13aad31e3a1bec69fab1729867e6f7819d2741f7c7ef34cc789c8f195b641b91

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Shure64x.msi
Size

86.2MB
MD5

58f442aa99f04239cb7d1da33bd89612
SHA1

82d0c3a408ee9d235f8c6145ec1597eac3ec0fec
SHA256

13aad31e3a1bec69fab1729867e6f7819d2741f7c7ef34cc789c8f195b641b91
SHA512

e282f9d8a79581c9c0d8a220bfa0e28c899ab1d8e18072271fad54b218ef5d4ba886dde8b3d547dd1f625b2c66974805569e2186f9efb385ad0fd7d39913307f
SSDEEP

1572864:sTg79nEDugaAModrO12nW/sCmFTJdtFHLAvHlYy3peYGg0IWM9f/QGsv:sE79IurAMerW/56Ndte2y3MgtWG/

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76ebb6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f76ebb9.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76ebb6.msi	msiexec.exe
File created	C:\Windows\Installer\f76ebb7.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED5B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76ebb7.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe

Executes dropped EXE 3 IoCs

pid	Process
2936	Shure64x.exe
300	Shure64x.exe
1240	Shure64x.exe

Loads dropped DLL 7 IoCs

pid	Process
2004	msiexec.exe
2004	msiexec.exe
1196	Process not Found
2004	msiexec.exe
2936	Shure64x.exe
300	Shure64x.exe
1240	Shure64x.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2524	msiexec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2004	msiexec.exe
2004	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2524	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2524	msiexec.exe
Token: SeRestorePrivilege	2004	msiexec.exe
Token: SeTakeOwnershipPrivilege	2004	msiexec.exe
Token: SeSecurityPrivilege	2004	msiexec.exe
Token: SeCreateTokenPrivilege	2524	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2524	msiexec.exe
Token: SeLockMemoryPrivilege	2524	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2524	msiexec.exe
Token: SeMachineAccountPrivilege	2524	msiexec.exe
Token: SeTcbPrivilege	2524	msiexec.exe
Token: SeSecurityPrivilege	2524	msiexec.exe
Token: SeTakeOwnershipPrivilege	2524	msiexec.exe
Token: SeLoadDriverPrivilege	2524	msiexec.exe
Token: SeSystemProfilePrivilege	2524	msiexec.exe
Token: SeSystemtimePrivilege	2524	msiexec.exe
Token: SeProfSingleProcessPrivilege	2524	msiexec.exe
Token: SeIncBasePriorityPrivilege	2524	msiexec.exe
Token: SeCreatePagefilePrivilege	2524	msiexec.exe
Token: SeCreatePermanentPrivilege	2524	msiexec.exe
Token: SeBackupPrivilege	2524	msiexec.exe
Token: SeRestorePrivilege	2524	msiexec.exe
Token: SeShutdownPrivilege	2524	msiexec.exe
Token: SeDebugPrivilege	2524	msiexec.exe
Token: SeAuditPrivilege	2524	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2524	msiexec.exe
Token: SeChangeNotifyPrivilege	2524	msiexec.exe
Token: SeRemoteShutdownPrivilege	2524	msiexec.exe
Token: SeUndockPrivilege	2524	msiexec.exe
Token: SeSyncAgentPrivilege	2524	msiexec.exe
Token: SeEnableDelegationPrivilege	2524	msiexec.exe
Token: SeManageVolumePrivilege	2524	msiexec.exe
Token: SeImpersonatePrivilege	2524	msiexec.exe
Token: SeCreateGlobalPrivilege	2524	msiexec.exe
Token: SeBackupPrivilege	3032	vssvc.exe
Token: SeRestorePrivilege	3032	vssvc.exe
Token: SeAuditPrivilege	3032	vssvc.exe
Token: SeBackupPrivilege	2004	msiexec.exe
Token: SeRestorePrivilege	2004	msiexec.exe
Token: SeRestorePrivilege	2848	DrvInst.exe
Token: SeRestorePrivilege	2848	DrvInst.exe
Token: SeRestorePrivilege	2848	DrvInst.exe
Token: SeRestorePrivilege	2848	DrvInst.exe
Token: SeRestorePrivilege	2848	DrvInst.exe
Token: SeRestorePrivilege	2848	DrvInst.exe
Token: SeRestorePrivilege	2848	DrvInst.exe
Token: SeLoadDriverPrivilege	2848	DrvInst.exe
Token: SeLoadDriverPrivilege	2848	DrvInst.exe
Token: SeLoadDriverPrivilege	2848	DrvInst.exe
Token: SeRestorePrivilege	2004	msiexec.exe
Token: SeTakeOwnershipPrivilege	2004	msiexec.exe
Token: SeRestorePrivilege	2004	msiexec.exe
Token: SeTakeOwnershipPrivilege	2004	msiexec.exe
Token: SeRestorePrivilege	2004	msiexec.exe
Token: SeTakeOwnershipPrivilege	2004	msiexec.exe
Token: SeRestorePrivilege	2004	msiexec.exe
Token: SeTakeOwnershipPrivilege	2004	msiexec.exe
Token: SeRestorePrivilege	2004	msiexec.exe
Token: SeTakeOwnershipPrivilege	2004	msiexec.exe
Token: SeRestorePrivilege	2004	msiexec.exe
Token: SeTakeOwnershipPrivilege	2004	msiexec.exe
Token: SeRestorePrivilege	2004	msiexec.exe
Token: SeTakeOwnershipPrivilege	2004	msiexec.exe
Token: SeRestorePrivilege	2004	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2524	msiexec.exe
2524	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2936	2004	msiexec.exe	36
PID 2004 wrote to memory of 2936	2004	msiexec.exe	36
PID 2004 wrote to memory of 2936	2004	msiexec.exe	36

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Shure64x.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2524

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Programs\Shure64x\Shure64x.exe
  "C:\Users\Admin\AppData\Local\Programs\Shure64x\Shure64x.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B8" "00000000000003B4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Users\Admin\AppData\Local\Programs\Shure64x\Shure64x.exe
"C:\Users\Admin\AppData\Local\Programs\Shure64x\Shure64x.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:300

C:\Users\Admin\AppData\Local\Programs\Shure64x\Shure64x.exe
"C:\Users\Admin\AppData\Local\Programs\Shure64x\Shure64x.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76ebb8.rbs

Filesize
20KB

MD5
6b15628995502308f71ef7a5c67cb445

SHA1
9893d2ecac92bdbf6c59f9d886aec19db6bf98f1

SHA256
2ab44b66c91d6662a786b408fcda47383ce5ac4a68a3ad72ff4b8439bb535c68

SHA512
92f03f9e52c951418d1aac1610b8997e4db264a18bace8dcd6f658bc46bacaebff3e21014acb40fcd12f2d3e45dfa2a8fbda671aa45d712f88eddaddd750b65a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shure64x\ffmpeg.dll

Filesize
2.7MB

MD5
d49e7a8f096ad4722bd0f6963e0efc08

SHA1
6835f12391023c0c7e3c8cc37b0496e3a93a5985

SHA256
f11576bf7ffbc3669d1a5364378f35a1ed0811b7831528b6c4c55b0cdc7dc014

SHA512
ca50c28d6aac75f749ed62eec8acbb53317f6bdcef8794759af3fad861446de5b7fa31622ce67a347949abb1098eccb32689b4f1c54458a125bc46574ad51575

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Shure64x.lnk

Filesize
2KB

MD5
9a51893fc1ec99bb3473aeeffffed2ad

SHA1
43d75ed8356db91c1b2afc70a6f346f6d537070a

SHA256
81c828779afe9ce3788cf3e30ede48bddff5c48571186551d9e78b2ca4efc1a2

SHA512
2df168b77432785e6875e945e7ead7f5e223d3b14898ed7a0fdc63d983494ed5074e0c84cffcd54915f7106579d3c408c2650b553ddf5fdbb4892a3cc5167397

Download Submit