Analysis

  • max time kernel: 121s
  • max time network: 124s
  • platform: windows7_x64
  • resource: win7-20240705-en
  • resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted: 05-08-2024 12:14

General

  • Target: Microsoft Visual C++/vcredist2005_x64.exe
  • Size: 4.1MB
  • MD5: 524da2fb61a1361e77704e9466bcd74e
  • SHA1: 90a3d2a139c1a106bfccd98cbbd7c2c1d79f5ebe
  • SHA256: bb9e8606e26c2b76984252182f7db0d6e9108b204b81d2a7b036c9b618c1f9f1
  • SHA512: 78a29872ed0a6fd871bc31ca23c579204705ba1bca997e55267889b41f93679b025f4e77c68e012eb49e4e9807809039ce6c446148f3ad4e6176dd6d2ad2bfdb
  • SSDEEP: 98304:y4+PG8W44ij9RvbGOZUR241QZgC51B+PRPM:yPG8W4HhbVURp11CjgJM

Malware Config

Signatures

  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Blocklisted process makes network request (1 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory (59 IoCs)
  • Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS (46 IoCs)
  • Modifies registry class (56 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++\vcredist2005_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++\vcredist2005_x64.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec /i vcredist.msi
        3⤵
        • Blocklisted process makes network request
        • Enumerates connected drives
        • Event Triggered Execution: Installer Packages
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2740
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B6B75E85D04E2E05540E99A0D903F433
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:572
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2140
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A0" "00000000000005A4"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2980

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
    Filesize: 558B
    MD5: 3cc0012f96f8f44164c18d7de05023d9
    SHA1: c8feb560d751fe720c8bdb53f5e78aa92abb9a9e
    SHA256: 2654c273c211ae1afc60a7736153a853142e3db028417206948576d1d57bf5d5
    SHA512: 626746176663e2460b18f1eb245306107060c172c4e65ad710dd75ec0b348d8f000342c0dd2f7ea3bb2e0796f61e1ddd2cd77c312d6a177ff2e70a10b68cc6af

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 86e5ffdd8a41db940624061acb193a2e
    SHA1: 4078ca685c8f302cf57e6318c4e94bfaecdeec24
    SHA256: 8876cd4fa098ba23774328cf7ee26b7a00da7f7e31e1a5cfb4e3f35afbcac97a
    SHA512: 6e513aedfc037721b7d3216d579f29f547a1fc0fe1d930d166da9ba9629c5633d9978b8488fef35f96c478e1b236ea6fee90c741595095bab3bec66e8134f1b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
    Filesize: 232B
    MD5: ce19816d007e534e6ab1c9b99e4833f4
    SHA1: a76f3fd4199348847cbd77f242d5a1840065570b
    SHA256: bb8410415457223c5c10344f562b5b9ae7e597389aac4c344242973a9f63fd05
    SHA512: 4501ae41688cdf0a68a9d31d5e7aa7e6340ff4d2c0e202a6b01ee0a63fc0d346a3c37a83954b0ab34ff8be7e07dd0607f76312d80c866508b4230ba7b4a851d3

  • C:\Users\Admin\AppData\Local\Temp\CabC3DB.tmp
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredis1.cab
    Filesize: 309KB
    MD5: 1f759e1b809cc291bbea00b43c6e9f74
    SHA1: 4038059d53fd925a9142642bbfd800e196ed888f
    SHA256: 044969556a9ff7bfeb95cf1cc30fee41e57417814192749a6e7b2820ea1803c8
    SHA512: 23682155c290c46c4673a80b6775f9e92ba1c855c4609454ed258d23f7a97cd5adff3a709a7348759755aeb941b71f4f13c7cd7288be4270aa772ef679774fdf

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredist.msi
    Filesize: 3.8MB
    MD5: fa135204bb6146fca799cf06d30c444c
    SHA1: 774b9fd7ca76502ae6c732432377d71dfd75a15a
    SHA256: cd7eb3fe76c008e2af85cab033f620e04e22af941797083a5fb51e269bb8fcbb
    SHA512: b2c20573b92766353db601a31d4409397fd5de3a32f9bde4b3e627b48c5b859d33c93f96ecb0c177eb16768f5dd744394857a078a7302fdf0f0e4f5d2543b73a

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE
    Filesize: 4.1MB
    MD5: 45109081338654c25e42aea404b7d40c
    SHA1: 7474003f1dffb4439381cb628ded660d28a41bdd
    SHA256: 00fbdecf2f47d72cdd20a60d685d5d0f56e1f5ec571a7e43eebe1b178285eb76
    SHA512: cb89ea354aacf4560ab59ccbf1ae5f9d4913b0b4b6130bdaeb6f8eced7844c416875d0303e0f141165ca1681f6b9728d46a96fa44b3a2eb45616d904658179e2

  • \Windows\Installer\MSIC4D7.tmp
    Filesize: 24KB
    MD5: 7bfa56d222ecc4267e10c01462c6d0d9
    SHA1: 9b3236a45673ff3bb89df3e690784b673ae02038
    SHA256: 6eeb255e1d5333a7b4f1b62e36afa1bea5cfd6c7e32058bb3a9efebc4d9f2ad6
    SHA512: 10cec6bfd08a8b7cac1acbc3627cb014554ba71f44eb4bfe5b1471b81d6d292fd83a352d553af0de75fc1668a1f13d7f6f6c7bf1c6524117f363a3a7fc9b09e9