Analysis

  • max time kernel
    209s
  • max time network
    198s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    03-07-2024 14:54

General

  • Target: 123ca4e6808c427238533a0893759ff35bc4a23d9404c8ab689b8163cd391a12.msi
  • Size: 232.4MB
  • MD5: 61c2833cc970b8640db8d2d43bca6703
  • SHA1: 3aca5519f2b336ad6e1a71aaec8053074a33de60
  • SHA256: 123ca4e6808c427238533a0893759ff35bc4a23d9404c8ab689b8163cd391a12
  • SHA512: 9678f80c2bbd4e5ccf0025750ceaa9bcac5d45232ceb97328b4cc7b916d675cb8650245f036759d56aecf9724664b4881171afc888ee0fea793ed03f06fa07b5
  • SSDEEP: 6291456:PRNmz8s0sxvOQzKnjk2y/KdJRZ7nofH9Z2Tvu:hYxWQp2J/DnofH9Y

Malware Config

Signatures

  • UPX packed file (4 IoCs)
    Detects executables packed with UPX/modified UPX open source packer.
  • Enumerates connected drives (3 TTPs, 46 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops file in Program Files directory (8 IoCs)
  • Drops file in Windows directory (14 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (36 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Event Triggered Execution: Installer Packages (1 TTPs, 1 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
  • Modifies data under HKEY_USERS (23 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (17 IoCs)
  • Uses Volume Shadow Copy service COM API
    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\123ca4e6808c427238533a0893759ff35bc4a23d9404c8ab689b8163cd391a12.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3892
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3808
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 16F345FB93849AB9CAB89AB875E4DFAD C
      2⤵
      • Loads dropped DLL
      PID:4804
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:2644
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 3528116966E2CC5C2D3DF9454C31C883
      2⤵
      • Loads dropped DLL
      PID:3416
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5D819D51BA51A707CD1F0FCF22EC78AA E Global\MSI0000
      2⤵
      • Drops file in Program Files directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:4708
      • C:\Program Files\Windows Defenderr\xf4bG4uMOh\xf4bG4uMOh.exe
        "C:\Program Files\Windows Defenderr\xf4bG4uMOh\xf4bG4uMOh.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1172
        • C:\Users\Public\Documents\TaskLoad.exe
          C:\Users\Public\Documents\TaskLoad.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:3828
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:2208
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:1852
  • C:\Users\Admin\AppData\Roaming\xiuxiuX64—\美图秀秀.exe
    "C:\Users\Admin\AppData\Roaming\xiuxiuX64—\美图秀秀.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:4360
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3324

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e57fa8d.rbs
    Filesize: 38KB
    MD5: 5487998c01f223fd9c5effec9926fc71
    SHA1: d6fddaf8e574ac1db67f3980f29b729710d02726
    SHA256: b3970a48d14e1c1ca1148d036e1461b0e40813bb479947bdbae56dd8875d4d3c
    SHA512: 1c1c9e9e9dd217e3677e8c3bc3359ebf1e67cd710c073120e8e82dbce2450a2789939ed67bd96268035f3ed15dbeb063d5f88d080e71bae78f5e44c267ba387d
  • C:\ProgramData\1
    Filesize: 2.0MB
    MD5: faf4a129b091a57c3ff694dc721d4f3b
    SHA1: 7430935f501164b46b99766ed9ab68da0db50c24
    SHA256: b1d13ed7409ca47f47d200f6b26d8da6a07e645ef49ddc9a28486f46bb8c41e7
    SHA512: 0103d9bfa27c809f978a2ac805e5eb59e07f0f0eef8aecf2713d8af1bff0d54fbc24043435cb67f550d5afdd6f0a2bc5c0026b6e920efe2ad21b619bbfbb0583
  • C:\ProgramData\11
    Filesize: 72KB
    MD5: edb6b04b2a24933d42cd83e6d2de8074
    SHA1: e3fdd7bcaa48912edd786c006ed8dbf9a3706be7
    SHA256: 8b6591eec900240f2530a91347936652b7921182b4a16efb23c943b9885e7799
    SHA512: e41f0ddc836e510455e1226c43ae6fa34047e01564c9e527f6405abdb3e621bed883714ac5dac99018668fafe459356cd102c1e77f8fd96f246426fd72d8eb4c
  • C:\ProgramData\12
    Filesize: 92KB
    MD5: e61e00f904f561ec9e6574ddec3bb65a
    SHA1: 6458b901d065848b44988bff89b8e7933a43d7fc
    SHA256: 25bff93e68ed9086a8effd7c79e01fca7d3ab228b158acd57ebf583d0054e364
    SHA512: 06ee9b0b36de98cceafa938cab3f6523be42a869d4e28ffbb1dcbdcee363eeedbf320923653cc90450d0fb8d14cbaf74768acbe78c7177747f2a637103d043ac
  • C:\ProgramData\15
    Filesize: 196KB
    MD5: 8dcba1d7e17b3e1488d8ced934f6cc89
    SHA1: aff37e2cdba9adc6ea1be364f5c3cb602aa5d026
    SHA256: feaa74e655bbdf22825d5af46c975252423af6e4056d346840c48eff536a9a96
    SHA512: 62ec5fb14e1b4743678d29bc1d5d73095c716d4bec5e4e910812ec627baf344e7cf4d0fb0e385281a5fac745420dab5ba6b8de60e7b4062aca7edc83dd5d5eb7
  • C:\ProgramData\2
    Filesize: 80KB
    MD5: e472f2b8f36fda019a31b759a0eae43e
    SHA1: abbd73eec15e820fb5bc2490f0205fa583adc2f2
    SHA256: fcb39506b6e06d6c59e0c718457269dc77ba2f7c21cd1d68a4a99bbf36592606
    SHA512: 3810c34c4bd613e7c255e8158a4d8ffd79910cb1d3e9f62aab5149c0f394531fb0217b6ea12635b87e37353fe88f18c30d66a40161388f552e74f6aa4b8241de
  • C:\ProgramData\4
    Filesize: 340KB
    MD5: 7df01bd2cdf14bf30e3440b7bc16b6d6
    SHA1: eab6bd36bcafdbfcb52f65508512461f225f74fb
    SHA256: 08fe9d71cbc99645200cf00f8d2ffb0b2abb3c8f6e4a05bda227ba3fc5aba3c5
    SHA512: 107aee7c2d5a88d4cf8b6e9864f501d0ba01c42238b900f83eecf7390bda477623c29820cb992a435a7597d6c90d413a2b23e10907eb992b676058503b14c634
  • C:\ProgramData\a10
    Filesize: 36KB
    MD5: f0284892937a97caa61afcd3b6ddb6d4
    SHA1: f3c308e7e4aaa96919882994cdd21cc9f939cabd
    SHA256: 2514913f8a6f4671a058304651289b0babe47d81c044212b3140ed1c1b643b09
    SHA512: 058845e0a9a5892a69f24f3a77086e3f9546493ad40a0e5359aed05cf8882a9f3d7aee0449648d5cb76e51530af3e46af59a9b196cc92318334116c92dde4171
  • C:\ProgramData\a3
    Filesize: 13B
    MD5: 23c49d547fe2073acaf63c3705212c82
    SHA1: 20b5e8b7e80116a1daae958ec14a3c3d6b45fed3
    SHA256: ad0b993143bdf13ac876461d34801b262315692daaed51ebcff8ff77544ac5a5
    SHA512: f2c8c1dbc792de08dcbe4f34efb4b750e81eedb387da1352223d625ab7ca3440e1470de332be6942f6889af81ff5b4e090373023ba7699b8f00ce429bb55ac17
  • C:\ProgramData\a5
    Filesize: 56B
    MD5: 6f10d76e583b39191028ab57f8edbed9
    SHA1: fbaa6e99f3a88d1e4cd606ca45debed661135c1d
    SHA256: 847f6e3577892365fadc94648eabdde48b9660590ba109e8387a9cb984aee476
    SHA512: 17a2f133b321fb9ac992e03da4ada3b3e5f1e507c7656d287ea00efddc50885c9ea9f337dd6b8cd52015060b4f0f4fc7832a7a3603ed5a3b498d8da47916743c
  • C:\ProgramData\a6
    Filesize: 200KB
    MD5: 078c21b8c91b86999427aa349cf5decf
    SHA1: b939376eaebcf6994890db24ddcb2380c1925188
    SHA256: ed2c6bc3e77a404b8cf61176844ad19c1fdcae19881206631e3f0831a4bd919a
    SHA512: a006a36fdcaf4c2403238475163553ba2fe7783fea200f28df46ea980a3907d2b24c854153b45b730195a133fcb28f60c157f33c865ea286ad8c354981cf5885
  • C:\ProgramData\a7
    Filesize: 494KB
    MD5: d1205c0fd498f6e69ae1482bbc3490c8
    SHA1: ca484f7e2838dff1071a60fdfc244a35e1bec8be
    SHA256: d38f23f952b3180db63cf4d60131024a6c5ffeb71a3be1795077da6dbc5dfb20
    SHA512: 2fcec21ba75ee07d9f483ce745f41d4c39101d100d09bc6adf80dd5170a885e0ca48c226ab9d333471c9cb1fc2c4420793661e1aa9e492025e827419bb19c796
  • C:\ProgramData\a8
    Filesize: 21KB
    MD5: da08e194f9a7045dbb19f6e5d5d7f609
    SHA1: 7884062382bf1e7911f7e74198ca9fecec159c61
    SHA256: 9bd52ec7e7750500de33df995fcc7e68ed1da70d125579cf76ae8f787577ef75
    SHA512: 46720cd0677064b00a9e253953b8b6cd5141a99d0090ff0d7c4a24b830ca621878bcdfec3c56880f940662bd78f408782231bdd3cb370e06dadfee71e3e2b2b0
  • C:\ProgramData\a9
    Filesize: 13KB
    MD5: 37aa892a6f35bcbe9b01f0a424f5d4f6
    SHA1: e5d60e43a8e0a4b7371bd736e21b1a59546774af
    SHA256: 6feeb95115d7d8a51403996fee1ad219a52151662d3a01a2d17cfb77dbd51f3b
    SHA512: a5d5ac494cba18bb5b2582310416dc2e146732ba4f2eddab6611393d61ac0ae839bacae0da1e85f0965575e6d6284b1180e2e3adb924f1e19d2d7586d2abbd83
  • C:\Users\Admin\AppData\Local\Temp\MSI7EF4.tmp
    Filesize: 588KB
    MD5: a9941233b9415b479d3b4f3732161eab
    SHA1: cb2d99af52b3b1c712943b13e45d85c80c732e57
    SHA256: ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
    SHA512: cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7
  • C:\Users\Admin\AppData\Local\Temp\nsh2335.tmp\Config.ini
    Filesize: 4KB
    MD5: 9bb5e7c1180f0b65d3374581a5694ab4
    SHA1: 8ef07c4e50f3dc1777cd90afab64633e2410ea59
    SHA256: e60d108bb9446239540b936d7d9346bef90a8baeb55d60d09983c29e5ff5c97f
    SHA512: 65490636fd393dd047aa5f50ce6bba67c51449416dd6eff20f3166156f0fda9c4c9806d3e865aa892142ae4c1ebb0ae052b7f1578acf608c39eddde6718e74c2
  • C:\Users\Admin\AppData\Local\Temp\nsh2335.tmp\SkinEngine.dll
    Filesize: 1.2MB
    MD5: 5d71ef22e9a4afe4257ee67a7ce2c7ec
    SHA1: 3818872bfc4d6efa863892145adf80e26c2c816e
    SHA256: 0e82401f2105babf1a9c0221946025f32255a0b0f756f7cb302e0ee8b865b0a2
    SHA512: e6bf869d2aa302b7ad1cb1e36720c3482f00fe3ed7efb6c21f319c57e5becb374a53427309ebbefb3ec269f92a81dcd315c42b68b1e8bc786b28328fdb4e53df
  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize: 26.0MB
    MD5: 5436a7b37e8a35471959fdaf7bccb063
    SHA1: b27e4f7a68a90c3ecde3f895b95c82efa5d4b13a
    SHA256: 53d1da733725b39683fba5007e1d286779e77b9910fc0951f95a0cbbd181fa4b
    SHA512: 9101d49244c494eef9de1c179b8de7a62be68575adfafab3ac25876381a909097f5e0acd47b95e873320574ce7a73da337ae55a4b716f016195b8859be25a299
  • \??\Volume{38fc5f00-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d73704e3-630c-4dc0-b22e-2f2a20a6d100}_OnDiskSnapshotProp
    Filesize: 5KB
    MD5: 6f2d4fcaacf263d0a951e716090e3256
    SHA1: 87c12ef370250c22a568603cadf151f651ecc4a5
    SHA256: a9bde629fd25f2690f11557e840dfdd5b75bd8783a2528e18a0027fab8bf2431
    SHA512: 929477f16753a2c0dfa6d1422feb123c401173fce80344e9e87976d06a9dfbee77701760de242599a6d5f70955c49a2d53c552a6de1329f716a7290b12387ba6
  • memory/1172-253-0x0000000002D40000-0x0000000002DD2000-memory.dmp
    Filesize: 584KB
  • memory/1172-246-0x0000000000AC0000-0x0000000000AD2000-memory.dmp
    Filesize: 72KB
  • memory/3828-265-0x0000000002270000-0x0000000002282000-memory.dmp
    Filesize: 72KB
  • memory/3828-267-0x0000000002D60000-0x0000000002DF2000-memory.dmp
    Filesize: 584KB
  • memory/3828-270-0x0000000002D60000-0x0000000002DF2000-memory.dmp
    Filesize: 584KB
  • memory/3828-271-0x0000000002E00000-0x0000000002E33000-memory.dmp
    Filesize: 204KB