Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241023-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    09/11/2024, 22:02

General

  • Target
    NexusFN Installer.msi
  • Size
    126.7MB
  • MD5
    83338d9ea82fff1be02b65eee8cc2905
  • SHA1
    bda5f18fefd43976fe83d0ced884d048e75a7644
  • SHA256
    370aa26e8145e8c211bb9ceefcce57004795d79e6d5c5e0ab2d4bf56252e2e2a
  • SHA512
    ee29c9b92ca90c7f8b709efcb0bc82759ac7b73524ad13f5e9d29d12ac40d910ae17e66cac7f15350302a39ec7a317799f7c535b067f722f0a212b72a0f7c857
  • SSDEEP
    3145728:AjqcoCtwCBRaaTjQE2P/C1DmefJhuQ+H4UZPNXg7MNnKR//Cly3H:2WEBrTjH2P/CzJK4yNXg7MNnKxCly

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 15 IoCs
  • Loads dropped DLL 10 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\NexusFN Installer.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:912
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5024
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C3A05C8188ED527C8369309853E8B067 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4988
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:3744
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding E71B830D028B0B46993E3CCFF3C33217
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3544
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e57fc04.rbs
    Filesize
    15KB
    MD5
    f3a5cd8f973dbb7178968177a0b1d258
    SHA1
    aa6908cae0767c725fd1b9bd05031bce7e67f644
    SHA256
    7c50ad35fc022d600b074ebec5d74a6330e9c2fc6036790a914d80c838b2a74a
    SHA512
    34e2f5a40c5f7c2a5e05df137f59dd8ec3d566afef72198996d4b7e7889874630c651d78df58efe8ca268a94bf966c8febc7afac9563063e57a33ff9515fb6b4
  • C:\Users\Admin\AppData\Local\Temp\MSIB8A1.tmp
    Filesize
    936KB
    MD5
    13056f6fc48a93c1268d690e554f4571
    SHA1
    b83de3638e8551a315bb51703762a9820a7e0688
    SHA256
    aeda49baf2d79da2f7a9266f1fb7884111c2620e187090321f5278af5131c996
    SHA512
    ca828b4248e399178a8614f941332d159a30bad0156df0d5f4c4ca9d74d0ccb61fac59f34c945f5f914e22ec639bd97718f76d21b452825b07fe4041d1a44824
  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize
    24.6MB
    MD5
    a2f7be335b99a874dab06f836706e355
    SHA1
    9380c51e6e1fff96cbb5b5600277580b855581f6
    SHA256
    6d6ebcdb954ca9dc3e0fca9f7b02858dd823a029bffa0c964cfa213d46de1ec5
    SHA512
    635bed2780e9002380398d2f2dbf81e0f4380da4dda268fcd1b8311c9cda41a2bd18316c425f472acfcf7f150a168f597720dc4c3c5cc4b70c4723eac83fadc3
  • \??\Volume{f83dfe0f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{429e9764-b627-4a65-b388-262107925287}_OnDiskSnapshotProp
    Filesize
    6KB
    MD5
    df4dd1aa5d4418d1f7cba24c6c9a8f9f
    SHA1
    bde9a68766be33028681ebf3a1818e7b663174fb
    SHA256
    6cb43c2193a565da59bd07ddbe8307387e471f96cc2a1852a75281a05a34d53e
    SHA512
    97d2dda6eeb26287b316f6d54ba4eb7fc65f3da31c806833c9410afc341f7522f172956281424fa828961349ab608ded5120208923946e3a4da41e829420146c