Resubmissions

09/11/2024, 21:59

241109-1v6r4atbqk 6

09/11/2024, 21:57

241109-1vch9aslex 6

09/11/2024, 21:56

241109-1tn6natbnj 8

Analysis

  • max time kernel
    95s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 21:56

General

  • Target

    Retrac.Launcher_1.0.14_x64_en-US.msi

  • Size

    6.8MB

  • MD5

    ae30168aa8f32e9a4f00df855a303509

  • SHA1

    287b7fba5ff1ba3f5261b8a842da3f6b23e61e02

  • SHA256

    b99bb0941d2258332591632921c5fd9a35bcc2487e69cf2b7a92579965dafc2c

  • SHA512

    4e88b2402fcf60465d8990227f13d5d0c7e016a7a62b0478d7b26406e3cbde86e31e212d5b5cbcb4dad08222694f02008c078cfcd0ed6cd851756fd832bf563d

  • SSDEEP

    196608:0wcRCejj2fzY5Uj1H7lNMsR2AcEE7IEEvo1L1:dcR//2bYI1blIA/wWUL1

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Retrac.Launcher_1.0.14_x64_en-US.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4544
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B7C213158F7BA3A9D8B5B0C799326CBD C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:992
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:2336
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:4812
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:5112

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSIAB82.tmp

    Filesize
    113KB

    MD5
    4fdd16752561cf585fed1506914d73e0

    SHA1
    f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

    SHA256
    aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

    SHA512
    3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

    Filesize
    24.1MB

    MD5
    631546f0a905684e96533acf60c0bc7d

    SHA1
    515e925a2916dfe07bce21a7ba32844740d9ec79

    SHA256
    312a5a69034a60e2cc81808124a46eb68885e68315511d65168331a5dc997864

    SHA512
    4959d3b693af13cca6c294f681565c84808ebcb3c045ded31c4f07ba78e87a9482958b0e9bb12fa748b55173ca36902e3412737582296771e92c141af18a06bb

  • \??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b3812333-7144-4141-ac89-c2bafa7a5c97}_OnDiskSnapshotProp

    Filesize
    6KB

    MD5
    6ce3ecf090dcd07e8c00ee41388f8eb8

    SHA1
    a4e4991d12b9e3df522c63a5f7bc64cf025b9fd1

    SHA256
    d83c5a9c24871578bf02e4e6ac2890e16ba2a20402cf0279bc5d80c4857b89d6

    SHA512
    38b10608d233aef8cd4562cf0b918b0b644325c4cbd5cc852a1ff9ba8ab4aa909ba652a3aa84c3ca5608cd9ba51b42b24728570008004f9df393f660acc90188