Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/06/2024, 08:02

General

  • Target

    7e0c33d6d53bba646e05c47b4d34b3f973730ecf289da71f3e71e507fdc83682.msi

  • Size

    2.2MB

  • MD5

    3a89cbfce7da515333b8782597515329

  • SHA1

    7c878ce7a17ac30498ec06fcc2cc0477a88a9243

  • SHA256

    7e0c33d6d53bba646e05c47b4d34b3f973730ecf289da71f3e71e507fdc83682

  • SHA512

    b14222a1cec22e0b037491ff1f71d468f0455d262e65e18208096ecbb111f01cd61e7230aa614d6a29a27ad688e8e0ed9dd451120b6e83cad3bab5e09f385812

  • SSDEEP

    49152:OzXYFfV5tQPGYzLFoc25e6+f/8y05wXIARgguIGUMBz5HxcIT:HlWPG6L8IGUA

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 21 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Modifies data under HKEY_USERS 48 IoCs
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7e0c33d6d53bba646e05c47b4d34b3f973730ecf289da71f3e71e507fdc83682.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3056
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F3525796222729E933869F1B3843B218
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss4D77.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi4D74.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr4D75.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr4D76.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1520
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DBC9D01589302793DFC0A8354E620EA4 M Global\MSI0000
      2⤵
      • Drops file in Windows directory
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Windows\SystemTemp\pss5238.ps1" -propFile "C:\Windows\SystemTemp\msi5235.txt" -scriptFile "C:\Windows\SystemTemp\scr5236.ps1" -scriptArgsFile "C:\Windows\SystemTemp\scr5237.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:852
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath "C:\Program` Files\Windows` Defenderr"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          PID:1676
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2844
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B4" "0000000000000598"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2564
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {86084E34-9A18-450B-95AC-A5EB7FB48FF4} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Program Files\Windows Defenderr\vc.exe
      "C:\Program Files\Windows Defenderr\vc.exe"
      2⤵
      • Enumerates connected drives
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\f764889.rbs

    Filesize

    217KB

    MD5

    caf51b0902c06394629f5850987af191

    SHA1

    970292035e324b78330b13c22bce5640f3fee087

    SHA256

    eeeec7e199cc58f784f998cc7f68122a8d36513d0700a111cd7ca420ac65b2ec

    SHA512

    6aa8091190bb873d8e5645b88126a6bd38e779334ae26ea71d30982f8f5efc80a743e2a0f46fa51b90ecc7617173059fd9f5b20ab11d21a03da170f5b884be0d

  • C:\Program Files\Windows Defenderr\cc.xml

    Filesize

    2KB

    MD5

    77d8e23e5fa59f96e69b9d483d4a3a2c

    SHA1

    6c10cb3e89c8c1f925363e3f517129187b575cd3

    SHA256

    693a4c081eb1f52d5eb0659701c289f6422344777d4f00270f75fa82166b04dc

    SHA512

    b6ea21810586467f97af2d8e2d26aa12ad9e00283f619b768db836d705e548d309a6126ae1d036325dc903eb76f223de0ecbcbb0bdb6adaad627905fc43db7b9

  • C:\Program Files\Windows Defenderr\vc.exe

    Filesize

    102KB

    MD5

    c8de233601e5dd254517522a275b661c

    SHA1

    15eef70b3ada2b55aebd526446be9a32fd41a796

    SHA256

    d3449e60c02258d03b42b06c5eb0a2f759dd7b1433b565d5cd9a6be7ccc523ea

    SHA512

    a16d0a59029455b1b6d8d9d165b6ab10a9eb4cff2c7bdbf6738e9be6badbfa8ab12d39fa94b7b4f8705c69b56d89ea71a2c55e649f27e9c8baf35c7b50bc3cde

  • C:\Users\Admin\AppData\Local\Temp\pss4D77.ps1

    Filesize

    6KB

    MD5

    30c30ef2cb47e35101d13402b5661179

    SHA1

    25696b2aab86a9233f19017539e2dd83b2f75d4e

    SHA256

    53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

    SHA512

    882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

  • C:\Users\Admin\AppData\Local\Temp\scr4D75.ps1

    Filesize

    134B

    MD5

    7ef79aff6608fd03a304a1a87344c576

    SHA1

    9c57ed39cec3a1c0278ff50d536da34d55f52162

    SHA256

    a56cba74db063b4996549de89fec07432fb7470724ec292dab8b97e73c567c51

    SHA512

    36c5fd4a6d3c875cb311b8b454c39952a36146f2f000926324e0cf16c162409f49c675c575479222a7c28ce26390f473474107859073b37a1813c6aae0e617e6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y50LNP5532IB5UXB9PUO.temp

    Filesize

    7KB

    MD5

    197b1c46f2c2f1bb3100ebf1e65d49d1

    SHA1

    55a2bdf8779141a92a2de65853cd818ca03e32fd

    SHA256

    9a10f90e465602ef3f155cebd896231e511d270ee1fe6310a327b2fd0baac431

    SHA512

    9f70f70308b50de882a258fe3602744693c6740d02e2b813b0abda85d1bab85dd5bbd72818097e5795fd3ca298630aa143b1736f3bc4ac77abb39808c2181eff

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    f3b123a03bced7f45af1e67c078d127a

    SHA1

    b45d2a55e6bb92b08d5baf4522ab3290ab112923

    SHA256

    b8f03a256c54054edbaabcae77645b8daac1f1566d926fb1bc34cc559a816717

    SHA512

    ff66b35c557e41c3a48562d4c67aa5f573a58773e31f44810016ff02097eeef52150e5c7dfa42bd0ef22f8772bcabe60107145db294dc1c2e4b8bab972372279

  • C:\Windows\Installer\MSI48D3.tmp

    Filesize

    738KB

    MD5

    ee45c6dffaf86ed2a76d8f969c390c08

    SHA1

    ff5b2942ffa7d28ed3f72208e8e76391b2991b5a

    SHA256

    118a551eef23bf842ed470316aa1a50bf17b6d656652879802d4acc0184608ca

    SHA512

    a92bc7aff5da3dc33263ea3d43cf617d47a2a6c589118f7ee3c5f293d63171778a7a37815ec23cb426558546cf0a1e694c67c7cbc36cca92677de566d1d71664

  • C:\Windows\Installer\MSI4C6F.tmp

    Filesize

    215KB

    MD5

    fa6cf27d72756d6a0794c65d1133befa

    SHA1

    90949a22d68347f6834c581abc88faf63e7cb8c0

    SHA256

    d058a04e0b5550db64d816485d9d25411fba27d3b9a4ef1d2dfe47e98c4a054b

    SHA512

    6ecc9b610325f015659c2a79deaac50f879f0261236a54c76468150f5194ae8c1a7ff284d13818908fae26ea2a2077f982e97ecc5d7264d7c77d74610ad1dede

  • C:\Windows\Installer\MSI4CAF.tmp

    Filesize

    758KB

    MD5

    743c67416aa1d2568679f45ef36e0179

    SHA1

    dc7163deb7e0d0e493f0ced46fb2fd0b29e19910

    SHA256

    58800c0b1f916f5ac032ab6e9410d2e5d687eebc95c2955bded68ac97dacd639

    SHA512

    f35f5a19aa3fe6fc723b771e7199e35cff4de5ed26a5a0a86377288f9487875bbdb19231743f2a7a019642f59ab57ed7cc02e7b4b9a6ec3c11b595596aa6066c

  • C:\Windows\SystemTemp\scr5236.ps1

    Filesize

    220B

    MD5

    0a4a4ecab6e633aa2b189c9fdca38f1f

    SHA1

    81d0d5e4f77de2c33cd72d812b7a5d3b7b02b2ad

    SHA256

    3e51b88f2e7f6d26e2b6b1a6403044af1d8b6c1805affee19848bf0d1b3a03e5

    SHA512

    ee53f855d8ca9cf72b76bde7f4cf5e674201f85095ee60f4f515e49ce12e08d5303932e364338be2d9206a37ec84e874f2f458afa36164fc7d1a35d460fd702e

  • memory/1644-90-0x00000000003D0000-0x00000000003F2000-memory.dmp

    Filesize

    136KB

  • memory/1644-88-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/1644-87-0x00000000003D0000-0x00000000003F2000-memory.dmp

    Filesize

    136KB

  • memory/1644-91-0x00000000003D0000-0x00000000003F2000-memory.dmp

    Filesize

    136KB

  • memory/1644-92-0x00000000003D0000-0x00000000003F2000-memory.dmp

    Filesize

    136KB

  • memory/1644-93-0x0000000002850000-0x0000000002888000-memory.dmp

    Filesize

    224KB

  • memory/1644-94-0x0000000002850000-0x0000000002888000-memory.dmp

    Filesize

    224KB

  • memory/1644-98-0x0000000002850000-0x0000000002888000-memory.dmp

    Filesize

    224KB

  • memory/1644-97-0x0000000002850000-0x0000000002888000-memory.dmp

    Filesize

    224KB

  • memory/1644-100-0x00000000003D0000-0x00000000003F2000-memory.dmp

    Filesize

    136KB

  • memory/1644-101-0x00000000003D0000-0x00000000003F2000-memory.dmp

    Filesize

    136KB