Overview

overview

6

Static

static

1

node_expor...porter

ubuntu-22.04-amd64

6

prometheus...nu.vbs

windows7-x64

1

prometheus...nu.vbs

windows10-2004-x64

1

prometheus...om.vbs

windows7-x64

1

prometheus...om.vbs

windows10-2004-x64

1

prometheus...u.html

windows7-x64

1

prometheus...u.html

windows10-2004-x64

1

prometheus...k.html

windows7-x64

1

prometheus...k.html

windows10-2004-x64

1

prometheus...w.html

windows7-x64

1

prometheus...w.html

windows10-2004-x64

1

prometheus...e.html

windows7-x64

1

prometheus...e.html

windows10-2004-x64

1

prometheus...w.html

windows7-x64

1

prometheus...w.html

windows10-2004-x64

1

prometheus...s.html

windows7-x64

1

prometheus...s.html

windows10-2004-x64

1

prometheus...etheus

ubuntu-22.04-amd64

3

prometheus...us.wsf

windows7-x64

1

prometheus...us.wsf

windows10-2004-x64

1

prometheus...omtool

ubuntu-22.04-amd64

3

windows_ex...nt.msi

windows7-x64

6

windows_ex...nt.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    50s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 06:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    windows_exporter-Agent.msi

  • Size

    10.1MB

  • MD5

    7096892e6330a1630ac9c588aa01e3a2

  • SHA1

    3adbaa05e9def1d97823615f2f47669bcb1d8395

  • SHA256

    822166c33ce415436a287f4f5bf34c9737da5201cda3b6a31ffc5b2be5023679

  • SHA512

    73462b1b03ee2b81eb421e13fc466224666db2c6312e4424cf6451001f2d94ea5006f71957ab1a5c9617a862bb44f27f919dffc370637345a5b17fe7f885e540

  • SSDEEP

    196608:djo2fy0hWWpfeZdkW2ijrtlT95y0DalZEM/Jbr1ZOONCbLmUo2hWN:dES/UWQdz24R2JbrzOsamU+N

Score
6/10
persistenceprivilege_escalation

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 14 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\windows_exporter-Agent.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4480
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4388
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:4956
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 0BF04B7C8F57319E8C3F83E0C7CA4661
        2⤵
        • Loads dropped DLL
        PID:3184
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding D1B8530D94B5D913608EED043D24B4DC E Global\MSI0000
        2⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:4204
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:904
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:4252
      • C:\Program Files\windows_exporter\windows_exporter.exe
        "C:\Program Files\windows_exporter\windows_exporter.exe" --log.format logger:eventlog?name=windows_exporter
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        PID:5072

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\e578f12.rbs
        Filesize

        329KB

        MD5

        a897f8b8240e9893ebe2b542fac1dd63

        SHA1

        afc81d238e7ec533aacb013f8588748fa28d5556

        SHA256

        0508ae59ff8b9f684265d65ae24a13eba79b0b9278b7558687d8559d865ab854

        SHA512

        12d187da96dce14d8e4c6f454f271c00d7ef50325f34176df90ce489c0a4ec807b0560b8f79fc4160dc0d5319fcb436f79f47f4ccb7ed576bdea1c71a9cfa998

        Download Submit

      • C:\Program Files\windows_exporter\windows_exporter.exe
        Filesize

        19.5MB

        MD5

        8a41cd83c16f6e9d060036ffee985f88

        SHA1

        0f90cc3cc01f3b96c74314dc562675948f5c89b1

        SHA256

        e99bcd3b0b4cc65c7ac40e95eb8a43c0ffa769fcb6b733a9ebc6c9f9d4ff69eb

        SHA512

        6eadb6dc7e8c79e8df88100643d86780a14bdcfd3617adfd4959c118493e1bb92bbf15b0969c645bb9502e1ca4caec9c866be309a565f784ac6085ef9f9c6d19

        Download Submit

      • C:\Windows\Installer\MSI8FFC.tmp
        Filesize

        118KB

        MD5

        f2d47929b432a0be6db3b25ac5f50ae6

        SHA1

        dbbd61fb1379e1d94dc0384f0c2e908c9c632d42

        SHA256

        0eae25d188cd1589844050135065aa302e716a2b691dda27d6ed18140aedef4f

        SHA512

        97601fd72456409ad3dc7aa816e29e53f6e7be80368fcc95c5fee90ff03fc7f36f8b105a705eea0e1af3d612b86c7793e74371d436ffa866d399c386078be58d

        Download Submit

      • C:\Windows\Installer\MSI90BA.tmp
        Filesize

        202KB

        MD5

        ba84dd4e0c1408828ccc1de09f585eda

        SHA1

        e8e10065d479f8f591b9885ea8487bc673301298

        SHA256

        3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

        SHA512

        7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

        Download Submit

      • C:\Windows\Installer\e578f11.msi
        Filesize

        10.1MB

        MD5

        7096892e6330a1630ac9c588aa01e3a2

        SHA1

        3adbaa05e9def1d97823615f2f47669bcb1d8395

        SHA256

        822166c33ce415436a287f4f5bf34c9737da5201cda3b6a31ffc5b2be5023679

        SHA512

        73462b1b03ee2b81eb421e13fc466224666db2c6312e4424cf6451001f2d94ea5006f71957ab1a5c9617a862bb44f27f919dffc370637345a5b17fe7f885e540

        Download Submit

      • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
        Filesize

        23.7MB

        MD5

        8580605c010e8bc5c3538bdc9af9ae78

        SHA1

        06ece6074f74dd92615b292bfd598229a2caacc7

        SHA256

        7559d05a097aaab8601391b2cd737638089208f2b2edde58af25243cc827bfc4

        SHA512

        57397a808094e878043fcf515a0db2be8d56cff755fe88f16e8fed5f3c30d692fc0449451dfbb831d4b27dae109d9612bb903df2e6b593a8a99095e04e9a1e78

        Download Submit

      • \??\Volume{8a2a71c9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2ec6e0e8-a7b4-4061-89bd-440d639bc250}_OnDiskSnapshotProp
        Filesize

        6KB

        MD5

        b0294751ccf3964db40ea53073e6bcf0

        SHA1

        084862580a9354ee025a08559a69561f49b31328

        SHA256

        ec16b61343ff91dbe35f0b9adccf5b3817db0e1b3a3ba8ca6cd2a6d3a429ce50

        SHA512

        e32b257c862f6edf389c250c97d654ddeccaf936a3c14736073ebaf68944892366543d108d196ddf7e2a8e20ad5e528c0557f964de1c7631058cfb2ea09a69fc

        Download Submit