Analysis
-
max time kernel
184s -
max time network
193s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-ja -
resource tags
-
submitted
23-05-2024 02:32
General
-
Target
test.msi
-
Size
2.1MB
-
MD5
bfd00224b00b9f6f07f424f75cff6836
-
SHA1
2bf889bcc9b413cec07925bac78610391faecaad
-
SHA256
c6b1b984ea4cd7a1ac0c717afe91c3cc78bd2893f7e6a0ad661f7869d4289635
-
SHA512
eab303bd75a18948c7d2e0572f7ffbc1f9165972ec06163bd7e7274b3b743103b3d160d0c1d5b4a0d92735f34f6f6c6a5b9ec6e9c7fbc33494eaf18f564dbd90
-
SSDEEP
49152:p5yULiNbhfDc7yEq9WRhd9Itc71hE7T8XX5UpAH7uidqFWV63hTI97qjfAj:e05q2t7vGA5bkWkRTI9qjY
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\test.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=ja --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=856 --field-trial-handle=2008,i,6187163678980365832,2290078537353632866,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7ffdc92f2e98,0x7ffdc92f2ea4,0x7ffdc92f2eb02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2236 --field-trial-handle=2240,i,12667931597607848844,13173202922954984161,262144 --variations-seed-version /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ja --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3136 --field-trial-handle=2240,i,12667931597607848844,13173202922954984161,262144 --variations-seed-version /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=ja --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3320 --field-trial-handle=2240,i,12667931597607848844,13173202922954984161,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=ja --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2240,i,12667931597607848844,13173202922954984161,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=ja --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2240,i,12667931597607848844,13173202922954984161,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=ja --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4360 --field-trial-handle=2240,i,12667931597607848844,13173202922954984161,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=ja --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4616 --field-trial-handle=2240,i,12667931597607848844,13173202922954984161,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ja --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4364 --field-trial-handle=2240,i,12667931597607848844,13173202922954984161,262144 --variations-seed-version /prefetch:82⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
280B
MD5b4e5d8666f99040594ea4ff5e982502f
SHA1f23c44bbb074c30b9ebce038f86ae8b3993b72cd
SHA2568e2da0c8859d1d933c063808613a173c170e6f0a0fec0b35d117f5a1c8bc9df4
SHA5125b102b9addae24a184ab7475e18c36cf801e98cf8e667d571350e58981ddef11a7fb02bae404ed47a05018a4b769c8d4747ca5798fdf8cc8267e153f7694f8f0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.jsonFilesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD5eb4691f5cafc4c8649443e913009c514
SHA112b84e1752a4348daf51ac3bd4ac3b31b69aabbc
SHA25621270b366f1089d029ed7047025b03ecad2e30253cc395ec697b5e631141ec5e
SHA512cf68c7242c3a8f5634d9d34e5f560fb73358115be35f7c9456287ec0e42e88f1fe72991084476970582595bc96e7477f766223bd790c4b3931d0a3fd4fbe1c36
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch DictionariesFilesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD59cd51da77636b5f2218d5533ac645cbb
SHA12fd828f848c7637cf22ca78489b408a305fec5ca
SHA25618793ebd7c22e803f4c5b9ed5c66c15a43ede44379c59a05e226508d8aa76739
SHA5126f47373b2780230842713f16b4c97bf815b29a24e340b647513a7492daefe4eb6ee9e28657814fcb20ba28951f6c689f236975ee7da61af28ad7e86f7cb89ef6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
30KB
MD54e80e171a6d821c08d06249574c5e193
SHA137ed81ccd21a2a2353aa48abea3eb110565abae1
SHA256f067ef6ba9599451c1328c6d4e2f2299348147215f96b09a125eba1c93d6753f
SHA5126019074ace7756321bd57cb183a63555f6a8068715361b0fd90e4878819be4b0f53a1f154d167ecbc8944cd00725005329956ff29c32c054654c962845d2069f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
43KB
MD5f31f18ce61dd43da2fa4fce215b3b370
SHA191a26193f7fb388214c8120c33cdf5a68c6ce346
SHA256e9dc1c534096a6f33fc25ea04c4aaf7b9289e287113039ab884fedd963b56bdb
SHA5126b3eeccf5c48f95487f19d1e3534bed4238a0de0f8065b3837c43cb401fd71cca880dc3ec31236055ab0f6554f6188aed5c443902e65b762a8b9a3a7e73d19a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
33KB
MD51976a2bc35f057052b215ccb91c69571
SHA1815a4f9aeed68828cdbb4203a2231d76be0f93bb
SHA256d4419b06a7c9e4874428d877b33993e97739e00ab2692811c5a904a0929bc804
SHA512478c1fe03b4f520f330e28fc69331c039530288cea8bf0bb2a2aab2384b5120a7ae99c4379268fb224a7771dcbdc805de9561863257449c46d0b0d44aa4040c6
-
\??\pipe\crashpad_4456_NNFCPCWQWPFGRKDTMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e