Overview

overview

8

Static

static

1

bed2e803af...df.msi

windows7-x64

8

bed2e803af...df.msi

windows10-2004-x64

8

Analysis

  • max time kernel
    721s
  • max time network
    726s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    20/07/2024, 01:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bed2e803af396cf8cc937dd23ce7c198ea33a0718858cdf747293d8375b0a2df.msi

  • Size

    5.7MB

  • MD5

    d6d529277bb2807a69b86d0cc93a9a1f

  • SHA1

    693fcff06cd0af61a31ea05e373aec5c7f3e3549

  • SHA256

    bed2e803af396cf8cc937dd23ce7c198ea33a0718858cdf747293d8375b0a2df

  • SHA512

    26547b26ac6ba66db40a898d5aae1fae8a723e6f6e27be291059b48346c092d3537f24c72f582ebc5a5f61ed493cfb3f10156c1fbbfd3c5774728b29756197eb

  • SSDEEP

    98304:coVHYDgF9ycl9HPcGJ4Ea2Uk9RE8xmqqSRZxdKJkLT11N:csN9yIZASRELqqEzdKiXXN

Score
8/10
executionpersistenceprivilege_escalation

Malware Config

Signatures

  • Blocklisted process makes network request 11 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Downloads MZ/PE file
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 18 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 18 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\bed2e803af396cf8cc937dd23ce7c198ea33a0718858cdf747293d8375b0a2df.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3008
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 15491BD03CADA0F54EDCF3853231A159 C
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssA798.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiA785.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrA786.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrA787.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1864
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 8620DCC7223838C0436BA45E241C3CE9
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss3862.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi3830.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr3831.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr3842.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
        3⤵
        • Blocklisted process makes network request
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1484
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\PDFFlex\pss8E4F.ps1" -propFile "C:\Users\Admin\AppData\Local\PDFFlex\msi8E1D.txt" -scriptFile "C:\Users\Admin\AppData\Local\PDFFlex\scr8E1E.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\PDFFlex\scr8E1F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
        3⤵
        • Blocklisted process makes network request
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2204
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1812
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000068" "00000000000004B4"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2256
    • C:\Users\Admin\AppData\Local\PDFFlex\PDFFlex.exe
      "C:\Users\Admin\AppData\Local\PDFFlex\PDFFlex.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:1956

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\f79315f.rbs
      Filesize

      1.8MB

      MD5

      25fb97f2246e07265a063ce8d13c7b63

      SHA1

      1c673adbc9cd3ac84bddf18b52e1634d31c80041

      SHA256

      8d2c744c05e3e1fd7555bd46a57f2581b4c6cd222215d6ebbc43d929bb1a79c9

      SHA512

      d1f6e72db8382dc2e39d9a4e1a31992d4be122882434de2496d4bf61c150eb54035c30366f81770cd3e14dae04149c258b0d4ae9bb05c5fd3c007dbde156d1d9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560
      Filesize

      1KB

      MD5

      e94fb54871208c00df70f708ac47085b

      SHA1

      4efc31460c619ecae59c1bce2c008036d94c84b8

      SHA256

      7b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df86

      SHA512

      2e15b76e16264abb9f5ef417752a1cbb75f29c11f96ac7d73793172bd0864db65f2d2b7be0f16bbbe686068f0c368815525f1e39db5a0d6ca3ab18be6923b898

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      dad0f0668838c147f99ecd0cf2639686

      SHA1

      a90cdff9db1905abc531cb7c093db36ac41b7878

      SHA256

      48e481b1adb78f050316e2bd8d99e67ca7a3fd949d61b4be12809a185ad0c904

      SHA512

      9333cc2e63605d86a5052794f4257c4c35cef887364b8f475b9793157f22c9e15ae54464c3ba183ad761893ef1216b7cd725fd53b778856a874cc3c619bb0958

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      398de5d470c3e1256c676eca613df313

      SHA1

      3885c130154e73c4febd4fce51725c7bf282d35f

      SHA256

      bf28f7243fc340757a73aef30a31a2936910908374e33fb8091a197d595f9dfa

      SHA512

      149921ccc0c9e6e5b99f185ffa0ae087d4d3ed4c9fcb7c80f614464fa2e331efc1b6077989671724a2891017446485cff922da6c12b9ede30666f87fd83081fe

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      e91d061bf38ace81b9103b0e253c3107

      SHA1

      ea3c6f69f42570c4e0dce3fa4712345dd9456a3f

      SHA256

      62107a2a1d01220445b582463f2fbcc2234f996400ea34d05a180aa2f715272b

      SHA512

      5e64fc89cde942b4ae0eda1d3b76c3cce224473f2322554031e5a22c5aa4bf6e9e21cb968b737e1d8469c80073e586d509a02aa4176ca5de1bc4081c1d58b0de

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560
      Filesize

      264B

      MD5

      4786e6367b8194ad720d69e98047b088

      SHA1

      93769c70b7d0a316db07ea291c9a922645b41b9e

      SHA256

      745dc66135dd001e5a57e904d6624e4a2d0fe6b5a485a3380890ed2906eea39e

      SHA512

      76f8a17e879f9076c18166e0cfbc81be0dc72f2565d49a29d73c96737d441a18a3820b156c4045b530677e36d2eb3de410455bbe902294071f28849ee7dc7d67

      Download Submit

    • C:\Users\Admin\AppData\Local\PDFFlex\PDFFlex.exe
      Filesize

      2.8MB

      MD5

      e90d4e0374818290b3ea5a13a53b7f7a

      SHA1

      28e319c9d03375c620ec61c6d324644390e3f784

      SHA256

      ba16281157dcce95ea428e20473e13bb33345da89c43d0832cb11901c93a4e3b

      SHA512

      c89fb9e7aacb9868d89c0f16bacbfca05f4f5aff950b3566bf168dc3e6509686f28151e5b26a6689144861f82160b29fa1ed3244eb829079ee50abe184742b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\PDFFlex\pss8E4F.ps1
      Filesize

      35KB

      MD5

      3c8602f77bda13ed084bc7fdc8f6426b

      SHA1

      ded137bb1dcb9f747c65f4769cfbccc54923b4be

      SHA256

      757a5fcdaf5cdd065c6c6134f0ee169e93d7bcaa4aa874f7fe35bc1b88f0f12d

      SHA512

      3794442d07e5bdb1ea19ae57a710aae42cb82434e7b9f57eb15819a17cbea77fefeb84620c7740ffa5eea5af439524d94782c2e0a7990fd9c186660c6a1ecd59

      Download Submit

    • C:\Users\Admin\AppData\Local\PDFFlex\scr8E1E.ps1
      Filesize

      31KB

      MD5

      c16c685bd3c54148e3858cfd4cf40610

      SHA1

      6620d71cb7659a1269cf4bd30b61b3ef16f90bdc

      SHA256

      21ebb34bd7012ce68b3cf9166763578870844eea692db623f38458f9921990e8

      SHA512

      25977007a64464c5bdaa2d0f27f0d6c2065577f8b5f6ee5695bf3290e02f95854a2c5270e6e4fd9da4f87768dafa6d0258996698974fad8f268c03102f115cd7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab9C13.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIA103.tmp
      Filesize

      738KB

      MD5

      d0c9613582605f3793fdad7279de428b

      SHA1

      8b3e9fb67c7beb20706544d360ee13c3aad9c1d1

      SHA256

      8bd84f1156ebdfa44afaac8a4579ba56a8c7513e3d51e00822167ea144923726

      SHA512

      3640a0f53730cad7323473f99a2049833db58eaed00f94b75b4a03b07cc8af99c104a40b2e888307055a5c9740b5fea4b394aa15bc78a3102088cc0770713eac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIA4DC.tmp
      Filesize

      759KB

      MD5

      a2317ebf66616e3b13218b2b9739cf74

      SHA1

      9fbdf90fb9d2bc93f025c16c94347eb817908d9d

      SHA256

      d6a3c9c614fa4491a1bd988d86687515e15edf7e0cfde2159d0850bf2c5c7c89

      SHA512

      8d11a2174e3ac7eefc776ff3d95ac65517c4af78f2880b84c6ce1ed65990e769cdbd5cc3d5755cc0dd9fc69a7c2408b32dde6205503f9a67ec96008c87b1f2e3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar9D4E.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pss3862.ps1
      Filesize

      35KB

      MD5

      b245d96a56234193ca04748bbee16b22

      SHA1

      96f2ee9f8c9e4562bf3557158b048e2b9e11717d

      SHA256

      63bdf6b66fa14d04a7afd29d6d021b0105173eed3b5a602952eb2768f3b1e7fd

      SHA512

      4e96262a60b942f9ee5c0c21942020cf21d05f2941b6b76cdcb860f7dbbca0e9d7aee4dc2eaa7937a681ffed73dc4383320314ddb169bc7a88f473cdd42c2c92

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pssA798.ps1
      Filesize

      35KB

      MD5

      5685e2229088a3d1ab15900f086471d4

      SHA1

      c4b448907901c2a3ce65e97c0898c0fd8ee14860

      SHA256

      25f5305a280ab8b960c396bfa335776bd4da78b41e77961c636bf646173d2ebc

      SHA512

      e5e7bc437fcc4248687de82360e4fd4614b93f367beb39f05ac46f0c812256462d9c3be310e83be235aa89c37a0d689cd6ce1437dd6e0b983f03368a42ab1763

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\scr3831.ps1
      Filesize

      31KB

      MD5

      918e43c67149ed4e7b2d27b8b6b34f4c

      SHA1

      aaec9a93e6607c730ee53089640d343d4f7bb6cc

      SHA256

      4062431e7ec186dfc60a1d05faa4b0db4ddf2113636a9435728cf332efec09bd

      SHA512

      5c531ae5f767c78a8a75306fa4c2690f8e634bee502c419c47447bd52c8cf16857ad2a02106855bdb08f26c5a5f6efd597a7867eac579c2c22da2d1fd04dde1b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\scr3842.txt
      Filesize

      318B

      MD5

      14643dc506a289d18575cfae8a8253b2

      SHA1

      60793e82d4b7adbc434d2b6f9115e5abe28d1520

      SHA256

      8afd7e47e6ccead6a37f6193eeca2295e7ea36f39d75b202df822a7153b3c724

      SHA512

      8d455a45b1317168ed66404e19e27e07ecc3c613e9a32902020c5253225df710d5d4c2753341feaa0b30722fd8c69df91f1a2972f0d3463e13b016c6be4199b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\scrA786.ps1
      Filesize

      32KB

      MD5

      74358ce8e6bf38add2d593e8e31456bb

      SHA1

      a8e6fc7b60e27f3c936b39990c213e74251695d8

      SHA256

      32939b9f7d28e87e2bed73f67b144145bd4e3f9ac5936cbe4c0e68e7b6ef380e

      SHA512

      c6d87d14b4fdf457e8f5a01fedc954b56903202403fac67ee2c0f06322d8e9342887f3df68cd7974dcb9ec5b4befe0fc8e866e50f33f517dcb897b6204b289b8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\scrA787.txt
      Filesize

      238B

      MD5

      d0a4e858bfe0ee5efeb8e01158006521

      SHA1

      6163bd5f6cd8c23a6ce21185106d36c72f840edb

      SHA256

      41618177c2098258397686fb33d3f7ecd0b0f1ec8156cb35f70db38ee5b93d49

      SHA512

      21c2be203d1c1934706ea488e75e6b07a634161ff52698fc5ba30a8e61f0a718e93f86de835ba961de21c40bc20fcce6ad540cc09ba55a11096648097044e41e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      3049eef44a33f4a1d6b5778fdce92da4

      SHA1

      d5e4f47c03fb42f05fd9696a8e28dd221b8f0b3c

      SHA256

      de40c0fbf5789629fad5f15c63d8d46179f85ef3f55f3a6084abd041d6638138

      SHA512

      ff752d0ed35ae4478a71d4fb8b0b9b70b00d81f0595ead50958db85256ade87290ed95b3501c6877496bf32df1ab052a8da62737b09f0f4b5bf1c97a6aafd15a

      Download Submit

    • C:\Windows\Installer\MSI4836.tmp
      Filesize

      512KB

      MD5

      d1395cc27fabb23ff098c0954b7725a7

      SHA1

      b782d01c84471849d92e130e5af448de8040bd58

      SHA256

      a2f7155c0ce5e3c69fdcff6d89df011a6d4715eae2853104f2480800d63eb69e

      SHA512

      a5c531d4cb099e91a498dd738804eaf8f47573bb802d15bc550c438ca117ea61258cc886ede7b91f83b9570f73f3bd3c08718819868a1e92249fcb3d5bcdb914

      Download Submit

    • C:\Windows\Installer\MSI498F.tmp
      Filesize

      757KB

      MD5

      5a72f5f620d7363c21dac3c062225203

      SHA1

      e083f31c15020d54e42103099dc240be4cbb7430

      SHA256

      b312faf20d72a4e44be87530beb446298c85fef73c79130c6d13aae6720f585c

      SHA512

      c742314859a75672f8e049ef52db54e48d34b48b9ee6c6e8677ae376d6f0aef6589ffdce90b37c9f8b987ea35d2ec42a07937ce0ba05f3158bf0c79a4f0db987

      Download Submit

    • C:\Windows\Installer\f79315d.msi
      Filesize

      5.7MB

      MD5

      d6d529277bb2807a69b86d0cc93a9a1f

      SHA1

      693fcff06cd0af61a31ea05e373aec5c7f3e3549

      SHA256

      bed2e803af396cf8cc937dd23ce7c198ea33a0718858cdf747293d8375b0a2df

      SHA512

      26547b26ac6ba66db40a898d5aae1fae8a723e6f6e27be291059b48346c092d3537f24c72f582ebc5a5f61ed493cfb3f10156c1fbbfd3c5774728b29756197eb

      Download Submit

    • \Users\Admin\AppData\Local\PDFFlex\WebView2Loader.dll
      Filesize

      113KB

      MD5

      80243b7f55a36f54b0c1c3735e883861

      SHA1

      06800e33619b24c60292aab984df47489ce4d64b

      SHA256

      7cddfcd327290d5f1b997ea9636a4595b5188c8a5ab495a4251bad46709a0c62

      SHA512

      06dd2a24e898d11dbf3b03df208ac9822e4ccadd6a38c424b17ed94cb00b1372ba5794fe4fa93ddf7175455c950301c0bcb3134748d5494f089d01fe8c68ba07

      Download Submit

    • memory/2664-428-0x0000000000410000-0x0000000000412000-memory.dmp

      Filesize

      8KB

      Download