Resubmissions
09/11/2024, 21:59  241109-1v6r4atbqk  6
09/11/2024, 21:57  241109-1vch9aslex  6
09/11/2024, 21:56  241109-1tn6natbnj  8

Analysis
max time kernel: 95s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 21:56
Static task: static1
Behavioral task: behavioral1
  Sample: Retrac.Launcher_1.0.14_x64_en-US.msi
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: Retrac.Launcher_1.0.14_x64_en-US.msi
  Resource: win10v2004-20241007-en
General
Target: Retrac.Launcher_1.0.14_x64_en-US.msi
Size: 6.8MB
MD5: ae30168aa8f32e9a4f00df855a303509
SHA1: 287b7fba5ff1ba3f5261b8a842da3f6b23e61e02
SHA256: b99bb0941d2258332591632921c5fd9a35bcc2487e69cf2b7a92579965dafc2c
SHA512: 4e88b2402fcf60465d8990227f13d5d0c7e016a7a62b0478d7b26406e3cbde86e31e212d5b5cbcb4dad08222694f02008c078cfcd0ed6cd851756fd832bf563d
SSDEEP: 196608:0wcRCejj2fzY5Uj1H7lNMsR2AcEE7IEEvo1L1:dcR//2bYI1blIA/wWUL1
Malware Config

Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory (1 IoC)
File created: C:\Windows\Installer\e57ffad.msi (msiexec.exe)
Loads dropped DLL (1 IoC)
PID 992: MsiExec.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
PID 4544: msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 4896: msiexec.exe
PID 4896: msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
PID 4544: msiexec.exe
PID 4544: msiexec.exe
Suspicious use of WriteProcessMemory (5 IoCs)
PID 4896 (msiexec.exe) wrote to memory of 992, target 102
PID 4896 (msiexec.exe) wrote to memory of 992, target 102
PID 4896 (msiexec.exe) wrote to memory of 992, target 102
PID 4896 (msiexec.exe) wrote to memory of 2336, target 112
PID 4896 (msiexec.exe) wrote to memory of 2336, target 112
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Retrac.Launcher_1.0.14_x64_en-US.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 4544

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4896

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B7C213158F7BA3A9D8B5B0C799326CBD C
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID: 992

    C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 2336

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  PID: 4812

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5112
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 113KB
MD5: 4fdd16752561cf585fed1506914d73e0
SHA1: f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
SHA256: aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
SHA512: 3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Filesize: 24.1MB
MD5: 631546f0a905684e96533acf60c0bc7d
SHA1: 515e925a2916dfe07bce21a7ba32844740d9ec79
SHA256: 312a5a69034a60e2cc81808124a46eb68885e68315511d65168331a5dc997864
SHA512: 4959d3b693af13cca6c294f681565c84808ebcb3c045ded31c4f07ba78e87a9482958b0e9bb12fa748b55173ca36902e3412737582296771e92c141af18a06bb

\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b3812333-7144-4141-ac89-c2bafa7a5c97}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 6ce3ecf090dcd07e8c00ee41388f8eb8
SHA1: a4e4991d12b9e3df522c63a5f7bc64cf025b9fd1
SHA256: d83c5a9c24871578bf02e4e6ac2890e16ba2a20402cf0279bc5d80c4857b89d6
SHA512: 38b10608d233aef8cd4562cf0b918b0b644325c4cbd5cc852a1ff9ba8ab4aa909ba652a3aa84c3ca5608cd9ba51b42b24728570008004f9df393f660acc90188