Overview

overview

8

Static

static

1

1602a807b1...bf.msi

windows10-2004-x64

6

1602a807b1...bf.msi

windows11-21h2-x64

8

Analysis

  • max time kernel
    100s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-06-2024 18:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1602a807b162c379770efd0f8dc96af3eb926dce03042397c2ccc23f6b525ebf.msi

  • Size

    5.0MB

  • MD5

    0deea78b6ac2236f701fa82cb5c10918

  • SHA1

    93d39ca0a3047db121460ad61057fadc059b6c3d

  • SHA256

    1602a807b162c379770efd0f8dc96af3eb926dce03042397c2ccc23f6b525ebf

  • SHA512

    d5393c01ee510397cbce9264b4f87ed6d79f2b3ee4cea3f9b4fca4e5ce70c08ddb3f210327375f9cdca267408125274362ebe6cf79270881bb73dc5154e24587

  • SSDEEP

    98304:sVHYDgFMyclbrPcGJ1Ea2x3PoFpSSgGN6o:QNMyI/t0foFpngGN6o

Score
6/10
executionpersistenceprivilege_escalation

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 17 IoCs
  • Loads dropped DLL 18 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1602a807b162c379770efd0f8dc96af3eb926dce03042397c2ccc23f6b525ebf.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2120
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4680
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7C5920B7C9E8D5CD5B844A7E87671899 C
      2⤵
      • Loads dropped DLL
      PID:1236
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:364
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding A86ACC9B0DBC971EBD1273AF9AC6BCA4
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3108
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssD0E.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiCDC.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrCDD.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrCDE.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:224
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:4260

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Event Triggered Execution

    1
    T1546

    Installer Packages

    1
    T1546.016

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Event Triggered Execution

    1
    T1546

    Installer Packages

    1
    T1546.016

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    Peripheral Device Discovery

    2
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe
      Filesize

      275KB

      MD5

      3e34fe938047483111053beb4bada320

      SHA1

      6bc5b1d97ec9f6efe792c7c4600191a75c437e8c

      SHA256

      d79db4add67490ec6070fb0750ab667becec4751d5316c81f8e2c6813d0fcbcd

      SHA512

      8ec758c9ea9a4aa066f3641d3ee3ed41d5c3417273081f65f355d28e47b11556b2457ad3770af3fef1491977f9d6c1d91be849a1eb73e1ecbc10c5ab80e66cf7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MSI90D6.tmp
      Filesize

      738KB

      MD5

      d0c9613582605f3793fdad7279de428b

      SHA1

      8b3e9fb67c7beb20706544d360ee13c3aad9c1d1

      SHA256

      8bd84f1156ebdfa44afaac8a4579ba56a8c7513e3d51e00822167ea144923726

      SHA512

      3640a0f53730cad7323473f99a2049833db58eaed00f94b75b4a03b07cc8af99c104a40b2e888307055a5c9740b5fea4b394aa15bc78a3102088cc0770713eac

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qpwd40xh.g30.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\pssD0E.ps1
      Filesize

      36KB

      MD5

      7dc43ea8bb420287894f3fc68efd4d15

      SHA1

      f6b0f90586986f968cfa7958f917db8dda54de34

      SHA256

      579c430cd0bb6c24e614076155e245ff7acd74e8b429854acdc61e200c205395

      SHA512

      21a29042ac2b8796390b13ecbe5526485c420dc07da918de732b1c8088dc54198c349f2612cc4d800025e6fb4aa00db12997e46454cc2ccf9ad5efc51271ab3c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\scrCDD.ps1
      Filesize

      31KB

      MD5

      df9bb699dfb6aa697c3263769529b815

      SHA1

      100ef96b36711304020d60535c4d1a2bf2b235b3

      SHA256

      ba6d2b558c6021fc77cb888a174137d9c9874777ab3e8caa804cf9c3e2e60733

      SHA512

      2498780c7bcce850f44e6a211e9b83781d8df546ef1147d383aba51dc71e72249089484f9d4c4f841c0afdd98f13348940b9209eab8093ef5e748e272f73a54a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\scrCDE.txt
      Filesize

      326B

      MD5

      f776e6b7ddeb8374229f0bf55233df89

      SHA1

      1905d3af75b68aceda6424b792aaf2fe944cdce9

      SHA256

      ded8e2ac37eeb7c78679c99e4ad4cf3390167855c8939b1458c4246de4a2addb

      SHA512

      470bfd9705cd5548f157bde578a0496aea8f723e338bdabc0bffc7f68feda5db95f4d5f825529a546d0eedde3dcb50797200061a0826c1bd9c2a879d2faf967d

      Download Submit
    • C:\Windows\Installer\MSI1A5E.tmp
      Filesize

      512KB

      MD5

      d1395cc27fabb23ff098c0954b7725a7

      SHA1

      b782d01c84471849d92e130e5af448de8040bd58

      SHA256

      a2f7155c0ce5e3c69fdcff6d89df011a6d4715eae2853104f2480800d63eb69e

      SHA512

      a5c531d4cb099e91a498dd738804eaf8f47573bb802d15bc550c438ca117ea61258cc886ede7b91f83b9570f73f3bd3c08718819868a1e92249fcb3d5bcdb914

      Download Submit
    • C:\Windows\Installer\MSI1AAD.tmp
      Filesize

      757KB

      MD5

      5a72f5f620d7363c21dac3c062225203

      SHA1

      e083f31c15020d54e42103099dc240be4cbb7430

      SHA256

      b312faf20d72a4e44be87530beb446298c85fef73c79130c6d13aae6720f585c

      SHA512

      c742314859a75672f8e049ef52db54e48d34b48b9ee6c6e8677ae376d6f0aef6589ffdce90b37c9f8b987ea35d2ec42a07937ce0ba05f3158bf0c79a4f0db987

      Download Submit
    • C:\Windows\Installer\MSIBA3.tmp
      Filesize

      759KB

      MD5

      a2317ebf66616e3b13218b2b9739cf74

      SHA1

      9fbdf90fb9d2bc93f025c16c94347eb817908d9d

      SHA256

      d6a3c9c614fa4491a1bd988d86687515e15edf7e0cfde2159d0850bf2c5c7c89

      SHA512

      8d11a2174e3ac7eefc776ff3d95ac65517c4af78f2880b84c6ce1ed65990e769cdbd5cc3d5755cc0dd9fc69a7c2408b32dde6205503f9a67ec96008c87b1f2e3

      Download Submit
    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.7MB

      MD5

      3e28aef8cfdeb41ac4628a83d16391f9

      SHA1

      d785dc24a9697302b5386aeb56d75ba60df93457

      SHA256

      f03213f633a59086cfdf6db6e73eabca6c24d2cbc0328f47f7e31240d7d07b16

      SHA512

      5a0439b8c0ea6ca13b5b8dfe8408d0826fdca70cea02b6e8d1f3623ff2956aedb09dcd74b85d45b22b31e5a99ff04f944f212fb39b938b5e4561b4abda96084e

      Download Submit
    • \??\Volume{5110105b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5e1874a8-dc95-4cd2-90a6-d81934f8cf82}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      11aa4d49c499fcb62c55d5f8fbc66c41

      SHA1

      df5d95bfa96e5ffe7fbf4bb5a3afeee342a75e54

      SHA256

      806959639b27d39a2f99b80fab56ae81c808dbc3eddc0ef48d4d6811b821b18d

      SHA512

      0d27b9c7fb41950af4a907fef07b56240ba9f842a337bcfd60b334c42f7e29ae70a603d8c0887d1a900f44829025f134e6b7db5c0c4adc51b1ecec487143b1bc

      Download Submit
    • memory/224-64-0x0000000006700000-0x000000000674C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/224-70-0x00000000086C0000-0x0000000008C64000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/224-62-0x0000000006100000-0x0000000006454000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/224-66-0x0000000008040000-0x00000000086BA000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/224-67-0x0000000006C30000-0x0000000006C4A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/224-68-0x00000000076C0000-0x0000000007756000-memory.dmp
      Filesize

      600KB

      Download
    • memory/224-69-0x0000000006CC0000-0x0000000006CE2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/224-63-0x00000000066E0000-0x00000000066FE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/224-52-0x0000000006090000-0x00000000060F6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/224-51-0x0000000006020000-0x0000000006086000-memory.dmp
      Filesize

      408KB

      Download
    • memory/224-73-0x0000000007D30000-0x0000000007EF2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/224-74-0x00000000091A0000-0x00000000096CC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/224-75-0x0000000007C70000-0x0000000007D02000-memory.dmp
      Filesize

      584KB

      Download
    • memory/224-50-0x0000000005730000-0x0000000005752000-memory.dmp
      Filesize

      136KB

      Download
    • memory/224-49-0x0000000005980000-0x0000000005FA8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/224-48-0x0000000002DB0000-0x0000000002DE6000-memory.dmp
      Filesize

      216KB

      Download