086cfceeba52ec0e5effd32321b9fdbcf7b3f674839b30749059e4275af08363

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Shure64x.msi
Size

86.2MB
MD5

58f442aa99f04239cb7d1da33bd89612
SHA1

82d0c3a408ee9d235f8c6145ec1597eac3ec0fec
SHA256

13aad31e3a1bec69fab1729867e6f7819d2741f7c7ef34cc789c8f195b641b91
SHA512

e282f9d8a79581c9c0d8a220bfa0e28c899ab1d8e18072271fad54b218ef5d4ba886dde8b3d547dd1f625b2c66974805569e2186f9efb385ad0fd7d39913307f
SSDEEP

1572864:sTg79nEDugaAModrO12nW/sCmFTJdtFHLAvHlYy3peYGg0IWM9f/QGsv:sE79IurAMerW/56Ndte2y3MgtWG/

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76c15d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c15d.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f76c15c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c15c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC246.tmp	msiexec.exe
File created	C:\Windows\Installer\f76c15f.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe

Executes dropped EXE 1 IoCs

pid	Process
664	Shure64x.exe

Loads dropped DLL 5 IoCs

pid	Process
1728	msiexec.exe
1728	msiexec.exe
1228	Process not Found
1728	msiexec.exe
664	Shure64x.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2540	msiexec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1728	msiexec.exe
1728	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2540	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2540	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeTakeOwnershipPrivilege	1728	msiexec.exe
Token: SeSecurityPrivilege	1728	msiexec.exe
Token: SeCreateTokenPrivilege	2540	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2540	msiexec.exe
Token: SeLockMemoryPrivilege	2540	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2540	msiexec.exe
Token: SeMachineAccountPrivilege	2540	msiexec.exe
Token: SeTcbPrivilege	2540	msiexec.exe
Token: SeSecurityPrivilege	2540	msiexec.exe
Token: SeTakeOwnershipPrivilege	2540	msiexec.exe
Token: SeLoadDriverPrivilege	2540	msiexec.exe
Token: SeSystemProfilePrivilege	2540	msiexec.exe
Token: SeSystemtimePrivilege	2540	msiexec.exe
Token: SeProfSingleProcessPrivilege	2540	msiexec.exe
Token: SeIncBasePriorityPrivilege	2540	msiexec.exe
Token: SeCreatePagefilePrivilege	2540	msiexec.exe
Token: SeCreatePermanentPrivilege	2540	msiexec.exe
Token: SeBackupPrivilege	2540	msiexec.exe
Token: SeRestorePrivilege	2540	msiexec.exe
Token: SeShutdownPrivilege	2540	msiexec.exe
Token: SeDebugPrivilege	2540	msiexec.exe
Token: SeAuditPrivilege	2540	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2540	msiexec.exe
Token: SeChangeNotifyPrivilege	2540	msiexec.exe
Token: SeRemoteShutdownPrivilege	2540	msiexec.exe
Token: SeUndockPrivilege	2540	msiexec.exe
Token: SeSyncAgentPrivilege	2540	msiexec.exe
Token: SeEnableDelegationPrivilege	2540	msiexec.exe
Token: SeManageVolumePrivilege	2540	msiexec.exe
Token: SeImpersonatePrivilege	2540	msiexec.exe
Token: SeCreateGlobalPrivilege	2540	msiexec.exe
Token: SeBackupPrivilege	1696	vssvc.exe
Token: SeRestorePrivilege	1696	vssvc.exe
Token: SeAuditPrivilege	1696	vssvc.exe
Token: SeBackupPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	2828	DrvInst.exe
Token: SeRestorePrivilege	2828	DrvInst.exe
Token: SeRestorePrivilege	2828	DrvInst.exe
Token: SeRestorePrivilege	2828	DrvInst.exe
Token: SeRestorePrivilege	2828	DrvInst.exe
Token: SeRestorePrivilege	2828	DrvInst.exe
Token: SeRestorePrivilege	2828	DrvInst.exe
Token: SeLoadDriverPrivilege	2828	DrvInst.exe
Token: SeLoadDriverPrivilege	2828	DrvInst.exe
Token: SeLoadDriverPrivilege	2828	DrvInst.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeTakeOwnershipPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeTakeOwnershipPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeTakeOwnershipPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeTakeOwnershipPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeTakeOwnershipPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeTakeOwnershipPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeTakeOwnershipPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2540	msiexec.exe
2540	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 664	1728	msiexec.exe	36
PID 1728 wrote to memory of 664	1728	msiexec.exe	36
PID 1728 wrote to memory of 664	1728	msiexec.exe	36

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Shure64x.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2540

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Programs\Shure64x\Shure64x.exe
  "C:\Users\Admin\AppData\Local\Programs\Shure64x\Shure64x.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005F8" "00000000000003A8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76c15e.rbs

Filesize
20KB

MD5
ebb4e6f74bebe84caac8718131fced51

SHA1
dfd93f43d8de125d6cc29b2c144041806c3c9300

SHA256
a756b15d4489168ddea80d260ca89d953a2edf72ff99fd8db5eda0db3d43c703

SHA512
92a82cf739e4c3212c09391d639d6196143f8148897d487816003bf9712f0a7c9819f194d8b880cd93c523da14b5c87ed221be5c83af2272832f45450f4473cd

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shure64x\ffmpeg.dll

Filesize
2.7MB

MD5
d49e7a8f096ad4722bd0f6963e0efc08

SHA1
6835f12391023c0c7e3c8cc37b0496e3a93a5985

SHA256
f11576bf7ffbc3669d1a5364378f35a1ed0811b7831528b6c4c55b0cdc7dc014

SHA512
ca50c28d6aac75f749ed62eec8acbb53317f6bdcef8794759af3fad861446de5b7fa31622ce67a347949abb1098eccb32689b4f1c54458a125bc46574ad51575

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Shure64x.lnk

Filesize
2KB

MD5
2f1ffd1d7c0168be4b58503acaa9fddd

SHA1
0a9bbe5e683aa438daf6d3f870271f1813b0889a

SHA256
071a83bb1a54d995a11709d06723ae379a5f13c00c3074135a136dd7ebe43805

SHA512
75ceaffd0eaeed6079d984c71b74990e29d16274a7f4c958af27745b56428a75b04ac916da13ab13e3bcad6f9f3b1d7e2884b1cae4f300823a484c5e3031ebd8

Download Submit