Overview

overview

6

Static

static

1

b5eff0ea9b...46.msi

windows7-x64

6

b5eff0ea9b...46.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    27/04/2024, 01:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b5eff0ea9b3f64f0753e9a0c94d25783dfe0fd4581d8152445ee1aa5e409d046.msi

  • Size

    4.4MB

  • MD5

    62db092b81779e1111fc850ed153c67f

  • SHA1

    8f54951de3a53b33432d415d97ad96c979b2f1eb

  • SHA256

    b5eff0ea9b3f64f0753e9a0c94d25783dfe0fd4581d8152445ee1aa5e409d046

  • SHA512

    baf9fedab20e25e0f059dcd55453395c532b172e99e1ab065f56e0fac19b0acc7ec826f3c176585a535041c1bc6985b5ede7fc746daff976ff47c2e6592842e9

  • SSDEEP

    98304:SjaRY3ue9SPixM8tFVmAcpmWqEzKy9+WV:WQt3ixM8fVmAcpmJHe+WV

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b5eff0ea9b3f64f0753e9a0c94d25783dfe0fd4581d8152445ee1aa5e409d046.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2200
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 56D0DFA76F178EF1BB0533DB0EC103D0
      2⤵
      • Loads dropped DLL
      PID:2664
    • C:\Users\Admin\AppData\Roaming\FomsTudioª.exe
      "C:\Users\Admin\AppData\Roaming\FomsTudioª.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f760a22.rbs
    Filesize

    1KB

    MD5

    fe809675e3c79a94c93d890cba5e77f7

    SHA1

    df8c94157092bdb60e36d7d74483ef8a33cf32bc

    SHA256

    b80fee9ccef8d3e2c513a93e7f3dc8ce33666e73b8382b88f0f2e5b9dc6f8026

    SHA512

    c37b3e14019306880c4cacbf3c4d7c77f88dac2687924d79deb85e8ed002437c07238b51b4e813e2e0143cf902ec1e0355cdbf80978ce93db2ae0ffc170ab749

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DTCommonRes.dll
    Filesize

    4.8MB

    MD5

    9d51f30870fd792b2072cb09952d0ea9

    SHA1

    03fd5f5cdba17de2ba0f4df503fbb112c2c390c5

    SHA256

    2bcb35fdea08c99b2eef2733e474d151685724981408521ea15a74e34faf8241

    SHA512

    445dbd210b0537ff35132822328a1a8e126841ea72368edacc850e72ffe59bb9f414ed11de48f19eb0dbbf24e90e084ba2e42ce59b63b9d587b7b9be4ae890cd

    Download Submit

  • C:\Windows\Installer\MSIA7C.tmp
    Filesize

    721KB

    MD5

    5a1f2196056c0a06b79a77ae981c7761

    SHA1

    a880ae54395658f129e24732800e207ecd0b5603

    SHA256

    52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

    SHA512

    9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

    Download Submit

  • \Users\Admin\AppData\Roaming\FomsTudioª.exe
    Filesize

    3.9MB

    MD5

    8a242aeba83c7da62dff095417cccd31

    SHA1

    2f93e5c9e75e4de7d9a82826ace4dfaa763e6db7

    SHA256

    51915ee49701927a930a033ac2b84c3303b8cf7ac88869b0d2ba6aabc5fa66f8

    SHA512

    b91742f74367f7bcbb4f3956fdbbb27edf1589c7badb9a835391c6c003f7ddd52c73632c92d272aca0a056b54801a9f9e0b5faead7242170c5c7d2c261fe614b

    Download Submit

  • memory/2568-37-0x0000000074280000-0x000000007475B000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2568-41-0x0000000074280000-0x000000007475B000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2568-35-0x0000000074280000-0x000000007475B000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2568-36-0x0000000074280000-0x000000007475B000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2568-33-0x0000000074280000-0x000000007475B000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2568-39-0x0000000074280000-0x000000007475B000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2568-40-0x0000000074280000-0x000000007475B000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2568-34-0x0000000074280000-0x000000007475B000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2568-42-0x0000000074280000-0x000000007475B000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2568-43-0x0000000074280000-0x000000007475B000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2568-44-0x0000000074280000-0x000000007475B000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2568-45-0x0000000074280000-0x000000007475B000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2568-46-0x0000000074280000-0x000000007475B000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2568-47-0x0000000074280000-0x000000007475B000-memory.dmp

    Filesize

    4.9MB

    Download