Analysis
-
max time kernel
94s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-11-2024 07:35
General
-
Target
7z2401.msi
-
Size
1.4MB
-
MD5
a141303fe3fd74208c1c8a1121a7f67d
-
SHA1
b55c286e80a9e128fbf615da63169162c08aef94
-
SHA256
1c3c3560906974161f25f5f81de4620787b55ca76002ac3c4fc846d57a06df99
-
SHA512
2323c292bfa7ea712d39a4d33cdd19563dd073fee6c684d02e7e931abe72af92f85e5bf8bff7c647e4fcdc522b148e9b8d1dd43a9d37c73c0ae86d5efb1885c8
-
SSDEEP
24576:S+xMHACSK47NXchb6OqTHHBniI4BqHsE4RKKKGE32/XlOA+gYy4isa444GuOlr3B:NMX747NXch+Oq7VsE44KPE3qlHyjwlrx
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 8 IoCs
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 37 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7z2401.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD570aba7262c51c9830025ba6ca0b646b5
SHA1b15c6876a3d8c5705688279ab88092b3b121ad3d
SHA25673dc2068bc7cb6001f1ed96f717ed5a16846d7d69f48bd6ea862e4c651faa8cf
SHA5125d99fa8633d9f38148f3af6bfba119fd7b8e9e070811849889782318d7afed1f51a226ffdff752c0ae9d6c7382512f1a19cd0a1e21867612bf56361a47f590d4
-
Filesize
1.4MB
MD5a141303fe3fd74208c1c8a1121a7f67d
SHA1b55c286e80a9e128fbf615da63169162c08aef94
SHA2561c3c3560906974161f25f5f81de4620787b55ca76002ac3c4fc846d57a06df99
SHA5122323c292bfa7ea712d39a4d33cdd19563dd073fee6c684d02e7e931abe72af92f85e5bf8bff7c647e4fcdc522b148e9b8d1dd43a9d37c73c0ae86d5efb1885c8
-
Filesize
24.1MB
MD58a20c46995b8df8fbaecccf67ab3cf31
SHA19c5ae7bc75dee721603761b27b335350c1bc1ac1
SHA256bf95e9d5a755de5052e2849365723265644f17754b93ff465888c41f6ef6240c
SHA5129766e17ff52f1e70f25f92ac153ffbd9a50adfd4514fae3b5280b1b688b0bc5ab7c509a155f119a93439244a30b05e3444bbd8ba84f9fde981cc4f80e43da1df
-
Filesize
6KB
MD55a4b4a1d8ea17c0c346ee3bc7f3af10c
SHA1eff89681e175b66b45573b07ec911bf082962378
SHA2568021ab7313a66eb23f4d72bdc4e45e2cd2f1495b0e5265c522930c895fc5b6fb
SHA51278b67eec04802d792aedd5063fe2adbe3e26846b396a29d4b143d20b474ff902c7de775376cd6cad854f0d5e9344851ed67d32059b9c7fc05831fa4f198a924d