Overview

overview

6

Static

static

3

WebM Premi...al.pdf

windows7-x64

3

WebM Premi...al.pdf

windows10-2004-x64

3

WebM_Premiere.msi

windows7-x64

6

WebM_Premiere.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    39s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 01:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WebM_Premiere.msi

  • Size

    9.8MB

  • MD5

    a914bade13e6df609b57bf8a3e3d5010

  • SHA1

    b9abb9fabe1e9a9b4f0391945b47fcede813da85

  • SHA256

    8d0a4372c4af1f3e94661c2577b68c130f686506dbe647c98691ed7d2e3947e3

  • SHA512

    051d575956323fc881741111528c841874b414aacb787c5542803d934122898ff38bb976d00b32fb95bc7986db7b01a05d4837276d69c40cc8b3b37e2807d27b

  • SSDEEP

    196608:LBEKTWkkBNM5116cg2zc/blV4G1TwAfh91v3rPJsDjSOYl7m27lP:xWkQ6122Y/bljTwAfxv7xFn

Score
6/10
persistenceprivilege_escalation

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WebM_Premiere.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2332
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1560
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2056
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003AC" "00000000000005E8"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f776c1d.rbs
    Filesize

    7KB

    MD5

    942bd0fa504f8fbee8c043d63b60547f

    SHA1

    4c2c384c17f88d48de71f2c4664685d3fca9bdad

    SHA256

    41bc7f039287316912c986fc86b903d6cd99e334af00db9002783f006bf1c2d2

    SHA512

    ed68f1577ddf1374167543d30ab26b99969a9f81f97b673cea43810f692091c330b4986cc22378d559e4d3943fe7b1a131a88dc239e1447fae0f554a665b3608

    Download Submit

  • C:\Windows\Installer\f776c1b.msi
    Filesize

    9.8MB

    MD5

    a914bade13e6df609b57bf8a3e3d5010

    SHA1

    b9abb9fabe1e9a9b4f0391945b47fcede813da85

    SHA256

    8d0a4372c4af1f3e94661c2577b68c130f686506dbe647c98691ed7d2e3947e3

    SHA512

    051d575956323fc881741111528c841874b414aacb787c5542803d934122898ff38bb976d00b32fb95bc7986db7b01a05d4837276d69c40cc8b3b37e2807d27b

    Download Submit