Analysis

  • max time kernel
    193s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/04/2024, 15:06

General

  • Target
    CyberSpike-Setup-V1.2.8.msi
  • Size
    70.7MB
  • MD5
    a1f44ab3a671c97af4be10ea09eac393
  • SHA1
    d226a85cfa5b744e94e52abc9341173287c4104a
  • SHA256
    ac14ef2a4ee7b383bad45efa5030034394876013c7258d179e5f1657eeff39bd
  • SHA512
    092b3f17b3f75d402979535b10042eb29ad113eb3246c70f23f945d63da60cbaf2f117d6228543baa0c4fb5bdc3f80972ad88817a4bb2cc877e8007e71efa2e8
  • SSDEEP
    1572864:sUJZMWWS8KaAkws3GmoAcHIhHEc2PsoNWL1eDj+0QV2qS/MdMC9NRNl5NS:h745AkwsFNEDnNIeH+LV2FsMCXN

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 47 IoCs
  • Drops file in Windows directory 12 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\CyberSpike-Setup-V1.2.8.msi
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1956
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 85E132D04D5CB9DC5F59DBB6B84200C9 C
      • Loads dropped DLL
      PID:2036
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 9652C2F417DBC047275E08C718A88CB6
      • Loads dropped DLL
      PID:1008
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID:2592
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A8" "0000000000000574"
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2420

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Config.Msi\f764c1f.rbs
      Filesize
      32KB
      MD5
      c11cd1113d3d22ae7aba91854c49bf2e
      SHA1
      f8f74dff649eebb7741ed0801ac77efbea491d64
      SHA256
      eeb714b0647802cb0dfbb444dd0ed6f02046bfe8e85821e69b3e5343f0fabd9b
      SHA512
      b350fd97a45fcb83bc1009df471a456181b5a292ddce18365fb8049b4b8a61b7a8e7f353a66e2b86a642880ae88033d1797b5243ff97f1d0606c47a18af94005

    • C:\Program Files (x86)\CyberSpike Studio\CyberSpike\Plugins\System.Management.Automation.dll
      Filesize
      6.1MB
      MD5
      4e83c528d307d3b5da2aed5abbe3ffe8
      SHA1
      2e84ceccecb30378f84be898711f15b4e157e045
      SHA256
      0208b783efaf3854f07a31f9bcbb46f9afcd80b12e2ddb8001a9faeccfc2d0f0
      SHA512
      378f75db718891fd214776d7d5a2bad0c493dcf5c4413308554d2fe3283170aef55de1ff4bdbc0d417e5bef4f6acd3370c48bb33c37f360a606baeff12e6f72a

    • C:\Users\Admin\AppData\Local\Temp\MSI1BF9.tmp
      Filesize
      285KB
      MD5
      b77a2a2768b9cc78a71bbffb9812b978
      SHA1
      b70e27eb446fe1c3bc8ea03dabbee2739a782e04
      SHA256
      f74c97b1a53541b059d3bfafe41a79005ce5065f8210d7de9f1b600dc4e28aa0
      SHA512
      a8b16bc60f8559c78c64ca9e85cd7fd704bba1f55b362465b7accef1bb853d1c9616995a35f972256c57fbe877ce880398ba1fbceaa658604883aa12dcbc4f57

    • C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{003B9766-E418-4C8D-9945-7D37225CAD95}\_57A0FCAA677BC563120477.exe
      Filesize
      66KB
      MD5
      04525535dd0b6a0206afe4fb3fa5c829
      SHA1
      c4829cca26792a27811980bdb1223b924b6e90b0
      SHA256
      bac4051d19a839ada5493c61aad6809fa585c9165da1067053bc5932efead0b7
      SHA512
      f8417d3f873119a2f7578c79988f293e44c6778c9d7037f875e3f1460a376ae2a964b92a8102ebc28f0d9beab1a4a785756db59955d236fb362ba40310deba6f

    • C:\Windows\Installer\f764c1d.msi
      Filesize
      70.7MB
      MD5
      a1f44ab3a671c97af4be10ea09eac393
      SHA1
      d226a85cfa5b744e94e52abc9341173287c4104a
      SHA256
      ac14ef2a4ee7b383bad45efa5030034394876013c7258d179e5f1657eeff39bd
      SHA512
      092b3f17b3f75d402979535b10042eb29ad113eb3246c70f23f945d63da60cbaf2f117d6228543baa0c4fb5bdc3f80972ad88817a4bb2cc877e8007e71efa2e8