Analysis
-
max time kernel
119s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
29-04-2024 18:19
Static task
static1
Behavioral task
behavioral1
Sample
bim.msi
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
bim.msi
Resource
win10v2004-20240226-en
General
-
Target
bim.msi
-
Size
1.3MB
-
MD5
f83ed040b4e52088817df73ef51fe0d3
-
SHA1
3d011c54ae9a66ef2a865afd694712b338feed5d
-
SHA256
a9fa025fe912c8ad5e6566c675e045732c4d89f4187bfd94c4e916dd9fe25417
-
SHA512
c4fe6171f4590a3f588bba5818d05ed525619fc3333f911ea785bebea11788f144b71974254f6dbf270a2b89f9c21698d882d378274cf63005223fe5618d15f0
-
SSDEEP
24576:ezTxLN3YlMvZCFlp8zBQSc0ZoCvqKox0ECIgYmfLVYeBZr7AL7EveuFPY:ezz3YuW8zBQSc0ZnSKmZKumZr7AfEvLY
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe -
Drops file in Windows directory 11 IoCs
description ioc Process File opened for modification C:\Windows\Installer\f76f651.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\f76f650.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIF6EC.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIF9BD.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File created C:\Windows\Installer\f76f650.msi msiexec.exe File created C:\Windows\Installer\f76f651.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIF95D.tmp msiexec.exe -
Executes dropped EXE 1 IoCs
pid Process 1440 MSIF9BD.tmp -
Loads dropped DLL 10 IoCs
pid Process 2852 MsiExec.exe 2852 MsiExec.exe 2852 MsiExec.exe 2852 MsiExec.exe 2852 MsiExec.exe 1964 MsiExec.exe 2024 rundll32.exe 2024 rundll32.exe 2024 rundll32.exe 2024 rundll32.exe -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2840 msiexec.exe 2840 msiexec.exe 1440 MSIF9BD.tmp 2024 rundll32.exe 2024 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2504 msiexec.exe Token: SeIncreaseQuotaPrivilege 2504 msiexec.exe Token: SeRestorePrivilege 2840 msiexec.exe Token: SeTakeOwnershipPrivilege 2840 msiexec.exe Token: SeSecurityPrivilege 2840 msiexec.exe Token: SeCreateTokenPrivilege 2504 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2504 msiexec.exe Token: SeLockMemoryPrivilege 2504 msiexec.exe Token: SeIncreaseQuotaPrivilege 2504 msiexec.exe Token: SeMachineAccountPrivilege 2504 msiexec.exe Token: SeTcbPrivilege 2504 msiexec.exe Token: SeSecurityPrivilege 2504 msiexec.exe Token: SeTakeOwnershipPrivilege 2504 msiexec.exe Token: SeLoadDriverPrivilege 2504 msiexec.exe Token: SeSystemProfilePrivilege 2504 msiexec.exe Token: SeSystemtimePrivilege 2504 msiexec.exe Token: SeProfSingleProcessPrivilege 2504 msiexec.exe Token: SeIncBasePriorityPrivilege 2504 msiexec.exe Token: SeCreatePagefilePrivilege 2504 msiexec.exe Token: SeCreatePermanentPrivilege 2504 msiexec.exe Token: SeBackupPrivilege 2504 msiexec.exe Token: SeRestorePrivilege 2504 msiexec.exe Token: SeShutdownPrivilege 2504 msiexec.exe Token: SeDebugPrivilege 2504 msiexec.exe Token: SeAuditPrivilege 2504 msiexec.exe Token: SeSystemEnvironmentPrivilege 2504 msiexec.exe Token: SeChangeNotifyPrivilege 2504 msiexec.exe Token: SeRemoteShutdownPrivilege 2504 msiexec.exe Token: SeUndockPrivilege 2504 msiexec.exe Token: SeSyncAgentPrivilege 2504 msiexec.exe Token: SeEnableDelegationPrivilege 2504 msiexec.exe Token: SeManageVolumePrivilege 2504 msiexec.exe Token: SeImpersonatePrivilege 2504 msiexec.exe Token: SeCreateGlobalPrivilege 2504 msiexec.exe Token: SeCreateTokenPrivilege 2504 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2504 msiexec.exe Token: SeLockMemoryPrivilege 2504 msiexec.exe Token: SeIncreaseQuotaPrivilege 2504 msiexec.exe Token: SeMachineAccountPrivilege 2504 msiexec.exe Token: SeTcbPrivilege 2504 msiexec.exe Token: SeSecurityPrivilege 2504 msiexec.exe Token: SeTakeOwnershipPrivilege 2504 msiexec.exe Token: SeLoadDriverPrivilege 2504 msiexec.exe Token: SeSystemProfilePrivilege 2504 msiexec.exe Token: SeSystemtimePrivilege 2504 msiexec.exe Token: SeProfSingleProcessPrivilege 2504 msiexec.exe Token: SeIncBasePriorityPrivilege 2504 msiexec.exe Token: SeCreatePagefilePrivilege 2504 msiexec.exe Token: SeCreatePermanentPrivilege 2504 msiexec.exe Token: SeBackupPrivilege 2504 msiexec.exe Token: SeRestorePrivilege 2504 msiexec.exe Token: SeShutdownPrivilege 2504 msiexec.exe Token: SeDebugPrivilege 2504 msiexec.exe Token: SeAuditPrivilege 2504 msiexec.exe Token: SeSystemEnvironmentPrivilege 2504 msiexec.exe Token: SeChangeNotifyPrivilege 2504 msiexec.exe Token: SeRemoteShutdownPrivilege 2504 msiexec.exe Token: SeUndockPrivilege 2504 msiexec.exe Token: SeSyncAgentPrivilege 2504 msiexec.exe Token: SeEnableDelegationPrivilege 2504 msiexec.exe Token: SeManageVolumePrivilege 2504 msiexec.exe Token: SeImpersonatePrivilege 2504 msiexec.exe Token: SeCreateGlobalPrivilege 2504 msiexec.exe Token: SeCreateTokenPrivilege 2504 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2504 msiexec.exe 2504 msiexec.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 2840 wrote to memory of 2852 2840 msiexec.exe 29 PID 2840 wrote to memory of 2852 2840 msiexec.exe 29 PID 2840 wrote to memory of 2852 2840 msiexec.exe 29 PID 2840 wrote to memory of 2852 2840 msiexec.exe 29 PID 2840 wrote to memory of 2852 2840 msiexec.exe 29 PID 2840 wrote to memory of 2852 2840 msiexec.exe 29 PID 2840 wrote to memory of 2852 2840 msiexec.exe 29 PID 2840 wrote to memory of 1964 2840 msiexec.exe 35 PID 2840 wrote to memory of 1964 2840 msiexec.exe 35 PID 2840 wrote to memory of 1964 2840 msiexec.exe 35 PID 2840 wrote to memory of 1964 2840 msiexec.exe 35 PID 2840 wrote to memory of 1964 2840 msiexec.exe 35 PID 2840 wrote to memory of 1964 2840 msiexec.exe 35 PID 2840 wrote to memory of 1964 2840 msiexec.exe 35 PID 2840 wrote to memory of 1440 2840 msiexec.exe 36 PID 2840 wrote to memory of 1440 2840 msiexec.exe 36 PID 2840 wrote to memory of 1440 2840 msiexec.exe 36 PID 2840 wrote to memory of 1440 2840 msiexec.exe 36 PID 2840 wrote to memory of 1440 2840 msiexec.exe 36 PID 2840 wrote to memory of 1440 2840 msiexec.exe 36 PID 2840 wrote to memory of 1440 2840 msiexec.exe 36 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\bim.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2504
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5753C7A5E1AE5900DAA4C1851C1503D0 C2⤵
- Loads dropped DLL
PID:2852
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 75B22485C4C1990E7B81CE0FD7D488DC2⤵
- Loads dropped DLL
PID:1964
-
-
C:\Windows\Installer\MSIF9BD.tmp"C:\Windows\Installer\MSIF9BD.tmp" C:/Windows/System32/rundll32.exe C:\Users\Admin\AppData\Local\glosar\beta.dll, homq2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1440
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2668
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000590" "00000000000004DC"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2408
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\glosar\beta.dll, homq1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2024
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD56e6190b6a3e9b88a102c44f801aa9f72
SHA16a6eb3c64967df099e218a0f3d60d5f4bc9b7628
SHA256d930f51bf9244234eeff6f10e7df348c739629c3648f6815bce292d40902b979
SHA512a8594996344a07e16daff1bb38596c0522d55d40e2ba031b724f227bf76f96fd85c169d4828cbfcbec05e04850fb10f7b380632a0156284be9271fd3333ac5ad
-
Filesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
Filesize
364KB
MD5a1c84c14a82f2cbb7e9a5f253d721159
SHA13aa5e70111c290c45daac06984281dfb5439115b
SHA25653e65d071870f127bc6bf6c8e8ddfd131558153513976744ee7460eeb766d081
SHA512f76691853fa45d93246dfd8569af5ec7e66fdd7536241b92ee10bb9202b0502e66dfd030fe539956fb28fe20e71b33cae524038c356facf555d4a130c64665ed
-
Filesize
389KB
MD5b9545ed17695a32face8c3408a6a3553
SHA1f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83
SHA2561e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a
SHA512f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04