Analysis

  • max time kernel
    114s
  • max time network
    114s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    12/11/2024, 12:12

General

  • Target

    7z2401.msi

  • Size

    1.4MB

  • MD5

    a141303fe3fd74208c1c8a1121a7f67d

  • SHA1

    b55c286e80a9e128fbf615da63169162c08aef94

  • SHA256

    1c3c3560906974161f25f5f81de4620787b55ca76002ac3c4fc846d57a06df99

  • SHA512

    2323c292bfa7ea712d39a4d33cdd19563dd073fee6c684d02e7e931abe72af92f85e5bf8bff7c647e4fcdc522b148e9b8d1dd43a9d37c73c0ae86d5efb1885c8

  • SSDEEP

    24576:S+xMHACSK47NXchb6OqTHHBniI4BqHsE4RKKKGE32/XlOA+gYy4isa444GuOlr3B:NMX747NXch+Oq7VsE44KPE3qlHyjwlrx

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 12 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7z2401.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2296
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4440
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:3368
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:3880
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2312
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4488
      • C:\Program Files (x86)\7-Zip\7zFM.exe
        "C:\Program Files (x86)\7-Zip\7zFM.exe"
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        PID:536
      • C:\Windows\system32\BackgroundTransferHost.exe
        "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
        1⤵
        • Modifies registry class
        PID:1592

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Config.Msi\e57f899.rbs

              Filesize

              20KB

              MD5

              e86a3b8f658a169016416939f83cd2c7

              SHA1

              63ec56b0462655fbd24f69597f11dd2faad25ecf

              SHA256

              c160ca82345a7413e51afb32e112f276cbaed2613cdc61227584ef846a339173

              SHA512

              0be8253b1a6d9cc351c8d2f70261a396bbb4e80182f90560b4fcfbac1940e82223e2fb2dda6e492aa9352fd76aabed1c6855b67fabbf4f451bc991807a12a82f

            • C:\Program Files (x86)\7-Zip\7zFM.exe

              Filesize

              574KB

              MD5

              52ae15f525a8732bcb89ba874461b05e

              SHA1

              265ec2444e7724374a9cbba01c4f4d89e58108fa

              SHA256

              1e6162ad80dc358bd58013500c18ce568ec97734eebb94acd70cb74bba5c0c91

              SHA512

              617d29d831943bb06a2f3846679cd47025a9979bd3331b221f2239f8ac6f7a255d642dd638be761f71b3f4994b6d84cc0b04a2baf072e1b596d18191a24154ac

            • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\963629fa-6b8f-4f25-9a9c-91284c3e8e63.down_data

              Filesize

              555KB

              MD5

              5683c0028832cae4ef93ca39c8ac5029

              SHA1

              248755e4e1db552e0b6f8651b04ca6d1b31a86fb

              SHA256

              855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

              SHA512

              aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

            • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

              Filesize

              10KB

              MD5

              dc879a8af8313d9650b9b9a95ac476bd

              SHA1

              6ee2343088f99f9665169d9b5dbb60abfe6248cc

              SHA256

              7435b32ab904760596ee8cb89be798e88e7a97876f91f1a44ba06c1509e480ad

              SHA512

              2b4bc41f441f443aca620b1375f1d35ec69446d619666811901d070ed8a7f9882332a2d5e65d9f33076030208bae0d92c301e2947c7be3575e20b389a6e11548

            • C:\Windows\Installer\e57f898.msi

              Filesize

              1.4MB

              MD5

              a141303fe3fd74208c1c8a1121a7f67d

              SHA1

              b55c286e80a9e128fbf615da63169162c08aef94

              SHA256

              1c3c3560906974161f25f5f81de4620787b55ca76002ac3c4fc846d57a06df99

              SHA512

              2323c292bfa7ea712d39a4d33cdd19563dd073fee6c684d02e7e931abe72af92f85e5bf8bff7c647e4fcdc522b148e9b8d1dd43a9d37c73c0ae86d5efb1885c8

            • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

              Filesize

              24.6MB

              MD5

              6b41b5d80def31e3fdb78d38c6d92b4b

              SHA1

              eaef2e9e7a7fce39744871072ef1f62687d4eb45

              SHA256

              c2c3f611512a5815921a9f6f9b92bd46d0d4073217f2d21b1241fa3d0f607a4f

              SHA512

              d6a5e951ce88335eeb1ee68afc8c9e6ff6a63549709e1081dc41e9386f1b844920231756d479e76d489374723d79661842f4a2d4a1c7c99a30811382afb71ace

            • \??\Volume{280cc82f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4e9311c4-1ff2-46da-9548-1c8eea309690}_OnDiskSnapshotProp

              Filesize

              6KB

              MD5

              2342c8e3719ac77bc2923278291f6e0e

              SHA1

              7296bbe9f2a23fcca3afcdb9862463ae7fac3fd7

              SHA256

              1080543268adf7e806e560cc6887552b8caf6608c2b47945c2e8033f1985f896

              SHA512

              a6a0f34d060072e0519223c89fe107ffa8b9222cb80a12a89eb800a0ee40f5bf5508577c34cdd15f326e73aad09e77a5c63209e1144e08211c53b7c019f42cab