Resubmissions

29-03-2024 07:56

240329-js6wmsde66 8

29-03-2024 07:53

240329-jq57bsde32 10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    29-03-2024 07:56

General

  • Target: setup.msi
  • Size: 8.5MB
  • MD5: 86a68878633d570e195609fe33640561
  • SHA1: 5a5355a80750693493c4ff9d4184d3234ad62b73
  • SHA256: 7a5d8ef1b6de2d300a6a3118426562e881577c85ab2d919f0337e4de0e9aaa92
  • SHA512: 502f996aff0273aecd4256bd25b3bcd2187a2b44c1b26c0b64a622ae2d788328d8f8e9bbd8fa9119a0edb282d1737f8f502ecf69484a70b14fd287442630c1a9
  • SSDEEP: 196608:zN7EYGIfVlhQ+gtODuwjWT6mPLJo/QkPM27rMr:z+3IfVlhQ+glwY6AW/h37rM

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 11 IoCs
  • Loads dropped DLL 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2332
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding AD15DBC04DDF5263A70E43D327F874F1
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss9F3.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi9F0.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr9F1.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr9F2.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2692

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\f760736.rbs
    Filesize: 17KB
    MD5: f0f7ef7aa6e815942a2841caa8173519
    SHA1: e0edd7c333a9577e33e51bc52f07bb6315acf261
    SHA256: ea5cdb578178b4e2e5cf9b3e4cfe72ec126ad3c013e82810d03a9a9c2474a83f
    SHA512: 402b47b7cbf4c06dfb3186bc1cc00518fb2bb8205d7cdb397c4685b11923eb1e309f27b1cd85afb7c0e11d991178381d3bf6ac6f22a6dbbf9d7c06046c5c4e28

  • C:\Users\Admin\AppData\Local\Temp\msi9F0.txt
    Filesize: 42B
    MD5: 0fb609a6d2027ec24eb33cf64bd95b20
    SHA1: ec07f4535b17f362ba12924d62fd952a93e61547
    SHA256: b9227e3366d64bcf11da5683b8fc1d5e10afa40b66434ddb7b279f835a9401c9
    SHA512: cc522dfac8b6958b97cc495af936b7c716199d1b257f3aa4f9eaf08a78f003c5a4ea8b90ab506db46ea751988d51b0f99bea9fdbcc46037b4c0997ccb86557b3

  • C:\Users\Admin\AppData\Local\Temp\pss9F3.ps1
    Filesize: 6KB
    MD5: 30c30ef2cb47e35101d13402b5661179
    SHA1: 25696b2aab86a9233f19017539e2dd83b2f75d4e
    SHA256: 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f
    SHA512: 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

  • C:\Users\Admin\AppData\Local\Temp\scr9F1.ps1
    Filesize: 542B
    MD5: 753240f3d0c58563dcba1244db69b0d7
    SHA1: 4a0f248fccc2431ece50f717cbf80f6681504932
    SHA256: e77dbd670eaa228e96cb8ab002b0aa7f55a78779fb58754436ec691e6de14e5a
    SHA512: 03987837557d6342280d7871b19472e7c05cabc203824081f6fff38083ecef2da8135642644b598b21ee294816d1ed22d0573db04e5c739b2b08c28f7c441ae9

  • C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libgcrypt-20.dll
    Filesize: 1.1MB
    MD5: f74e6b15bbb4d3a8decb9fe17175d056
    SHA1: 20a67c7d020bce3adcbd34cb0044771ae0bcb2ba
    SHA256: 50235ec9328d759d9adceb1224999bcf5d602594b2c6260c4f793b84c533e6d3
    SHA512: 5c896a916537cbf6e4f6c995a240b3e651356e5a5fc549058cc60892c5905e64a3fd78cf0998149ca88f474f9ce78c94ea398bd245735a1b242f497adb44bbf4

  • C:\Windows\Installer\MSI78F.tmp
    Filesize: 738KB
    MD5: b158d8d605571ea47a238df5ab43dfaa
    SHA1: bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
    SHA256: ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
    SHA512: 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

  • C:\Windows\Installer\MSI957.tmp
    Filesize: 758KB
    MD5: fb4665320c9da54598321c59cc5ed623
    SHA1: 89e87b3cc569edd26b5805244cfacb2f9c892bc7
    SHA256: 9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59
    SHA512: b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf

  • C:\Windows\Installer\f760732.msi
    Filesize: 8.5MB
    MD5: 86a68878633d570e195609fe33640561
    SHA1: 5a5355a80750693493c4ff9d4184d3234ad62b73
    SHA256: 7a5d8ef1b6de2d300a6a3118426562e881577c85ab2d919f0337e4de0e9aaa92
    SHA512: 502f996aff0273aecd4256bd25b3bcd2187a2b44c1b26c0b64a622ae2d788328d8f8e9bbd8fa9119a0edb282d1737f8f502ecf69484a70b14fd287442630c1a9