Analysis

  • max time kernel: 119s
  • max time network: 124s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 29-04-2024 18:19

General

  • Target: bim.msi
  • Size: 1.3MB
  • MD5: f83ed040b4e52088817df73ef51fe0d3
  • SHA1: 3d011c54ae9a66ef2a865afd694712b338feed5d
  • SHA256: a9fa025fe912c8ad5e6566c675e045732c4d89f4187bfd94c4e916dd9fe25417
  • SHA512: c4fe6171f4590a3f588bba5818d05ed525619fc3333f911ea785bebea11788f144b71974254f6dbf270a2b89f9c21698d882d378274cf63005223fe5618d15f0
  • SSDEEP: 24576:ezTxLN3YlMvZCFlp8zBQSc0ZoCvqKox0ECIgYmfLVYeBZr7AL7EveuFPY:ezz3YuW8zBQSc0ZnSKmZKumZr7AfEvLY

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\bim.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2504
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5753C7A5E1AE5900DAA4C1851C1503D0 C
      2⤵
      • Loads dropped DLL
      PID:2852
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 75B22485C4C1990E7B81CE0FD7D488DC
      2⤵
      • Loads dropped DLL
      PID:1964
    • C:\Windows\Installer\MSIF9BD.tmp
      "C:\Windows\Installer\MSIF9BD.tmp" C:/Windows/System32/rundll32.exe C:\Users\Admin\AppData\Local\glosar\beta.dll, homq
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1440
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:2668
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000590" "00000000000004DC"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2408
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\glosar\beta.dll, homq
      1⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:2024

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Config.Msi\f76f652.rbs
    Filesize: 1KB
    MD5: 6e6190b6a3e9b88a102c44f801aa9f72
    SHA1: 6a6eb3c64967df099e218a0f3d60d5f4bc9b7628
    SHA256: d930f51bf9244234eeff6f10e7df348c739629c3648f6815bce292d40902b979
    SHA512: a8594996344a07e16daff1bb38596c0522d55d40e2ba031b724f227bf76f96fd85c169d4828cbfcbec05e04850fb10f7b380632a0156284be9271fd3333ac5ad

  • C:\Users\Admin\AppData\Local\Temp\MSI9CBC.tmp
    Filesize: 436KB
    MD5: 475d20c0ea477a35660e3f67ecf0a1df
    SHA1: 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
    SHA256: 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
    SHA512: 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

  • C:\Users\Admin\AppData\Local\glosar\beta.dll
    Filesize: 364KB
    MD5: a1c84c14a82f2cbb7e9a5f253d721159
    SHA1: 3aa5e70111c290c45daac06984281dfb5439115b
    SHA256: 53e65d071870f127bc6bf6c8e8ddfd131558153513976744ee7460eeb766d081
    SHA512: f76691853fa45d93246dfd8569af5ec7e66fdd7536241b92ee10bb9202b0502e66dfd030fe539956fb28fe20e71b33cae524038c356facf555d4a130c64665ed

  • C:\Windows\Installer\MSIF9BD.tmp
    Filesize: 389KB
    MD5: b9545ed17695a32face8c3408a6a3553
    SHA1: f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83
    SHA256: 1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a
    SHA512: f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

  • memory/1440-37-0x0000000000160000-0x0000000000162000-memory.dmp
    Filesize: 8KB
