Analysis
-
max time kernel
437s -
max time network
439s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
21-11-2024 16:54
General
-
Target
_CommonRedist/xnafx40_redist.msi
-
Size
6.7MB
-
MD5
97c2eebb30c5a88c68c8f24f37183f1d
-
SHA1
49efdc29f65fc8263c196338552c7009fc96c5de
-
SHA256
e6c41d692ebcba854dad4b1c52bb7ddd05926bad3105595d6596b8bab01c25e7
-
SHA512
c9d1017b274ceb1b4ee624cf7e628787c32a727c64f715fbce1f1ae929d9114f8fe1291e34583cec615619b0128c01206b07efc878e7a5c57b792453f73fd0da
-
SSDEEP
98304:wynfL329J1XswfXO6wiBB+4RZg6aENaCZAU5PMO0MntfERyJGH2YPq/:wYD3C1XXfzH+4cLHU5PM/Mnt+YGlq
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 21 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 29 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 53 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\_CommonRedist\xnafx40_redist.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:42⤵
-
-
C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe"C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe" /silent2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
-
-
C:\Windows\syswow64\MsiExec.exe"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Microsoft Shared\XNA\Framework\Shared\xnavisualizer.dll"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17KB
MD5ed929b766bbc5f3aa0150012277af431
SHA1e29975d2d94059a8d02fa16cdc0acb9006a64435
SHA256f36f01332c9555540b48b09dfb63b70dff466ac57dd75675d18a8abacafb47c7
SHA5120086d80b918ab47fefecdd3b6e8b02e2a3658dfd79c488d6477591b49cce5ef32490a9f7d0d4812e789dcf564f444122d4208a38b8a2f285ee1ac74954a01c05
-
Filesize
596B
MD58d445977a2bcea75edeef7ddc6635370
SHA1d83f7a6dd21064e5807c872ed001e78feb340ced
SHA25667d51da99c0b6ab0e9a603ef0ca5fa1712020e6b7265ccf0c21db2ea5e61155d
SHA512fc128f15f264a64b510556bbe02a13d8cf9f045e8b88f5039bfacec5abc7b6356da38f48e805bd678ddc851c6e31435595fd2de0fc092fec7871a818d230439c
-
Filesize
1.5MB
MD53676d740157493e80e7b8641289c003c
SHA18135aeeab67151dd4e2418d4907077f646e72873
SHA256219441f975c200352a12dc3d8f82811fc7b53ed28d63761327933afbb660f876
SHA512abfc5ea36a7368a34193c8f3771ae4e36c0d570ae0a20b11892184cd4e384d6abe6542769e3c890293b4e640faecf6392f84f5733017d8d86c65456caa24c6f7
-
Filesize
55KB
MD5f83f54f45ac15a32dc17614c4f6882d4
SHA1fc8542fcd33bb9e669806409f677edec9bfb64fb
SHA2565ab7bb15394e4ece850da5453413ab1de2ea97d5c93f86482b75073aaa05da9c
SHA512e4dcccc3a4299d262b94b24ff4b29394bed71e211b80a8a457acc4ab89325500082e6a9b597bc7b1dbc35746d01a9aa038a9c3a401aa42a426fcc3d15f410c9a
-
Filesize
20KB
MD5ed093ce20bddc7c42ede4daf772ed5aa
SHA121beb0ef8130be1c62b8467dfb67bf3f7548cea1
SHA2567fbf09682fd15d721ff2c5cb110b5ffcf5982cd2dd8d72b708cf3cd0bc4fa250
SHA512734e397f4ed2554944e1d1f6f799794c4027792a06e9da25bab58e6e4ff58146058d8b45ff0cb9c861f77989cad029164945f22ffcb459432e1d3a2c7172525c
-
Filesize
90KB
MD55cf3585c99a59319ac10e18cc92f0024
SHA1c48c25e6b7094eaf337fa986960f9895e5f465ba
SHA2560ba00c41443639dea9b816fa2608088ccef5dbe850531dff4c1e7993804b0b60
SHA51226b8213a5105b37912632c8abc1a07381210836e620f8f70d77b3b412a406e2e38df7af037001fe27f2da874e143c59aa7dbff90a9183e7619a8e5af0a23b158
-
Filesize
270KB
MD55da6e4a80fa53568d2fdde31cbff2979
SHA19606fda70427cd9f4eb8e67b625417e2775e6876
SHA256281bb0e12f617e9ae7fe3301a7d4a08201b377caa0311a886e8cddc2526f734a
SHA512649fc2578388064267ebe8e55daada29d2e51ae6422b10088b6bfacd229bc0439aafdc4f9af7b3b5e187df179c72b4d85f70839a8c91505d17da06d53a40cf3b
-
Filesize
1.5MB
MD50fdd6e4e5dfc5d913261355746402214
SHA1a80c28755c9d3ca163bd377d1bd951a1c111733c
SHA2565146e15d4c65590704286bfcfbbcc31e98a6832f8a7cc3bfdcb1e7fa5a647bb1
SHA5129eb85c4507881fc1004c906ee954273bfbea8979d70b2321f197a3cf82121734225103e4239a9bfb591a980b70400a5d19b93482abc108c46614a20476a81f90
-
Filesize
93KB
MD5c187448c8104d30087f3f25a9d112014
SHA1b64ac3e44f2f38a3bf8400f11a40a39039fc9caa
SHA25654d68f154058433865708ee0dbf3ecf2d609ffbd618e84a1056440379494d9fd
SHA5129148cece409557444eeaf66dee58e2a6043a64d7b76b91e6c4074a5ba0d066cd1ebb2c60d44e1c7a40ca1dc63d72aa7afcc410202901d5afbf2116e3ba8b0f11
-
Filesize
46KB
MD5ba187b4db5dae1bee29e6f18b7775b8b
SHA1efce87100c26165cfd7eb627534e42cb72ddb5b7
SHA25611bcc9f47d9b0397f6d78c08e7208ee812cbef54bb02a8c3a681608879471c8c
SHA512c9c2c3760e495c611a925bb5ae162d4c4ac90f53e2c0a9d20f68085ab43cc0f0a7ad1d201564649e4cf67ef4402d874626c6911f01f8a055da0b993730afc12c
-
Filesize
512KB
MD511dd6e8ab9759d1ac91ffe0d0e4949cb
SHA12a86774d0c87050d5c7aa9738cc3975303a40d0e
SHA25616953a202265db5655b3dd972b855619728da76545a2f94bcbb6c43262f48d5b
SHA51206828f51b3866f7c2b29861707bf8552b742e366783115b3062f08a9c0005c96507ecf1fff92ad41dc0318ad715176c39c84ff0424372b080bf7c031e4f307de
-
Filesize
91KB
MD54d48dbe4d3a06c497435014e5c583f34
SHA1159cbc37080b7ea3ceae8d25125b99f9f4948341
SHA2569d47b4fa2dcce6a02a51324cfb97f5e153086c2eb8832b211e175cbe5fb850b3
SHA512b8029bde36e4d6581916c131ec51d74f4a2b03abf5a238c503e1c7b19980d0946606375f0b4c3bd10b9c514e084368c356be8536b282bee887037d7d7f139732
-
Filesize
1.6MB
MD57c7cc9feb1026678c48bbabe84ea57c2
SHA14fe9c466fc65cf07af0e1440743b1822ab65849b
SHA256a5c6df12f9fe2edab2a22fe7abf3cb17eac110a6fd469f2570ba04afc88ad767
SHA512d9cca6dfd5966d45342b87afb6091bc8ad3beff039f9bc9c523f8118dc6723337c279cd652c19624250ed3934d8f4a2b15670652867c0114b7e785bbab4212e0
-
Filesize
1KB
MD5e84adf38d499ae39090ad60fd76d76e3
SHA16af4d58bc04aac2723e8b97649f1b35fb1aca84c
SHA256d4da3e530982812d1e2a31570b80af541fac1b13c72997d2aad7ea3bfeaf4a4a
SHA5126714992e7aee7bd0798fbec68f92c97ee502127580e21e1b6693ed6737312b44dbc9fd9ef579fe552590e9e5a4904df94e4116334265a34699a04aa76ab87c24
-
Filesize
1KB
MD582c10b720e33be099f69e4010d44ecd2
SHA1e95a2eb23db3fd610d71089500aad523f93c9469
SHA256e850fdb84bcac0f667927e53fee943efd3f43be6c6a0ae1e17f3fff83ddb2635
SHA512853261c439b26cdc8991ac289b9f9925976452ed613481b0cf09e75444882805ffa15633eba441d8e1a04641f5f6378b68e2270a6a48d3911d7f9c2c0b1235bd
-
Filesize
1KB
MD5e6e942a2cfbb587bfcc4203b5bb34fd4
SHA12e0172ea1936911a98e11a6e98990703e24172c0
SHA25674c827ef94881099761e04397ef8f162fd0ccaf4876a5503c4b53a5216d2acca
SHA5123d70d76e6f459819a1703c5019a2e10fe518ee6e8eb5d3313fe57d3d1b6313b52c4904398a26841c78a9ecf9d715e1201e834ab3df47265e070ec94417a78e4d
-
Filesize
1KB
MD5b37a5ff044eb65521a290c79ba1a3e00
SHA1ed505464894bd3e52654834487f3821ae117edfe
SHA256bd29711cc2ecd924990167ffa95f48842e24aeed3acef1023717040240b4bbb6
SHA512eae4408cfa7f9c39b101489688cc570a184b8a57f3d20d3b0452a581fb80c4f485dc2f512a39669a92a5bde81fbf474e1585f566ff482e87610780c23126c21e
-
Filesize
21KB
MD5c811e70c8804cfff719038250a43b464
SHA1ec48da45888ccea388da1425d5322f5ee9285282
SHA256288c701bdedf1d45c63dd0b7d424a752f8819f90feb5088c582f76bc98970ba3
SHA51209f2f4d412485ef69aceacc90637c90fad25874f534433811c5ed88225285559db1d981a3ab7bc3a20336e96fb43b4801b4b48a3668c64c21436ee3ea3c32f45
-
Filesize
72KB
MD5e4ce2af32f501a7f7dddd908704a0ee6
SHA19dc2976efb15b6fba08bebdeb98929b6961063a5
SHA2560aee44b12913a95840ee6431d90518b0d72c54a27392e21ee6995e2151554a06
SHA512ec14a58414d595a36c6b575cdae690f11481cd3f0b35fd2f4c6a6d162a6272882cfe03da865e09a34972775790529f51c80b69056a2fcb909f25b549ed2f7f01
-
Filesize
515KB
MD54976243bd70fae3d1d24e49739ab2710
SHA16ef27b10bcf4e697fe77c3e964b326be11e4444f
SHA25661b57170f7c6365714396072d22cb98746718c0f44c9f0d5c62fdb1b218639c7
SHA512af2d6aaad44bed880a1a2ee947618b142c76a5eca42d4608196b74df9108a9649059d8207e84a58b76ad43aefe9b66ffcc519f8126667177011cf4199f163e83
-
Filesize
1KB
MD5044cae9c30c88bda73727243f5e5206d
SHA1de744e349cf4ea458b10657d510966d21ad08d67
SHA256349a09a2791d697bffffc61410a536cdcf258f0d7c86dda44a297e8aec4bdf00
SHA51218e501142004afbcd28b41bdd3a9b19e2eebc047d7858ee11a9135f19759cfd8c643ff074a51e937bbcab7162888fd95effc146be21fe63dfc300ef03ed44056
-
Filesize
1KB
MD5e188f534500688cec2e894d3533997b4
SHA1f073f8515b94cb23b703ab5cdb3a5cfcc10b3333
SHA2561c798cb80e9e46ce03356ea7316e1eff5d3a88ccdd7cbfbfcdce73cded23b4e5
SHA512332ccb25c5ed92ae48c5805a330534d985d6b41f9220af0844d407b2019396fcefea7076b409439f5ab8a9ca6819b65c07ada7bd3aa1222429966dc5a440d4f7
-
Filesize
3.3MB
MD5cdb1cd22baff21f48606b3c1a18b000b
SHA19315b5db975a34dbebdb4dcae652ba1db01c482c
SHA256c6b7b2ad7742dde5dd8d1a35fdc1c185e586e551ad9c74d3fb21759cd8ca4da8
SHA512c5fb24de8f1ee6fc1ed6e74580b5d22599ea4eb6c3589645fff0b15dc8dca051c4917e60fbc00ca86542dd63a8f5e40da92ea77e24826c0c6bdba9b58c36d4db
-
Filesize
4.0MB
MD53fa06cf5079b84155d18b05c08f7131b
SHA1fafe52876151a08f39dbb6b4aa137dd85558ba5f
SHA2566ac4df203af419d3f3b7d9a99e14a3490ea3ad307c474bfe36baea642b1421f6
SHA51224d29c3ffb6532da860fef4dd93e61f7532cea3af94928495a3af0231e7dff6db5cad25713451a2e722c076462b94818cd6969a1c7d8905585b0f64e12174d1e
-
Filesize
169KB
MD5c4842e139fca422e265c91c44a1341d6
SHA1299a5ab4644fe7302b515aa10ef0f1715046275c
SHA256b1f954cd75dc3c9d5bc57f1a4c28720ee3639aa8a4306f3da7b27d3c361ff8f5
SHA512e85a35164e0feafa73a676dacf67d275b8e8aa5be40d861743662a7d1ac8135625c2d59a73e5c77fe1e3e8bd8523d9c823c89137aa4cb1b32d392cd9a1b59989
-
Filesize
12KB
MD58c281fcb5546d1ed3cdaf6e3f7303139
SHA1de342a17f2df0386f6584e2f55ae43c558ceb6c4
SHA2567530c6e18dbb522c5f4fbf6714962c185ea318f9eab7aeb833b0cc07cd2fe656
SHA512344ea0a375c8851fcf413f441a1cac3013b3748d1630a4d677da72e98f41823bf9427d896de7e1fe35bf868279538cf3b8322aa6ef20025bff48a6bb7f8c42d3
-
Filesize
233KB
MD5f81c4678a55ffee585ac75825faf5582
SHA18fb2e6cf2a022eaed2ff5e3e225b3ca1e453d1cc
SHA2568a7e7c5ac2e6230f0249d46751522e7ecf85e7490cf7491ab73bf2e7e59e4c0f
SHA5128c8071bc2640d5c0fcf140ad68d4788cbb0706d17313c3cb74e25624a748b282acbf77eda678cf0d5fecf2ec3d583508c6f4eaf5c84073909b616f59b4f4e5fe
-
Filesize
79KB
MD577f595dee5ffacea72b135b1fce1312e
SHA1d2a710b332de3ef7a576e0aed27b0ae66892b7e9
SHA2568d540d484ea41e374fd0107d55d253f87ded4ce780d515d8fd59bbe8c98970a7
SHA512a8683050d7758c248052c11ac6a46c9a0b3b3773902cca478c1961b6d9d2d57c75a8c925ba5af4499989c0f44b34eaf57abafafa26506c31e5e4769fb3439746
-
Filesize
6.7MB
MD597c2eebb30c5a88c68c8f24f37183f1d
SHA149efdc29f65fc8263c196338552c7009fc96c5de
SHA256e6c41d692ebcba854dad4b1c52bb7ddd05926bad3105595d6596b8bab01c25e7
SHA512c9d1017b274ceb1b4ee624cf7e628787c32a727c64f715fbce1f1ae929d9114f8fe1291e34583cec615619b0128c01206b07efc878e7a5c57b792453f73fd0da
-
Filesize
10KB
MD5b9e6e7e65ec217a9689d0011cb648a1f
SHA198ae6685de8c26a78fd61bdf443f01e41051a8c2
SHA2561f003216e648e521160787faf1a16b715562d4f13f38ae74fde249ae371e01d7
SHA51202710b043b5490c4ab809ed828dba45cf5c00d92404604855342cdd83cf2da36c104928e57a6bb65b8695a5bf3dd028ee8b4c8971f120b58e13965413d18f054
-
Filesize
74KB
MD5cf7788e795f1c743d6ee0bf8de3fa502
SHA1db2bf000c096a91aca46da5fe35326761c63053f
SHA2566824bb0b7b42626d1ed5b7ab7e4dab4a380fa010175d4de0fadb1c3904e491d1
SHA51213cd0d8d7479d7bb9b721cbd8109764bfb58e4dc01661e8fd6819f1cb182e408766e7cc61103e95763bdc1e11ab4b901ae05c8748e18b5f730ec78c5868f7781
-
Filesize
657KB
MD5343f79fe3dcfe0828f7ac2a13f8f7210
SHA18daafd2b9e44f0b46b2dc6ba4607ef155964db0e
SHA2568b7aa4c4939f243b21432747281cc8aacdcda56191a16d9eaa036b4136cf0da4
SHA512651d7acf8effe6a77ce094c88163adb950830d2f5779f900129391f2f9ca7393163749084e861fbd742e26f61c350225107d64dcf888c0b5d4ac9de8ae99d44a
-
Filesize
24KB
MD57b26de335983eb8b800a67ef5ff077d5
SHA1f614672dd8b25985a417ed339a6a6532c9e57800
SHA2567688ebdffc98433eef8aada293a8c4beec6d6acfc0e1f91ca8eb2f1c350e7cec
SHA512fc14dcda0703c8ade152bee32b4c4175c37e98500cc1370d4de0ffd0eac398edae3a42d29711e6ec841231fab0eed228fc6eba69347b54a8e125866ae6822043
-
Filesize
70KB
MD5f1e460b7805cbc4901c410f2767912ab
SHA101e7f335e58af5140bc7953518739f43c59f1c98
SHA256627e84c06cc4e409870b068c9ec9149adba425e47e64185f92d839db2aa35484
SHA5123f34bb839deb6af6b68946aaeac17fa3a1e419d2f8310f37d1f460bda329c2bd46e380fe18f883389dcc64e482e596a0b31e0291b202abefe1c6976d5dec8751
-
Filesize
22KB
MD5911fbe5496efbaed4ea67497fa63c633
SHA1570911a579cd752ceedbe9b07efc1c8c832cfda9
SHA2562191bad4540b50723acbda55bd2c6e5d80cc6f84ad989ff89ddda672348577b2
SHA5126ffc30116c62f9a91e5d6fee4133e87417df14aafdf5443f7002b46c20ddbf0eca242ea54f8711b31defb42ad0ef3f5f11b16e699ce3dbdaa728ec1661e00d7d
-
Filesize
53KB
MD5378479eead647cedc6b74bf84e5514a2
SHA18dac9af1bec30f93a4aa6650ced1f64dd0791841
SHA2563c0b37068ad56193fd613eb8f6bd321e7e08a99b9cf85606ccddf060afb1263b
SHA5126b0cb09a21121d2eed1277c0989d5ae142b6c724886ada5f713f762c61641901fadbb4fdea115cbdb662ceee220aa7d684e5a7a0613fc3a642bbad36e9c22e88
-
Filesize
20KB
MD517c4074e1d0977182060959ec63e18a6
SHA1af73bc4b90899793525ca472a1b90312c33063e9
SHA2567edbb80c699ce3ead8aee5a512ee34c7718cb5dceeb1d0577e788ad8d0ad9383
SHA512b7d7fc7b21f3fd480e6ee40cfb3682b898382ad2397cc38ef7258db68dcac31de0f64b8adae5ac92d0b31c3cf85c2489a04dfa77675104134d874fb4871e91b0
-
Filesize
23.9MB
MD5be096e9c4495d8234b027ca4e3749468
SHA1cf7f3752a636892e85f90ec902d97ffbf8bddd7c
SHA2565a1c7e59d1a2e3201fc6b598346f0ba2e5298c063fbf5125dad42a6c9c0e31ae
SHA5122e3e0124ca06825a855011d71149004150e84e267ae4130c3d303ce5d4e4300079fe880f6d44861d5e324f7eb3f1f110eeb46d2336252ed83903e9fe80623cc7
-
Filesize
6KB
MD579f6df4205f76c8edb1c896b7db1cf16
SHA13c43486cdf32ebac1f76a0ecff63e374d5f9e958
SHA256ed887a35e76c06b3829d3bcda86a165c2afd5c7cf0fefb534ca08d8d127a40f3
SHA5125a92ba1e3f67e7e7cb75d475f58c690c3c8685ff800eb728accb08f5e0c8e4aeb6ed91c38dd48f7a4f77fcdd3866e70d471d7be9af1edd1001a3bac9eb4b4300
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
432KB
-
Filesize
88KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
680KB
-
Filesize
80KB
-
Filesize
48KB