Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-11-2024 13:20

General

  • Target

    luoma2.msi

  • Size

    2.0MB

  • MD5

    44933b8bcf9994f8d5088dbfd75bd781

  • SHA1

    4daeed4b62ec79ce1416ad7f62107db4525aeedc

  • SHA256

    2f77174a331482149dbb2a31cc57aebac7b7466ddbb309e40003c45bfad2e9da

  • SHA512

    e4c7297b7054960652090d5efabf9407a359ee547bea64ba9d6ddef325278c9f930be004ea1eccb11bf3aa10f3a4a61c1abf629f4a07c668864eb1acedec2aec

  • SSDEEP

    49152:JxB+M1DwJ9AQNvKbJ917NIe87J3ZbBjqrDvytoqjaxP:J7+EUJeQNvKb/75oZU/vyjad

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 3 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies data under HKEY_USERS 48 IoCs
  • Modifies registry class 22 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\luoma2.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2496
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 33DF56A76EE90ED027C1DCB79176D96B M Global\MSI0000
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\PrepareUpliftingProducer'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1428
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\oUAjvJMuhtZcwuATiyrgMIdqUMwcPS" -o"C:\Program Files\PrepareUpliftingProducer\" -p"08603ofn={DHx}m7~1j8" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg" -x!1_BiEzaHFZmGAK.exe -o"C:\Program Files\PrepareUpliftingProducer\" -p"71633}[lV%g5Os!px;&}" -y
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:1248
        • C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
          "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\oUAjvJMuhtZcwuATiyrgMIdqUMwcPS" -o"C:\Program Files\PrepareUpliftingProducer\" -p"08603ofn={DHx}m7~1j8" -y
          4⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2116
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1 -n 2
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2672
        • C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
          "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg" -x!1_BiEzaHFZmGAK.exe -o"C:\Program Files\PrepareUpliftingProducer\" -p"71633}[lV%g5Os!px;&}" -y
          4⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:2676
      • C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe
        "C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe" -number 254 -file file3 -mode mode3
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2804
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2380 -s 576
      2⤵
      PID:2728
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2808
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D8" "000000000000055C"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2964

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Config.Msi\f769c22.rbs

      Filesize

      7KB

      MD5

      6f47f13aff0a463feffe9924e2b9bb22

      SHA1

      c55049f4b23c8785dca076ceac98deb98a6e89bb

      SHA256

      1e676b8262093048790b19945cd1a8226380d3f5067d98a5d365ade1413c6cfd

      SHA512

      0cfc654887f6c583f4bb3368c08fc1fae81b4b0192f3bcee5b38b925290c3bf1579219e5960578c02e0e4487059fae5c14d190b073cc61365da089ef3f83ce27

    • C:\Program Files\PrepareUpliftingProducer\2_BiEzaHFZmGAK.exe

      Filesize

      2.1MB

      MD5

      cbfd19024613960afbca2592c254797c

      SHA1

      498f21770764974008a04e3c1e013112b07a440b

      SHA256

      e836bac2f7e08d68df29e1fbaba53d51bad7d7b304d3f8721ac9687275aec97a

      SHA512

      98a162f7e6146e9973e4075867289627e2290ebd73745ccea701b7a28e2b112854ab90604d7ff16f207d91160181992e655bb7ea30ac58d9f7696bdad9a7d101

    • C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg

      Filesize

      1.5MB

      MD5

      c2ddc9c1c68f17bcabe6d453bdedd54d

      SHA1

      1f9a8a688498fccfba10beb74366de6aca5d8f71

      SHA256

      a4d8817a8152b7f4b4ab0d194e35ab4fb49bf4d567bd23e1ec359af29543c41b

      SHA512

      3d464130d1ef6fcf13a6f7623c4fd507f7053aa8fcff8d7e7ff1f47b7fb85999c3d1119b49fcaa2a96efd587d609150f0f529f2fe36e66bc2c0ad9e89f5ada9a

    • C:\Program Files\PrepareUpliftingProducer\oUAjvJMuhtZcwuATiyrgMIdqUMwcPS

      Filesize

      1.5MB

      MD5

      4bf1d9c71a407d753fbe43603baa740b

      SHA1

      7bda556251c6aafb215df4b8dc9d1dc35e805b4a

      SHA256

      afb17b50d2c8f3e2412ad64977860d595fa8b67691714306fd371264065d19d7

      SHA512

      50a35c209a525f5c87ae94da25722ae385a57107d1738ac3f8a55bf1c9df4a9e42d9784c119d4d44d590592b824c09d6d97ec9ce6de424cdb09e0116e5c75d93

    • C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe

      Filesize

      577KB

      MD5

      c31c4b04558396c6fabab64dcf366534

      SHA1

      fa836d92edc577d6a17ded47641ba1938589b09a

      SHA256

      9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

      SHA512

      814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

    • C:\Windows\Installer\f769c20.msi

      Filesize

      2.0MB

      MD5

      44933b8bcf9994f8d5088dbfd75bd781

      SHA1

      4daeed4b62ec79ce1416ad7f62107db4525aeedc

      SHA256

      2f77174a331482149dbb2a31cc57aebac7b7466ddbb309e40003c45bfad2e9da

      SHA512

      e4c7297b7054960652090d5efabf9407a359ee547bea64ba9d6ddef325278c9f930be004ea1eccb11bf3aa10f3a4a61c1abf629f4a07c668864eb1acedec2aec

    • memory/1428-18-0x000000001B660000-0x000000001B942000-memory.dmp

      Filesize

      2.9MB

    • memory/1428-19-0x0000000001E00000-0x0000000001E08000-memory.dmp

      Filesize

      32KB

    • memory/1924-13-0x0000000000580000-0x0000000000590000-memory.dmp

      Filesize

      64KB

    • memory/2804-56-0x000000000A7D0000-0x000000000A7FF000-memory.dmp

      Filesize

      188KB