021911df0264643d29cab6fc

      SHA1

      2cac5d23cb9b9f4894d12a4ec671e11c9dabefb6

      SHA256

      081251766034345205f43b46dc461263ca794e19aa7f39d9fd899935b200b088

      SHA512

      595fd0ff65e82bcf7be8096094b09785e55888dbd3ca85c3203931bf47f3887a057474057e1330482c84f2310343d29f2a733c83d1c0a24bf45544fa1f3eca4e

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-1be9a0f1-3c85-4b83-820e-c4c8e7e5ac0c\files\nraccessInst.exe
      Filesize

      5.0MB

      MD5

      7efcfcab791edc5d4a69c661a8dcd419

      SHA1

      f0bb3ca3752e27134d6b77b9988436c4447b7685

      SHA256

      aa3880d365bdc40eb2a7019ba2a704b53c728f1d926bc5abc3288ede4a45cd0f

      SHA512

      69a67c9e943e34a77aa6a623b463a81aad93408f6fd518942e693f5f3bdedd1c9b5675fcc9134486a2293bcab66eb0fc4d0bce7d64bb65b1064c81f32e78901a

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nseDEAE.tmp\System.dll
      Filesize

      11KB

      MD5

      c17103ae9072a06da581dec998343fc1

      SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

      SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

      SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nseDEAE.tmp\UserInfo.dll
      Filesize

      4KB

      MD5

      7579ade7ae1747a31960a228ce02e666

      SHA1

      8ec8571a296737e819dcf86353a43fcf8ec63351

      SHA256

      564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

      SHA512

      a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

      Download Submit