Analysis

  • max time kernel: 142s
  • max time network: 118s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 23-09-2024 17:12

General

  • Target: f119f1e813cdb8dba30bd3348ef97cd8bf5213b3e1a9f25f008337e8b34eaee5msi.msi
  • Size: 1.5MB
  • MD5: 5ba3dd339379dd640002ca9dee880ce0
  • SHA1: d68b36f919b3f131f7c25c0d0cfa0ee22f79aa23
  • SHA256: f119f1e813cdb8dba30bd3348ef97cd8bf5213b3e1a9f25f008337e8b34eaee5
  • SHA512: 3527a3f738e084c8522d8976594eb9d3d38642296b9794b6e58ea1a40850c52794e498fb72f997695d12aac800327370edccc2b6fcc97d3d4ab76b1ca4fb66ed
  • SSDEEP: 24576:A5LWW2cDo6vLV15xTHfCIr43Hm2pDA9mtByVcNPEuXggR89g:OKW306vLV15AFGJ9uB0cBRXfp

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 15 IoCs
  • Loads dropped DLL 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f119f1e813cdb8dba30bd3348ef97cd8bf5213b3e1a9f25f008337e8b34eaee5msi.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2544
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 57B65F52B2B1A85627C1FC1CD7A44D94
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI5AA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259458569 1 test.old.cs!Test.CustomActions.MyAction
        3⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpCAE.dll",Enter
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2808
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2936
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D4" "0000000000000060"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:304

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\f77016a.rbs
    Filesize: 8KB
    MD5: 32f260ffdb68af2607271e7e3b155f37
    SHA1: 4e971b56a25a36caa5e9d60903f224d502f7dfc9
    SHA256: 8716dcc5b7b93c34cf449ddee6e2709ddcec1087d5d9b8045307b3538a3a9af4
    SHA512: a054e05b5dc092838cc316d4ca18ee1e20ba67b9071fec37c55450a0f43fcc9041886d1d847d454c6d7f78004dbed48b177fa820078412f8e67f1592b9160f0a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8555326CC9661C9937DC5053B6C38763
    Filesize: 1KB
    MD5: 866912c070f1ecacacc2d5bca55ba129
    SHA1: b7ab3308d1ea4477ba1480125a6fbda936490cbb
    SHA256: 85666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69
    SHA512: f91e855e0346ac8c3379129154e01488bb22cff7f6a6df2a80f1671e43c5df8acae36fdf5ee0eb2320f287a681a326b6f1df36e8e37aa5597c4797dd6b43b7cf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8555326CC9661C9937DC5053B6C38763
    Filesize: 326B
    MD5: 3ffcd9fad71fec35e894e6fc88adb116
    SHA1: c346497682a2e6725b6bf8a9f4735afc5e0e936c
    SHA256: e50d26f039a3accfa099b3e1b2299dc6b6ff5cfa338cc3021f419a87f66b8623
    SHA512: 0e1cd2a86d858927e9905077ec11942a4070c85c57c862566c1ba5a3152b1961e80c8d56c6e2bde0f90f4e519d1200d4e2270e5717f588e83ccb4323c427b0a3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: a1cf310a08d93692c86507f8e339b654
    SHA1: e5529f52e248ea11f6accc79e6ad2a88c2a3d00a
    SHA256: 5760fa6e3829380897659a6ac4581bf0e9a7128bfad7b6d23676cc1e0d6a647e
    SHA512: b25e1c3e0dfb51793d6949218aff3e83295081a649afd68470f173b0755b4663fe2a91549474e9d572d00b1a8cac131fd544c846b536bc5a0518227e52460c3a

  • C:\Users\Admin\AppData\Local\Temp\CabE2F2.tmp
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarE2F5.tmp
    Filesize: 181KB
    MD5: 4ea6026cf93ec6338144661bf1202cd1
    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\tmpCAE.dll
    Filesize: 1.1MB
    MD5: 56573f3b6ec3fc757a9586e5ff4b4fd5
    SHA1: 08fc58ac9b7da11b70802fe838115e4b4d651bb9
    SHA256: 2a387ad304d7278ddc83b6a5238cba3106f4474b7fa67972b6cec167422e7756
    SHA512: 35553ee65127ab50adb5af4efdd41a549d46e0b90735f75de6df2bd5fc37639570fa446b711fd09eb0bec2ee2e0db6c4f3b33aec5e2a260befd832fc449fcc75

  • C:\Windows\Installer\MSI5AA.tmp
    Filesize: 386KB
    MD5: d1e6f2ac7b55f285bc080a3d8eb9617a
    SHA1: 1c9c739b227ff40f4d543422e55c30cab95d31d5
    SHA256: 84b9d246d329c0f7463956a978b782011c30f5ee9bb3e7968f4789c195290202
    SHA512: 168dcddcf29476522c560996d50a2d830d22177eaaa469d10b0ee217c69deea3ba9a981c42097f672c121224342e6a1ff642dc1170637610f3c7796d1b3734a2

  • \Windows\Installer\MSI5AA.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Filesize: 172KB
    MD5: 4e04a4cb2cf220aecc23ea1884c74693
    SHA1: a828c986d737f89ee1d9b50e63c540d48096957f
    SHA256: cfed1841c76c9731035ebb61d5dc5656babf1beff6ed395e1c6b85bb9c74f85a
    SHA512: c0b850fbc24efad8207a3fcca11217cb52f1d08b14deb16b8e813903fecd90714eb1a4b91b329cf779afff3d90963380f7cfd1555ffc27bd4ac6598c709443c4

  • \Windows\Installer\MSI5AA.tmp-\WixSharp.dll
    Filesize: 425KB
    MD5: ea800f52639d12279a3e602e43a07636
    SHA1: e997386cc618aed516169111ba3ca7ceae91783d
    SHA256: 7eea616ea886145913c13d239f3e0ead58ace3a226e5aa330e67bbdd16673510
    SHA512: 33d46c6980743eb319b74bf89c300c5b886a960c222efcb2e66339b4eb7467cbf6546deef28a34ab09c4ed2c170efe76f38e4bc724603485e5e776d8e0457ccf

  • \Windows\Installer\MSI5AA.tmp-\test.old.cs.dll
    Filesize: 13KB
    MD5: 3b8ed94e66516498a7adaaa3716b6c93
    SHA1: b4a62ec489fbbcd1cf3186cba65f3586aaab08aa
    SHA256: 59befc71c0412fa3d5ffe0432bdca3bb35bfc877c19402fbb41b61753d7f5904
    SHA512: 6e0c56c1064fae872703262e936df0b2a35e88d9f9e8c7b1a00efe7c50b7afd249ce87e4e1fef5ce65e7b9706ef24c879ae1c2020361ba5b3ced4f485777f2ac

  • memory/2684-272-0x00000000007F0000-0x000000000081E000-memory.dmp
    Filesize: 184KB

  • memory/2684-276-0x0000000000B50000-0x0000000000B5A000-memory.dmp
    Filesize: 40KB

  • memory/2684-280-0x0000000000BB0000-0x0000000000C20000-memory.dmp
    Filesize: 448KB

  • memory/2808-295-0x0000000000AA0000-0x0000000000BBB000-memory.dmp
    Filesize: 1.1MB

  • memory/2808-310-0x00000000026F0000-0x00000000027A1000-memory.dmp
    Filesize: 708KB

  • memory/2808-311-0x00000000026F0000-0x00000000027A1000-memory.dmp
    Filesize: 708KB

  • memory/2808-312-0x0000000000AA0000-0x0000000000BBB000-memory.dmp
    Filesize: 1.1MB