Analysis

  • max time kernel
    150s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/07/2024, 03:19

General

  • Target

    b172b565dc16b29af83689cf6a26f62372e33f2640109a4ddb15d89f6bff3e6d.msi

  • Size

    2.3MB

  • MD5

    a6b76f7da9d91576084c7d221327c662

  • SHA1

    6186cf54c44bf03a5ca03584e422f7e3b520758f

  • SHA256

    b172b565dc16b29af83689cf6a26f62372e33f2640109a4ddb15d89f6bff3e6d

  • SHA512

    429cce1be05317d3e1898295f9c4c96d98aa8f86414a0436be8b198dbc25efc1195c6041ba2929e27bf3f66776794c8c744ea67b0cdc18a8076b57fb9d6fadb5

  • SSDEEP

    49152:yBmjBI2riRojPOJJzhHC9th5U8aYUYtAY9ALLz+OW35ocqcMm6c5HFYw2:3jGJJ09T5U8aBYtrGz+OWJocqcIcD8

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b172b565dc16b29af83689cf6a26f62372e33f2640109a4ddb15d89f6bff3e6d.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2304
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C7C1D7A5F5D047CEA8423C31F186AAF4
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\SysWOW64\cmd.exe" /c copy /b /y "C:\Program Files (x86)\Microsoft Thunder\1" + "C:\Program Files (x86)\Microsoft Thunder\2" + "C:\Program Files (x86)\Microsoft Thunder\d" "C:\Program Files (x86)\Microsoft Thunder\wuaucltsCHS.dll"
        3⤵
        • Drops file in Program Files directory
        PID:2944
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\SysWOW64\cmd.exe" /c copy /b /y "C:\Program Files (x86)\Microsoft Thunder\1" + "C:\Program Files (x86)\Microsoft Thunder\2" + "C:\Program Files (x86)\Microsoft Thunder\e" "C:\Program Files (x86)\Microsoft Thunder\wuauclts.exe" && start "" "C:\Program Files (x86)\Microsoft Thunder\wuauclts.exe"
        3⤵
        • Drops file in Program Files directory
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Program Files (x86)\Microsoft Thunder\wuauclts.exe
          "C:\Program Files (x86)\Microsoft Thunder\wuauclts.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1892
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\SysWOW64\cmd.exe" /c copy /b "C:\Program Files (x86)\Microsoft Thunder\1" + "C:\Program Files (x86)\Microsoft Thunder\2" + "C:\Program Files (x86)\Microsoft Thunder\5" "C:\Program Files (x86)\Microsoft Thunder\zzsbas2.exe" && start "" "C:\Program Files (x86)\Microsoft Thunder\zzsbas2.exe"
        3⤵
        • Drops file in Program Files directory
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Program Files (x86)\Microsoft Thunder\zzsbas2.exe
          "C:\Program Files (x86)\Microsoft Thunder\zzsbas2.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3064
          • C:\Users\Admin\Downloads\ToDesk_Setup.exe
            "C:\Users\Admin\Downloads\ToDesk_Setup.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:292
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2824
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B8" "0000000000000594"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\f7875ff.rbs

    Filesize

    8KB

    MD5

    7dcbdeb7c8cd258774d9755e0a8d6817

    SHA1

    58ae0d854eb8e1d056fddd38530a0fdc0c360bda

    SHA256

    06562623a32e66b12f66d45e36e97cb18306ff1b61f94e844ee405afc5c66193

    SHA512

    e2c8ff44f430141ec70dd5ebde3762d3b0c419124da3e79d5f480a3521698d8fa78aaa0881dfebecd7db037a5d150f82b21086ad4b4a0bbcb58a425ac1acd389

  • C:\Program Files (x86)\Microsoft Thunder\1

    Filesize

    1B

    MD5

    69691c7bdcc3ce6d5d8a1361f22d04ac

    SHA1

    c63ae6dd4fc9f9dda66970e827d13f7c73fe841c

    SHA256

    08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1

    SHA512

    253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12

  • C:\Program Files (x86)\Microsoft Thunder\2

    Filesize

    1B

    MD5

    21c2e59531c8710156d34a3c30ac81d5

    SHA1

    909f99a779adb66a76fc53ab56c7dd1caf35d0fd

    SHA256

    bbeebd879e1dff6918546dc0c179fdde505f2a21591c9a9c96e36b054ec5af83

    SHA512

    3225dff071cd0ccff736b0b159cc722963310c008472be814669451a062c25c5f7654f079d3e0ae1cf2fda1551a5a0b1f5e988383be7d383d57f73d4012c4024

  • C:\Program Files (x86)\Microsoft Thunder\3

    Filesize

    312KB

    MD5

    723084dc960935fd88e95d7223699e53

    SHA1

    35a41d2c056852d5c1e118f6699238446c6ca5a6

    SHA256

    8ca7f45f638fa2680020d13b78f58349f5584ab26c473a823c30fb96e9114ed1

    SHA512

    d0cf007febcb3c1066d656f0d26485f281772e61c1e47489ce910bae2afa0dc9cb33f3a4c845bf0bc5cbdc3f8c07d31680cb5b08c51f1071f8f8b1ae55c37017

  • C:\Program Files (x86)\Microsoft Thunder\5

    Filesize

    1.5MB

    MD5

    ef12dcaca96f9d128b285f02ebd8066a

    SHA1

    99ddb3b0585c193876628bceaebd059753d62cb1

    SHA256

    613be57bb5a6cd308b56ba76d506bfbdfcc47e163d13622fe9ed5a062da26158

    SHA512

    a2aed544ee743c51eba7e8d380fd80782063e87974d4fd8998d3e8fda3aaf880a637ea03596ba5e790800e27dffe54a4c625b32588ec59d28206ebf39b03006b

  • C:\Program Files (x86)\Microsoft Thunder\d

    Filesize

    608KB

    MD5

    f294394cee9d4324edc61e7287c432f1

    SHA1

    eaa7700d0866eae156eaf04c6c3578fdd98662e1

    SHA256

    fa5cca6ad0e484a907aa870d3cbe8dce45bb36d150d7779b575a231c5f0e350d

    SHA512

    be480cbd5405234ea3d69613221b3ad3b73d3b9d5f80df2ebbd58b91aa726527c262ce292d9796d54e7f4148cd984a959e42c46f9168448b38dd6d785faaba95

  • C:\Program Files (x86)\Microsoft Thunder\e

    Filesize

    1000KB

    MD5

    101f4387e45aa6c2deed946a7e6aef37

    SHA1

    99c707373e30f10b33790bf99906afa44ef17c57

    SHA256

    2e2543997a45c257db305846a5a85bffbf2a6f00f7eae2c8683dc59a90d59caf

    SHA512

    b62a851fc06e749946200afcc69eb4325bd4afa4b0033da6855342d2cdd3334b04563b9da63be64c35db42c732c8bc9b973fdb858de19af26914be0b59bb9853

  • C:\Users\Admin\AppData\Local\Temp\nskFFE3.tmp\skin.zip

    Filesize

    733KB

    MD5

    948fe68ee9b8c8439488064aafd7fa14

    SHA1

    1d3c1836103a331a163772ec4e4ccb9796cfae46

    SHA256

    76d2aa1741af236e62428ae5732f305a8a945dd2318eea97dade0765e9241301

    SHA512

    d9d97a209050a71f7801f8023aabb950e5f7ccc8a7d75e36aa1ae5151d729ba7eec6584c664e87d84723386e01c290153c1427399f6bdd1f7fc247d710a2d544

  • C:\Windows\Installer\f7875fb.msi

    Filesize

    2.3MB

    MD5

    a6b76f7da9d91576084c7d221327c662

    SHA1

    6186cf54c44bf03a5ca03584e422f7e3b520758f

    SHA256

    b172b565dc16b29af83689cf6a26f62372e33f2640109a4ddb15d89f6bff3e6d

    SHA512

    429cce1be05317d3e1898295f9c4c96d98aa8f86414a0436be8b198dbc25efc1195c6041ba2929e27bf3f66776794c8c744ea67b0cdc18a8076b57fb9d6fadb5

  • \Program Files (x86)\Microsoft Thunder\wuauclts.exe

    Filesize

    1000KB

    MD5

    ef0b478c1900bada8c62d5fe87af5256

    SHA1

    cfb9127848898dac833e91d160b17806967f01f9

    SHA256

    df05aa6d969bb64da9e0a1128d86e53c6411da927aa82454fb518215d35fbd6e

    SHA512

    b071597df9a9b25d9d548f15f0215d55b8bef1e9b2f9caa722bb2533942aca63f68e7227e473740b8c3791ab183395e4cd933297f2eba5fa7d5010a24805a50e

  • \Program Files (x86)\Microsoft Thunder\zzsbas2.exe

    Filesize

    1.5MB

    MD5

    9f096dd198d6bc62de3c1ce83fd0515b

    SHA1

    e90953f5d8e7d960545578461d7bec5910618712

    SHA256

    7d4da056d28a57a4c26eee1b36e59df55ea4f22bcf805d46482e5c91874fbf76

    SHA512

    b8e06b7b57e5470049816f11df78e7589ddcbb99e25b4667f3e711e235584245cc7204a2fe9c555382646260f2f733cd4f75ead1197608da789adb523d890d95

  • \Users\Admin\AppData\Local\Temp\nskFFE3.tmp\System.dll

    Filesize

    12KB

    MD5

    8cf2ac271d7679b1d68eefc1ae0c5618

    SHA1

    7cc1caaa747ee16dc894a600a4256f64fa65a9b8

    SHA256

    6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

    SHA512

    ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

  • \Users\Admin\AppData\Local\Temp\nskFFE3.tmp\nsNiuniuSkin.dll

    Filesize

    287KB

    MD5

    bb0cdff5ac2d64723007a0b4f7962a02

    SHA1

    410889522ee8ea7308b054f71bc4cab078295e06

    SHA256

    33e460a080a621cda7896e96b6f1beee802b485cf99e18b27463cd362c484b08

    SHA512

    b4dc2614f01f5f01d5dec9e6a41e072d01e924d8a94ac0dc1050399fd1dc3cc8d53d7ccf162d750d166fca200771b0850191b30c7caada8edea9ba6d686e2402

  • memory/292-67-0x0000000074BC0000-0x0000000074C7A000-memory.dmp

    Filesize

    744KB

  • memory/292-107-0x0000000074BC0000-0x0000000074C7A000-memory.dmp

    Filesize

    744KB

  • memory/1512-45-0x0000000001E30000-0x0000000002196000-memory.dmp

    Filesize

    3.4MB

  • memory/3064-46-0x0000000000CF0000-0x0000000001056000-memory.dmp

    Filesize

    3.4MB

  • memory/3064-47-0x0000000000CF0000-0x0000000001056000-memory.dmp

    Filesize

    3.4MB

  • memory/3064-106-0x0000000000CF0000-0x0000000001056000-memory.dmp

    Filesize

    3.4MB