Analysis

  • max time kernel
    149s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-04-2024 23:00

General

  • Target

    OFFICE2016/dcf.es-es/dcfmui.msi

  • Size

    2.3MB

  • MD5

    a0543b894c018380cc5e868f3f168069

  • SHA1

    583ec7da66ba57ba1fb4415380259614117e74ae

  • SHA256

    42de4102487e0ca49c4968f1109ba98abb970600eda32ac0eb11e489bd9fb8d0

  • SHA512

    c51e9ff337a37a593dbc91a34de66d16a045862f0d735c8dea65fb8885ce9f21bb55940643315a357a56de5db4a2de41571d44fef073b7cd93bd715ea32bc932

  • SSDEEP

    49152:IhIu+svi4ut1yFXyzEKqle+93GwtF2VbIPk9u:IhIuFvPut1WKM3Gw7Yb

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\OFFICE2016\dcf.es-es\dcfmui.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:5000
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1864
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F004E45279A080F77DA0BE207F17193C
      2⤵
      • Loads dropped DLL
      PID:1884
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:2296

Network

MITRE ATT&CK Matrix ATT&CK v13

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Installer\MSIB362.tmp
    Filesize

    95KB

    MD5

    acfd123d0e36411b9c1f556853dd9ea5

    SHA1

    812025408e21687dcd6e8eeb1667025a7b7abcbf

    SHA256

    d89dd83af50bfc6e325e2b4e7eecd982ec3ddee9ccb9cfef86d8a5593907c317

    SHA512

    e01da6d2867ca5a029d60bac781cef6639485255ce515bc8e094a43fa107b0d8c120b7bb3de75457407479de71585dfd9475b1b1f39d2d82d303586ccdb9024d

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    23.7MB

    MD5

    81051e40e06647ebd9e7652c8b800efa

    SHA1

    2699d955e7f7756a39e4820d5c8f6802edeafd84

    SHA256

    f2d5e5ce80f55b5fe739deb7e11531164be3bfda18010b51ef4ea7af918317c2

    SHA512

    e5a9c453aa14d6607b7f5422f372a6293257d84f2dc6b7057460b2cd0d35c0edd52d345d313a4b15377aaea51852cda0716c01f6ebe98c59f5ea38d5faf3e489

  • \??\Volume{df05fbf6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a15a221b-beee-4a2c-84f8-3380c324def0}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    07d8ee3d8c4aac70c16af3ed33141ace

    SHA1

    89d4271d6f022936e484243a865866208e5ec332

    SHA256

    6157a06adcc43c764e95d218ee4b71f154923c9b882d78e524c88692f494f5ef

    SHA512

    11541d450008b4d7e7eb6fda1a500898af4a0b0844b260295bdcd89c8c0127cb67665b4d94c1907fb349ac94d1c58ea61aebe4bc9c5cf172d6e19c4541323234