Analysis
- max time kernel: 324s
- max time network: 276s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 13/09/2024, 14:58
Static task
- static1
Behavioral tasks
- behavioral1: Sample "Fera Setup.msi", Resource win10-20240404-en
- behavioral2: Sample "Fera Setup.msi", Resource win7-20240903-en
- behavioral3: Sample "Fera Setup.msi", Resource win10v2004-20240802-en
- behavioral4: Sample "Fera Setup.msi", Resource win11-20240802-en
General
- Target: Fera Setup.msi
- Size: 1.1MB
- MD5: 1b0d3430da9f13665cc979fa3fde3154
- SHA1: 89943104c94bcef9ade2e80e50ce390001d4089c
- SHA256: 53622dbd226353cc26e93cc0e03899087d29e1b2fb930d4f79f282ae135a69cc
- SHA512: ea0449fd38a7d589abc36ecbfc3985448c9c4db26da02d975ed0995d6f14c231c531ffb94c4054de369b9f64ec86d80c294c8b56f5270746792c0988c85c8d57
- SSDEEP: 24576:AqFOxtwYXZBm6kYWkpuSOVSocyRTKYIT/Pzg2B:AqFEt/ZBxkYXuXw40rbg2
Malware Config
Signatures
-
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by msiexec.exe, in the order observed: \??\E:, \??\M:, \??\Q:, \??\Z:, \??\L:, \??\N:, \??\X:, \??\R:, \??\V:, \??\Y:, \??\J:, \??\K:, \??\P:, \??\T:, \??\W:, \??\R:, \??\Y:, \??\B:, \??\E:, \??\I:, \??\K:, \??\U:, \??\A:, \??\L:, \??\M:, \??\O:, \??\Q:, \??\Z:, \??\J:, \??\G:, \??\I:, \??\S:, \??\V:, \??\A:, \??\G:, \??\H:, \??\N:, \??\X:, \??\W:, \??\B:, \??\H:, \??\O:, \??\U:, \??\P:, \??\S:, \??\T:
Drops file in Program Files directory (8 IoCs)
- File created: C:\Program Files (x86)\Project Fera\Fera Setup\INIFileParser.dll (msiexec.exe)
- File created: C:\Program Files (x86)\Project Fera\Fera Setup\Fera Launcher.dll (msiexec.exe)
- File created: C:\Program Files (x86)\Project Fera\Fera Setup\FERA Logo Launcher.ico (msiexec.exe)
- File created: C:\Program Files (x86)\Project Fera\Fera Setup\Fera Launcher.exe (msiexec.exe)
- File created: C:\Program Files (x86)\Project Fera\Fera Setup\WindowsAPICodePack.Shell.CommonFileDialogs.dll (msiexec.exe)
- File created: C:\Program Files (x86)\Project Fera\Fera Setup\Fera Launcher.pdb (msiexec.exe)
- File created: C:\Program Files (x86)\Project Fera\Fera Setup\Fera Launcher.runtimeconfig.json (msiexec.exe)
- File created: C:\Program Files (x86)\Project Fera\Fera Setup\Fera Launcher.deps.json (msiexec.exe)
Drops file in Windows directory (14 IoCs)
- File created: C:\Windows\Installer\e580702.msi (msiexec.exe)
- File created: C:\Windows\SystemTemp\~DF42614AF420A7BC32.TMP (msiexec.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File created: C:\Windows\Installer\SourceHash{B3D67081-6A29-40FE-BEFE-C60A498416FA} (msiexec.exe)
- File created: C:\Windows\SystemTemp\~DFC902AB07A3885B31.TMP (msiexec.exe)
- File created: C:\Windows\SystemTemp\~DFA35B3E9BCC322113.TMP (msiexec.exe)
- File opened for modification: C:\Windows\Installer\e580700.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI73E.tmp (msiexec.exe)
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI81B.tmp (msiexec.exe)
- File created: C:\Windows\Installer\e580700.msi (msiexec.exe)
- File created: C:\Windows\SystemTemp\~DF5F3FC3CBACF5B08F.TMP (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI7DC.tmp (msiexec.exe)
Executes dropped EXE (1 IoC)
- PID 2208: Fera Launcher.exe
Loads dropped DLL (4 IoCs)
- PID 2808: MsiExec.exe (2 loads)
- PID 1224: MsiExec.exe (2 loads)
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value elided) (vssvc.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4376: msiexec.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Tokens, in the order observed:
- PID 1912 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
- PID 4376 msiexec.exe: SeSecurityPrivilege
- PID 1912 msiexec.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege
Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 1912: msiexec.exe (2 occurrences)
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 4376 msiexec.exe wrote to memory of PID 2808 (procid_target 84), 3 occurrences
- PID 4376 msiexec.exe wrote to memory of PID 440 (procid_target 89), 2 occurrences
- PID 4376 msiexec.exe wrote to memory of PID 1224 (procid_target 91), 3 occurrences
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 1912)
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Fera Setup.msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4376)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 2808, child of 4376)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F2075D50E1458E0AEF36A371E09E2B84 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\system32\srtasks.exe (PID 440, child of 4376)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\syswow64\MsiExec.exe (PID 1224, child of 4376)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 78D0D8E76281850BF131F3DC92DB6E26
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 236)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
- C:\Program Files (x86)\Project Fera\Fera Setup\Fera Launcher.exe (PID 2208)
  Command line: "C:\Program Files (x86)\Project Fera\Fera Setup\Fera Launcher.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 10KB
  MD5: 5b4f58dbfb817fdb1e4b013261ef6f1a
  SHA1: 1663e30daf878fcdce1ee5203df8bad3817f9e20
  SHA256: 53ccee5914ee7c1ce1ea98ddaea92a473b54f8e21368c50d4e22a8fcc292684c
  SHA512: f6d1a2078760f0c42f1b2d3dbab8e4b2c1e17e38ea2cdc9805c0c28afcd2b6e5f9ccf13de09f86f2369665ff57ca1989729a2d650f42aae08d6ea7d0a72bf819
- Filesize: 1KB
  MD5: 8412fb72a84841f36c3c275779f6b3e4
  SHA1: 066c0c12d71e9e2848add2f32dc0177cff204bff
  SHA256: f267430eda9534c5a34564aca7545a6f559048f8e98ec084d4b90e9778737ca5
  SHA512: b352ddb5206c965ff99156673504064b8bdceb2325dc31c3abf496bd481cb0900fa214306df713d639a2a4429433899429446cdecea0af3a6e7353cfcc10bc03
- Filesize: 483KB
  MD5: ac1521aefebf6db34b4656e7e62b8d62
  SHA1: d20682898e563ee8570e93bf42e224bde4809fe7
  SHA256: 715aec17986a9863b2cba61f55e252381eefbcfebce9a5a3e663ba34dd33da62
  SHA512: 3513a5ef46e968709bd0a41ed44b794f2ec3799d70d9d5db19e34a5fa5d0614af4cea4b177db1bc190f123d933d8a4e784f86b0732c4951c2242ca571b7478a2
- Filesize: 154KB
  MD5: 8da13f1de060553d4c7b8c4d1c1f8587
  SHA1: c1e9e78806812f752c53778895c81d50ec84e834
  SHA256: fd22760f7920445f7be30d63c4192abcc381e14782de33a3bc60e1bbc212ca6f
  SHA512: 1306b3d856e0ed38272ce684f91ad32aad9731a9f80d17fe925fcf16e6d831e045c95c1af0081d7ba52bbbd71d05b53a8d5d230fde49930f8fa9fbe5cc64da4f
- Filesize: 458B
  MD5: 07b9a30265ca4e69c7016a1b6e3ffc27
  SHA1: 3a4af82a2695b1423aedd8b60a5c86793c011b02
  SHA256: c71152bf25e40d647b2440c5b39be157a3d356106be9d5b678ab97bb87b4e782
  SHA512: efd582f8edcdba5ef48d02eee5f73d83ff35071af99b49e08e0213928568d728d0856e3b903bfcccb9237f786846cf94da83139f99e9bee86287aff2071c3f1c
- Filesize: 285KB
  MD5: b77a2a2768b9cc78a71bbffb9812b978
  SHA1: b70e27eb446fe1c3bc8ea03dabbee2739a782e04
  SHA256: f74c97b1a53541b059d3bfafe41a79005ce5065f8210d7de9f1b600dc4e28aa0
  SHA512: a8b16bc60f8559c78c64ca9e85cd7fd704bba1f55b362465b7accef1bb853d1c9616995a35f972256c57fbe877ce880398ba1fbceaa658604883aa12dcbc4f57
- Filesize: 1.1MB
  MD5: 1b0d3430da9f13665cc979fa3fde3154
  SHA1: 89943104c94bcef9ade2e80e50ce390001d4089c
  SHA256: 53622dbd226353cc26e93cc0e03899087d29e1b2fb930d4f79f282ae135a69cc
  SHA512: ea0449fd38a7d589abc36ecbfc3985448c9c4db26da02d975ed0995d6f14c231c531ffb94c4054de369b9f64ec86d80c294c8b56f5270746792c0988c85c8d57
- Filesize: 12.8MB
  MD5: df15151ac4b62e9606551eed311791d6
  SHA1: 92af50292d7f7fcec0a87d0834818277ad9b7cb9
  SHA256: c6e0901dc542aa97b5114138406ede3603ae4964cbfb1e670fb8d4283850ac22
  SHA512: 2b790acef090ecf0ee1cbf990cd302c5022a3e79f0a3f677ec203bc6655033faa3fdaa39f016268e340d7992fac148ca7162dab6f054e03c048fe890d20bfd65
- \??\Volume{6e183fb6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b3de50f9-7caf-403c-bc5b-53a560801a1c}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 9134f581da724f3de297b74b41f8ed27
  SHA1: 8daf9166399dd92d54efd3125cc850fcaf619b0a
  SHA256: d177f2e869b8d210a983357c4f8137db3d69aa8cd4a45ff4c656a7056bb2ba2f
  SHA512: b119e1db6e5414e7ba2333c70739bd222df0db1b5ce1f5f6c2f2bde1c4d1310d1cb408bc6bf5022fe33124f87e591dec2474b7c567733327596cd776c900642d