Overview

overview

7

Static

static

1

0cd61886c8...e8.msi

windows7-x64

7

0cd61886c8...e8.msi

windows10-2004-x64

7

Analysis

  • max time kernel
    129s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-09-2024 05:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0cd61886c89fef2291639e9ed0227008b2e17199a64296207fe0b6b5f3e91de8.msi

  • Size

    3.1MB

  • MD5

    d0f6a028fd07c851683f066ff7e1fd5d

  • SHA1

    31a979b820d541059ac4672ff37851014fabb059

  • SHA256

    0cd61886c89fef2291639e9ed0227008b2e17199a64296207fe0b6b5f3e91de8

  • SHA512

    b59fdf602d477a178d4dad95fcce4d7fa442d529ca6b7d931c47633280d728c9199c54be041d89ba494f11da179f899337b0f10756a09c85e1f8f578ffb3eb8b

  • SSDEEP

    49152:ipRh803EQqONeQDE5y6QHS+mrKcunU/qwYWS42CQlmI/pxpcx9O3cJa5tEvb:ipNEQqOAdfKcunUiwS42AI/pxKUtab

Score
7/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies registry class 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0cd61886c89fef2291639e9ed0227008b2e17199a64296207fe0b6b5f3e91de8.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4588
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1432
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F15A7A07D64379B20DD4462A12FA41A2
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-010a2d95-9d46-4001-996f-223a281a10c7\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:3920
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2716
      • C:\Users\Admin\AppData\Local\Temp\MW-010a2d95-9d46-4001-996f-223a281a10c7\files\cmdfmt.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-010a2d95-9d46-4001-996f-223a281a10c7\files\cmdfmt.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4580
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\System32\wscript.exe" Sleep.vbs
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3512
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k rundll32 Endpoint.dll, RunDllEntryPointW
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2052
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 Endpoint.dll, RunDllEntryPointW
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1168
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c cd C:\Users\Admin\AppData\Roaming\MonitorConfigs&&cmd /c timeout 1&&cmd /c reg.exe import add.txt
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2616
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c timeout 1
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3176
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Delays execution with timeout.exe
                  PID:3368
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c reg.exe import add.txt
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2656
                • C:\Windows\SysWOW64\reg.exe
                  reg.exe import add.txt
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  PID:4740
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c cd C:\Users\Admin\AppData\Roaming\MonitorConfigs&&cmd /c timeout 1&&cmd /c rundll32.exe /sta {3FEE3C07-4C58-4181-AFFD-C6D138E1301C}
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:208
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c timeout 1
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4512
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Delays execution with timeout.exe
                  PID:3244
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c rundll32.exe /sta {3FEE3C07-4C58-4181-AFFD-C6D138E1301C}
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2576
                • C:\Windows\SysWOW64\rundll32.exe
                  rundll32.exe /sta {3FEE3C07-4C58-4181-AFFD-C6D138E1301C}
                  8⤵
                  • Suspicious use of SetThreadContext
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:1688
                  • C:\Users\Admin\AppData\Roaming\MComponents\WINDBVER.EXE
                    C:\Users\Admin\AppData\Roaming\MComponents\WINDBVER.EXE
                    9⤵
                    • Adds Run key to start application
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:3596
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-010a2d95-9d46-4001-996f-223a281a10c7\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:868
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Installer Packages

1
T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Installer Packages

1
T1546.016

Defense Evasion

File and Directory Permissions Modification

1
T1222

Modify Registry

1
T1112

System Binary Proxy Execution

1
T1218

Msiexec

1
T1218.007

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW-010a2d95-9d46-4001-996f-223a281a10c7\files.cab
    Filesize

    2.9MB

    MD5

    e63dce70e5a313b358a42000d9fd4490

    SHA1

    eccc857dd0b2114b4e153ea03fc72c5f214ea5d9

    SHA256

    e22ec082c88d575ce3a754a75b630bb349aff82a7519b495bb3c1d3862dbe4b3

    SHA512

    740f75390b74f9c75784cd177ce31b1a778aefff5b33071307e9689062d59b3d68104c5ff4a02291f299228107b2659337bc673b2dd427fb2fb976f9da331369

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-010a2d95-9d46-4001-996f-223a281a10c7\files\Endpoint.dll
    Filesize

    40KB

    MD5

    b90d516f11011015872e9da93348be53

    SHA1

    0d091c0b3113012e5930e83e3967430409f5b5f5

    SHA256

    dbc74e253a3a21162168bb22f11f9411b87163fa69a6c0d531f2707f4488ae8d

    SHA512

    072ee865ab745e971c8586da2f5ee46bf6784dfb92deb1ae459b87f6c6ba37c7f2c4c82fe4dc34bc37bcb19c96e6dfd115618916bf60be9abf2a759a37964e2c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-010a2d95-9d46-4001-996f-223a281a10c7\files\MonitorConfig.dll
    Filesize

    3.7MB

    MD5

    70be95b1770e535345ab8bee4b82a185

    SHA1

    364d70673c497061f4810b66241c7f6e35447121

    SHA256

    11a362125f664bb830b5673db23b49bb3505e8ecc096ce1a174f8c57406a2f76

    SHA512

    0d69827cb6d58c9b974bb5cdd6c961499ea604ad5e41246cd12b077481db963f28cfe0fb5d3a63c1bcade1ae66e7defb7d4f76585e87a645c992b6c20e92b1fe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-010a2d95-9d46-4001-996f-223a281a10c7\files\MonitorSettings.dll
    Filesize

    624KB

    MD5

    2d987a96075127bd1548c5f79c5783f1

    SHA1

    d53967348052e73d4ade6c2bdfa438fe50fec106

    SHA256

    d309954c3abe64cdd0fefc09575c31eb87b7bb728472a713251b760d80149439

    SHA512

    00103e47cc02a2a58ae099fcd2d2d064a2e8556def1b55b0574ab325f2727a95960c851dd25c4c4ccea193efbb0f426963f2cb1fd3c13b6ce9f41dc8adbb9df2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-010a2d95-9d46-4001-996f-223a281a10c7\files\Sleep.vbs
    Filesize

    148B

    MD5

    fad2def6a99554607507c273f73df2b1

    SHA1

    44263a830695cbfaeaefaf3910240af3ac6d240b

    SHA256

    4b4288f0ffdfe0c347795f554f7699b7773d374b0720cbbfd228f1435edf8987

    SHA512

    f06b82977755c62d63c8d5598a74bce0fbd06592497b66ce9076383f2f0597780945c3ea7a78c6b222a3dadcb18b9b5d2047cc492c90347e2e6948fde5ccf8bf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-010a2d95-9d46-4001-996f-223a281a10c7\files\add.txt
    Filesize

    1015B

    MD5

    59674adb9f1670ca428fdbe5614b1fcc

    SHA1

    2ab3f3606a8c81ba50abf9ffe5405660d7390a1f

    SHA256

    39dc2fda7eddb7b30bbab8171b3e41d640ec56c8821e24b0d63da6c0893794c6

    SHA512

    2738e5b39e4de423daa33274f736dd5df4013dee6c83ea6a2c4b3bd5e62e09ca9f5d18c96fe4559ba3dbe588d8bd56fda2b4ce2e6920dd6347bff3230cad76dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-010a2d95-9d46-4001-996f-223a281a10c7\files\cmdfmt.exe
    Filesize

    2.0MB

    MD5

    3c06138c0e9b9706281dea5b5037bfbb

    SHA1

    608a2ee6adf4c3ccfb3ea25edf393f5745cb7b57

    SHA256

    82f93f71f45c1d2ea20697d01d3f5ae50761942a956384e217ba898efa63ec47

    SHA512

    bf1f360f99f0f38ef66d97d42ba689936b22c38e092533e14723974ab2f2b9ffac61446400f3379f97c7edd982c6cec62400670682855ef5482d3bcf6c567131

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-010a2d95-9d46-4001-996f-223a281a10c7\files\data.bin
    Filesize

    30KB

    MD5

    73a5552a933e15b0a6fe13bb573e90d3

    SHA1

    5eb98f8a26d30db716a67f152efb8281b330f194

    SHA256

    8778bb953ffead733b53de1b4ac040061fd93e5bee5223893ca4e1dc7b0fea02

    SHA512

    ac08e2cd25a622dce54a0911f832604cda335837aec6f7d324fb486fa104b3ef1466affaedf85541719418fec76d9de89f61fa5cd7d0694e99f7278018179cea

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-010a2d95-9d46-4001-996f-223a281a10c7\files\save.txt
    Filesize

    13.4MB

    MD5

    dfb972051b71220c2f87b0ae4a3b7c52

    SHA1

    37a9a86e2187c8311b60ff18805e5826b0627b26

    SHA256

    5531867074b664aecc155df32101b761e3b065a23bfb36c84c4dc246bf405fe7

    SHA512

    c78d65495116d53f611253780f748286d881bad0da7712a1446d8f5e4635b6a99572e0fc597f64771e66c4040b2d6817a75a8b0521f73627e579efe2e208cdd6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-010a2d95-9d46-4001-996f-223a281a10c7\msiwrapper.ini
    Filesize

    1KB

    MD5

    b2ec895fadb81b24729c2a0a93f55a12

    SHA1

    cabba68b1a545f7dc17ab1f763f7c0852f52c900

    SHA256

    81bae895e687c1c3aa3c9fedb992eaf399c05baa8e8ed86d47947da54562e592

    SHA512

    67b82f35b37f4a5356b29bf47719e69c9d06a36148861ad7f24dec5f55b75272a599ec2b9bedacff011ca2244ea8b1c1db302dc390d66b39191268bb70d3778d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-010a2d95-9d46-4001-996f-223a281a10c7\msiwrapper.ini
    Filesize

    1KB

    MD5

    075c3b08188940d5fbe6b566b561ca27

    SHA1

    d041b05d1ac24c752b3ae9b4741562091b516eaf

    SHA256

    76043bc3db208c8bcdd1aae3d092db4ed82bd7daa569c38f63baab26406fa9ea

    SHA512

    d782b1731bb35dcc1d2f6ae576cdb5cdb747611ff9873458c4df0897fcafd21794a7363b69e97e35c5f47e011ce02835c9c51de98ee99be73d5afee91392f242

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MonitorConfigs\add.txt
    Filesize

    1KB

    MD5

    e35a486d96c64f2ffe8ed9d715f7946a

    SHA1

    88a77d3540b854c3cfc514a7e731c2e08c8706de

    SHA256

    9999f791a8407965d30378185949f6dd29f4606048693874bae1599f5ac28ab4

    SHA512

    631984f9595454dee6bc7936574f017ca0be87f4d596ea5c16d9efc4b5ec33623c0306ebaf31da89b3d937d2be78898a71ad923bd589eb07f3bef4b8f9e03c1e

    Download Submit

  • C:\Windows\Installer\MSI819.tmp
    Filesize

    208KB

    MD5

    0c8921bbcc37c6efd34faf44cf3b0cb5

    SHA1

    dcfa71246157edcd09eecaf9d4c5e360b24b3e49

    SHA256

    fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

    SHA512

    ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    23.7MB

    MD5

    7f5797f7921d39ef5b5ec1870177d3f0

    SHA1

    0acc96bda6d8f7cbff2fbd3d56a2b68c03959c07

    SHA256

    276e4d99326dc23ea266c347903d297277381bee6da26b902c2bb63f8bdedbeb

    SHA512

    df098c607428e11497e0ed9c0439ff3779e681603cbbe9d86374fe590ebaf03308d233789b950ad2ae22e4bac3ba29cfb69024d3e2cc52f3d999151e87b294ea

    Download Submit

  • \??\Volume{fa3589b5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f6eaffbd-bb83-4b77-9b7f-e2813e40339d}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    53f3e7e48bfd85cc81715b99c500e29a

    SHA1

    0c5af442baa7e802739fc1854009c91d2776b809

    SHA256

    86a45e23aea539af7639b6a399d67482df076d6f4b4381a02356e06d848cfb8d

    SHA512

    4d989b30b43ffd591b7a2c3dbddbc2e337f2af92b572f8c83e3e7ea5beaf087ac638e3243966767bc4a1841bf411e2a92505446c139dbd813191b94e29c742e8

    Download Submit

  • memory/1688-128-0x0000000003230000-0x00000000035E9000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/3596-144-0x0000000000400000-0x000000000115C000-memory.dmp

    Filesize

    13.4MB

    Download

  • memory/3596-140-0x0000000000400000-0x000000000115C000-memory.dmp

    Filesize

    13.4MB

    Download

  • memory/3596-139-0x0000000000400000-0x000000000115C000-memory.dmp

    Filesize

    13.4MB

    Download

  • memory/3596-147-0x0000000000400000-0x000000000115C000-memory.dmp

    Filesize

    13.4MB

    Download

  • memory/3596-149-0x0000000000400000-0x000000000115C000-memory.dmp

    Filesize

    13.4MB

    Download

  • memory/3596-153-0x0000000000400000-0x000000000115C000-memory.dmp

    Filesize

    13.4MB

    Download

  • memory/3596-155-0x0000000000400000-0x000000000115C000-memory.dmp

    Filesize

    13.4MB

    Download

  • memory/3596-157-0x0000000000400000-0x000000000115C000-memory.dmp

    Filesize

    13.4MB

    Download

  • memory/3596-158-0x0000000000400000-0x000000000115C000-memory.dmp

    Filesize

    13.4MB

    Download

  • memory/3596-160-0x0000000000400000-0x000000000115C000-memory.dmp

    Filesize

    13.4MB

    Download