Overview

overview

7

Static

static

1

MeTSetup (1).exe

windows7-x64

7

MeTSetup (1).exe

windows10-2004-x64

7

Analysis

  • max time kernel
    172s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11/04/2024, 07:12

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    MeTSetup (1).exe

  • Size

    77.7MB

  • MD5

    f0c83297881486535346fc2b7e12f1fd

  • SHA1

    18c22e11378cca745750a9302e17495b48d6ce90

  • SHA256

    c2c04f7a5b75da5fe87f100d9f8b92b340b66148dbef0c6314a54f2a8b8cb4cd

  • SHA512

    f4cf463b428c4115eb5042db37e3896a039b916259951f64778f6aa6101941f187abe348b6f3e4f30746ceba6c003e76d8aa2266f2183f07f52606a2633277ee

  • SSDEEP

    1572864:OGubpsnuEY7TBXuTCQlGuoeHxdEOH+PrJ+4YvQsD2s6FJ:OWnuEWVX+RlnDSOQhJ

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 26 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\MeTSetup (1).exe
    "C:\Users\Admin\AppData\Local\Temp\MeTSetup (1).exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Local\Temp\MET_SETUP_a02444\setup.exe
      setup.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\MET_a02760\setup.msi"
        3⤵
        • Blocklisted process makes network request
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2424
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Program Files\Microsec\MeT\MscKSPRegist.exe
      "C:\Program Files\Microsec\MeT\MscKSPRegist.exe" -register
      2⤵
      • Executes dropped EXE
      PID:2764
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DCA1F57417525E29DF3C5C2246DBA349 M Global\MSI0000
      2⤵
      • Loads dropped DLL
      PID:1920
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1568
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C0" "0000000000000338"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1020

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f78954f.rbs
    Filesize

    20KB

    MD5

    fa715454245aa56f8a183aeb957d0889

    SHA1

    979f7e09d1f9fa9b546593376e29a8499eb40fe2

    SHA256

    7b53e030e289c8c00e978841ffea9ab128856d8a31575d9cd0b4fe6c6d4f60d5

    SHA512

    3aff756383412b9c9b964575c0e3bd55db149d47cad7bcf63af733ee75e358ef8468e535ed2cf82dadc111c847f5e69a946323afbc33761d541b157b699e2b2c

    Download Submit

  • C:\Program Files (x86)\Microsec\MeT\MscCertificateManager.exe
    Filesize

    7.5MB

    MD5

    089cd1cef36a26e1a24c3b6cb427821f

    SHA1

    1565c489fb6e4663fc09cad10abe32c8227b796d

    SHA256

    d99c70b0bf9ebbcbd2494415f43ab26c699a1acc5c7995c82d9debf770b8b5f8

    SHA512

    06c01593c39014b7d7df90d791be88ced8bc2d0166313adf26b98ba3939c2a218124726d3e2ae58e102720600d395fa87eabf71b406f2d00b7e8708f24c53ae9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CE8B5763061589BB1835A4B6566F644D
    Filesize

    580B

    MD5

    de1ff69e84aea7b421ce1e587dd18498

    SHA1

    89d483034f9e9a48805f7237d4a9a6efcb7c1fd1

    SHA256

    beb00b30839b9bc32c32e4447905950641f26421b15ed089198b518ae2ea1b99

    SHA512

    b47857b84854b2e6c73bc883554fd42077d060d115696f005131e94e60badbe6e750ca88995f53edd9abdbdb8d19c2d7b341358f61fa068c840864fd066c27cd

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    5563f4d1b25414f192a044f4ff0e1802

    SHA1

    10807e007c5479b04daf5e46466722d68bdaf52f

    SHA256

    2358250cbf8ff227995e417c9aff5825920d1a1f527471cf287b16e44fc8df5a

    SHA512

    39cdc0b68eebfd24dc90c7bf7e85c99feb49b13c8f61a60f8f98ad3c16c1a703c797ce3f018058f1e382d5d4ede50b34c23fc62d25ee67187d18b96befce65f4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CE8B5763061589BB1835A4B6566F644D
    Filesize

    254B

    MD5

    af766c59ec90c404f72d0ab6a1c8cec4

    SHA1

    e8097b1887936521f5b0d32aaeed55f9f16de249

    SHA256

    07743371822a25ac2b2fed56df1ebad9c3edfdd6909ffcf4adef323497768b81

    SHA512

    959288f102f0b0d8a6a49fb4a61b61eec30c13b86faf39d87f3f4f7fed01b8b1ddae7bd1abaecf4208cdafe1d8de811529d1b4279e050467c1a9228126d11710

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab73DB.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MET_a02760\setup.msi
    Filesize

    43.9MB

    MD5

    80f780f89273fed90c84d7ba9901437d

    SHA1

    70106b845e69a69e9e98229a4a7942c1b77ec20d

    SHA256

    96e65c40e476ad1a6c32b4af0c1378fabb8f86577d7a6fbe984981fd460b0739

    SHA512

    f4b079a8cb53c0437aca51d77c5d8d8c915c142acff67043f25b563bfeafd735848a3d8c9e5c4231319a8e5b5dcc513512df7e44461967728a7e1f06cec277cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar7600.tmp
    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar77F9.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    Download Submit

  • C:\Windows\Installer\MSIBE6F.tmp
    Filesize

    1.9MB

    MD5

    641c3181c7d469d68d934c56dd6bba09

    SHA1

    305d139560cbefd6de48184ac0086502b036ce94

    SHA256

    1d2660f3d6fd3b6b245b383fab30466af1e521bee31884092b8442c12d84b48a

    SHA512

    4a91e4d05de7bd66258f5c07fe928a1edbe46dbffeaaafc522622a61e72c2e5504bb9da98452dd701355a51092ca22fded29907c3cd68bd09c4bdede1488d1c2

    Download Submit

  • \Program Files\Microsec\MeT\MscKSPRegist.exe
    Filesize

    134KB

    MD5

    fa8aba7e52cf9c1422b71b2543dc814e

    SHA1

    3ba2e62a2b3e56da05dfe9b06e1b59620c430a8f

    SHA256

    05b44932ed728b108d3f23906b69de2deedb5b72b5a2e7bbb926d31ecebb48e2

    SHA512

    f9528f30188ce3cd17f3b05059190d254ff91333bd4ea1bb8f54da9df941d6e197f1e49666fa73f3335982754d0ee7511c16855e0c6b3154816bf12c98559bc9

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MET_SETUP_a02444\setup.exe
    Filesize

    77.4MB

    MD5

    67ce46f5508574cbeca12583960b4717

    SHA1

    96130fc87ad6657eb62adac61655613c9d267e6f

    SHA256

    4969f7f0653c2f9353a878be2577664d68110090ea503efffb75ff5e6cac820c

    SHA512

    d89d7cb7b0d1fdf198d8dd0f8cd900c353ef3359314e9a326e195f61eeb770c36d67b19e1eca2c6d92446f6eddc6a918002be589285c3c34ce387ed65696149e

    Download Submit