Resubmissions

09/11/2024, 21:59

241109-1v6r4atbqk 6

09/11/2024, 21:57

241109-1vch9aslex 6

09/11/2024, 21:56

241109-1tn6natbnj 8

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 21:56

General

  • Target
    Retrac.Launcher_1.0.14_x64_en-US.msi
  • Size
    6.8MB
  • MD5
    ae30168aa8f32e9a4f00df855a303509
  • SHA1
    287b7fba5ff1ba3f5261b8a842da3f6b23e61e02
  • SHA256
    b99bb0941d2258332591632921c5fd9a35bcc2487e69cf2b7a92579965dafc2c
  • SHA512
    4e88b2402fcf60465d8990227f13d5d0c7e016a7a62b0478d7b26406e3cbde86e31e212d5b5cbcb4dad08222694f02008c078cfcd0ed6cd851756fd832bf563d
  • SSDEEP
    196608:0wcRCejj2fzY5Uj1H7lNMsR2AcEE7IEEvo1L1:dcR//2bYI1blIA/wWUL1

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Powershell Invoke Web Request.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 12 IoCs
  • Loads dropped DLL 7 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 35 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Retrac.Launcher_1.0.14_x64_en-US.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3012
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Loads dropped DLL
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2EF152530343A0ADAD4BF40E29A8158E C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2828
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1856
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:2408
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000039C" "00000000000005EC"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:584

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Retrac Launcher\Retrac Launcher.lnk
      Filesize: 2KB
      MD5: a6b358360240225b4d7395d84a465106
      SHA1: 1ba874569bb740795fb22efa0e2686f1574d0e8c
      SHA256: 9c58ca0ad11046e06648a7b0b111004e5b56484df6ec1ec73920562542c61770
      SHA512: 3b792227b353ed5dec2b185a116031a710daf972d0acd26bfa47a6c2cd31719f779c413e818ba3e508cce7a7b5ab5bcf2f8bab09b5d6afd3760104064a9d5780

    • C:\Users\Admin\AppData\Local\Temp\MSI8823.tmp
      Filesize: 113KB
      MD5: 4fdd16752561cf585fed1506914d73e0
      SHA1: f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
      SHA256: aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
      SHA512: 3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

    • C:\Windows\Installer\f76af91.msi
      Filesize: 6.8MB
      MD5: ae30168aa8f32e9a4f00df855a303509
      SHA1: 287b7fba5ff1ba3f5261b8a842da3f6b23e61e02
      SHA256: b99bb0941d2258332591632921c5fd9a35bcc2487e69cf2b7a92579965dafc2c
      SHA512: 4e88b2402fcf60465d8990227f13d5d0c7e016a7a62b0478d7b26406e3cbde86e31e212d5b5cbcb4dad08222694f02008c078cfcd0ed6cd851756fd832bf563d

    • \Program Files\Retrac Launcher\Retrac Launcher.exe
      Filesize: 13.0MB
      MD5: 581db83f7ec4b6d773abbf1f5ce67b64
      SHA1: 92bda9c192cd611ee969bdbfb3f9019fbd5a0a9a
      SHA256: 36657fd756a26c855923e601e239c855e36593c2a7ffca04a7d9629cdc0c6ca3
      SHA512: 837d2609cc3cb4270759f6d23ba730a220ea684e1b4b3f82da1d64cee69c30c61a1ba9e0e59c8473f7042bce7f00c4b31e52dde69ad7d8e59f76566870906b65

    • memory/1856-43-0x000000001B5F0000-0x000000001B8D2000-memory.dmp
      Filesize: 2.9MB

    • memory/1856-44-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
      Filesize: 32KB