cf6fe3e88580bf31a1cbecb62a22e632c622da4ba9370bd7804f8e06c12aac5e

Analysis

max time kernel
24s
max time network
23s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dnf2024098992xml.msi
Size

18.9MB
MD5

adbc9edef9f65786ff7be64b6c721446
SHA1

1ff08d5235fa69d450c1b92d1308e8567b2251c9
SHA256

93c737e02b4b290af46956efc8992aed68656d1e886bc9f4293300979a4e5b21
SHA512

4f4c4ef0cf88ef4bd250b29b2a486aec7ec48bcbba22c68aacb2d2a858e44b026fe78dfcdf61cbe6a81d41db31cd968f64e62594b8cdbdc3f59a9c1a5ef57ed5
SSDEEP

393216:aLLMsEwlmGkG7Nvy+4sbKSvGy80nqUXRN5sktd5LSSCCpsJhqNO:aveS6G7NDTwfwXRUktDACp6q

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\MediaPlay = "C:\\Users\\Admin\\Contacts\\CDshost.exe"	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f76cea5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF12.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID01C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID0B9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76cea8.ipi	msiexec.exe
File created	C:\Windows\Installer\f76cea5.msi	msiexec.exe
File created	C:\Windows\Installer\f76cea8.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID491.tmp	msiexec.exe
File created	C:\Windows\Installer\f76ceaa.msi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2160	CDshost.exe

Loads dropped DLL 4 IoCs

pid	Process
568	MsiExec.exe
568	MsiExec.exe
568	MsiExec.exe
2160	CDshost.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2004	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	CDshost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	CDshost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1940	msiexec.exe
1940	msiexec.exe
2160	CDshost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2004	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2004	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeSecurityPrivilege	1940	msiexec.exe
Token: SeCreateTokenPrivilege	2004	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2004	msiexec.exe
Token: SeLockMemoryPrivilege	2004	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2004	msiexec.exe
Token: SeMachineAccountPrivilege	2004	msiexec.exe
Token: SeTcbPrivilege	2004	msiexec.exe
Token: SeSecurityPrivilege	2004	msiexec.exe
Token: SeTakeOwnershipPrivilege	2004	msiexec.exe
Token: SeLoadDriverPrivilege	2004	msiexec.exe
Token: SeSystemProfilePrivilege	2004	msiexec.exe
Token: SeSystemtimePrivilege	2004	msiexec.exe
Token: SeProfSingleProcessPrivilege	2004	msiexec.exe
Token: SeIncBasePriorityPrivilege	2004	msiexec.exe
Token: SeCreatePagefilePrivilege	2004	msiexec.exe
Token: SeCreatePermanentPrivilege	2004	msiexec.exe
Token: SeBackupPrivilege	2004	msiexec.exe
Token: SeRestorePrivilege	2004	msiexec.exe
Token: SeShutdownPrivilege	2004	msiexec.exe
Token: SeDebugPrivilege	2004	msiexec.exe
Token: SeAuditPrivilege	2004	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2004	msiexec.exe
Token: SeChangeNotifyPrivilege	2004	msiexec.exe
Token: SeRemoteShutdownPrivilege	2004	msiexec.exe
Token: SeUndockPrivilege	2004	msiexec.exe
Token: SeSyncAgentPrivilege	2004	msiexec.exe
Token: SeEnableDelegationPrivilege	2004	msiexec.exe
Token: SeManageVolumePrivilege	2004	msiexec.exe
Token: SeImpersonatePrivilege	2004	msiexec.exe
Token: SeCreateGlobalPrivilege	2004	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2004	msiexec.exe
2004	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2160	CDshost.exe
2160	CDshost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 568	1940	msiexec.exe	31
PID 1940 wrote to memory of 568	1940	msiexec.exe	31
PID 1940 wrote to memory of 568	1940	msiexec.exe	31
PID 1940 wrote to memory of 568	1940	msiexec.exe	31
PID 1940 wrote to memory of 568	1940	msiexec.exe	31
PID 1940 wrote to memory of 568	1940	msiexec.exe	31
PID 1940 wrote to memory of 568	1940	msiexec.exe	31
PID 1940 wrote to memory of 2160	1940	msiexec.exe	32
PID 1940 wrote to memory of 2160	1940	msiexec.exe	32
PID 1940 wrote to memory of 2160	1940	msiexec.exe	32
PID 1940 wrote to memory of 2160	1940	msiexec.exe	32

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Dnf2024098992xml.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2004

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3129F81591B6ADBB17C7A0D7FCA79649
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:568
- C:\Users\Admin\Contacts\CDshost.exe
  "C:\Users\Admin\Contacts\CDshost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76cea9.rbs

Filesize
10KB

MD5
86301a8282b15cfbb8d32153abf7f861

SHA1
66c4452cc0d5feff17a992edb09f2d72d3ee1dbb

SHA256
ff209169aa999a9c890b19386c287e2f8bc8289331201f55d300bfdfe74da4aa

SHA512
b411af6ee0158a3361e6102ad2dcb1b42db250599be17ca4eeef0583eda12f2349b6d52c6cb4a696ab580cea80d2df40146e92fc6066ebba4e1ec7326210f28d

Download Submit
C:\Users\Admin\Contacts\CDshost.exe

Filesize
1.6MB

MD5
bdc0cff1e6e3db489864041a623f0d1e

SHA1
cf1beeec71abbfbe8a6f47abaaa6c1af2fee37dc

SHA256
585741ca3c4041bb39d107f1f159d908650967fbccac3a491bca389cc4ba0769

SHA512
aeaf1d2da43584ae91ea032c59a945ab91f721cc3b5bb98c2c7096dfd8c728b4ebf735491e06e934b4b1c9f1ccc719f950ad6f45e212f638b52c7af5efcc18db

Download Submit
C:\Users\Admin\Contacts\STARBURN.DLL

Filesize
17.5MB

MD5
659095ba011fba7c2c10ed159e06637d

SHA1
e39b325797c50ba896e82d3efc7f0afec7196685

SHA256
ed8b71abcb89dec8178217b4a3c9438706fb3e844b30374f19550e3516df60c3

SHA512
694d294741a43c6a81f5403f2a8c768dcdd9c51c69c92e95e73e2eab8280ae04f18669e02dde9722f0a49f94305dcf417d5d98c7f568f0f16d8be67dc6f1443a

Download Submit
C:\Windows\Installer\MSICF12.tmp

Filesize
738KB

MD5
ee45c6dffaf86ed2a76d8f969c390c08

SHA1
ff5b2942ffa7d28ed3f72208e8e76391b2991b5a

SHA256
118a551eef23bf842ed470316aa1a50bf17b6d656652879802d4acc0184608ca

SHA512
a92bc7aff5da3dc33263ea3d43cf617d47a2a6c589118f7ee3c5f293d63171778a7a37815ec23cb426558546cf0a1e694c67c7cbc36cca92677de566d1d71664

Download Submit
C:\Windows\Installer\f76cea5.msi

Filesize
18.9MB

MD5
adbc9edef9f65786ff7be64b6c721446

SHA1
1ff08d5235fa69d450c1b92d1308e8567b2251c9

SHA256
93c737e02b4b290af46956efc8992aed68656d1e886bc9f4293300979a4e5b21

SHA512
4f4c4ef0cf88ef4bd250b29b2a486aec7ec48bcbba22c68aacb2d2a858e44b026fe78dfcdf61cbe6a81d41db31cd968f64e62594b8cdbdc3f59a9c1a5ef57ed5

Download Submit
memory/2160-47-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2160-54-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2160-39-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2160-44-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2160-42-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2160-40-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2160-45-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2160-35-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2160-49-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2160-37-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2160-52-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2160-57-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2160-59-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2160-62-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2160-64-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2160-67-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2160-69-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2160-71-0x0000000070240000-0x0000000073EB8000-memory.dmp

Filesize
60.5MB

Download
memory/2160-72-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download