Analysis

  • max time kernel
    300s
  • max time network
    301s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-11-2024 03:36

General

  • Target

    msiexec.exe

  • Size

    401KB

  • MD5

    8028ee3776ac68bb5789575e5a904465

  • SHA1

    d142f9a30280f31b173080388bc04c71b6c45cc6

  • SHA256

    f5096a51fdc054c4a217966b22f827a921d50a12436aa995d6f4180bdc4ba420

  • SHA512

    33b988d5d80c072a12454a4eb49a70c93ffb3c418ae4a3ef61f1a2d8e81b0ee1e590e176ccb5391e5e7237822f022151fe4a3d7b979d301d7b1c41d5a544118a

  • SSDEEP

    12288:iza760BmY7fheiaEyG5wv/kTSie0+vqGlCc:iza+afhzaEyZ4hz6C

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 4 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\msiexec.exe
    "C:\Users\Admin\AppData\Local\Temp\msiexec.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Users\Admin\AppData\Local\Temp\msiexec.exe
      "C:\Users\Admin\AppData\Local\Temp\msiexec.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Looks for VirtualBox Guest Additions in registry
      • Adds policy Run key to start application
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\fc.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\fc.exe"
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies Control Panel
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2852
      • C:\Users\Admin\AppData\Local\Temp\tmpC774.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpC774.exe" "C:\Users\Admin\AppData\Local\Temp\msiexec.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Users\Admin\AppData\Local\Temp\tmpC774.exe
          "C:\Users\Admin\AppData\Local\Temp\tmpC774.exe" "C:\Users\Admin\AppData\Local\Temp\msiexec.exe"
          4⤵
          • Deletes itself
          • Executes dropped EXE
          PID:2944
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ping 127.0.0.1 >> nul
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:3004
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\fc.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\fc.exe"
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          PID:2612
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1236
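
Detection logic for the behaviours listed under Signatures and shown in the process tree above, as an added example that is not part of the report and not the sandbox's own signature code. The events are constructed Sysmon-style records that mirror the tree (PIDs, images and command lines are taken from the report, the parent of the first process and the registry values are made up); the registry paths for the Run key, the policy Run key and the Explorer hidden-file setting are the usual locations for those behaviours and are assumptions, since the report names the behaviours but not the keys. The two parents flagged with SetThreadContext and WriteProcessMemory (2384 and 2840) each launch a second copy of their own image, which the rules below pick up from process-creation events alone.

```python
"""Detection rules for the behaviours in the Signatures/Processes sections,
run over constructed Sysmon-style events (1 = process create, 11 = file
create, 13 = registry value set) that mirror the reported process tree.
Added example; not the sandbox's signature code. Registry paths are assumed."""
import re

SID = "S-1-5-21-3551809350-4263495960-1443967649-1000"   # from the $Recycle.bin paths
HKCU = "\\".join(("HKU", SID, "Software", "Microsoft", "Windows", "CurrentVersion"))
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\msiexec.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp\tmpC774.exe"
FC = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\fc.exe"
LNK = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fc.lnk"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PING = r"C:\Windows\SysWOW64\PING.EXE"


def proc(pid, ppid, image, parent_image, cmdline):
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent_image, "CommandLine": cmdline}


def reg(pid, target, details):
    return {"EventID": 13, "ProcessId": pid, "TargetObject": target, "Details": details}


def file_create(pid, target):
    return {"EventID": 11, "ProcessId": pid, "TargetFilename": target}


# Constructed event stream in the order the report's tree implies.
EVENTS = [
    proc(2384, 1000, SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),   # parent PID assumed
    proc(2524, 2384, SAMPLE, SAMPLE, f'"{SAMPLE}"'),
    reg(2524, HKCU + r"\Run\fc", FC),                                        # key/value name assumed
    reg(2524, HKCU + r"\Policies\Explorer\Run\fc", FC),                      # key/value name assumed
    reg(2524, HKCU + r"\Explorer\Advanced\Hidden", "DWORD (0x00000002)"),   # key/value assumed
    file_create(2524, LNK),
    file_create(2524, FC),
    file_create(2524, TMP),
    proc(2852, 2524, FC, SAMPLE, f'"{FC}"'),
    proc(2840, 2524, TMP, SAMPLE, f'"{TMP}" "{SAMPLE}"'),
    proc(2944, 2840, TMP, TMP, f'"{TMP}" "{SAMPLE}"'),
    proc(3004, 2524, CMD, SAMPLE, "cmd.exe /c ping 127.0.0.1 >> nul"),
    proc(1236, 3004, PING, CMD, "ping 127.0.0.1"),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\)?Run\\[^\\]+$", re.IGNORECASE)
HIDDEN_SETTING = re.compile(r"\\Explorer\\Advanced\\(Hidden|ShowSuperHidden)$", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\StartUp\\[^\\]+\.lnk$", re.IGNORECASE)
LOOPBACK_PING = re.compile(r"\bping(\.exe)?\b.*\b127\.0\.0\.1\b", re.IGNORECASE)


def detect(events):
    """Return (rule, pid) findings in event order."""
    findings = []
    procs = {}       # pid -> process-create event, for parent lookups
    dropped = set()  # files written during the run, lower-cased
    for e in events:
        pid = e["ProcessId"]
        if e["EventID"] == 11:
            dropped.add(e["TargetFilename"].lower())
            if STARTUP_LNK.search(e["TargetFilename"]):
                findings.append(("startup_lnk_dropped", pid))
        elif e["EventID"] == 13:
            if RUN_KEY.search(e["TargetObject"]) and USER_WRITABLE.search(e["Details"]):
                findings.append(("run_key_to_appdata", pid))
            if HIDDEN_SETTING.search(e["TargetObject"]):
                findings.append(("explorer_hidden_files_setting", pid))
        elif e["EventID"] == 1:
            procs[pid] = e
            parent = procs.get(e["ParentProcessId"])
            # An image written earlier in this run is now executing.
            if e["Image"].lower() in dropped:
                findings.append(("dropped_exe_executed", pid))
            # A user-writable binary spawning a second copy of itself; in the
            # report both such parents also show SetThreadContext/WriteProcessMemory.
            if parent and parent["Image"].lower() == e["Image"].lower() and USER_WRITABLE.search(e["Image"]):
                findings.append(("self_relaunch", pid))
            # cmd.exe pinging loopback for a user-writable parent: the usual
            # stand-in for sleep() before a drop or self-delete.
            if LOOPBACK_PING.search(e["CommandLine"]) and parent and USER_WRITABLE.search(parent["Image"]):
                findings.append(("loopback_ping_delay", pid))
    return findings


def by_process(findings):
    """pid -> sorted rule names, the per-process view the report's tree shows."""
    out = {}
    for rule, pid in findings:
        out.setdefault(pid, set()).add(rule)
    return {pid: sorted(rules) for pid, rules in out.items()}


if __name__ == "__main__":
    for pid, rules in sorted(by_process(detect(EVENTS)).items()):
        print(pid, rules)
```

The ping rule deliberately fires on the cmd.exe process (3004) and not on PING.EXE itself (1236), because the parent that matters is the one that asked for the delay; the self_relaunch rule is the noisy one in production and wants an allow-list for installers that legitimately re-execute themselves.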

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.bin\S-1-5-21-3551809350-4263495960-1443967649-1000\$ast-S-1-5-21-3551809350-4263495960-1443967649-1000\3vN4X2GqtJIBGEih5.dat

    Filesize

    21KB

    MD5

    8336733f47b9cfdd55cd8d1bdc11d8fb

    SHA1

    69f0cbcd53763d7f4871847bbeac090f57b3357c

    SHA256

    375d96a5aad89a6b227d11e32a5e3ab5d4dc2fe074e0450e848cfade727de988

    SHA512

    2083b1890ec97f99de8392008a7fd1324c44b8993e1fb717dca9821dfcdae2aab00dfe17a575cd73e34311d0c2d392c8269d99d77f88a20752619f3feadae8f6

  • C:\$Recycle.bin\S-1-5-21-3551809350-4263495960-1443967649-1000\$ast-S-1-5-21-3551809350-4263495960-1443967649-1000\btYKkhgqI5MszUei4DdaxW.dat

    Filesize

    130KB

    MD5

    961b833ceeddb6c0dffddcb767f8b92c

    SHA1

    5c3acbc9584903c8d89774bbf276aa18460eedf1

    SHA256

    16c4f394fd81c8c0c49b4439761025789c4952258bd008edafd28d77ad509b0b

    SHA512

    4cb068b3b8ddb3eeb7eb4eb4dc35e1215deb53f03ed6770e161f3501e7498ec34ff17ed00bfc08afeaf0f904116dce398ffb0d7684701c3b682e83aa24cf0648

  • C:\$Recycle.bin\S-1-5-21-3551809350-4263495960-1443967649-1000\$ast-S-1-5-21-3551809350-4263495960-1443967649-1000\u_3atZOzGOEeyEQ9VXPZid9oj6Str.dat

    Filesize

    5KB

    MD5

    02ff5e4434bb3768d048b27c1c92b113

    SHA1

    d34ea7e9177fcc1f60bc023eac1d054a699aff2a

    SHA256

    2feadf29bbd4be9610c8f3e0aab265a8eab77f91abea523055fb8f8e1e2978ef

    SHA512

    5af426293c08f8dd625abdc14aa67926d8a0d92b613993dfd80f628181c1be3c953f1ee16bb0ed8d6048e69ca4218cee74dd6ebd3f91802be3aa3749c75fdd90

  • C:\Users\Admin\AppData\Local\Temp\tmpC774.exe

    Filesize

    401KB

    MD5

    8028ee3776ac68bb5789575e5a904465

    SHA1

    d142f9a30280f31b173080388bc04c71b6c45cc6

    SHA256

    f5096a51fdc054c4a217966b22f827a921d50a12436aa995d6f4180bdc4ba420

    SHA512

    33b988d5d80c072a12454a4eb49a70c93ffb3c418ae4a3ef61f1a2d8e81b0ee1e590e176ccb5391e5e7237822f022151fe4a3d7b979d301d7b1c41d5a544118a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fc.lnk

    Filesize

    1KB

    MD5

    a95283dff4027bca8d3abf3f112e3afc

    SHA1

    e5e21a9d9e31fc5ff39d4df77e1d85a67518ca00

    SHA256

    919c76b098ef85461544447edec75eff8e856929f03ef43f5b4c3c4fa7886562

    SHA512

    020d9618fa0b26a763e9a8e77af6208a3793762f9824517fb0baa1603ed5c10a35657509b3c55037abf23ddc7d41965bb89996c0eb5949bf034f8ff618c4b241

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\fc.exe

    Filesize

    130KB

    MD5

    65ff24f06707a6bc04d634d81de21b62

    SHA1

    9b67ac725f4943bd5efef3a21dac34fde9dea321

    SHA256

    c55c23f45448d73e5095f5678bd45a7993154b8818d5b29a2e02119c7612f3ba

    SHA512

    4d84346035ff5a9e58203a4c2a9499dcb735dba29054e4cd0eb422b695621d3e7f25c45053e2ca02688cc8ba54ddcc1bc03e0c7b54e6f068895d60d1bfd52138

  • memory/2384-0-0x0000000000250000-0x0000000000286000-memory.dmp

    Filesize

    216KB

  • memory/2524-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2524-9-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2524-17-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2524-33-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2524-13-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2524-3-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2524-5-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2524-15-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2524-7-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2524-1-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2840-81-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2840-66-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2852-58-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

  • memory/2852-64-0x0000000000920000-0x000000000092B000-memory.dmp

    Filesize

    44KB

  • memory/2852-65-0x0000000000920000-0x000000000092B000-memory.dmp

    Filesize

    44KB

  • memory/2944-78-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2944-82-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB
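
The Downloads list above is flat text: one path per bullet, then field and value lines. The following added example (not part of the report, nor of the sandbox's own tooling) parses that layout, using an excerpt constructed from entries copied out of the report with the blank lines removed, and derives two things the list does not state outright: that the dropped tmpC774.exe carries exactly the submitted sample's hashes, so it is a byte-for-byte copy of the sample rather than a separate payload, and that each memory dump name encodes an address range whose length equals the stated Filesize, with PIDs 2524 and 2944 (the children relaunched by the two SetThreadContext parents) dumped over the same 0x400000-0x439000 range.

```python
"""Parse the report's 'Downloads' list into records and derive facts the flat
list does not state: dropped files identical to the submitted sample, and
whether each memory dump's address range matches its stated size.
Added example, not part of the report; the excerpt is constructed from the
report's own entries with blank lines removed."""
import re
from collections import defaultdict

# SHA256 of the submitted sample, from the report's 'General' section.
SUBMITTED_SHA256 = "f5096a51fdc054c4a217966b22f827a921d50a12436aa995d6f4180bdc4ba420"

REPORT_EXCERPT = r"""
• C:\Users\Admin\AppData\Local\Temp\tmpC774.exe
Filesize
401KB
MD5
8028ee3776ac68bb5789575e5a904465
SHA256
f5096a51fdc054c4a217966b22f827a921d50a12436aa995d6f4180bdc4ba420
• \Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\fc.exe
Filesize
130KB
MD5
65ff24f06707a6bc04d634d81de21b62
SHA256
c55c23f45448d73e5095f5678bd45a7993154b8818d5b29a2e02119c7612f3ba
• memory/2384-0-0x0000000000250000-0x0000000000286000-memory.dmp
Filesize
216KB
• memory/2524-1-0x0000000000400000-0x0000000000439000-memory.dmp
Filesize
228KB
• memory/2524-9-0x0000000000400000-0x0000000000439000-memory.dmp
Filesize
228KB
• memory/2840-81-0x0000000000400000-0x0000000000469000-memory.dmp
Filesize
420KB
• memory/2944-82-0x0000000000400000-0x0000000000439000-memory.dmp
Filesize
228KB
"""

FIELDS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
MEMDUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_downloads(text):
    """Turn the bullet / field / value layout into a list of dicts."""
    records, current, field = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):              # new entry: the path
            current = {"path": line[2:].strip()}
            records.append(current)
            field = None
        elif line in FIELDS:                   # field name; value follows
            field = line
        elif current is not None and field is not None:
            current[field] = line
            field = None
    return records


def size_kb(record):
    """'401KB' -> 401; the report states sizes in whole KB only."""
    m = re.fullmatch(r"(\d+)KB", record.get("Filesize", ""))
    return int(m.group(1)) if m else None


def find_self_copies(records, submitted_sha256):
    """Paths of dropped files whose SHA256 equals the submitted sample's."""
    return [r["path"] for r in records
            if r.get("SHA256", "").lower() == submitted_sha256.lower()]


def memory_regions(records):
    """Decode dump names; compare the range length with the stated Filesize."""
    out = []
    for r in records:
        m = MEMDUMP_RE.match(r["path"])
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        out.append({"pid": int(m["pid"]), "idx": int(m["idx"]),
                    "start": start, "end": end,
                    "range_kb": (end - start) // 1024,
                    "stated_kb": size_kb(r)})
    return out


def regions_by_pid(records):
    """Distinct (start, end) ranges per PID; repeated dumps of one range collapse."""
    by_pid = defaultdict(set)
    for m in memory_regions(records):
        by_pid[m["pid"]].add((m["start"], m["end"]))
    return dict(by_pid)


if __name__ == "__main__":
    recs = parse_downloads(REPORT_EXCERPT)
    print("copies of the submitted sample:", find_self_copies(recs, SUBMITTED_SHA256))
    for m in memory_regions(recs):
        print(m)
    print(regions_by_pid(recs))
```

Feeding the full list instead of the excerpt changes nothing in the parser; the repeated dumps of 2524's 0x400000-0x439000 region (indices 1 through 33 in the report) collapse to one entry in regions_by_pid, which is the view to use when comparing what was written into each process.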