Analysis

  • max time kernel
    20s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    27/09/2024, 23:28

General

  • Target

    digital_clock_5-x64.msi

  • Size

    25.0MB

  • MD5

    6d0678fbb1deef83f77db4dabb8b4ffc

  • SHA1

    e10923c06c27e2db0d8832e3da1eb3e2ae39f2a8

  • SHA256

    17ce23f597ad4e83dccc69577691da7ec075453e45dcf0f8fa9d74fdefbb3e02

  • SHA512

    89f94951e535dd09d80b8fa7c07609fe551f44cd819d94915a6f1181f28d0f2e603965133b7844748379276fe9014983db7f9db37969d283aab483a6b4633c31

  • SSDEEP

    393216:HGbzqalcxfoCGd6FEhJ0fgMg3CSDgrRN8h1T7+5naXSTKwaE+5wv416AgwZQeZ:HoqkcxgCcuKufg79qgm6STKwUp9Z5

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 15 IoCs
  • Loads dropped DLL 1 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\digital_clock_5-x64.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1284
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1768
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 42EDD782215EA70B5F9FFA989CA36638
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2884
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:5056

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Config.Msi\e57cf18.rbs

      Filesize

      76KB

      MD5

      2502d35e7159bc97f56b64fccd9d9f92

      SHA1

      a34fc5d24b197ee654d2c49af82f90d5a6f07c58

      SHA256

      592d0fdcedc6d1b9017445152379e75e7bb4f9bff0da633754f345a7c5d2a0b5

      SHA512

      11a2354036ce5cc49e1bdbf73208fc836f49ec89a09db985f5a827ba5c6e9521e64dc773d566fcc9d053371848d7e967f7bfd6a3698254262ba04b9fbaeea5d5

    • C:\Windows\Installer\MSID8CD.tmp

      Filesize

      234KB

      MD5

      8edc1557e9fc7f25f89ad384d01bcec4

      SHA1

      98e64d7f92b8254fe3f258e3238b9e0f033b5a9c

      SHA256

      78860e15e474cc2af7ad6e499a8971b6b8197afb8e49a1b9eaaa392e4378f3a5

      SHA512

      d26c9dce3c3d17583ffb5dbcd3989f93b096a7f64a37a2701a474c1bf4b8c8b1e922c352d33f24e411f1c793e1b4af11a3aec1de489087d481b1b636df2050cd

    • C:\Windows\Installer\e57cf17.msi

      Filesize

      25.0MB

      MD5

      6d0678fbb1deef83f77db4dabb8b4ffc

      SHA1

      e10923c06c27e2db0d8832e3da1eb3e2ae39f2a8

      SHA256

      17ce23f597ad4e83dccc69577691da7ec075453e45dcf0f8fa9d74fdefbb3e02

      SHA512

      89f94951e535dd09d80b8fa7c07609fe551f44cd819d94915a6f1181f28d0f2e603965133b7844748379276fe9014983db7f9db37969d283aab483a6b4633c31

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      12.8MB

      MD5

      2a6fc7fc8cdfee2027c7844efb368a07

      SHA1

      17dfb7f4e368645eb0e6ed05cf3cfd38bdc412de

      SHA256

      adde7aee0ac6d210cfebac7bd5fd8028a6ca05d5db47adaada1f4ad04c491626

      SHA512

      1328f26b8506c041a2f3f749e7fffa01406b26154907873e68a97b0274e18a376c7b8c3f89fedc595044c4a978e7659090c761d5715765d189dbe8b571cdb7cc

    • \??\Volume{2b988a90-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{88156a5e-0ba9-47c0-bf67-a9af4dbcd7d9}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      e49759cc17b6b6a13737edc02772ca80

      SHA1

      b3331e9178306ce2a84c7c69ce04f15162bc65b6

      SHA256

      a4ab0da4020caa4ab82c8cdeea13c97d8f7c761d6a444723dda50550fc75d4a4

      SHA512

      cbca29eda95eb7b7cc608469ed5e6a0d153f7c684db625fb04b137bbcaf1da89158e752047451311c747e7f29ddc9ae8d1c36b87b75c049e5572259ffe69a5fc