Overview

overview

6

Static

static

1

Documentat...ME.pdf

windows10-ltsc 2021-x64

4

Installers....3.msi

windows10-ltsc 2021-x64

6

Installers...64.msi

windows10-ltsc 2021-x64

6

Installers...64.msi

windows10-ltsc 2021-x64

6

Analysis

  • max time kernel
    97s
  • max time network
    145s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    13-11-2024 08:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Installers/LegacyBrowserSupport_8.1.0.0_en_x64.msi

  • Size

    648KB

  • MD5

    aac201214371a190669a7cb89a99f0bb

  • SHA1

    8eb32be4d92a7f6853f4bacfdc3e1509a34be47b

  • SHA256

    34c365a19709e93996bf54f31948418b48ca5eb129bf36b76dec4e5b234c9206

  • SHA512

    7b54129458c9d849a30735f189e8eb9e39748f61515bd5c924d030b43f3658f8f00dbc709f7913d9cb20ca317a0e67232e7d9cb634f6eee106b5f6b7658a0255

  • SSDEEP

    12288:w5UMAFQefDvtS8NiLr62AL/j2TkM4iA03QhHLgolfTbivLWCf:w2diMDV/NGJqL2x4iAhHLgSTbivCCf

Score
6/10
adwarepersistenceprivilege_escalationstealer

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 10 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Installers\LegacyBrowserSupport_8.1.0.0_en_x64.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4456
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Installs/modifies Browser Helper Object
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
      2⤵
        PID:2936
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:4524

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e57bbdf.rbs
      Filesize

      17KB

      MD5

      152c1839b627fd89432cd5f2c9703ed8

      SHA1

      87150101aa00dc80faac3bffdfb6198478c6d723

      SHA256

      2e1471e83869fccf70d740e5c6d437aa5f0e64cc7d025101e0d7abe5b9161d42

      SHA512

      095ab7977995eee5021b6960a54635f1091aea6bfdd47ee5ee72727f57e22790b08668f69af767909d2f45f40a6274e26f3e7e4d86a4bd5452a42fa32b402c67

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
      Filesize

      471B

      MD5

      de60388f3921fe0cd4272d7fc99a4bd9

      SHA1

      4726073b006c9b54cdcb378212dee2cdd4bd622b

      SHA256

      9e8579e6133a72d13a0704175fb50353bef2876e04e0b510d32791e47ac94c31

      SHA512

      84325efe7125e5c12adbfb5edd96147e3211c8128e02183effa7db9c52255f8ce1ff20eae5eb50e999cb4a8528ea3f8b4fb09e5fe85478559688c1b208691e0c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D
      Filesize

      727B

      MD5

      79d4db3b77806a23ca4331a6f9bf71d3

      SHA1

      d9509b5fb62166d5f5dcf69f9a8b04d72dc419e5

      SHA256

      0397bd524add84da0dfdc45e08aa4f3517fe596511b24a2c5027aa49f295043d

      SHA512

      f40932c00786187c8d82ea513ffbc5d57ee9423125c44b8973d9bcc6c9b71c9a43624083e6c44937b522e648dbd417237e35293bdf0a82bbc85a8598f0f6c3a0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
      Filesize

      727B

      MD5

      19818ddcac7e6d84edda2d202a8bd6f5

      SHA1

      078a354358a3ab745489ec949e64e71b73f800a7

      SHA256

      376fd6fec42ba09d21b131410ebd956b6c768597d3bba28d120060ca8f8ca64c

      SHA512

      646010ea61958a0af74cf6bf53623fdc233291cdb309b7d92dfc1cce33444e57c693c3186b54ac7e082106fe02a48faefc02ff647a5eb09fc2b945f12d0df36b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
      Filesize

      400B

      MD5

      c579c6e9014efc96403004ab683383f1

      SHA1

      f5e53ade0e789950a7d4e0d3bb7b8e9869900edf

      SHA256

      5f975b854ae97a240947e19d7b807d80553027d7facb51820bd6d51601c60cc6

      SHA512

      bdcb528e79beaac443636cf3f3fafae2545c9a815995523f02c34ccec51cd8d5745f3ba5cba68e042244beb83d71c07dc14e7b408c645f351add707face63d2b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D
      Filesize

      404B

      MD5

      2bb97dd1891206aab29f6c379e6e3c12

      SHA1

      a69221b1b6f31c6b5793cd51386d599dbf03428d

      SHA256

      ef90d2173af637003bc4ef926d8b1554b66fb52f7f63578e3ff8ad70f1cf0069

      SHA512

      7775c5699e4815894f76a032a6754107f5e6e8cf80ff69e5d3868896022f12acb5b3a17c59a6f87c01dc2a01f1a1e465912dc50fa53187f45f7134426e4414f5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
      Filesize

      412B

      MD5

      06b38dc20e8b66246c9ebaf1b5233be6

      SHA1

      965026b2a1faf1acd493170ca2b85f057b371eb6

      SHA256

      1d7c9ac79f3a733b47a011ca327b9b354e01cd0d37aaedcd424d86fe8a977aff

      SHA512

      a7886b7ca5ffde23094b1735e9dc3c122aad3b1448f35ff3e0510b9dc479a64e581aaf508cc23477ce3913a695695c70ca42b2d945f3b8942e6ebdd04892a09f

      Download Submit

    • C:\Windows\Installer\e57bbde.msi
      Filesize

      648KB

      MD5

      aac201214371a190669a7cb89a99f0bb

      SHA1

      8eb32be4d92a7f6853f4bacfdc3e1509a34be47b

      SHA256

      34c365a19709e93996bf54f31948418b48ca5eb129bf36b76dec4e5b234c9206

      SHA512

      7b54129458c9d849a30735f189e8eb9e39748f61515bd5c924d030b43f3658f8f00dbc709f7913d9cb20ca317a0e67232e7d9cb634f6eee106b5f6b7658a0255

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.9MB

      MD5

      768b9e7b78c1cd525d495c60c88517db

      SHA1

      9e77f3f7f1b281688e118409f72a9d4fbf314ca2

      SHA256

      c8fa815afad8e6c1560dd72bd47dd652dbea8b68e204b4339c4566bd02744e5a

      SHA512

      0c6e0abf6d1155646049d3048193969faeb840434c51046711c4e721aae355e619ac2c0313b85d69001fc830626f2cff55ee115097038865a35533471479dd6d

      Download Submit

    • \??\Volume{8fc2d019-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e3fb1600-4970-4312-8815-1cc9bd6fa27a}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      29d873a2023d4d7b7bb88d1fd5834ae5

      SHA1

      cda943e178c2a1d4fe191856993bc1b5b3c00827

      SHA256

      64a1745824732b40bfad5973dd7796864a76bb183c627c975c873630a9f17b87

      SHA512

      5488576fad1c10051f4ae69182b63c7be03300aecb49c4b15f77cf28bdf2c08da364498da71feaa94badf3fc9f60c6d6b07c1ff1e058beddd1b7dc85a2580274

      Download Submit