Overview

overview

6

Static

static

1

09d845e1fb...4b.msi

windows7-x64

6

09d845e1fb...4b.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    600s
  • max time network
    605s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/04/2024, 10:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09d845e1fb3d1e2ba905c5d4403fd3f01454202d037d943c44cab0ccc288604b.msi

  • Size

    3.2MB

  • MD5

    3985fe5de06eb8e0c7b1a6768632d02a

  • SHA1

    903ae670ed8a6c15c9b134d2bc6e50c765654a79

  • SHA256

    09d845e1fb3d1e2ba905c5d4403fd3f01454202d037d943c44cab0ccc288604b

  • SHA512

    adad86947288538092714e54af492a3dec96e649c385899ed7724b9b3915f40bc6b1b1a9eed1c611c195fb3e129817690693f20760c650b33b6145fc4a7359e1

  • SSDEEP

    49152:WYqSl5xCjk+q4o5q8g73ijhdndJf2R7vKo/Aj5zEKjzuscfzpznX81ED+E45n:KSYQ+XAPn/8/OtNcfzZBDQ

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 21 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\09d845e1fb3d1e2ba905c5d4403fd3f01454202d037d943c44cab0ccc288604b.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2192
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2636
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 8512FB411CA238E6C3BABCC078F2E50D
      2⤵
      • Loads dropped DLL
      PID:2648
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 6140CA7D6A78229662AF383E9E54DE40 E Global\MSI0000
      2⤵
      • Drops file in Windows directory
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3496
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Windows\SystemTemp\pss23C3.ps1" -propFile "C:\Windows\SystemTemp\msi23B0.txt" -scriptFile "C:\Windows\SystemTemp\scr23B1.ps1" -scriptArgsFile "C:\Windows\SystemTemp\scr23B2.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
        3⤵
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5152
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath C:\Users\Public\Documents
          4⤵
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5440
    • C:\Users\Public\Documents\GameStarup.exe
      "C:\Users\Public\Documents\GameStarup.exe" start
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5800
      • C:\Users\Public\Documents\Launcher.exe
        C:\Users\Public\Documents\\Launcher.exe wangwei
        3⤵
        • Enumerates connected drives
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:5868
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4404
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:5960
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:2352

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\e581924.rbs
        Filesize

        215KB

        MD5

        9f8a2327142e37f2ae1c8b4d9a76fb48

        SHA1

        f20200e055d23d8ef704ddc7f7494d21dfa2016f

        SHA256

        6cfb57eb0c15427b35f3ab715908eb0d31fa636973c78037d43e8b4bf957f3f9

        SHA512

        bf093fae76a81286fc8253ac0c94b119befe31db808b58965b79016912714190a403982e83bc13fd621c2ec60cfe404c146e86e67a01d62929173fcbb56951f0

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        3d086a433708053f9bf9523e1d87a4e8

        SHA1

        b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

        SHA256

        6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

        SHA512

        931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        e1a88e2d10b10b520b25c9c2b2698297

        SHA1

        92bdeb5023e55cba05f9b5adf7a013acc2d18ffc

        SHA256

        f3bba773f6ce7919b355e530794371c772992faff223885fb6e9960c21dc30be

        SHA512

        12aed9bee63a15f2342a99e67a56b115cffd71f4827df2dfa9e57b67d330627f224591ac8d5c0e2c6de8ac80fbd2cb73c70c6a74c6594380e3170d4782405e7c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_etjo4nil.vxf.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Public\Documents\GameStarup.exe
        Filesize

        472KB

        MD5

        01939cde70178c637bf107aa2ccacba3

        SHA1

        55d00a27fb8793f20b0f53c5a4dcb5d202b9186d

        SHA256

        16726de347a767c3f8c7ebfa08fb29824cae211783fcc1d4043c8ddb2ef62777

        SHA512

        432ba28da65ab638df263f608f054156d4067075939bab946ed85b4087646498d270eb17202ebf4ad99170958bf0904cae86e6cbc8b4f2e74299ad156c455356

        Download Submit

      • C:\Users\Public\Documents\GameStarup.ini
        Filesize

        1KB

        MD5

        0cef167d51c82067037fd6d555072db8

        SHA1

        2ac3b543e0e8a30a9c0bb67f0c81090479a47ba7

        SHA256

        7c736711b7a38dd60651df546a340f693d149e0f2907afe7f181d39ae4a74601

        SHA512

        d77898e4e253a033ddcf04609f9381447bed766dcab8715253d3c871ca60aa62b565c82b50faa1a252e48e7a57d0ae4dc0e7ec7c3098d356c477be37dd2c0ddc

        Download Submit

      • C:\Users\Public\Documents\Launcher.exe
        Filesize

        1.3MB

        MD5

        a6cec84c2399238630463f4ba2946a94

        SHA1

        14457e5c7af3c0963ddd84799bdf1baa850ab6f9

        SHA256

        b1ac49862e17863954b557731910739e23e1e433093912cd0b5bdc36ef29667b

        SHA512

        a51456144264c5c4f706be949953dcbde8e5fbbdea06093d24e3952c9deef49e126f18cfa88316b7bb0480aa810efe8ea0fffd60106ce54d4864209f567bc810

        Download Submit

      • C:\Users\Public\Documents\ppq.dll
        Filesize

        1.3MB

        MD5

        d630b859486260789184cdc5603d005a

        SHA1

        8cfa34f53cdbbf4d856fe4a5c690f91d97a1ddfb

        SHA256

        40b9f4371d3ac691d9c55161ca63edf98629db8c931b6e226945336bb6bab162

        SHA512

        135619f23bacded6e43acb14b12fea82d5e481ba37ec770fa8b5ecfffa5fcd25cb327a5930c486ef631f7ae4d81560fe039861bca0cbd16789cc768d7e4a9083

        Download Submit

      • C:\Users\Public\Documents\ppq.html
        Filesize

        2KB

        MD5

        aa23cd7bdd121c0e116d10454eaa02a9

        SHA1

        ce8aa92cac74e51ede5934ad96edbe6bec43b857

        SHA256

        719938c1a06e7675bcdb2bf84165f3e8303c73cff574f5dc5afbe4ae09c0a3b0

        SHA512

        c352cd8d9f037cad6b57a628a5fb83bfee69bda841d77a6f91d7c73d086e6a75d95baadc2c32188c0af993d3fa76f50016c8fe035297bd0cd78eed3bf452cd52

        Download Submit

      • C:\Windows\Installer\MSI19DC.tmp
        Filesize

        588KB

        MD5

        a9941233b9415b479d3b4f3732161eab

        SHA1

        cb2d99af52b3b1c712943b13e45d85c80c732e57

        SHA256

        ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2

        SHA512

        cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

        Download Submit

      • C:\Windows\Installer\MSI21D1.tmp
        Filesize

        206KB

        MD5

        0464c0e5733be630237b6929e3ee60c4

        SHA1

        c80e210dbc641ab0685452b802f1ea7c65a52e7e

        SHA256

        f7b1376bb21170b32a9f182a83c20ffb219e248b40305c46961564c0e1f2d9eb

        SHA512

        f2bae28eec9326838a4fdece73ed65af32d71549ccae4aa07108ccc93d5d2b9a726e5022bed351d1fb172de95ebb8cdb25114990ef42fc0d7d5e112c73547051

        Download Submit

      • C:\Windows\Installer\MSI235A.tmp
        Filesize

        649KB

        MD5

        64836df93bfbe30b4ea155de7bfcea70

        SHA1

        c69e6048bdd3871a3cde4b96eb8867c8146c4510

        SHA256

        7c4fa903521f191c01fd54b186e8c37eac753639ca1128f5cb41aa5d48828dde

        SHA512

        0765938503ed4b9a66cca331a0d078f746c7184a1f77c2a2c9a18e8001a0710c7b15e89a33c7a9064403bb8910ae45b467366cf3c8245aab60fae18fe2c15437

        Download Submit

      • C:\Windows\Installer\e581921.msi
        Filesize

        3.2MB

        MD5

        3985fe5de06eb8e0c7b1a6768632d02a

        SHA1

        903ae670ed8a6c15c9b134d2bc6e50c765654a79

        SHA256

        09d845e1fb3d1e2ba905c5d4403fd3f01454202d037d943c44cab0ccc288604b

        SHA512

        adad86947288538092714e54af492a3dec96e649c385899ed7724b9b3915f40bc6b1b1a9eed1c611c195fb3e129817690693f20760c650b33b6145fc4a7359e1

        Download Submit

      • C:\Windows\SystemTemp\pss23C3.ps1
        Filesize

        6KB

        MD5

        30c30ef2cb47e35101d13402b5661179

        SHA1

        25696b2aab86a9233f19017539e2dd83b2f75d4e

        SHA256

        53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

        SHA512

        882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

        Download Submit

      • C:\Windows\SystemTemp\scr23B1.ps1
        Filesize

        190B

        MD5

        2ac6ee4560aa04c57bcf3194f577f2db

        SHA1

        91ae721496e7f6f2f36abe0c0674fad9b3730248

        SHA256

        a537afef398ad1fa4963b48bc4055eea07a92e371db24543688efef565da7277

        SHA512

        c2487fa20337ca5dbc1dae5192be2a8dee4ca2213c6a7f827d22b2846e710ac6a1f56812e4f387aedff0d43e28257361afad3ef642a5866e61d86e8c03cbf665

        Download Submit

      • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
        Filesize

        23.7MB

        MD5

        08ae6c462863974127524155b420ab44

        SHA1

        a31fe8e90594e82da22e65896e8bc33aae1bf368

        SHA256

        a52a2ceb15f3bc62db8453a10d8981e33edb40570a9378a5ea8df3d279eccf59

        SHA512

        6faf57de9e2046de1e678f90e13f029a3d9dbade6f2d1c380cb95fb1b3c014a0dda159d84e61aeb6efe3879a274169a538998c8e7538488ba988b8994f22d981

        Download Submit

      • \??\Volume{b1ac2038-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{03699327-3c59-40b2-8404-9094f406f2e8}_OnDiskSnapshotProp
        Filesize

        6KB

        MD5

        f677918ac9dc5cbc80e1840bfb7dbffb

        SHA1

        04090a1ff93dfb82b9d2dc4d3d9c2596c9e40c03

        SHA256

        d093a2548b209d99cd4f15b2503a91a23c67f00bb821f135e1a536a0d8f515a0

        SHA512

        cb142a7fe3b3a6c03a42d87fc719cd82c15e70b824d6814994c6adc88006889e9693e5105896b43ad73165f30de1bd99464fa3d74da3a899ddefb7e4a1cf2b14

        Download Submit

      • memory/5152-64-0x0000000007F50000-0x00000000085CA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/5152-59-0x0000000006310000-0x0000000006664000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/5152-66-0x0000000007820000-0x00000000078B6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/5152-67-0x00000000077B0000-0x00000000077D2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/5152-68-0x00000000085D0000-0x0000000008B74000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/5152-63-0x0000000005350000-0x0000000005360000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5152-42-0x00000000031D0000-0x0000000003206000-memory.dmp

        Filesize

        216KB

        Download

      • memory/5152-43-0x0000000073390000-0x0000000073B40000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/5152-44-0x0000000005350000-0x0000000005360000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5152-45-0x0000000005350000-0x0000000005360000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5152-46-0x0000000005990000-0x0000000005FB8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/5152-47-0x0000000005880000-0x00000000058A2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/5152-48-0x0000000006130000-0x0000000006196000-memory.dmp

        Filesize

        408KB

        Download

      • memory/5152-65-0x0000000006D40000-0x0000000006D5A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/5152-111-0x0000000073390000-0x0000000073B40000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/5152-61-0x0000000006830000-0x000000000687C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/5152-60-0x00000000067E0000-0x00000000067FE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/5152-54-0x00000000061A0000-0x0000000006206000-memory.dmp

        Filesize

        408KB

        Download

      • memory/5152-100-0x0000000073390000-0x0000000073B40000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/5440-95-0x00000000070C0000-0x0000000007163000-memory.dmp

        Filesize

        652KB

        Download

      • memory/5440-102-0x00000000074C0000-0x00000000074D4000-memory.dmp

        Filesize

        80KB

        Download

      • memory/5440-103-0x0000000007510000-0x000000000752A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/5440-104-0x0000000007500000-0x0000000007508000-memory.dmp

        Filesize

        32KB

        Download

      • memory/5440-107-0x0000000073390000-0x0000000073B40000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/5440-101-0x0000000007410000-0x000000000741E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/5440-99-0x00000000073E0000-0x00000000073F1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/5440-96-0x0000000007230000-0x000000000723A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/5440-94-0x0000000006430000-0x000000000644E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/5440-84-0x000000006F870000-0x000000006F8BC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/5440-83-0x0000000007080000-0x00000000070B2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/5440-82-0x0000000000D50000-0x0000000000D60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5440-72-0x0000000000D50000-0x0000000000D60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5440-70-0x0000000073390000-0x0000000073B40000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/5440-71-0x0000000000D50000-0x0000000000D60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5868-143-0x0000000000400000-0x00000000004CD000-memory.dmp

        Filesize

        820KB

        Download

      • memory/5868-155-0x0000000003130000-0x0000000003162000-memory.dmp

        Filesize

        200KB

        Download

      • memory/5868-145-0x0000000062840000-0x0000000062913000-memory.dmp

        Filesize

        844KB

        Download

      • memory/5868-147-0x00000000007A0000-0x0000000000821000-memory.dmp

        Filesize

        516KB

        Download

      • memory/5868-146-0x0000000000190000-0x00000000001B2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/5868-148-0x0000000000190000-0x00000000001B2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/5868-151-0x0000000000190000-0x00000000001B2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/5868-152-0x0000000000190000-0x00000000001B2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/5868-154-0x0000000000190000-0x00000000001B2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/5868-140-0x0000000000400000-0x00000000004CD000-memory.dmp

        Filesize

        820KB

        Download

      • memory/5868-156-0x00000000033B0000-0x00000000033E8000-memory.dmp

        Filesize

        224KB

        Download

      • memory/5868-157-0x00000000033B0000-0x00000000033E8000-memory.dmp

        Filesize

        224KB

        Download

      • memory/5868-158-0x00000000033B0000-0x00000000033E8000-memory.dmp

        Filesize

        224KB

        Download

      • memory/5868-161-0x00000000033B0000-0x00000000033E8000-memory.dmp

        Filesize

        224KB

        Download

      • memory/5868-162-0x00000000033B0000-0x00000000033E8000-memory.dmp

        Filesize

        224KB

        Download

      • memory/5868-165-0x0000000000190000-0x00000000001B2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/5868-171-0x00000000033B0000-0x00000000033E8000-memory.dmp

        Filesize

        224KB

        Download