Analysis
-
max time kernel
89s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
16/03/2024, 02:52
General
-
Target
תוכנת תיירות.msi
-
Size
2.6MB
-
MD5
c381c2cb8fdd6acf1636280b9424f573
-
SHA1
7918e2c9c6f2847078bb736968f8f21b7e70a0af
-
SHA256
ff2ae62ba88e7068fa142bbe67d7b9398e8ae737a43cf36ace1fcf809776c909
-
SHA512
2740b78b04d88981db065138f1962dcee5b867c5aa6216cca4a3ad2773194c5956270664875575c3a31c014f64d4135ffa762a79ebbe5cddd0696d1edb7bd119
-
SSDEEP
49152:k51VAM5R2KAHlcp8qFmmzDza2Rqr+kMdPTEe/pjO8xn+ch/TlOFNOnUI:kPCMr2NMRmk/XeM9TEeRvx+ch/TlAr
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 14 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 17 IoCs
-
Drops file in Windows directory 16 IoCs
-
Executes dropped EXE 3 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Loads dropped DLL 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 22 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\תוכנת תיירות.msi"1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding EE869E4925DFE29965418E484E649F242⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI7D0F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240614937 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- Loads dropped DLL
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 17293E1B6B2E5F51031BBBA3F4E3AF04 E Global\MSI00002⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\NET.exe"NET" STOP AteraAgent3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
-
-
-
C:\Windows\SysWOW64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q3000008qXbDIAU"2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" df5e2947-fb0b-4ec7-b23e-da4ae853157c "c35ec309-8b71-4f0a-8b0e-5cbd40b15c43" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD59504cad3b9758f9e5487df4d33707f44
SHA17edaa035845d097b4ff1880ee8ba691f5f14adb9
SHA25644939fa3f5a5983400a9f2f9ae7933867f77045b0e087850725bec2f44492582
SHA5127bceea3d72280dcfd2e847b47448d7f6866dae8a6c6191d1d42af0b1f22bc8ddeb386fd5310b5921513e9d5e63b0f502746d9be95844840ba3a5737bce32379c
-
Filesize
140KB
MD52899046a979bf463b612b5a80defe438
SHA121feaa6f3fbb1afa7096c155d6b1908abf4ea3b9
SHA256486b2c2b0ca934ab63a9cf9f4b660768ad34c8df85e6f070aec0b6a63f09b0d8
SHA5128c60eb0d9e82326543f2fbcd08783e041a7f5598723666b1c9ea5df7808d0c4947e8e64c2dcd46331bc3dbc38c6ec8b85ed2fcc5b97eaf0465ea624167829368
-
Filesize
1KB
MD5b3bb71f9bb4de4236c26578a8fae2dcd
SHA11ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e
SHA256e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2
SHA512fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71
-
Filesize
209KB
MD5a41c23558b3c07f8c749844bb553d545
SHA18473013cf5f2be8158c13f1056675d1cbd10586f
SHA256a6193fc0a09ad7145fe38494bcf67fecbc10c07a5f3936e419895b018e85a766
SHA5125930f14f3be4aed70a1ff93dbb75022c2d947a0a2344031992167d72192e0a51d207fc2255cb0ca1fb21b20b1277a528bbf739bbdf8676f7a0786efd132b436f
-
Filesize
693KB
MD564e122b28a1e548c1cca376e32cdd248
SHA14506de40b8422c9be58333f35325a86674ca650c
SHA2560ee2dd095b1cc4c3cda44a237a188e16c8614c107ad9d37ad8a581473ad42215
SHA51236fc7dd056303822b23f9173b43522dee23431a419bdbae43a850e87f37b936b34ed2ef5013997d6d8b59d74627d55b0cc622da751d3ed828c850c7982a0d8fa
-
Filesize
12B
MD5e1d717a53b79233000376e06e7e818fa
SHA1e9f5a584cc49acaf36d4837802b9a3ea7b5144e8
SHA256b670eba39ceb4441a7c9b00d2ad56c22c762a985ab3620fa2df94af6a05d3bc0
SHA512759a6ecbc46bac091a9c712f69125ea739651b185d1ffb26f79bffaf0d5c79ec10f9cb42408e098a89f0408f434919500cf07314ac4eae0948e4aba7a099178f
-
Filesize
163KB
MD53723dec9f9f58e9548cf705a08272aa7
SHA10eb60973068ba24edd449bed2be05c64a17c46e7
SHA2562906684ef97d39b4aba921be2728dc50458b66045c328adedc33fe483a7ca877
SHA512469b8ca4a0dc6433c90c141320ddcdf77e6b529f660326b249fd4a9d8bc22281079fde6ab71e02b03656f13f5af6d1c4185ac62ce470786091794b33d1433530
-
Filesize
546B
MD5158fb7d9323c6ce69d4fce11486a40a1
SHA129ab26f5728f6ba6f0e5636bf47149bd9851f532
SHA2565e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21
SHA5127eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb
-
Filesize
94KB
MD53ca5eae6bc6b5b68e86d7e94da6680b4
SHA18b1506e53cd0cc830450cf864bc300b9b249899d
SHA256d297eb8b6b451e47bdd5118a311c30220a392c2e1c606004d822b8db978f6855
SHA512c7d19f1e66d50a0891284c9aedea9bbed9fa82c0aa119c6c6b1e3ef23167727db89c741a70d8673d29aa652b1f97c61f821e5609d16151749f05b83816cdd16d
-
Filesize
687KB
MD574b54353c4e2834907dcf55d0c329050
SHA1bdf81278635673ed3c3f7d9243c56338b18ba950
SHA256a0fcf15c913a9871724f36fd280aa3654a1325c24c46da42704fb79c72860608
SHA5126b4d54bd31310fb5c1936e64c5d1fc7213fa672db1ee18953b62491724c6c407632f9999d8edcab9f15a8b99479572e11e00194b2be3008ba238a5675cdc44f1
-
Filesize
588KB
MD582b17dc9838e1e21e5c6f53d2867e94a
SHA1a09bfe6582bff9193337cc7dbab79d0b6b723205
SHA2568e7210c1cd0955aeb4cbbdce362d4c450e0bf1be47bdf263fbf2789a4d98fd00
SHA512c1b259655e2514449366f2d150d020a1eabb0e67af29c5e26c3a00f1d84d805216016c306d48e37354de09d4a056dc071c0d0d0d36f8ec9775843e6ae2712430
-
Filesize
168B
MD539d0829413495b02fa925ae231ba986f
SHA1d65452465945396157db7c1d2f6059904cc4f2cf
SHA25649c8f53c815d823c5fd4f01cca839615849bda299aab320acfa2a8fd4d990afe
SHA512e80b52339d8e38e8ceb8c5fb65e51a7643424d83e4d98de6c156270a5bd46bd184971f0f36a0b5f5c192263efe0c4d30e47f1b8ab8736bc89dd842e39879175c
-
Filesize
471B
MD5656018322dd4a0a1d0d45d6e1afd9aa8
SHA150c52d392a825057aaa8cdf7487767983dc4049d
SHA25659b0d523749dff91a8eb4424146519ec4421b3740c253dbb04c04500d1c39087
SHA512876ccc4d2fc518b2e85270d455817f57abcc8adb7897aa1f219c751d996379062ac9a4c2284b0aa15ced977a638441447db5b2d97ec6a41b9b7c601535f95de3
-
Filesize
727B
MD5d3fb75bc3f62760e845038cb33832c47
SHA1bdf0989f892f6343c7d812bf9dba133a2954945f
SHA256e54911ea2be4223154f66d3006974901a875a51b6c6dd3338d770f5a87cf24e3
SHA5121d287a5667ba214b223da29575041abd94c1acd4aa3d9ae88e81590d83bda2751e5631a5369474e51e8d6633be106a4f1899ce31fba8d3a1f96cd358c3216d91
-
Filesize
727B
MD5df0fafa65c94099f93f04e3af9573a01
SHA1566a75e7b0ac6b0ed2833a043d0a3a5567bbf75b
SHA2564c3baccaef5b8ea5d78155a59c275a0ca1d8f461111b0ff2fe186d1733007333
SHA51257af4e6573501282919a506349220611aee40d8208787952800b51f081a978b52943caae0c7ca8cb238ccfbb24a566a47166259c6ccd7745663037aa79eb4deb
-
Filesize
400B
MD54a8d684c0b42f6cba4113e4aba4b99b9
SHA12b0070c6db9a81c94c048bba2d23a1030d264e6e
SHA256e65e52b244ef1567da833da1016b91be943de013947a22f2791f62dafe1f5180
SHA51220e3be57709ce20450cbe35c1d34345f434baf731638208ad04052ab886a87de99cac93915a7e63a5609153af214fc79bc1b5eedcb100d08a39aef102c26d4b1
-
Filesize
404B
MD56eab1b9ca1aec40808f77df381a7c927
SHA1246dc5ac9983a2f90c51000b3cba7e3690e9b5a9
SHA256ca0549f7e194d645a4791ac7a42cf805fc66b8e398de0cbb7e8b683d79836512
SHA51296dec6269669fb1c14a99b06d55388648e5abbd08c69fd2f2c6300e44544e7fb5bf65a4493096ea061f4df701e248018ea93e0f2addbf39f6f4f1632cb2ca123
-
Filesize
412B
MD59b64f1ecdf30f256c024f9c1500e251e
SHA1ea0ad0650b8aa0ec1efa4a6df9135005581ac6b9
SHA2565e7a25b2b79e2b80cbdf4b6e18d80b1a9429c43bdf1c84c990ec151ac173bd69
SHA51275f198c6e67b307b6cee7051e9ba1d834422708aedaa29d083ed8b7c6f8c58dfc9737ea46f5cc2a20318f6d8ce5a184f9426e0cce8bfe856548b34026f4e32dc
-
Filesize
275KB
MD5672e03b9d7a2d50f3e935909a198928b
SHA16cc8a45126243c6ad8a6336ef1789e6a8b5dd33f
SHA256c4772f8a8761f052bd0336923539699ba2f358ac203beb197cda576146e05a0d
SHA512bf5833ea48942319d560fb4dad62997fa5495e0d9c634361d919d3328364d0f4a999dfb56590d48227c3690d8a867b022f6d5fd01c46f27d2ad6421d88380372
-
Filesize
19KB
MD54db38e9e80632af71e1842422d4b1873
SHA184fe0d85c263168487b4125e70cd698920f44c53
SHA2564924aad650fa0f88c6fc6ca77068d73f70f0d0866a98212b615290ffb0b04efa
SHA5129ce1e75b11e43369fe2320cf52bef856170385a8e898a934c735cb92a8399e5e612a54b248579687c372dae58e47e05d9095116313aea9555cf2358944252d77
-
Filesize
179KB
MD51a5caea6734fdd07caa514c3f3fb75da
SHA1f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
2.6MB
MD5c381c2cb8fdd6acf1636280b9424f573
SHA17918e2c9c6f2847078bb736968f8f21b7e70a0af
SHA256ff2ae62ba88e7068fa142bbe67d7b9398e8ae737a43cf36ace1fcf809776c909
SHA5122740b78b04d88981db065138f1962dcee5b867c5aa6216cca4a3ad2773194c5956270664875575c3a31c014f64d4135ffa762a79ebbe5cddd0696d1edb7bd119
-
Filesize
727B
MD5a051c646f7b037c1dc5ad69dfe818b8a
SHA14b3a867949a4802fe4ef470350758adb6e0cc192
SHA256293b6af3d459141198d758555341fda00f7e3bb33f0eba6ffa3dc765c361592a
SHA5128924aff3c23439ca0a8624686390f5b622713559a40d2d3bc68359352b9aa76236ba099afd27969b154aa744d829b8be4aef66e8db1c022cff23d9f55fda97d3
-
Filesize
408B
MD5a566c319dffe96642014ef90ac087f46
SHA11acd85252596a5fd6e7e74f34a4ecf7668fae78b
SHA25657da487d0148ff711411e7eb9990fbed6971a4db7b4cea98643e4214ad5c529d
SHA51249921b8bec86114aea47bf14384e85c2bae86f5063a73b83043ee69fe03a1a518890d22687c104357eec53f4053be315fbcff57504b38846bd8f7c822e5bdbf9
-
Filesize
412B
MD5f7aca9865a318395e9b14f2b89b3b7c6
SHA1144733ebc013425cb9c38860022ecbea9d2f6a9a
SHA2568f555630c21cd9ad3b4bbb5e6c7b2d31dc982d524537eb04e72251341afbd439
SHA512256d7ff0c829449a3d3013a435fe14c96f0284ab4f6093fd6664988071c24528f5dbc9cba52a380c7c1e5bb098c457fb9f80d07f072cfed417fc04b5e1006b15
-
Filesize
23.0MB
MD5448b71e1523affcee6de5a9370e004de
SHA1c5c33d47a33237c6302e60c9073142c54b33e080
SHA2569cee36f3ffb744c9528f50f362b63d525e459e039ab2d02a836949f21c1b8f3d
SHA5129714f7c7caa91e9ddd5c3282746a0cc4255d299b01452a22a01ede6a17117ccb3d9f2d6535e8571cc3dbc6e173ad938d8164ee0d2bc7b44c11671f3804b30db4
-
Filesize
6KB
MD5edb9ce529a5966802aa5339e58dde477
SHA1376dc3afc9b199be8baf064cfe3a4ee661520597
SHA25655c0a770dfdfb94df03924c87e949aaa8a8f11ac597dbd9506debe4c0f45dd71
SHA512fd8a5bf37d87bb3720e6af4937eb58959f878540b0a8afa6160663360d9fbe94e4f06305958a574175acebd4ccbc8f6bb6bf126bc3868cf0c1d662998e9d7a08
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
176KB
-
Filesize
10.8MB
-
Filesize
704KB
-
Filesize
10.8MB
-
Filesize
224KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
712KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
608KB
-
Filesize
10.8MB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
152KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
184KB
-
Filesize
7.7MB