Analysis
-
max time kernel
123s -
max time network
127s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
31-10-2024 08:13
General
-
Target
QuantAnalysis.msi
-
Size
10.8MB
-
MD5
eed73ffb6f45153f5262fb46c8ab7ddc
-
SHA1
cb77c2fa6ea50fe2e2f124e49701112ea0acd038
-
SHA256
f6440afa2e7866b2fc44fff37c044dd35c2c5f112911e07b98ffaadcaae8c3fb
-
SHA512
600e0890aa308cb49a74c70b1e2d76b2ed8524c352212d847041d89efcbc393e027b6566d2790f9c384c31cb21643f7cbb94960fa3b6cc012224b1057817950e
-
SSDEEP
49152:HFoRM63NLhkx5pHP9eSh9/MEGrQzdv1Pk+41+BcXsXOGXsXv5ooWT0HjW0Rz15yZ:He38Fx/zGcJ6+I+IeOsev5rW0l6
Malware Config
Signatures
-
Blocklisted process makes network request 5 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 21 IoCs
-
Loads dropped DLL 18 IoCs
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\QuantAnalysis.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding E729D2A57203D79EBF12F26470F1DFCE C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 91EF3A7056CBBE022DAB674E5DBA4CE9 C2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI703F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240611515 3 QuantCustomAction!QuantCustomAction.CustomActions.DetectCustomerHome3⤵
- Loads dropped DLL
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI7198.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240611750 16 QuantCustomAction!QuantCustomAction.CustomActions.DetectReportBuilderCommonFolder3⤵
- Loads dropped DLL
-
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding CD70B88AD526707D2E9192FB480112A82⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Windows\Installer\MSIFF7E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240648218 2 QuantCustomAction!QuantCustomAction.CustomActions.TranslateSidToName3⤵
- Drops file in Windows directory
- Loads dropped DLL
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3CC00F69058265A26AB20ED8AD0FCE062⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD5a5b207ecda7d98827e121a903fadf43d
SHA1c933e93d2f14d3ed7bedce189646f5b9436bf39f
SHA25689e2b61f14682c065070c6e7fb6ca254555336c8e4092321913eea8edb1de1e5
SHA512b3fec39c8a404c739f119a2b8430788509a99ebb97b5c3e82e90cc3b66068c54f4299a143e387729debd19ed43d8529b6373ce04ea37bb91a86593cbaff0b791
-
Filesize
1KB
MD5b7b89696a30acab9b6b6b944d55514a7
SHA14d37505156c7c7288b4c4d569cec0087273ff718
SHA256450d65c3e4a85fc4e7f39b972b71982042e1a1302dce6d9242aadd6fa90fbccb
SHA512d34c1f79dcccc3147b568b2f2038c012a6b244cf6117aa59fcad65d3178de0b4abaed45f5cc4e3c9952ba4fbfdf2dcf63819b928d8c58d648da4b20596df78b8
-
Filesize
5B
MD55bfa51f3a417b98e7443eca90fc94703
SHA18c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA5124cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
-
Filesize
388B
MD5e12cdcdfcd98ff5504ce9bc791ce78cf
SHA14ceab8399616b201e851d701551c3e9a26a59b45
SHA25687b6477a113fff71780bc24205a683eedffdc3d21f4826ebd0a88523b6203e89
SHA512ba6ca134e58326b60a629a16a4e7a9d6d6c847d86e6401f692619e2ac82110580eaee06389811fa7ddad46560cffd1e0c1987595559b96b417e666096c6c54bd
-
Filesize
170B
MD589ac934ae1bc4d619b67153992d78936
SHA1a053dca9955ce7b47505f401b95cfc0ae3ee9fe4
SHA256e44e87f041d84d6597c74f4c86be95e7b85d8df2432e80c8b6d896c48b57da22
SHA51252fee69828c0df63b5bc63c952cd2ab198ffdff3bdae700c283f1f410ea14d6fd2087cd1630effed2d88c40ba3880935646f1d31821616ae8b7ca7d6e891e922
-
Filesize
192B
MD5576a9879bb3305a021226f574b2f8894
SHA177a6e65f1bd17a8a37c5078b13dcb4baecc614da
SHA2565ab03d789c16d2a4a7b8de73e3d375da873f624a1d9b73393e645863c210baea
SHA512c84cdb907df90d5778524b13a8a8fc99884862d0db5e93cb404888584ee08fb7938dbc463ee782b27f08d720cec03a8cd222d35985e13eafacb5a3f26863ca17
-
Filesize
390B
MD593911394e4560554557556336cb0c528
SHA12047ae7e8db60f6ceca9110c1c89ac7846953fb8
SHA256309fc7a7074890363f79ac0610262c6c57237fcb782e8c5c281ddf969d60e56a
SHA51291d8a3193cb945ca4033a891bb005028b81e35ea81ec1bb1ea72b7662caf7d78d7de4baee4e2162d9dcee1db741de43a30e89725da80ad0da453139b3b4b1e92
-
Filesize
651B
MD579dd9d574bf7da4d10dee390db653a12
SHA1ddb3e64a2e79b01101cbd6d553eda0659451bc84
SHA2564c0cac895c138615c44f674f0a92304ec664e87fbd3721eb9f403cc03f2fea34
SHA512f08b39971a8cc77761dea295906bead275aac4011821a3ea1c0a78ae1162bbbb1cf51cc93fbbb7c72cc4ac1bd2cb7d69cdd27ef6ff93d31ef66be8f97615e4b7
-
Filesize
199KB
MD53a4e61909500d677745ef2ab508f3f3b
SHA1ee398e1a153ca96c2592816eb8e8b2b7bb845e1e
SHA256fb7a6eb19d1d1042d3bd8b3add9271116b8b6db3714dfcc0b6fee8e088d4a2cc
SHA512feba07bba5007a20e0a1e2ca8c9050ae8624e8fbb0f24aada5dc7c2bde3be561b844453a573cab2a24c3769a8dba401db4eeef0d22ef86e2109b67e54392ee45
-
Filesize
1.3MB
MD53704a1c7537679f424a175e41a358831
SHA188e94d11cc778048ccaf311c85ddaf4079d92d05
SHA2562d544865ce9377960393ad0399d2f8193e8f2388af35af2f3a4a83f663fe6c1d
SHA5123696733f49d95cf2395c464f3c9bbb978220ec790a95b8687f589076cb1004b8e53db8115eb21164c061ce621516fd78368638bb710356ed03e1284c60d51e2d
-
Filesize
5KB
MD526452ceae72e1a7eb954919cad85261d
SHA13e0ce558624156818ad9763067903632393e1545
SHA25688558723dddf63ef8b72c1ff7ed0892895839aa1e736edbd23d690acaff5188c
SHA51256ff796524f2f0f453e5b1fa1a855dccf4465469a6b9945019ac397f3c01676cbfdf2a7ebf31382c5a04227402104bddc6df1d8fb80bd79eeedd1d0eadb6f94e
-
Filesize
13KB
MD54e27768f2c0de3564599ac585f59bc3c
SHA1905c0eea30a704447a748f2a1d2bc31a2e70958c
SHA25600a586dacb6092ba0d60e468a7ec1f86f7b3d1fc90967a0d7a7ec0ce0b866264
SHA5120cbfb297c3393e4d7f2cc29e7882f8a628eb499f7bc76a27a2daaaaed806c75625a51167d349570fab044c26510fa2187836210e63d432b66ab96c49a66fed48
-
Filesize
1KB
MD54933c1e1be5973187e991ea2ed9e6451
SHA1b16b52ba34a835b5bb8665f502e7e37985b6776e
SHA256dc44fb3a0ce9cb88926b2d91ec3cc5a5c5d694b02415c4b2459090f08f08ed58
SHA512766ed216354a9d0f681607577e586e89dc82729ced58c328676771178ba547cd87878a1f5955cd46b197672753bc693d08246a7a11ceb8a7f255e1321403e805
-
Filesize
172KB
MD573527c4ccfe8c3d2f27ffb4b9d1adff2
SHA129f5a5a2c3f2d59753442317e51ff2a6a74a3bbd
SHA2562dd1998a04bf8ab20dabd3da8d8cb9f4be737700ae100260f6f378d667a1a714
SHA5121df26232f30e9cb11fbbaaeee049053077425ad6b7d691ca759553c0e0cbbbc1fa8fb07fab2bf8ad63b4ea75e70988f29d9fb42994961301a59f690f3b10b8d8
-
Filesize
102KB
MD5d9ac1b56edf330a6eb7894ab293f14f6
SHA1022d8944e3927fff2b330dab54716ddcbb366d16
SHA256097f1c3f27b18010448d77e3f70c4d9f774cb9c5ab435c62baa1c00e4cadd5ef
SHA512e434410e2b2c2bb1fba4f3fc7c277b978c45b1df1d3c3994d6dc1530558393d7d42a713506bf95d013b2e40e9da36fd3e588fea8d8dc062a24ad931e4d76c328
-
Filesize
125KB
MD51c302a070ebbd4f4bd53a80d55af6b16
SHA18eaf3ebc9b0fbc6cb0b581a1dc15926686003125
SHA25626d11fcfceca93490c3b2d624ecdbc7a169c87fbee5c4da347e99696368a08ba
SHA5126b1d96d55d22d1137882e504601f1e907ccc44b903cd7188c9c9b93f3ea18cf7f5029641be09805811c8effa679efcd339a16695089ad31c1e54b60799741e09
-
Filesize
92KB
MD5b28c68187ad1690a0098cdac086a5bcd
SHA1faab81f060e837b38de23485562f75082543c960
SHA2568f0241a8511301ab18825fefa7316cbf07a26c3ac97e8c327685613a57aede7d
SHA512b5c89bea0306f915ba9d8314c64096738bed64e692c4288f512fc54d22c34c8e8c52c3b47ce43aacb003ed65a5e6d39a2d12a6afa5b73ca87218ace9832d3381
-
Filesize
24.6MB
MD5b9b2f2fb34bbe33df7ac4e0384bf8258
SHA1fec40480c013d8d6fc2bee99e713942d2a882a33
SHA256ca5336f9a535f34ffb117d1cfdb759cc818fb8c4c60b1e30fc91e213f080547f
SHA5124f46cd6b6d7f70cfb90d476536a0dc0dc3c64c79f82603fc148c1d0a16d567b76125a62163404f7fdc2619fabedf81dd3faaad8d2b78e8080c5a683acd2c4e97
-
Filesize
6KB
MD5dd6f3b4470e6eda0b7bf3a7919b9c54e
SHA1eb8f130b6e03c8758313b18d6b0fc97d4a39ca20
SHA25628cceaffc53b33899a173bdb576d22fcfeac7dd450eccbd5c2a2741701fff07b
SHA51287e9c7bb1199369919f6b8ed66ae9a9810627013fbd7db472ec746626b5599e578894d1d098636cc9b50cb1fadd6c78c7137d269f7ade2d53ffa5644125f1d88
-
Filesize
120KB
-
Filesize
24KB
-
Filesize
32KB
-
Filesize
184KB