Overview

overview

7

Static

static

1

systemutilities.msi

windows7-x64

6

systemutilities.msi

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    08-04-2024 23:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    systemutilities.msi

  • Size

    9.9MB

  • MD5

    41eda719c231e212e02b2683d36edfa4

  • SHA1

    7257a3350b7b856c16b146ff063f002b42903543

  • SHA256

    1c6191ddeb164efff30358f7de88022577b6bfe0dfbe0a29ab0f3a2b25637bd2

  • SHA512

    1d7382b75d1b12a690d2caeead05c74c3fe83f7888be1bee1bbcfec31d0675967473393b39af87d97ad10c91d2ad6420ad0be8ac58b45d88779ec8e9c4403e77

  • SSDEEP

    196608:mkBx8XfML5Nf7QJ91JUREHYtDBkXfML5D9qdSK:mw8XfMvy91JUgyDOXfM1I

Score
6/10
discoverypersistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 22 IoCs
  • Drops file in Windows directory 16 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\systemutilities.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Program Files (x86)\System Utilities\autorun.exe
      "C:\Program Files (x86)\System Utilities\autorun.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Program Files (x86)\System Utilities\SystemUtilities.exe
        "C:\Program Files (x86)\System Utilities\SystemUtilities.exe"
        3⤵
        • Drops file in Windows directory
        • Executes dropped EXE
        PID:2204
    • C:\Users\Admin\AppData\Local\DiagnosticDriver\DiagnosticDriver.exe
      "C:\Users\Admin\AppData\Local\DiagnosticDriver\DiagnosticDriver.exe"
      2⤵
      • Executes dropped EXE
      PID:896
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 24A00E9142F85A1722F4C0D0DB89A37D C
      2⤵
      • Loads dropped DLL
      PID:2352
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A58ED05C7115A1965EB2EBAE05F6D086
      2⤵
      • Adds Run key to start application
      • Blocklisted process makes network request
      • Drops file in Program Files directory
      • Loads dropped DLL
      PID:1724
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1224
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D8" "000000000000058C"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2192

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\f765d3f.rbs
      Filesize

      130KB

      MD5

      7b1b73c71e16edf0eda1d7eb467e88e8

      SHA1

      a10e6febc9b57fc5eca0a011b94380d5a3793421

      SHA256

      2efa3edd6580ed362dd13c2a8e7afa974afec050cbf80743055b6a37e23fb6e3

      SHA512

      99f4cee8462f0dc8f329eb537574a7d4ac75c14c230f088c72145a1c2def2a38d30e14e6c74c483de99a1116d608e6f1ec36ce70a9493a646ee1354269cc9577

      Download Submit
    • C:\Program Files (x86)\System Utilities\Installer.dll
      Filesize

      104KB

      MD5

      10e3b8cdb5ea0edccc1e0b530aa86728

      SHA1

      1130df082a5c4e76996a9cd5f592dab241d1d5b9

      SHA256

      17e36de345871c2af2575ddcbbd0a8f30da15ae2dedeca5a094fb57bd9e0d71a

      SHA512

      5b34f3f7c10b8266f8773c5771f9fa5e1aab8799a8bf0db0fb23e54c047417005a8cf97169e7e7eb825983c59125d4fa07e3157a693d32b15a4de1234bbc11ff

      Download Submit
    • C:\Program Files (x86)\System Utilities\SystemUtilities.exe
      Filesize

      1.9MB

      MD5

      cb597b9b40c93cfe74cd8a0775905a38

      SHA1

      1111ab2f4dccfd9f333cb234fae8063167d0c9ad

      SHA256

      31934a61620f3a9bf2de6f67fda177991abd1ec78b8cc37f0ce31e263290285e

      SHA512

      eeb19899f0bcdf3256c8e8d4bfa16e0acefa0802c06b4fce64fee1d74c9409571697affa4dce2259433f00fe0a7abf9a77799667bfe86a3f07307db76125b10e

      Download Submit
    • C:\Program Files (x86)\System Utilities\SystemUtilities.exe.config
      Filesize

      176B

      MD5

      21fa0b1d75c0cc7369f1e735fe90c7a9

      SHA1

      e2d01a1b6aa66e5d3ed575aca79560b014bbfefe

      SHA256

      ad8267122c40d37dcd9d99e1412d763187a1825732f378db8867f3ecf675cf70

      SHA512

      60f6704cd1b3035a1a3403ee3870c7cbc13d6e601172745336ebbffa2ee3dc21785702470ab006c69dbbde0d5525625bb25ade5c641c80c8165fbc46fdad2ad0

      Download Submit
    • C:\Program Files (x86)\System Utilities\autorun.exe
      Filesize

      17KB

      MD5

      f0c37252c88c7030cbf9cf30e5fb6048

      SHA1

      5ae57e47270aed2ea22dc1c28914442a99f59fc6

      SHA256

      15fa6afa5d20085b42c84ba131abf7553fa538efeaa53d7b7c866ff9e3458bb7

      SHA512

      93a102954dafe1fa883f77ed4b1b6a049f0ef641f97d5b18e739d58b652d2eba20ec85a6123b565cd8954cefca41175a5038fdc00791fd6d81794c58e73c2c1c

      Download Submit
    • C:\Program Files (x86)\System Utilities\autorun.exe.config
      Filesize

      189B

      MD5

      9dbad5517b46f41dbb0d8780b20ab87e

      SHA1

      ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

      SHA256

      47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

      SHA512

      43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      9216db24080d1ba77e75eb7f917d59b4

      SHA1

      daef94b8020656275782291658fb06a1574aef66

      SHA256

      e84f34d1dab1270e58d8561c0bf6425de6857fa51c319d2afaa713b67cf38437

      SHA512

      e607736e2f3e6d84e2e0bbb5338faeb810b4d1fda87a907e088ee1594644ab08eda6d53b7cfd47b6b59f9e69cc850e7a3c7f7ca0774282672a31da6549fec950

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      ecd1469457c534191545d300e8736db7

      SHA1

      e8ab8802d090304afb24f08ffa7269cec1cb66b5

      SHA256

      bae3eeb8d57f2a668cff23b0b7e4b5b05ca5b1f7067d17dfa167e85031c13481

      SHA512

      e3ca5a0c82db91cbd4fc4b453f47890963b04c639496dbdfcb880e2980eb4f1ec2a5a3e8fecf5c30639dcf76eab636f5820c11dda7b3f8ab18b65d5e363bb850

      Download Submit
    • C:\Users\Admin\AppData\Local\DiagnosticDriver\Config.txt
      Filesize

      296B

      MD5

      23bc669aa82b3cf8c4e8243eae7be74f

      SHA1

      ed4e56a75682046e2d8dc867952b6485435bf800

      SHA256

      984d1ce3ffcc988d27b739f6f41dfd959c617e51c459ed72e08b81c1243004fe

      SHA512

      88f57a851f88a966339ffe565770e310ed804b51c3b0af3261d4729c1a5f3c0f6703a3591eed0104bce5e2be58a42f37b9129d8dfe2f5199417f4aaca4d3da15

      Download Submit
    • C:\Users\Admin\AppData\Local\DiagnosticDriver\DiagnosticDriver.exe
      Filesize

      160KB

      MD5

      ab4441a5f23e443a4c1ab843930c586c

      SHA1

      b03227d6915e33bb123548a257951a131f022191

      SHA256

      2670ec42a59de4be83ddb4593fa3ae740864323dcf5e2bd31e341835c00a6446

      SHA512

      72442465a0cca56b6cfc8156ee5625ab6e551a5e2319ecfea7df85b68a531dc1f96830830e0eece24d98e22f2597a339d7a41d016998b0a91a326d547ab41b30

      Download Submit
    • C:\Users\Admin\AppData\Local\SystemUtilities\Sources
      Filesize

      64B

      MD5

      d655a9d947b6a782a09a29614510ab26

      SHA1

      1cb8a73db6fb02d89d00870685363c6595382832

      SHA256

      9103a3bf0c3a98076b030e6528714c92306dc27938b18a337c5fbcbeb9cc0e77

      SHA512

      23b7a6171bfb95368c915c0b45d02bd2567cb2fa5b0be1b36f4dc455f6ae5defa91548718d1595dc4352e51e46e665e855e32160b2a7fd488443cb5ef9abb2f0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\CFG61BF.tmp
      Filesize

      152B

      MD5

      68675e0d405c8c76102802fa624eb895

      SHA1

      f8cf5e4a678b4574365057ff91019adeb2f9d4a0

      SHA256

      b839cdd1c3f55651cd4d0e54a679bce5ac60ed7618a7b74bfc8ef8ca311e53ed

      SHA512

      c712c1bc97c9b7282262622367f399c18dd73156acd09c80d151a92c78d4119af9101bf902678b3fe767e9cc9fff95b6aafb858d179c7ff7d2721d1e9171cc3d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Cab24E1.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MSI28BE.tmp
      Filesize

      285KB

      MD5

      b77a2a2768b9cc78a71bbffb9812b978

      SHA1

      b70e27eb446fe1c3bc8ea03dabbee2739a782e04

      SHA256

      f74c97b1a53541b059d3bfafe41a79005ce5065f8210d7de9f1b600dc4e28aa0

      SHA512

      a8b16bc60f8559c78c64ca9e85cd7fd704bba1f55b362465b7accef1bb853d1c9616995a35f972256c57fbe877ce880398ba1fbceaa658604883aa12dcbc4f57

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar2503.tmp
      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar2674.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit
    • C:\Windows\Installer\MSI64B9.tmp
      Filesize

      106KB

      MD5

      77c9fc2bca8737f2de4d1d31ac0e385d

      SHA1

      4eb76332e4cfb9d217cd42b7a0a31fc1b092be98

      SHA256

      f9f945ef8cf84de18a4c2a5fabf14f425bec19225f99164684ef3f65e9eeadbd

      SHA512

      867b2d0b59c54b909076120f7a92bb7d1d3e86e098dfb0284d50592cf9ed6a03b5c9d24e6bba7d424c67a4b9c0564095a28f744af393fa276053073a7cdbb45f

      Download Submit
    • C:\Windows\Installer\f765d3d.msi
      Filesize

      9.9MB

      MD5

      41eda719c231e212e02b2683d36edfa4

      SHA1

      7257a3350b7b856c16b146ff063f002b42903543

      SHA256

      1c6191ddeb164efff30358f7de88022577b6bfe0dfbe0a29ab0f3a2b25637bd2

      SHA512

      1d7382b75d1b12a690d2caeead05c74c3fe83f7888be1bee1bbcfec31d0675967473393b39af87d97ad10c91d2ad6420ad0be8ac58b45d88779ec8e9c4403e77

      Download Submit
    • \??\PIPE\lsarpc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit
    • memory/896-480-0x00000000002A0000-0x00000000002AA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/896-577-0x000007FEF4C90000-0x000007FEF567C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/896-474-0x00000000000B0000-0x00000000000DC000-memory.dmp
      Filesize

      176KB

      Download
    • memory/896-477-0x000007FEF4C90000-0x000007FEF567C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/896-479-0x000000001B1C0000-0x000000001B240000-memory.dmp
      Filesize

      512KB

      Download
    • memory/896-481-0x00000000002A0000-0x00000000002AA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1724-439-0x00000000004C0000-0x00000000004DE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2204-659-0x0000000000880000-0x000000000088A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2204-478-0x0000000005070000-0x00000000050B0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2204-476-0x0000000074560000-0x0000000074C4E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2204-472-0x0000000000E30000-0x0000000001014000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/2204-660-0x0000000000880000-0x000000000088A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2204-663-0x0000000005070000-0x00000000050B0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2204-662-0x0000000074560000-0x0000000074C4E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2204-664-0x0000000005070000-0x00000000050B0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2204-665-0x0000000000880000-0x000000000088A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2204-666-0x0000000074560000-0x0000000074C4E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2960-467-0x0000000000A10000-0x0000000000A18000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2960-473-0x0000000074560000-0x0000000074C4E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2960-661-0x0000000074560000-0x0000000074C4E000-memory.dmp
      Filesize

      6.9MB

      Download