Overview

overview

6

Static

static

1

SSU(1).msi

windows10-2004-x64

6

SSU(1).msi

windows11-21h2-x64

6

Analysis

  • max time kernel
    63s
  • max time network
    69s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    11/05/2024, 13:03

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    SSU(1).msi

  • Size

    444KB

  • MD5

    314a43278376557ef8d9d0c6212fb2c8

  • SHA1

    215199d4b9e14dde22c13a95583f1d8b70add5dd

  • SHA256

    07c5ef50753ddb404b9ac1dcf0e6b2e611bd017df879995f865f07e5698caa0c

  • SHA512

    019baf1af9e0d444f357684cc921cea68c52091967fb3652097a264cee3971e93d13b70ae66ab1e52f94fd88c14b9379cc239a1fdc7834c3586244a25f7c417e

  • SSDEEP

    12288:NF6siOAjzFpv5loz+8jOZy2KsGU6a4Ksh:WV3/FpChOE2Z34K6

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 18 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 13 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 11 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SSU(1).msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1960
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:4916
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 1D1E2DE66E5C7FFC826DC30AE91CDA13
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Program Files (x86)\SSU\SSU.exe
          "C:\Program Files (x86)\SSU\SSU.exe"
          3⤵
          • Writes to the Master Boot Record (MBR)
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3356
          • C:\Windows\system32\netsh.exe
            "C:\Windows\system32\netsh.exe" wlan show interfaces
            4⤵
              PID:328
            • C:\Windows\System32\dxdiag.exe
              "C:\Windows\System32\dxdiag.exe" /t dx_info_3356.txt
              4⤵
              • Drops file in System32 directory
              • Drops file in Program Files directory
              • Registers COM server for autorun
              • Checks SCSI registry key(s)
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:4728
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        PID:4140

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Config.Msi\e57904a.rbs
              Filesize

              7KB

              MD5

              f991d79c2ec1fab7d64bd230fdbc9386

              SHA1

              088f614f139a550f1b92e87e9140ba079a12b903

              SHA256

              d9f2104a1543485d763b0cd276cda5524f002ccd21664680e3d043c701df12c1

              SHA512

              b1f51695cec5f480bd6d9bd27ddd902740e9dab7e97ffa93a8459d8efe8c55bfb3a4a2b5f84ecf5b42d8635ee228f513a4b92c3a7fd3daa85ebd3aa9b5ee6f1c

              Download Submit

            • C:\Program Files (x86)\SSU\SSU.exe
              Filesize

              608KB

              MD5

              5f4af50e1f9e2152173de2924d2ecc4a

              SHA1

              7ada7dcb2d8ac652425466dd9b8c90d8b4789574

              SHA256

              1c020b1d3c43b5dac12ac332f6dc622bea5df603f1518d03d0959df30446abaa

              SHA512

              f0cf2ed6359f2d7478825bd1a8462b7f92d88abf62d950f8adeaee214cb098f711fb9d5ce070f2c1f36d7ef0467bc9253cb6291d7f3cc53a845d6c55fb7b4e43

              Download Submit

            • C:\Program Files (x86)\SSU\SSU.exe.config
              Filesize

              4KB

              MD5

              80aa5d362e1c7cbc1970b694cc304cfd

              SHA1

              7a83ce733c6ecaf4da85c11aa0e752aaf0505df3

              SHA256

              6145cf4b6277cfbe066181419a627e09b0944619d18ac7f668861aac8d386cf8

              SHA512

              7136bb4037f97ead39b3eab6d905eb53172748a9863c33636c44a34af5bcc41b8219c8d1b9e172f01a7b5a92abaa90ccf53ed1d448bda9dbc8484fc00e56c7db

              Download Submit

            • C:\Program Files (x86)\SSU\dx_info_3356.txt
              Filesize

              86KB

              MD5

              d5e2e1addb7739d18e1d34427f12b1b1

              SHA1

              8e2e736cc3d47ea7c2b1b2f360712b470f999f1d

              SHA256

              2dd72b7f5ac07756fa3e33fcf82eb42726a483fc4037a448d748cea271bc56f9

              SHA512

              2440dee9a5bcf4b2308bfa5c230be9eb445fcad13f139f1998acc9423165ef07643d7c321780141a682a054db74ef82790c57bb5352c944958830bd22e350707

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013
              Filesize

              765B

              MD5

              2dc6e83976f7d2f4f25413741b628116

              SHA1

              8e1f6a8a1b4e30fa9deaca5c28a9ae8b147975e7

              SHA256

              cc1112e52ad4aa34420e93dcc10b775721a0a4a8987a352d383f1ae466c61e3e

              SHA512

              83aa5e2b119960cd5d036e99795ef8f85119c3793797f763489c3bbec08b1ac2e4c634fd754736924e63a69355cd1e8ed2bb245c8154b314bc30b811203f4f67

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3AA0DCD5A74331FBD6F344550EC48B87_E21B5BEB23BEBE7382FCF6C12428D922
              Filesize

              638B

              MD5

              68786998cbaa25a3f9b5968872ba4da1

              SHA1

              3f49ae8b90f45ac88ce0ce92b54645fac41223fe

              SHA256

              aebae16a8078a05969816182f914338a7abc9d491b158e551662546ad46fe06d

              SHA512

              6ea8130ef38774d4a2678cf22d5ee406074ab06991990c2827d20d4b18ed275282f6d983b14dd3fa30ab3bba59337f67c80821057fd91135966f12c283b5c77c

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
              Filesize

              1KB

              MD5

              543f380bb5a4307e72b011e9a015564b

              SHA1

              26a06119b1257d5429f8a8e03faaca711059383c

              SHA256

              45d445a40f93cdf26a15a1376e2656cae9d2dcce8a0b21fcd57cfcd6d6272760

              SHA512

              89d765811aad21ca748b249dd088b0a57a0a50cd59677f721971f7c084dc44fa2c66bc1f56a0f53dac6c13ba78fefb35060bb8988f1a2a400a5fa0de270e5d0d

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013
              Filesize

              484B

              MD5

              4fa72611506330d8aa311d90500829dc

              SHA1

              6170585440f4046ccf6096de5b4a27a9e7fc7e39

              SHA256

              2bfbee3a73896eb3cffe70163739d601ae2479c5f0b733a2b4e7a8bdf7d1446a

              SHA512

              051471826a8795fa6adea76d65d2dd918d2e403d7c355f74c85e4521d5c4a0024a3e092327273c3d3b0e639a368bd5125ade2a4560edec5bc229f1a541457c1e

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3AA0DCD5A74331FBD6F344550EC48B87_E21B5BEB23BEBE7382FCF6C12428D922
              Filesize

              484B

              MD5

              cac323884806b59efa9d2fb39f002366

              SHA1

              cf8b7d597e6a70f230b67335f32c2272e15d92ac

              SHA256

              15e688df2656e6362c158239e49eb73f1d5235e992de4d7ed92b21a3920b2d5e

              SHA512

              3a6fa0da8b5a348ab1fbcdb3070e2efcfd8ee2fc34652148276c4038f4ef0bd6105b8e37e72b62c2e1e957c62a27c83e31fd7ce16268a96843c0fcc2c64f09b7

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
              Filesize

              482B

              MD5

              9bf3f564e2b5cce1a411349bfde4e4f1

              SHA1

              b1474bf8b9e0e351759daf6da236907bf34cbe47

              SHA256

              41826c6497549f69a38efd0abc95519a7b2123a177945aa0e6e6f7ac853c6818

              SHA512

              959158e6bb15dfa995df1ff7750d8af63f6fd649c6af0e4f67f95930f0fcc4598813fe59ff45dc120290b87dc259b18a0d4cbd05c9a6a4434bdd4167e0370563

              Download Submit

            • C:\Windows\Installer\MSI9200.tmp
              Filesize

              211KB

              MD5

              a3ae5d86ecf38db9427359ea37a5f646

              SHA1

              eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

              SHA256

              c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

              SHA512

              96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

              Download Submit

            • C:\Windows\Installer\e579049.msi
              Filesize

              444KB

              MD5

              314a43278376557ef8d9d0c6212fb2c8

              SHA1

              215199d4b9e14dde22c13a95583f1d8b70add5dd

              SHA256

              07c5ef50753ddb404b9ac1dcf0e6b2e611bd017df879995f865f07e5698caa0c

              SHA512

              019baf1af9e0d444f357684cc921cea68c52091967fb3652097a264cee3971e93d13b70ae66ab1e52f94fd88c14b9379cc239a1fdc7834c3586244a25f7c417e

              Download Submit

            • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
              Filesize

              12.8MB

              MD5

              b62939cdba5337a0cf351242a9122430

              SHA1

              e092d76324aa79a04e29774336777de9b7c1f249

              SHA256

              1d9501604fee792cd914ea617078bba1e969d0ab65d0c5937993b4cbb89f389f

              SHA512

              b448f93348b002a92aae1aca8bb35b7ce3a825eb5619cddaafc065126326633ebb71d469a6ae831093b8537b72b1bc3b7ceae47ee8710cbc92d6a50caa306268

              Download Submit

            • \??\Volume{d8a97479-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5727f915-64d0-4aed-a472-ae626af68534}_OnDiskSnapshotProp
              Filesize

              6KB

              MD5

              59976e6c324315966b0e28cc525f8a28

              SHA1

              f5e9e5af64b540c06d8b5d0aa68151271e2bb589

              SHA256

              e418e56772614ed54882ff419aa15727b12ff7a3088926263a1666d05018033e

              SHA512

              8f6ccaa8b415c1418c6b0790b69405033ad5c60862d3fcd480c55a0bca83be1131dc25fbccf7575eea0bdb12058d51bf06c978770825eabfeb5696baf2630d80

              Download Submit

            • memory/3356-56-0x000000001C270000-0x000000001C2D2000-memory.dmp

              Filesize

              392KB

              Download

            • memory/3356-55-0x000000001B100000-0x000000001B108000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3356-54-0x000000001C070000-0x000000001C10C000-memory.dmp

              Filesize

              624KB

              Download

            • memory/3356-53-0x000000001BB00000-0x000000001BFCE000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4728-68-0x00000181C9180000-0x00000181C9181000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4728-60-0x00000181C9180000-0x00000181C9181000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4728-69-0x00000181C9180000-0x00000181C9181000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4728-61-0x00000181C9180000-0x00000181C9181000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4728-67-0x00000181C9180000-0x00000181C9181000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4728-66-0x00000181C9180000-0x00000181C9181000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4728-65-0x00000181C9180000-0x00000181C9181000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4728-71-0x00000181C9180000-0x00000181C9181000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4728-70-0x00000181C9180000-0x00000181C9181000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4728-59-0x00000181C9180000-0x00000181C9181000-memory.dmp

              Filesize

              4KB

              Download