Overview

overview

10

Static

static

1

ff38971879...00.msi

windows7-x64

7

ff38971879...00.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 10:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000.msi

  • Size

    1.7MB

  • MD5

    7c26877fcd894cc1355f2a31a551243c

  • SHA1

    80104216da4cd3449eabf0e0de2bb3a5b2de85ca

  • SHA256

    ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000

  • SHA512

    a57a961a3339b105f9d5653b69269ed7aab952a4e16600426edee80d628a9ac62a13b5ea642ffd9765fdada7b0db5c5a85a21bc88c125be122bf3c4e89d0cfb8

  • SSDEEP

    49152:BpRhaYJ+2/8yJ5OA4COg9lyp31X01clj+u1GTsF:BpDJ+2pgA4+6p31is+u1G4

Score
7/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2432
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 331BB1A4175E24D07D8C0EAD27D7813C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-419012ac-a4d7-40f0-8d1b-ed075db03fe2\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2472
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:688
      • C:\Users\Admin\AppData\Local\Temp\MW-419012ac-a4d7-40f0-8d1b-ed075db03fe2\files\task.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-419012ac-a4d7-40f0-8d1b-ed075db03fe2\files\task.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:800
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-419012ac-a4d7-40f0-8d1b-ed075db03fe2\files"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1700
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-419012ac-a4d7-40f0-8d1b-ed075db03fe2\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:836
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2828
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E8" "0000000000000534"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1296

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
    Filesize

    471B

    MD5

    719182e07998ae9226d45680aa1fe178

    SHA1

    8f8b03c110c129cb3a35841ed959de7a7266ffec

    SHA256

    8f1d64c2c4dbb6ca892083e4b4a8bdb4585597e1269c218340c6b12517bb3dbe

    SHA512

    2df474f0ac4d1ef93b14deda32c5476da130bc41f37c0a5cd0c271c990914613c3c788116a4b87d44876695f71e5a131847fdf96d609364c06cb2f5ed6ce76a3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_6F243E053ACC5B86B13C52D626927FC5
    Filesize

    727B

    MD5

    28002d2c9820d1c41fd7bf3810cb8c85

    SHA1

    acc03c1d657705616dd654086fc54e9fcaef37b8

    SHA256

    84c9e00d5bdf6491a2320989d6c3b66814823d4b0905682b8386e33f7dae8974

    SHA512

    9765b7e3fc6c69cad64ffc49dd3b2f72e593c1be7f0f549b1e8b5ded5f73da0540216e44195c0b057cc1aecce552180d68c007b2abf72a28c695eb70512c46ba

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
    Filesize

    727B

    MD5

    4f2f44acff5c280ecd26b5e7144aff24

    SHA1

    d542052f27cf058cd2bd7d74e75deb8a009bb334

    SHA256

    c9725747ce7f281ac09f3a2287a236369b00e99f310eb837c45b2b4f66b82030

    SHA512

    33d4fcb341e625103b16af3f7b37f4fed5e8d56256980e341fff71356d1a1296192741b96be97de703d8f54af24e3438d0a514edb621ee6e42b1dc4d79089d45

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
    Filesize

    400B

    MD5

    b7c854d5da74a8750a507e7a3a939b01

    SHA1

    a87024dd855de9a4e2c8b5ae62223f7ec7bfa94e

    SHA256

    f6d87d004e61838303cdd5a34228385f1acddc5087dd207431fc1d23f611da2e

    SHA512

    f781f614b02f88687b7d3f1a57a852ac9f2e43f2d6d09fa0e4bc605b703497cb845656c6a3c625d7bee5e5dabab51fe3de8511e9ef81001a91c7ea35b4d65801

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_6F243E053ACC5B86B13C52D626927FC5
    Filesize

    408B

    MD5

    493a19727c92d7776124aa291b6fc5bb

    SHA1

    c5d7bca9834da7fdd6b94ea5da94bd4c1dcfd20e

    SHA256

    3f6b36110e92fd4f24bf898bcba7ac065ecea60256bc55cc76a2378d0a477c49

    SHA512

    390537a47f7ad74fe509737bfc4d11296fbb10881aed59c83e748da3a1769e4e6816ff507cf6710b6e3a6646b72d61103ae6a638350136b3e5e500c98589634f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    0d07cf305550496c792878a8c3dd4afb

    SHA1

    a36e4f6563489595184f4412eae5823edd08352a

    SHA256

    a77be916c16a2d3d2f43c062aad129d907de6593262c07f7ced135706a3618e4

    SHA512

    bff392545100fa026a182646f45132c890366119f422ec22e41797b976091717f0b7ee9465be0d3b5a7901f1f9e7cc74542c9599c0628a0bf4a79bc4084c5577

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
    Filesize

    412B

    MD5

    939d78f4d1c876b78ef056ba8172a60d

    SHA1

    489dd0b39b5062ae78db45cae1658529fd199d1a

    SHA256

    68d042cfcdd0ca14a75d4bf239946f3935baeb790c40985fe68c5f6715571450

    SHA512

    4b2745dc68cd1b561b1e8535dff4354643b8be305adbf1179de58e8888dc2dd0329dbf85bbe8f52cca50c7a0773fc72a7872e097fcd860a00fbfbc091cb96a82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab3F82.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-419012ac-a4d7-40f0-8d1b-ed075db03fe2\files.cab
    Filesize

    1.4MB

    MD5

    240f5d10d0fdc6e3a73b6793e0ea260f

    SHA1

    b6b7549b2c1a98fe88dea9f9fb462cb203647dbc

    SHA256

    5afa0071f63b662d93ab35e8a9a6a44b8ad439c62160388690e5e5793cb2b2d4

    SHA512

    faa0654a4359a90338905bcf627cb75d10d277ce8e2aafc07eca75ea887f54750b118042dd1e25e45c02706791ea5f5741202309928140789c319988e05f5029

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-419012ac-a4d7-40f0-8d1b-ed075db03fe2\files\YOUR_P~1.DLL
    Filesize

    601KB

    MD5

    8522cf224cb875847762353c89d2dce2

    SHA1

    4947ef0a7b3da4972106a6a97fff8c03f9db6799

    SHA256

    3dc24e9a42d9230f4c0db64bf11b9df544066c80c49b2aa66ce9a01ddb8c4088

    SHA512

    8933f0add139fd10f452ad18bcc400ab288aebe5bf764da66eb332b9b97dc56f7aaab66fd396b0ca1bf3c29a1487255b562a97fdeffaacc142347a95cd503350

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-419012ac-a4d7-40f0-8d1b-ed075db03fe2\files\data.bin
    Filesize

    741KB

    MD5

    8d9b3ca29d78cda545cf0a3131536f17

    SHA1

    d823975e67320244f3f02a59e5d29b53e16a828b

    SHA256

    97978ec89a58611cdeeffc623805c91966bf1d861395082804efe05302daf7cd

    SHA512

    287799d662bf3f113aab8009503afe7306f489b7fdad69ceffb190c9757412e00f6d3eedf5d5254d90319b27577d9567dc4b67860dc0148e249c042575f4dc0d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-419012ac-a4d7-40f0-8d1b-ed075db03fe2\files\g2m.dll
    Filesize

    603KB

    MD5

    fc284eee599385a7ae9f098d123e983f

    SHA1

    acaa1c92d85afd92184d49592aed3aeab6ad2ded

    SHA256

    16414419a8248a4a55c05859c467d1fafc298694f3f71916261fe2e08ebf4abd

    SHA512

    c2538a98de60aeddb72cb14513ecce3493f04e94135182af658d3fc6425ad890560945efb02c956b11aa10606c95e7cb286e73c0d27e71f2b17d3494506e7123

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-419012ac-a4d7-40f0-8d1b-ed075db03fe2\files\run.bat
    Filesize

    70B

    MD5

    f8abf91d350d39ff1a48934b88624291

    SHA1

    88ef29fd18441c628a43925a8b32535d39e07979

    SHA256

    5b4e3e3f739b1ae3cd907a0abe9d5aaf51455551f69f9da57e668f749584efd6

    SHA512

    3c572c7415fbc8ee5f976ac9b6cce43c901174777c859e9461451676bd5158e940e0bd173d83d980958295cb9daacc489f0d596d98e93f71cb81d2603f037876

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-419012ac-a4d7-40f0-8d1b-ed075db03fe2\files\task.exe
    Filesize

    39KB

    MD5

    f1b14f71252de9ac763dbfbfbfc8c2dc

    SHA1

    dcc2dcb26c1649887f1d5ae557a000b5fe34bb98

    SHA256

    796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5

    SHA512

    636a32fb8a88a542783aa57fe047b6bca47b2bd23b41b3902671c4e9036c6dbb97576be27fd2395a988653e6b63714277873e077519b4a06cdc5f63d3c4224e0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-419012ac-a4d7-40f0-8d1b-ed075db03fe2\files\task22.msi
    Filesize

    1.2MB

    MD5

    6406cce810c8aaa887ca6b8e004776d2

    SHA1

    1698d3d12341f3824e14f4dae75300eea9670797

    SHA256

    fbfde6f43c30f454b07dbd2fdcd83685ae0016227f5489c13ccb510a0cff00a6

    SHA512

    3cd6f24c1892abd1b12a02dac5ab53e2afe1c68bc366d1ddb26df1e56312da7ff5caca255e78cb61e3fcbbed21cd03fb8909c61302af4dbcdda7ad37eac73ffa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-419012ac-a4d7-40f0-8d1b-ed075db03fe2\msiwrapper.ini
    Filesize

    422B

    MD5

    6ff75748e7b29211fefdb22a1f172cea

    SHA1

    27308af0448d29bff8e15c82fc603e42be4b693a

    SHA256

    6ad1516df124bea64151a3c43ef2671e59506d20615ed23609da9a603f617362

    SHA512

    ab1273d4ba749eb59fdf7b6a20a1eb24457c61d5a71f70a3a560fad02bb3f35291a627c9c9c2dec04d421939462ab3499e88813d862eecaa62bfa66eea6c88f7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-419012ac-a4d7-40f0-8d1b-ed075db03fe2\msiwrapper.ini
    Filesize

    1KB

    MD5

    4cab75ebea79f5ccda177b7dd0dd161a

    SHA1

    1c9e4a7a1dc026d74cc01b2fa285991f6db6db0c

    SHA256

    de88ff4fb91dbc1c2bcee43fd7d363a2c5b583d77eb9425201ec78748e598532

    SHA512

    16dc1863e865e23983f128f073a971d7e7de545952fc807d799b89d2b5b1556e8d900ab2c07e27b268523ed3fdcd1deb98ab50fb99897b5d785a273bbaa4db54

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar456E.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Windows\Installer\MSI8410.tmp
    Filesize

    208KB

    MD5

    0c8921bbcc37c6efd34faf44cf3b0cb5

    SHA1

    dcfa71246157edcd09eecaf9d4c5e360b24b3e49

    SHA256

    fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

    SHA512

    ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

    Download Submit

  • C:\Windows\Installer\f76820b.msi
    Filesize

    1.7MB

    MD5

    7c26877fcd894cc1355f2a31a551243c

    SHA1

    80104216da4cd3449eabf0e0de2bb3a5b2de85ca

    SHA256

    ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000

    SHA512

    a57a961a3339b105f9d5653b69269ed7aab952a4e16600426edee80d628a9ac62a13b5ea642ffd9765fdada7b0db5c5a85a21bc88c125be122bf3c4e89d0cfb8

    Download Submit