Overview

overview

6

Static

static

1

DFC.530.msi

windows7-x64

6

DFC.530.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    591s
  • max time network
    360s
  • platform
    windows7_x64
  • resource
    win7-20240508-es
  • resource tags

    arch:x64arch:x86image:win7-20240508-eslocale:es-esos:windows7-x64systemwindows
  • submitted
    31-05-2024 16:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DFC.530.msi

  • Size

    21.6MB

  • MD5

    29bd31f6b73955c2d4891c80b57cdc38

  • SHA1

    dd5b1caa91025f847377bcbcd15e537649e605e4

  • SHA256

    132b407090ee6245110b77bee17447e2c700a3b06deffa55a0fd1605691cd17b

  • SHA512

    f2160db5ed7138de7b50dbc0e71b07741a443abb10f55213053fa3fa7c0b388065f064b6e78b179f38a1738c44a878df444c04da40c655977e4d307f73dd416b

  • SSDEEP

    196608:Snv1sPXIIh4hez5nU65YEdrZU0n/34c2p1SFWZ+fMh5AQeF:SnvHIqhi5nd2Arj34fbCWZ+fMDze

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 5 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\DFC.530.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1196
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A5E1564DA0F5C1F82786D00FA703DF34
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\rieg2g4e\STEAL.exe
        "C:\rieg2g4e\STEAL.exe"
        3⤵
        • Adds Run key to start application
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:376

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    7470bcf4ba2b810590c6e33f344d941d

    SHA1

    0406951b90b7681e02b6d0a99202dd7e4da7633e

    SHA256

    5c7e92243348301fcca71341ac2bffd2ec581988d790abcaf4bf0ab3f213f01a

    SHA512

    7d7eddb5373b1ef1ab980fcefb6916d1e293995fb2685d91fef408ce230c3f285505881f39566767e2e8b80c9a947ae42d6c61b5c1f860a64a1f1ba42868f68d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar2534.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Windows\Installer\MSI2962.tmp
    Filesize

    554KB

    MD5

    3b171ce087bb799aafcbbd93bab27f71

    SHA1

    7bd69efbc7797bdff5510830ca2cc817c8b86d08

    SHA256

    bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

    SHA512

    7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

    Download Submit

  • C:\Windows\Installer\MSI2CA1.tmp
    Filesize

    20.4MB

    MD5

    82ae9c41bde2721eeac6b6a945793bd6

    SHA1

    edc21041c456116c63074adc0ff35697a032e1b1

    SHA256

    a8e34860b9d3e0b66504616984a17e2a3bb125bc11bad04e148dead9577b9954

    SHA512

    e02793e2d7db73a9202690c8f6d66a75098c6fa2ca9c9a10fdb48d954f845882422d515161575e6c6005603ea736f00c2850b5cc4ec8d4d5dfcb58ecb2c010b1

    Download Submit

  • C:\rieg2g4e\HumbillQT5.dll
    Filesize

    1.5MB

    MD5

    9e5aa15a31eb279cc89aa4aab29e5611

    SHA1

    8534d576fa9e9b1b5d4cfe697b71d0a87a379381

    SHA256

    d76c62368c4460ba683893adea061652900ba9cc923fe30585b8a169f58baa8a

    SHA512

    2c0fdd5170ba82a47884ceefa0c83d9cd9d740eb7fb18a7ec3baec76c8c6f890e2397dff65baf6197e1690e2e8765bb081c6a1d91bcc7f4ea2a34616832a9ea6

    Download Submit

  • C:\rieg2g4e\STEAL.exe
    Filesize

    9.1MB

    MD5

    74d3f521a38b23cd25ed61e4f8d99f16

    SHA1

    c4cd0e519aeca41e94665f2c5ea60a322deb3680

    SHA256

    1d822b3faabb8f65fc30076d32a95757a2c369ccb64ae54572e9f562280ae845

    SHA512

    ec1c8b0eb895fd8947cad6126abc5bca3a712e42475228b9dcb3496098e720abb83d4cba4621edbd8d3ad7f306a5f57ced9c2c98fe2c2d0c8ebbbf99d7faf0f1

    Download Submit

  • C:\rieg2g4e\unrar.dll
    Filesize

    174KB

    MD5

    4289541be75e95bcfff04857f7144d87

    SHA1

    5ec8085e30d75ec18b8b1e193b3d5aa1648b0d2e

    SHA256

    2631fcdf920610557736549e27939b9c760743a2cddec0b2c2254cfa40003fb0

    SHA512

    3137a7790de74a6413aca6c80fd57288bcc30a7df3a416f3c6e8666041cd47a9609136c91405eee23224c4ae67c9aebbba4dd9c4e5786b09b83318755b4a55fd

    Download Submit

  • memory/376-234-0x000000000A2D0000-0x000000000A454000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/376-223-0x000000000A2D0000-0x000000000A454000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/376-215-0x000000000A290000-0x000000000A291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/376-221-0x000000000A2D0000-0x000000000A454000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/376-222-0x000000000A2D0000-0x000000000A454000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/376-224-0x000000000A2D0000-0x000000000A454000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/376-276-0x0000000005F80000-0x0000000007B68000-memory.dmp

    Filesize

    27.9MB

    Download

  • memory/376-232-0x000000000A2D0000-0x000000000A454000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/376-231-0x000000000A2D0000-0x000000000A454000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/376-210-0x0000000005F80000-0x0000000007B68000-memory.dmp

    Filesize

    27.9MB

    Download

  • memory/376-233-0x000000000A2D0000-0x000000000A454000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/376-235-0x0000000000400000-0x0000000000D36000-memory.dmp

    Filesize

    9.2MB

    Download

  • memory/376-236-0x0000000005F80000-0x0000000007B68000-memory.dmp

    Filesize

    27.9MB

    Download

  • memory/376-238-0x0000000005F80000-0x0000000007B68000-memory.dmp

    Filesize

    27.9MB

    Download

  • memory/376-250-0x0000000005F80000-0x0000000007B68000-memory.dmp

    Filesize

    27.9MB

    Download

  • memory/376-254-0x0000000005F80000-0x0000000007B68000-memory.dmp

    Filesize

    27.9MB

    Download

  • memory/376-262-0x0000000005F80000-0x0000000007B68000-memory.dmp

    Filesize

    27.9MB

    Download

  • memory/376-272-0x0000000005F80000-0x0000000007B68000-memory.dmp

    Filesize

    27.9MB

    Download

  • memory/376-274-0x0000000005F80000-0x0000000007B68000-memory.dmp

    Filesize

    27.9MB

    Download

  • memory/1768-172-0x0000000072450000-0x000000007397A000-memory.dmp

    Filesize

    21.2MB

    Download