Resubmissions

22/11/2024, 08:09

241122-j2e5aasrgr 7

22/11/2024, 07:41

241122-jjhgpawqdx 6

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/11/2024, 08:09

General

  • Target

    wangnengjs-winoencxans_1.1.0.6.msi

  • Size

    50.9MB

  • MD5

    143b59cd302d0ca40f146ba53aaaaad5

  • SHA1

    a8a5345e19b20500b62629f14060aefc883e3b52

  • SHA256

    4a68bdfa3e31a8c063bbf94469160eb7998a556027d5ad33f37c347a71c2d3a4

  • SHA512

    f0ee06942a41d51dceb3dd5d512dad6f3380f1ade868807f7134c0607d195e8e4eac979dc2559aa6976eb0d0ff654dded10b9c647188fca206cff287298a1b90

  • SSDEEP

    1572864:ONd1Bl1AJnKNldB6ZCUu6ofwyEICAf3u1ihUsMhMG:ONd1Blzd0ZX3QC03u11sMe

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 20 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wangnengjs-winoencxans_1.1.0.6.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2556
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 99B2C1D7D95C5124A14D49CFA04827F5 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2624
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B6ADDCA3DC46E9811B74AD24405685C9
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1980
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding C785E9434742DF4E4E03761583D999DC
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Users\Admin\74CB9133-9BA8-4ECC-9886-0000876844B0\down.exe
        C:\Users\Admin\74CB9133-9BA8-4ECC-9886-0000876844B0\\down.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1132
        • C:\Users\Admin\74CB9133-9BA8-4ECC-9886-0000876844B0\down.exe
          C:\Users\Admin\74CB9133-9BA8-4ECC-9886-0000876844B0\down.exe /aut
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2436
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2436 -s 96
            5⤵
            • Loads dropped DLL
            PID:2104
        • C:\Windows\system32\colorcpl.exe
          colorcpl.exe
          4⤵
          • Enumerates connected drives
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2400
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:1144
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C4" "0000000000000068"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2596

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Config.Msi\f76fc7a.rbs

            Filesize

            28KB

            MD5

            104377ef759cac02d376e016d9f4d958

            SHA1

            dec2b319dcab188536f87dcb01a321bbccbba724

            SHA256

            1a7c2b371e63dba9cc111702018f0d69a81ae669f8701d68984b1c56a2a15df8

            SHA512

            2bbaf285d5892b640b9d0d8f4efa7de66ecd84200a75f60549d4db42bfd4fcdb33e93d94324a54dc0857695d166bc950ecc825577fa496909eb0660ae2a722da

          • C:\Users\Admin\74CB9133-9BA8-4ECC-9886-0000876844B0\MSVCP140.dll

            Filesize

            613KB

            MD5

            c1b066f9e3e2f3a6785161a8c7e0346a

            SHA1

            8b3b943e79c40bc81fdac1e038a276d034bbe812

            SHA256

            99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

            SHA512

            36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

          • C:\Users\Admin\74CB9133-9BA8-4ECC-9886-0000876844B0\VCRUNTIME140.dll

            Filesize

            116KB

            MD5

            e9b690fbe5c4b96871214379659dd928

            SHA1

            c199a4beac341abc218257080b741ada0fadecaf

            SHA256

            a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

            SHA512

            00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

          • C:\Users\Admin\74CB9133-9BA8-4ECC-9886-0000876844B0\VCRUNTIME140_1.dll

            Filesize

            48KB

            MD5

            eb49c1d33b41eb49dfed58aafa9b9a8f

            SHA1

            61786eb9f3f996d85a5f5eea4c555093dd0daab6

            SHA256

            6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

            SHA512

            d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

          • C:\Users\Admin\74CB9133-9BA8-4ECC-9886-0000876844B0\aut.png

            Filesize

            1.3MB

            MD5

            51698f9d781f9ba83b9d1896f047b666

            SHA1

            5e28f766d10af39ec28f46f20a8d047474135923

            SHA256

            300776a76cf4faaa2ef0d0928adf0bb9621ae486e316f81af8d71719d9f413cb

            SHA512

            cee9cb3c89b0a7defdc5cc61acc479f94a3e29556c9fec5ede12997cee8b67e780af443fae1f81399274e0602ac9102521e6389422ec9ede49e23647a256e952

          • C:\Users\Admin\74CB9133-9BA8-4ECC-9886-0000876844B0\view.png

            Filesize

            656KB

            MD5

            90ddb0bcf3638b0c48caed930c641313

            SHA1

            95d1c419151d832260522310fab49c4694882e8a

            SHA256

            50fc547c6c47d3237832d7d9e40712f9c47fb547629023a78dfc46a5f1c50ff9

            SHA512

            5e90a257315d9b3938b9ac0e6205c3b754ee56721a0fb62081be3c06c570a094df134d8437c29cf50f34ceda6ac4461358b8518f505d0a5278617a9afb1c1cb1

          • C:\Users\Admin\AppData\Local\Temp\MSIC284.tmp

            Filesize

            557KB

            MD5

            db7612f0fd6408d664185cfc81bef0cb

            SHA1

            19a6334ec00365b4f4e57d387ed885b32aa7c9aa

            SHA256

            e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

            SHA512

            25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

          • C:\Windows\Installer\MSI264.tmp

            Filesize

            25KB

            MD5

            81902d13c01fd8a187f3a7f2b72d5dd0

            SHA1

            0ac01518c5588eb2788730c78f0c581f79cf2ed4

            SHA256

            eef31e9195cfacde7b4e7eb7384c8178d8811063b375fd4a28ae897cc180c6a6

            SHA512

            04d6e2e937328477803084e0ef9da2c3636cdc9d34af74e2d1871d7190be21cbb2771ae835175e104e24eccba52add1ba6f58407bfd522ef82b81d76e977f24c

          • C:\users\public\documents\all.zip

            Filesize

            3.0MB

            MD5

            68b50c0c6c89cb9cd971c793cda8e036

            SHA1

            414eb5d40636ca50baae60a42f15b259ae64e01d

            SHA256

            736435af598acbd3d4e802cc8e3114b38cdaf9d400ed33b971aa10fe2011f093

            SHA512

            d8861032bc3e84211746894cc2bd1e057fa1f6f9f5da9a9d43db578fe364c0606978d5e711bee886961206d8a6d9eb79479e396ad8ec7edb6c15a2b53aade690

          • \Users\Admin\74CB9133-9BA8-4ECC-9886-0000876844B0\down.exe

            Filesize

            2.7MB

            MD5

            e025fb98bf7b06e2e1c00d0642cff374

            SHA1

            34b9a8b326023ef06a2545f8932da207b2064237

            SHA256

            9c9a6bc84961f341a783bbda8181e2e189bafe96772bc145cd1e85739cf7da7c

            SHA512

            4491c9ba8f4357ecfaa9e995ec4b6693e981f4268341bc73a9709fdb8f8671b60e79917b8446370ebc22f299be655b6d3aec5041cd277cccb4588372f0159854

          • memory/2400-77-0x0000000000060000-0x00000000000DB000-memory.dmp

            Filesize

            492KB

          • memory/2400-79-0x0000000000060000-0x00000000000DB000-memory.dmp

            Filesize

            492KB

          • memory/2400-86-0x0000000000060000-0x00000000000DB000-memory.dmp

            Filesize

            492KB

          • memory/2400-88-0x0000000000060000-0x00000000000DB000-memory.dmp

            Filesize

            492KB

          • memory/2400-90-0x0000000000060000-0x00000000000DB000-memory.dmp

            Filesize

            492KB

          • memory/2920-50-0x0000000002560000-0x0000000003560000-memory.dmp

            Filesize

            16.0MB