Analysis

  • max time kernel
    45s
  • max time network
    24s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    08/08/2024, 19:46 UTC

General

  • Target

    HTTPDebuggerPro.msi

  • Size

    10.4MB

  • MD5

    da7e08ef168ee4662ff1878202303a36

  • SHA1

    df3bc617162a0f5f5e854403f5dc1e00e093e498

  • SHA256

    ed9e8f5fda10a14fbce76252b111a031bc4f3351e9eb342ea4edf6b6d16add69

  • SHA512

    bd248c68077a6aa1d6120cd3401770b09762cd75010a30b40cdd46196c726bce2fffa9036a2e3f47bbdbe4b935b9252c7ea38f4947d5ef187831d274a13b8974

  • SSDEEP

    196608:I0juQ6vXkAs3lJiZvWFsd0EMdPfR9kngqVepxvwyd+wNQ3jOPw8pJN6sR:I0jT6vXj2I+FifM5Bqcvvu3jgJN6sR

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 24 IoCs
  • Drops file in Windows directory 15 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 7 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\HTTPDebuggerPro.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4808
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:564
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DC3AEE1DF55A21568726D2738EFD5CAA C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe
        "C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:420
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:2152
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A3FBBA32E0DF05B95E7330CFC2D071D5
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2996
    • C:\Windows\syswow64\MsiExec.exe
      "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerBrowser.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3528
    • C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe
      "C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe" /install
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4196
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:4732
  • C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe
    "C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe"
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2976
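    The process list above is a tree flattened into text: the "N⤵" marker gives each process's nesting depth, while the indentation of the extracted page is not reliable (vssvc.exe and the second HTTPDebuggerSvc.exe instance are depth-1 entries, not children of msiexec.exe /V). The Python below is an added example, not part of the Triage report: it rebuilds parent/child links from the depth markers, attaches the per-process signatures, and answers the questions an analyst asks of this tree (who spawned HTTPDebuggerUI.exe, which process dropped the driver). The sample input is a constructed, abbreviated copy of the entries above; two of the depth-2 MsiExec.exe entries are left out to keep it short.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed, abbreviated copy of the "Processes" section: image path, command
# line, depth marker "N⤵", zero or more "• signature" lines, then "PID:n".
REPORT_PROCESSES = r"""
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\HTTPDebuggerPro.msi
1⤵
• Blocklisted process makes network request
PID:4808
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
• Drops file in Program Files directory
PID:564
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DC3AEE1DF55A21568726D2738EFD5CAA C
2⤵
• Loads dropped DLL
PID:2344
C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe
"C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe"
3⤵
• Executes dropped EXE
• Suspicious use of SetWindowsHookEx
PID:420
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2152
C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe
"C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe" /install
2⤵
• Executes dropped EXE
PID:4196
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
• Checks SCSI registry key(s)
PID:4732
C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe
"C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe"
1⤵
• Drops file in Drivers directory
• Executes dropped EXE
PID:2976
"""

MARKER = re.compile(r"^(\d+)⤵$")
PID_LINE = re.compile(r"^PID:(\d+)$")


@dataclass
class Process:
    pid: int
    depth: int
    image: str
    cmdline: str
    signatures: list = field(default_factory=list)
    parent: Optional[int] = None


def parse_process_tree(text: str) -> dict:
    """Return {pid: Process}; parent links come from the depth markers only."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    procs, stack, i = {}, [], 0          # stack: (depth, pid) of open ancestors
    while i < len(lines):
        m = MARKER.match(lines[i])
        if not m:
            i += 1
            continue
        depth, image, cmdline = int(m.group(1)), lines[i - 2], lines[i - 1]
        i += 1
        sigs = []
        while i < len(lines) and lines[i].startswith("•"):
            sigs.append(lines[i].lstrip("• ").strip())
            i += 1
        pm = PID_LINE.match(lines[i]) if i < len(lines) else None
        if pm is None:
            raise ValueError(f"no PID line after {cmdline!r}")
        # A depth-d process is a child of the nearest still-open depth-(d-1)
        # entry; anything at the same or a deeper level is closed first.
        while stack and stack[-1][0] >= depth:
            stack.pop()
        pid = int(pm.group(1))
        procs[pid] = Process(pid, depth, image, cmdline, sigs,
                             stack[-1][1] if stack else None)
        stack.append((depth, pid))
        i += 1
    return procs


def children(procs: dict, pid: int) -> list:
    return sorted(p.pid for p in procs.values() if p.parent == pid)


def ancestry(procs: dict, pid: int) -> list:
    """Command lines from the tree root down to pid."""
    chain, cur = [], procs.get(pid)
    while cur is not None:
        chain.append(cur.cmdline)
        cur = procs.get(cur.parent) if cur.parent is not None else None
    return chain[::-1]


def pids_with_signature(procs: dict, signature: str) -> list:
    return sorted(p.pid for p in procs.values() if signature in p.signatures)


if __name__ == "__main__":
    tree = parse_process_tree(REPORT_PROCESSES)
    for pid in pids_with_signature(tree, "Drops file in Drivers directory"):
        print(pid, " -> ".join(ancestry(tree, pid)))
```

    Run against the sample, the driver drop resolves to PID 2976, the HTTPDebuggerSvc.exe instance that has no parent in the traced tree; that is consistent with a service being started by the Service Control Manager after the depth-2 `/install` run, which is where an analyst would look next (service name, driver path, signer) on a real host.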

    Network

    • Country: US
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • Country: US
      DNS
      c.pki.goog
      Remote address:
      8.8.8.8:53
      Request
      c.pki.goog
      IN A
      Response
      c.pki.goog
      IN CNAME
      pki-goog.l.google.com
      pki-goog.l.google.com
      IN A
      142.250.179.131
    • Country: US
      DNS
      23.149.64.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.149.64.172.in-addr.arpa
      IN PTR
      Response
    • Country: US
      DNS
      146.26.21.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      146.26.21.104.in-addr.arpa
      IN PTR
      Response
    • Country: US
      DNS
      233.38.18.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      233.38.18.104.in-addr.arpa
      IN PTR
      Response
    • Country: US
      DNS
      131.179.250.142.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      131.179.250.142.in-addr.arpa
      IN PTR
      Response
      131.179.250.142.in-addr.arpa
      IN PTR
      ams17s10-in-f3.1e100.net
    • Country: NL
      GET
      http://c.pki.goog/r/gsr1.crl
      HTTPDebuggerUI.exe
      Remote address:
      142.250.179.131:80
      Request
      GET /r/gsr1.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: c.pki.goog
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 1739
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Thu, 08 Aug 2024 19:43:18 GMT
      Expires: Thu, 08 Aug 2024 20:33:18 GMT
      Cache-Control: public, max-age=3000
      Age: 235
      Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
      Content-Type: application/pkix-crl
      Vary: Accept-Encoding
    • Country: NL
      GET
      http://c.pki.goog/r/r4.crl
      HTTPDebuggerUI.exe
      Remote address:
      142.250.179.131:80
      Request
      GET /r/r4.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: c.pki.goog
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 436
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Thu, 08 Aug 2024 19:43:18 GMT
      Expires: Thu, 08 Aug 2024 20:33:18 GMT
      Cache-Control: public, max-age=3000
      Age: 235
      Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
      Content-Type: application/pkix-crl
      Vary: Accept-Encoding
    • 104.21.26.146:443
      www.httpdebugger.com, tls, HTTPDebuggerUI.exe
      3.0kB / 13.7kB, 27 / 26 packets
    • 142.250.179.131:80
      http://c.pki.goog/r/r4.crl, http, HTTPDebuggerUI.exe
      510 B / 3.8kB, 6 / 5 packets

      HTTP Request

      GET http://c.pki.goog/r/gsr1.crl

      HTTP Response

      200

      HTTP Request

      GET http://c.pki.goog/r/r4.crl

      HTTP Response

      200
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa, dns
      122 B / 197 B, 2 / 2 packets

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      c.pki.goog

      DNS Response

      142.250.179.131

    • 8.8.8.8:53
      23.149.64.172.in-addr.arpa, dns
      144 B / 268 B, 2 / 2 packets

      DNS Request

      23.149.64.172.in-addr.arpa

      DNS Request

      146.26.21.104.in-addr.arpa

    • 8.8.8.8:53
      233.38.18.104.in-addr.arpa, dns
      146 B / 246 B, 2 / 2 packets

      DNS Request

      233.38.18.104.in-addr.arpa

      DNS Request

      131.179.250.142.in-addr.arpa
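
    The two HTTP exchanges recorded above (HTTPDebuggerUI.exe fetching /r/gsr1.crl and /r/r4.crl from c.pki.goog with the User-Agent Microsoft-CryptoAPI/10.0, answered with application/pkix-crl) are what Windows certificate-chain validation looks like on the wire: CryptoAPI downloads the CRL from the distribution point named in a certificate, and the TLS session to www.httpdebugger.com is the likely trigger. The Python below is an added example, not part of the Triage report: it parses request/response pairs in the layout shown above and labels OS revocation-check traffic separately from everything else, so it is not mistaken for application or C2 traffic when reviewing a capture. The first two samples are copied from the report (response headers abbreviated); the third is constructed, with a hypothetical host, to show a request that only partly matches.

```python
from dataclasses import dataclass

# Constructed sample set. Pairs 1 and 2 are copied from the report (response
# headers abbreviated); pair 3 is made up, with a hypothetical host, and shows
# a CryptoAPI User-Agent fetching something that is not a CRL.
SAMPLE_EXCHANGES = [
    ("HTTPDebuggerUI.exe",
     """GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog""",
     """HTTP/1.1 200 OK
Content-Length: 1739
Server: sffe
Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
Content-Type: application/pkix-crl"""),
    ("HTTPDebuggerUI.exe",
     """GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog""",
     """HTTP/1.1 200 OK
Content-Length: 436
Server: sffe
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl"""),
    # Constructed: same User-Agent, arbitrary binary body from a made-up host.
    ("constructed.exe",
     """GET /r/update.bin HTTP/1.1
User-Agent: Microsoft-CryptoAPI/10.0
Host: updates.example.invalid""",
     """HTTP/1.1 200 OK
Content-Length: 51200
Content-Type: application/octet-stream"""),
]

# Media types a CRL distribution point or OCSP responder legitimately returns.
REVOCATION_CONTENT_TYPES = {"application/pkix-crl", "application/ocsp-response"}


@dataclass
class HttpExchange:
    process: str
    method: str
    host: str
    path: str
    user_agent: str
    status: int
    content_type: str


def _headers(lines) -> dict:
    out = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)   # split once: values contain ':'
            out[name.strip().lower()] = value.strip()
    return out


def parse_exchange(process, request, response) -> HttpExchange:
    req = [ln.strip() for ln in request.strip().splitlines()]
    resp = [ln.strip() for ln in response.strip().splitlines()]
    method, path, _version = req[0].split()
    rh, sh = _headers(req[1:]), _headers(resp[1:])
    return HttpExchange(
        process=process, method=method, host=rh.get("host", ""), path=path,
        user_agent=rh.get("user-agent", ""), status=int(resp[0].split()[1]),
        content_type=sh.get("content-type", "").split(";")[0].strip().lower(),
    )


def classify(ex: HttpExchange) -> str:
    """'pki-revocation-check' only when every indicator agrees; 'review' when
    some do (CryptoAPI UA with a non-PKI body, a .crl path from another client);
    'other' when none do."""
    ua_cryptoapi = ex.user_agent.startswith("Microsoft-CryptoAPI/")
    pki_body = ex.content_type in REVOCATION_CONTENT_TYPES
    crl_path = ex.path.lower().endswith(".crl")
    if ex.method == "GET" and ex.status == 200 and ua_cryptoapi and pki_body:
        return "pki-revocation-check"
    if ua_cryptoapi or pki_body or crl_path:
        return "review"
    return "other"


def triage(samples) -> list:
    """(process, host+path, label) for each request/response pair."""
    return [(ex.process, ex.host + ex.path, classify(ex))
            for ex in (parse_exchange(*s) for s in samples)]


if __name__ == "__main__":
    for row in triage(SAMPLE_EXCHANGES):
        print(*row)
```

    The label is a triage aid, not a trust decision: a User-Agent string costs an attacker nothing to copy, which is why the classifier also demands a PKI media type and a 200 and still reports a partial match as "review" rather than "other". Note also that the sandbox's "Blocklisted process makes network request" signature above fires on msiexec.exe (PID 4808), while the only HTTP the report records belongs to HTTPDebuggerUI.exe; the two findings should be read separately.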

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Config.Msi\e57e60b.rbs

      Filesize

      13KB

      MD5

      cb00ca4a47752348f2ef239beb870028

      SHA1

      40cc28a3ff90405701e31bd9af8a2f93f26c6976

      SHA256

      a47c14e0ca557e1c488c5083612c4e825a455d92e1c5d8adc12910d8b26d56af

      SHA512

      10b15ad383d92ab81582920f5b4c5a6a5c1fdfb461548a01fb32c309822cfc662210f102ef4f7d6e4238aa21d0df143b34167a8474659d69e3584ba29ca225c1

    • C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerBrowser.dll

      Filesize

      575KB

      MD5

      4facbaab17f633d153a7b53fb483b22f

      SHA1

      9e0e7bfbe927b1a77133380a2f76531b9416962a

      SHA256

      c557b766a00fd4ba6950c08c6133c20e4dd800139a19d271d46d6feb31ebf870

      SHA512

      86cccef12998201c28c257204cdcfdd339ac5e65c5d6627ffa6e5d88f57bdd94812dd7f657bbd3b01b88679abe92343496be775f2d7ac1f3d59573a0b696d832

    • C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe

      Filesize

      1.5MB

      MD5

      5b3c641fd1b48108810cc12b1971ffc2

      SHA1

      0d38bdd2d0654391b4737db591f2f1e19a9d8a3f

      SHA256

      f6c8009319b95d3d94c8858d831563b2568f98dda478b6a784ba5a828374e7fb

      SHA512

      4c2888ad3632bcb9efe06fc15c65c7a0ff9f5382e272ff7402f00a701a8aa3a4d9e467630085dc47fb9735ded898e995af1e6259472f0f4954d77b55f2f8944a

    • C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe

      Filesize

      8.1MB

      MD5

      d6ab0e25b4f76ca11acb71eb290938d5

      SHA1

      0269f40ec4936edf9eed2b1065a631dd895776e4

      SHA256

      555b66eabf40ca228d6a285862e622b662a528ffb68aa01a3bb27b4132188de0

      SHA512

      5417a45ef64accfc7fc5b282c089b2046677f74249436ab4112ff5626cd6ffe5e9524012f093faf13eb108199a0c281ed5f5f7feef6a7db38ed1408d10e6039d

    • C:\Program Files (x86)\HTTPDebuggerPro\Styles\Office2016.dll

      Filesize

      3.9MB

      MD5

      591dde57b17d9fcbdbc892cf1a7d3610

      SHA1

      1c2c32d101010165c471c6d5b01ef67c3224f6ff

      SHA256

      7d7d55ab604078e69070e2d162d77ee286e2faf748a52401a64f79824cb3b59d

      SHA512

      fc4bb5858a2b568c344a9b419176ed6e239e468c4eec9e76eba5a35c8bc97b5947bf1f7055544c5fd5b4d67d11e1ade5496057168b0fcf53afffc4595fb67bc6

    • C:\Program Files (x86)\HTTPDebuggerPro\cximagecrt.dll

      Filesize

      1023KB

      MD5

      a2fe19b6b766a12017c8be442ad0cef2

      SHA1

      9e5bed747e57e7c7141fabe3d9cb12c863d4b2f5

      SHA256

      35b71d192854edc95248f77deb824f034e903447319459aaf454269650fd51d3

      SHA512

      9969acf85432029810cd1eb2f7a65a3bc19d603749ecdcd2301645ad342bfc29d977c067a081a395afea4f9a5d199c982c4374d2fe6a2cedd9ff659af2101c7e

    • C:\Program Files (x86)\HTTPDebuggerPro\drv\Win8\HttpDebuggerSdk64.sys

      Filesize

      97KB

      MD5

      947c624c4bd48f8c66fcd00fc0f947d4

      SHA1

      5266036308e0d0eb837cc3126dba5a0b6ec270fc

      SHA256

      2e89606775ed719b9d950ae9d37e819a2567426fbe5c3e0aad8d86fec693b67b

      SHA512

      2fd940253eb2c4f9da9ceb9516b811f28bd8187fb3d819a86f0ec37f98c30d0a9b510652b0f615fe15cdcec1bfeff435da7b42407bb29faf2b1d58ce13508fc6

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

      Filesize

      765B

      MD5

      01065a09c71d25c6c7602f826b45f3da

      SHA1

      4fb03bf1ca148a3717c108f00b40a7a9456a0216

      SHA256

      ad27a1045d9cf5a5fbf5dd3257c22eba09b13acfe3e59e9785e76fac904bdbb5

      SHA512

      fe5ca37a416965b28573cf7cba1d37aabee715c8d0f00fe4345191471c27f7831134be20e5dfa662005e2ed53c69052cdba812a82752684fa1dbc8655564a384

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_76733C28E3E87E78CF09C0BB924E316A

      Filesize

      638B

      MD5

      8a024a9e772de6cd991ee0ec49f70d87

      SHA1

      bcafcecf42175dd2f70f89e68d8fb42f8da6b10e

      SHA256

      9291d3ed7d1436ced91df4373b9cc1accc02f869d1bed24780f0ff8e8017659a

      SHA512

      8a1a5bb139dd94280024ed32478049230c3d92a342c070985cbcf7c7a061d2c6491a01fc370f2a31367200f2bd3be1ca575fb5605cc06a3e3b6d6811c5655285

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

      Filesize

      1KB

      MD5

      c118ce3b46def8ae281049aa1bdce687

      SHA1

      03a2ddd41d9cf5637f388970d995eefaf6e2b2a2

      SHA256

      f480be175b0c2b894f609dbf9d4defc789dd56bb81673d7168bb97e91396cf71

      SHA512

      51279b72b2f38950239218972fdd7549e9bc66325bf0aebb85feec909a01dafa2cf9c5ce789eaa9fbaf979b5f4a77899d41eafe4cd7166ec8d05bbf5c4fe73d3

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

      Filesize

      484B

      MD5

      d685ee3b2a9e2c9f4e7f7b65032e920c

      SHA1

      f30ee0720a78b92cd4b7276ef2c12937f043482e

      SHA256

      a7c72f1649fce848cb345a7b83f8e9b2c60ff5ad5d5090993f9e94d629f604f4

      SHA512

      02abd113f7077e2a0a61b23029c48544fbdef0383f6c6c887482b98bec361e50a394deee88bb9d8b15256da464a8d25a20acd49b899ab6dd4efa72dae433bf7e

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_76733C28E3E87E78CF09C0BB924E316A

      Filesize

      496B

      MD5

      9d886d02d66d788f63deb608220acf18

      SHA1

      b152198c787ac2c8f4a48c0a8b9dc507a191ae88

      SHA256

      7e8f4374f10aca18fca32d159f58cdbd1bd5e86711ff886bf9d3f0eee4d7f270

      SHA512

      699be013a978d1feb86c48a66ab0deb9402b08c7894ee5f6473e0fa74ff98b28284482e04c9effafe04932af029ea6cfa14f3539b9f54b6706758cd0a478d50e

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

      Filesize

      482B

      MD5

      268ec11dd8552a486b097df2a61b4111

      SHA1

      f6430ed03059c9793edf6c70c23600cebde18e52

      SHA256

      dd5a1d169d207d3db62a07304b7649adc6b654b3d707c0ef7150fd827392c831

      SHA512

      473b56aecea9ae73c2d5744e624df1844ef9f0bbd38a0d2e560df16d41372c208490df0dd00121220011e2b6883ef7a8c028ce44fda6b488348237f4d7aa19a6

    • C:\Users\Admin\AppData\Local\Temp\MSIAE51.tmp

      Filesize

      90KB

      MD5

      6a9c36332255fca66c688c75aa68e1de

      SHA1

      2a03e2a5e6a8d9e2b0cfb4e2cc1923d9c08578c1

      SHA256

      7b7ebada5da99a20c44eaf77e6d673985da42d9b7cb4f5e4235b7579581ae170

      SHA512

      a638c48026f2a0b565b34d7d0dfacfec4f582e698f88234521a6fcff1ed90c134f39aa3311cca2a67e401de01f81cac01d9f792f189127e0f87a345076827627

    • C:\Windows\Installer\e57e60a.msi

      Filesize

      10.4MB

      MD5

      da7e08ef168ee4662ff1878202303a36

      SHA1

      df3bc617162a0f5f5e854403f5dc1e00e093e498

      SHA256

      ed9e8f5fda10a14fbce76252b111a031bc4f3351e9eb342ea4edf6b6d16add69

      SHA512

      bd248c68077a6aa1d6120cd3401770b09762cd75010a30b40cdd46196c726bce2fffa9036a2e3f47bbdbe4b935b9252c7ea38f4947d5ef187831d274a13b8974

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      12.8MB

      MD5

      fa33d66feb147e2b78f0c0332c054622

      SHA1

      59b357b98b307c9f0de0d3972bd98c2c2dd62e95

      SHA256

      2111ae90771f38a54b87f4c9e9bc0500adeabeaf9b9df7e2ffa5f3cf9335ed07

      SHA512

      f6266368dd3c76304c3ec3b5f168572d0c3f5a3c646ddc5ccc3c529e1fbcd5e61eb4ecf36597af3f296295864d64441bd7345ea391d75f3fe5d46a48e1fe2137

    • \??\Volume{6e183fb6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6ac28c79-d287-4cfe-a4fb-2ae464d7113c}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      3c88e1805f8ef0e1bceac718c335cd8f

      SHA1

      cad1e070262c3166497116748a93dc2051b8025e

      SHA256

      6b856b68c4236e9a1fe0c58e5f40c5cd6a5cd2bf92d92d4653c4798d03ca5d29

      SHA512

      9acd56a9cfdd9f1e82a3e1f761abd3b4bc01b5dc09ca42de616c31b2db5a6620d8bd6841ebe4548c568b3abfa4f27d406e91cf01174165ef92388e59459985e3
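
    The entries above are the files the sandbox saw written during the install, with their hashes; note that C:\Windows\Installer\e57e60a.msi carries exactly the MD5/SHA1/SHA256/SHA512 of the submitted HTTPDebuggerPro.msi, which is Windows Installer caching the package it ran. The Python below is an added example, not part of the Triage report: it parses entries in this label/value layout into a manifest and verifies a directory tree (a mounted image or a triage collection laid out under a root of your choosing) against the SHA256 values, reporting match, mismatch or missing per file. The sample manifest is an abbreviated copy of three entries above (SHA512 lines left out); the tree it is checked against is constructed in a temporary folder, so the "mismatch" and "missing" results it prints are the expected demonstration output.

```python
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed, abbreviated copy of three "Downloads" entries, in the report's
# label/value layout (SHA512 lines omitted to keep the sample short).
REPORT_DOWNLOADS = r"""
• C:\Program Files (x86)\HTTPDebuggerPro\drv\Win8\HttpDebuggerSdk64.sys
Filesize
97KB
MD5
947c624c4bd48f8c66fcd00fc0f947d4
SHA1
5266036308e0d0eb837cc3126dba5a0b6ec270fc
SHA256
2e89606775ed719b9d950ae9d37e819a2567426fbe5c3e0aad8d86fec693b67b
• C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe
Filesize
1.5MB
MD5
5b3c641fd1b48108810cc12b1971ffc2
SHA1
0d38bdd2d0654391b4737db591f2f1e19a9d8a3f
SHA256
f6c8009319b95d3d94c8858d831563b2568f98dda478b6a784ba5a828374e7fb
• C:\Windows\Installer\e57e60a.msi
Filesize
10.4MB
MD5
da7e08ef168ee4662ff1878202303a36
SHA1
df3bc617162a0f5f5e854403f5dc1e00e093e498
SHA256
ed9e8f5fda10a14fbce76252b111a031bc4f3351e9eb342ea4edf6b6d16add69
"""


def parse_downloads(text: str) -> dict:
    """{windows_path: {"filesize": ..., "md5": ..., "sha1": ..., "sha256": ...}}"""
    manifest, current, label = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):                 # new entry: the dropped-file path
            current, label = line.lstrip("• ").strip(), None
            manifest[current] = {}
        elif label is None:                      # a field label (Filesize, MD5, ...)
            label = line.lower()
        else:                                    # the value for that label
            manifest[current][label] = line
            label = None
    return manifest


def map_to_root(win_path: str, root: Path) -> Path:
    # Drop the drive/anchor so C:\Windows\x maps to <root>/Windows/x.
    p = PureWindowsPath(win_path)
    rel = p.relative_to(p.anchor) if p.anchor else p
    return root.joinpath(*rel.parts)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest: dict, root: Path) -> dict:
    """Per entry: 'match', 'mismatch' (present, different SHA256) or 'missing'."""
    results = {}
    for win_path, fields in manifest.items():
        local = map_to_root(win_path, root)
        if not local.is_file():
            results[win_path] = "missing"
        elif sha256_of(local) == fields["sha256"].lower():
            results[win_path] = "match"
        else:
            results[win_path] = "mismatch"
    return results


def run_demo() -> dict:
    """Check the manifest against a constructed directory tree in a temp folder."""
    root = Path(tempfile.mkdtemp(prefix="triage-verify-"))
    manifest = parse_downloads(REPORT_DOWNLOADS)
    # Constructed: wrong content at the cached-MSI path -> 'mismatch'.
    bogus = map_to_root(r"C:\Windows\Installer\e57e60a.msi", root)
    bogus.parent.mkdir(parents=True, exist_ok=True)
    bogus.write_bytes(b"not the real package")
    # Constructed extra entry whose hash we compute ourselves -> 'match'.
    extra = r"C:\Users\Admin\AppData\Local\Temp\constructed.bin"
    payload = b"constructed sample bytes"
    local = map_to_root(extra, root)
    local.parent.mkdir(parents=True, exist_ok=True)
    local.write_bytes(payload)
    manifest[extra] = {"sha256": hashlib.sha256(payload).hexdigest()}
    return verify_manifest(manifest, root)


if __name__ == "__main__":
    for path, status in run_demo().items():
        print(f"{status:9} {path}")
```

    Only SHA256 is compared; the MD5 and SHA1 values are kept in the manifest because other tools and feeds still key on them, not because they are suitable for deciding that two files are the same. The two \??\GLOBALROOT and \??\Volume{...} shadow-copy entries above are not ordinary paths and are deliberately not in the sample: they are the Volume Shadow Copy activity the report attributes to srtasks.exe and vssvc.exe, not files HTTPDebuggerPro installs.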
