Analysis

  • max time kernel
    25s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 16:39

General

  • Target
  • Size
    860KB
  • MD5
    b3dce5c3f95a18fd076fad0f73bb9e39
  • SHA1
    e80cc285a77302ee221f47e4e94823d4b2eba368
  • SHA256
    df2e3b2222dcdbb5e0dbdd1200ec8fd5f67fcbea99e0023df54307eab60030ff
  • SHA512
    c184436055cf74884ad0d2bd5ca00bcd5a62d6be46253fe8c71b4daaa5c710b9df34af1b6e41f6d1af94bcdec0d33679a6a1b34bf9755678b4e177f368c11d4c
  • SSDEEP
    24576:TkRBL2LYcyvue73Ze+RrM31N0vhMN0T4+ZI:TkRBLgiue73Ze+SWI+Z

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 14 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 49 IoCs
  • Modifies registry class 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\[email protected]
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2088
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1CA0AD245359E96357DBF35FBBD452D9 M Global\MSI0000
      2⤵
      • Adds Run key to start application
      • Modifies WinLogon for persistence
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
        3⤵
        PID:600
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
        3⤵
        PID:1520
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
        3⤵
        • Modifies registry class
        PID:1552
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\SysWOW64\reg.exe" DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 /f
        3⤵
        • Modifies registry class
        PID:632
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\SysWOW64\cmd.exe" /C "DEL /F /Q C:\Windows\Prefetch\pcdef*"
        3⤵
        PID:1916
      • C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
        "C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe" "shutdown -r -t 0"
        3⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:3040
        • C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
          "C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe" "shutdown -r -t 0" 1
          4⤵
          • Executes dropped EXE
          PID:1284
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2120
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000048C" "00000000000005A8"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2464
  • C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe
    "C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe
      "C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe
        "C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1804
    • C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
      "C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe" pcdef.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2000

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Config.Msi\f764406.rbs
    Filesize
    14KB
    MD5
    649c88dd120aa4261771978ccac4bc24
    SHA1
    a9a2573b4acd6b61abfdf58a03711b5fefe63080
    SHA256
    18031a3ce68b8ad3fd7f7343aab29d4940bf2b9353e3ff72b743b8c6397377b7
    SHA512
    e797dcdc9366dc65ac2a8ef17e0a6afc052cca4b17ab5a70e13a0623b19da9abd56f8fa439ba0d4616906dea8c311a50585ecb350803855f78db2be3f700c252
  • C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe
    Filesize
    1.2MB
    MD5
    f37c2e31bd57905b90de048c58221dd4
    SHA1
    95d3972a5c6cf223e70d01e11e04a798eea59f8a
    SHA256
    352492ae2be4b4fcfe97a76f5318abe2351d9c4d33d6438a8f2fc87ed6601a06
    SHA512
    8bb6548c9a8ab47e9380ef0d01fd824c84a12469b29f5874de2969359a81d122aa379973608592ccee556b6639bfe85f920346e2f2c104ba5c333c57ce091680
  • C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
    Filesize
    93KB
    MD5
    d96a5175eecd752ca22f41bad80870c0
    SHA1
    00f68eee206c2a6b07dd86e1cbf008c082a8032f
    SHA256
    c3ab412d3ea0232bb891319fe9ac79b1ed0a61d9251a574c9502a6cef0b1f5b5
    SHA512
    918db6e7728d2890fbd3afd8a9f4da2636d6eabe0cbeaeacb379db9ea779d7ba6133ed4b367725487bf18c10874f5700be5d252d527116ccf879842afadbe13c
  • C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe
    Filesize
    86KB
    MD5
    46b816356a5e05f65bfaed216106e7a0
    SHA1
    e7c55d7b4d2887a93ea55e55ed45ee57f8fbe9fa
    SHA256
    7eb8eecdf4654171f721a58a44d19ba2a1f35d8bbdabf38bff9f1c3c31fc1d19
    SHA512
    54cc8b6e56bba14608c95e5c678c00ed363e7e0cff77f9799ed3654022e13c883136b6477e2aa4b753c7ef8331033369168900f61bd36b35384dc72c4e60e3be
  • C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
    Filesize
    43KB
    MD5
    c05ccc260692e8bfb5b6ba7238dbb943
    SHA1
    4ad185a7acb1c4ffcb3c03daa77cc77a833ae7e6
    SHA256
    0d58d2b03e3f6d5f32216e74badae8ad0d7f94cc4f207d06883ba953a1594cba
    SHA512
    7707d1c3f9085a710527e2d1559c8268ca3a1fb70fca9f1cf391a02cd81002193c6971cefd7b00b371e14adf5ae7b83b63206b88ead13b04a20ad08c7154ac22
  • C:\Windows\Installer\f764402.msi
    Filesize
    860KB
    MD5
    b3dce5c3f95a18fd076fad0f73bb9e39
    SHA1
    e80cc285a77302ee221f47e4e94823d4b2eba368
    SHA256
    df2e3b2222dcdbb5e0dbdd1200ec8fd5f67fcbea99e0023df54307eab60030ff
    SHA512
    c184436055cf74884ad0d2bd5ca00bcd5a62d6be46253fe8c71b4daaa5c710b9df34af1b6e41f6d1af94bcdec0d33679a6a1b34bf9755678b4e177f368c11d4c
  • memory/2832-20-0x00000000001E0000-0x00000000001E2000-memory.dmp
    Filesize
    8KB