Overview

overview

8

Static

static

1

e217c48c43...a8.msi

windows7-x64

6

e217c48c43...a8.msi

windows10-2004-x64

8

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10/04/2024, 14:33

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e217c48c435a04855cf0c439259a95392122064002d4881cf093cc59f813aba8.msi

  • Size

    5.9MB

  • MD5

    c5c0829df294cc4fd701df5d5c55718f

  • SHA1

    fd581050fe011ff6e71463c9dcc68de14571ef04

  • SHA256

    e217c48c435a04855cf0c439259a95392122064002d4881cf093cc59f813aba8

  • SHA512

    0d40fd22298a5f5537402392ccc707a3fa5421e3501a4867efc8d39c9d343f22f9c0476e427a53b28e02d43e8533c587e590a8716c75a6a5b21c0e65d4505d1b

  • SSDEEP

    98304:GAC9AGDm8MytOY9woKC4BDBwWlKylZ/FxCeMxlGV9GZRik9VI5TMwGP2KEqT:w9mzytc/CKDllTllCeue6STzKT

Score
6/10

Malware Config

Signatures

  • Blocklisted process makes network request 6 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 50 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 60 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e217c48c435a04855cf0c439259a95392122064002d4881cf093cc59f813aba8.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1728
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Users\Admin\AppData\Local\Temp\Installer.exe
      "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --msi --key CdycOB2hlD1SvDitJAz-KQ --customerid 01018025 --policyid 0 --folderid 02824915
      2⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Users\Admin\AppData\Local\Temp\Syncro.Installer.exe
        "C:\Users\Admin\AppData\Local\Temp\Syncro.Installer.exe" --msi --key CdycOB2hlD1SvDitJAz-KQ --customerid 01018025 --policyid 0 --folderid 02824915
        3⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1168
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2900
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D4" "000000000000005C"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1328

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Syncro\logs\MasterInstaller.log
          Filesize

          922B

          MD5

          a1b70b715d1ec3d84033e792429648eb

          SHA1

          ba5f9fab0bb3cb0273f12e1f31717b3c4c33e706

          SHA256

          f5661e06c3f075bf9e7b159e44b64feef8e3d6b9a8cb4ce1e4bed870e8099af7

          SHA512

          b08b922a3384f2033875bc76e822b7cafdffdf5a9a50d4e65ba8e78078ca701e344a57dceff315774a746dd6d81784211b39114345a685ba71e00318ec0d9608

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
          Filesize

          2KB

          MD5

          60f0e64111e920147fb1ed5d0359e3eb

          SHA1

          bf1d8bd074ab6885d0e68d75413fd20b2e1d479c

          SHA256

          8b335f0fb25d1eb787e7ef0da3ae96464ced878ff0c686520e4590b163c344fd

          SHA512

          650a858b21282e91c70faa9f321cf71f8932064cf2f72518dbd0a68cc227da7e0b9d33625665cf44c6b251fb3092ae4f09ea576bb5a9187e08541257eeb67824

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          68KB

          MD5

          29f65ba8e88c063813cc50a4ea544e93

          SHA1

          05a7040d5c127e68c25d81cc51271ffb8bef3568

          SHA256

          1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

          SHA512

          e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
          Filesize

          1KB

          MD5

          a7555763ca886bbc82b670be9c75afab

          SHA1

          8ab5c0e28b1e24eb43126e7c7fe66de9e06a90d7

          SHA256

          0dd1fb24434dd051af6ab8f8565c5ddf84e2c1e9c7b86eb1e15b592675f13686

          SHA512

          4884ed03f6b504e297b3af0563e45d7213c22daacec8f5ec2c18307c15c4368bf70b22dd318038fcbea075b49a5797b458dbb25e33564811b1f7f9582f520df2

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_52894DBA51C2BA5ACE3EE5577FB04C4C
          Filesize

          510B

          MD5

          754cb896058a365f654e118aeff3a99f

          SHA1

          6ef440d86cb545dbb0f45a88285b34122f52571a

          SHA256

          8bf98f4b83b1972bf979095f34fee01dd404ae9a29b3156d2d5f16e637775526

          SHA512

          a39b8a9d7e808e2e0fcd14d9d212e20e3f86142889853752382a7cced76c6183f53cc8a2e68b3ed0308d151893aa431d6e0466f7616cddd738c263d9edda7b69

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
          Filesize

          488B

          MD5

          c84de2cc818a3da091757b13942e968b

          SHA1

          8e3369f9e919fa345f3c6107caa3cb4c7a434fc4

          SHA256

          0d5c3b0420345d9a0e2613be27c2f0886d5dbe240a051405a0ef3393ffba7f0d

          SHA512

          d31dbd1d047dd5fadfe70bed31e73358d55a89911979d215bf7acd406374e6db1625de1e9f21f9bfb339fd1ac9ecf0f596c0d762d8f6673ab9a344a9b86d7d32

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          e20abfc305093f7207b3541b9982c809

          SHA1

          c28604bc290f26c086ecad851ccddbe60d66ed2c

          SHA256

          a83697ef53cdff617e9e254452b694b6792dc82fae7447230e0aacb075af28ab

          SHA512

          25862d635c6fbb1ae1e038ca3ddcc0de1bf33442433d0fd0e9f2f3fe88fc684123aff91df9bba38d76e266cea8d1d566433f6f7998a1874925d2ee0d28cec643

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
          Filesize

          482B

          MD5

          f22e5dca156895fc3780d9b5d37bad59

          SHA1

          62d6f070e1dd2048496afe7f1880e1af5bc8459b

          SHA256

          c66addc1d32378bf5f71235715927f7a2d198f9cb0ddabe95a3a0212f82684b6

          SHA512

          51b62e448a1ca7e2a2123701c0955163a8f30f92ba6220a0069e5cb8514c0dac6eda57a7f534be0416626e7e15a8bc6033de43800f2bb122dffb8b68f64e1618

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_52894DBA51C2BA5ACE3EE5577FB04C4C
          Filesize

          480B

          MD5

          463cacfdafd5d25001bee302f46336d0

          SHA1

          d53ce5ddb522a722deb0dbfb9bf6d0c679cff694

          SHA256

          d395b4bb4e7d9db646a582da2568fe1dc17b159dbc3f1f5164ca2fcf2ef23180

          SHA512

          bf9cb95c8d17e6b9459ca7609a2477de8512e1e823806e310144831265f3125cbfe80074b2815b50f183360c579a76a2e90491d5352cff1cf334ab30b46b49c1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Installer.exe
          Filesize

          7.1MB

          MD5

          5fdc21287fa2a976bb5a661e6a2a4d85

          SHA1

          3bb03dca0de6961b0be9403979a3847d8ba4466d

          SHA256

          09ac0ed20fdc3cb6b6ff969d18d94f28031d6992fb49f739d0db61d2486cbc54

          SHA512

          f86827404b703f915ad055604cf8d8d533ed3fe7e9856c77809cf7aa13967844c1dc0716bfc27386f5ac1fa2c0d3c70f25bc1791f3957325893322088fcdd9bc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Syncro.Installer.exe
          Filesize

          7.0MB

          MD5

          7bb45f8522187b26bbef2d9957bbe5fa

          SHA1

          4f4bbc74fe99a4f8f288a28cdfbc86441d182f0f

          SHA256

          6547e5d392ed49b02c9afff77cd9c7d36f29193e7c2b511b7e2f31e5650a853c

          SHA512

          1b535e99ea81007eb47cfcb51bbd6c054a4dd312624ef9047d3293e5fa3c0a3a646f737268275a9bb6af1028d1e2607164daffd484a0bb2c01b47305d5517be1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Tar3FA6.tmp
          Filesize

          177KB

          MD5

          435a9ac180383f9fa094131b173a2f7b

          SHA1

          76944ea657a9db94f9a4bef38f88c46ed4166983

          SHA256

          67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

          SHA512

          1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

          Download Submit

        • memory/1168-116-0x0000000000900000-0x000000000095C000-memory.dmp

          Filesize

          368KB

          Download

        • memory/1168-124-0x0000000000F50000-0x0000000000F58000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1168-112-0x0000000000FF0000-0x00000000016F8000-memory.dmp

          Filesize

          7.0MB

          Download

        • memory/1168-113-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1168-114-0x000000001BAA0000-0x000000001BB20000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1168-115-0x0000000000540000-0x0000000000566000-memory.dmp

          Filesize

          152KB

          Download

        • memory/1168-134-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1168-117-0x0000000000C70000-0x0000000000CC4000-memory.dmp

          Filesize

          336KB

          Download

        • memory/1168-118-0x0000000000CC0000-0x0000000000CE4000-memory.dmp

          Filesize

          144KB

          Download

        • memory/1168-119-0x0000000000CE0000-0x0000000000CFA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1168-120-0x0000000000D00000-0x0000000000D20000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1168-121-0x00000000006E0000-0x00000000006EA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1168-122-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1168-133-0x000000001AE80000-0x000000001AE88000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1168-123-0x0000000000F30000-0x0000000000F3A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1168-126-0x0000000000F80000-0x0000000000F8E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1168-125-0x0000000000F60000-0x0000000000F68000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1168-127-0x0000000000F70000-0x0000000000F78000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1168-128-0x0000000000F90000-0x0000000000F9C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1168-129-0x000000001B270000-0x000000001B31A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1168-130-0x0000000000FA0000-0x0000000000FC0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1168-131-0x0000000000FC0000-0x0000000000FD4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1168-132-0x0000000000FE0000-0x0000000000FE8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2940-92-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2940-91-0x0000000000910000-0x0000000001030000-memory.dmp

          Filesize

          7.1MB

          Download

        • memory/2940-136-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

          Filesize

          9.9MB

          Download