Overview

overview

7

Static

static

1

cloudflare.msi

windows7-x64

7

cloudflare.msi

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2024 15:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cloudflare.msi

  • Size

    13.8MB

  • MD5

    5d2922491b47e1c355103194e069e5ac

  • SHA1

    eb918f926c9cc2f9239f1dfe0380727c8170982c

  • SHA256

    c348002e3d2cf40a2fc3c819a96b1735dc451bb3ec32ba9355feaccd3eee63c0

  • SHA512

    522be674a5fb20af9a4fa42315ae8e780df3310f5b0ea8feccca1cf788cd6af542226aed65e9c6f7353d2daf954522f4067880626a2ccf4b7793178b57eb0bd9

  • SSDEEP

    393216:GDFCbAjiImi73v4JPUQ6Rm1feeuQx1qbvto:GRCbAjCK6PEm12ZQx1qbFo

Score
7/10
collectiondiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Signatures

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 19 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cloudflare.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1704
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe
      "C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe"
      2⤵
      • Accesses Microsoft Outlook accounts
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:1668
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2552
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000056C" "0000000000000570"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Installer Packages

1
T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Installer Packages

1
T1546.016

Defense Evasion

Modify Registry

2
T1112

System Binary Proxy Execution

1
T1218

Msiexec

1
T1218.007

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

1
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f76f807.rbs
    Filesize

    12KB

    MD5

    c940450b44f165eb3543f72d987ee17c

    SHA1

    2352ed2b4fc7fa53b6061a8ed4c5ff519067d01d

    SHA256

    4dbdc9ea48389a7df7ce7fae8dd5af18a108799d5ed6434232243ffad465e5c3

    SHA512

    67b7a3b8b3a49d6774dc839f24b9c28beb60f5d3f6d936a28f5ffef29d238f8f3fa22f434affbcde791cec0bd8c425ca1d247fc5f4968ff1c52bfc0c6a1863cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\ABCpdf.dll
    Filesize

    652KB

    MD5

    f35e190d9847aee93157ad18bee2ff51

    SHA1

    011dd903705ac60f39a74191b41b82c11c53abe6

    SHA256

    faf2b98ef2934c7addf7056a3b6f2fa56c814db79d960f8fb2744e4e4d260500

    SHA512

    f4329b5bed3a840e1e630be9a5a61903d2aae31d6fac068d6f750b98a0d2b65de9b38db1ddd6298c104704d48593996bc7db8f6e6d77f1117bfc8e0431935738

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe
    Filesize

    2.3MB

    MD5

    5d8a546c266cc1d2f14b3be5c662c67a

    SHA1

    a474fe2bf3311a452bee640dbb423b20e0a99929

    SHA256

    8eaeff4697ce489daee3d82e7c703409907bfb9fa890a3646b56634798e01bc4

    SHA512

    cdd3c8c4a73ccf10d97097826e5b4567d0a3b227a9080e3ff7ad84eec6276a11c94a47f545d2b6023ed6a3b4b377d2073e6584b2ce4492f1de7789a7fa6c2cca

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\CharcoalDarkSlate.vsf
    Filesize

    59KB

    MD5

    947023ba00312c4574a44688a11fd5eb

    SHA1

    164a4609c041d93ccb645ab8df70e04ffb984508

    SHA256

    aa45e23296396e41e3f1547ee8aa59989f2ee3e05651f27b842eca366c87f047

    SHA512

    a6af49ba6e12b886bd30217a7ae5856881f553a4931acda2ae26e372fb79afc09ecf0a6364011adcdf2e2f93d76899a23570f00db2dce9d5c06a1a9c24b5c66d

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\Concept.dat
    Filesize

    5.5MB

    MD5

    4035390af4171153c1cb708f7151ed5f

    SHA1

    9ed10ad504e6b19f6fd9570ed92a793bd2d79721

    SHA256

    407048f9d01e5bf9051a043261a29c4654190444fe15e5f96f97c446ad7ae8d3

    SHA512

    56c8942340b9d83c0c396aed680000e1a2c9a0f075cb8c96150d9341aeef4a62245a373288ca0546c21605333deca86dc2fd47812de605bb3eaeb08b987e22c8

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\Languages\Russian.sib
    Filesize

    125KB

    MD5

    4d7d38ca87590e1c4787d834312485fb

    SHA1

    7114a6219f62149071e289ff171cb3a78dd43dd7

    SHA256

    ba8827d76c9682a3fbb548c1c392bd058c1cfda1fd8654c715abfbdad750e9a0

    SHA512

    28680ac747344f770d6a724c27f3b5f073c5a0d159ffa620900042ef25433e46f45d3a4c803175a92051f1f10b67f32ed2c41deb5b610f65e37bb41c701b2cd5

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\License-Russian.txt
    Filesize

    4KB

    MD5

    3d44e666ce041981dbf7529916d4c92a

    SHA1

    0d51862ae922cebaa9638d542d6b4684e195a1a8

    SHA256

    62edad9e609781d9cc130b3dcb9ac27c7342f79f97be295390c517251e98877b

    SHA512

    665e016a6956588ce761aca0e11d9429164e05e471b8f9c7510b297ddf136b209ec112c6043af5407f3effdde3e09ac4baa47548209c5c09f156e483d447016b

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\License.txt
    Filesize

    3KB

    MD5

    8c3d5df72e234543b6619a38ea4c9915

    SHA1

    42247b1b09814b174742d85a87e842af096426c9

    SHA256

    3a5ddb81221d346b0a4f9dcbdcefa7d63f38d4570d0c9b0627a7698094ba4356

    SHA512

    9f52d48261909bb151449dac60eb5d74128fab03e89c2e50ee9a872d263e0f4d27203fc898e4ba1e39510672de6ca0caea0329640c78b639da58defb1f18c225

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\PDFtext.dll
    Filesize

    1.2MB

    MD5

    f5dd27918cdc45136567ceb8b216c5b8

    SHA1

    d7da1e100292ab7d6908516a60a555be77b6d01e

    SHA256

    8a4c862ffdf0e858ae721bce97e2a5951c4d8dd665856459c41378141f5f2772

    SHA512

    c1d2240dc168df8cad9355f5266093babf0eaf257f40206a18f3364d0d3f2b1d03042241cef8134df06aa11cfb386f231ea48fa433801ace68282bbe32d904bf

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\SAPIDLL.DLL
    Filesize

    403KB

    MD5

    7d96ebf6ab548ac4e9f6ee761454de9f

    SHA1

    cc121db7480602a3e3a10cfc453f2604258805d2

    SHA256

    39c4355690759ade7e5a645603c46c48ff83b0d47163fbf7ffe9eaa92dfaecaf

    SHA512

    b2bf462d11217c764a5071b2e84b18cfdba778b48705afbde6e38f68dff80f8fe9a8f3c0f27cc731efa114e2ddd3a67219d79b289934c328d3820a2fe017a0df

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\ThemedTypesIgnore.xml.bkp
    Filesize

    322B

    MD5

    df00c215260aaa2d2b571005d38dee66

    SHA1

    a32c80f9023a9efb2d23a0c9d2b67824f5dfe85c

    SHA256

    72d8c1c2d41160e27830af8c48d49c8bb36cbcb03c4dcd0ecada3e43bcea31d8

    SHA512

    b15911c9a908758006200d31bc359611f3e6eb197cf98b61307680fee1bcad011beb5d09b6e7fe4e14b31e00715950b1ba43e5ab26e43207f36c856e3b61cddc

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\WhatsNew-Russian.txt
    Filesize

    753B

    MD5

    622f3d0b51d18328020f858c77ac4a9c

    SHA1

    84ec68b009c254fbcbf8d0fe38917e27eee26392

    SHA256

    4f39de7b48d8cd80f40267250df737619c122c260e982ca64029ce6bbc852d95

    SHA512

    1f9712be02005380a52806478eb316d9d9f212cedfd7458eb337b9534823ddd5ad69e4f2d968d8ce8825286372a1da90423a8ef0e0bba6068deaeeff228656fa

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\WhatsNew.txt
    Filesize

    782B

    MD5

    26c76e66cf53cf7767f08c00e4659b09

    SHA1

    0907744fe2d42ebb9b53be23ad28dddb256acbd2

    SHA256

    5cbd87a6585c0bbc9904dff390d98333c36dd7728fbb67ece896bdd93abfd066

    SHA512

    874746b34fe44ba42e3aebb691b446ad6a8f7ceda52ca35c99b2a06ab754e4538931eb3bb3d2beb71196102bd1516a14ddfe9235f94bfd42d117c596a8129b39

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\ebooks\meal.wav
    Filesize

    1.8MB

    MD5

    1adb1764e42021f4049b1ae9f2e1d614

    SHA1

    813df01ff0a7562f1d0a02ab1f60f3f60435abd4

    SHA256

    88183affe3e1feb95c8b9f55b2d4a63bcbd1e8b40b901ec01bdcaa15a6d442a1

    SHA512

    e3d4f0efb59a7f77b5940a0a3c26aec5a5e879dc42f951376bb6c5e4184f137bd624d766c10b6315294860cb0b7113ff2fd6b4d09c89b4f9421b73705dd5e647

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\jdefend.dll
    Filesize

    8.7MB

    MD5

    ba095598cffb424c202781656ca2f2a7

    SHA1

    013486f84aba2a89955c6a62def2fd9524dba151

    SHA256

    f7b8d216b27fa51d835d262ee55fbd836d08b4f413e42bad38dea658f1779aed

    SHA512

    687223da11c8e0507a57b8480421400cbc44476ee94407e3601a8797e86449f95bf72ce47520071816523b40377509a27cfbdab29eac7c97f68c4411a852229c

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\links.xml
    Filesize

    255B

    MD5

    a09cd34d7b0c5d9855e09181c6dd72e8

    SHA1

    d6b1fa061c69bc773922336824ed8b6040b9690c

    SHA256

    c7b45450bf29b9e7dbce2b7ebc0583875edd233180eeca698b2b681c5da9200d

    SHA512

    b6af8cd55d1361e248091e4de08a13f6deabaa5e129aef6a29f161916682ab8a9133955e418bcda0e79cdd053f0872c0d1b2525e5fafa275f431886d88580ea1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Iepeqeytqrs
    Filesize

    92KB

    MD5

    bae565bc385845e730347df331491051

    SHA1

    5da4a3def18f75d007cee6ee334f8e36b0c377bc

    SHA256

    c6aeae82d3a49e6ce016e1f02fa93c918d50934f93847ae371816e5fdeb79dd5

    SHA512

    6e9120dca1ec8acadbccff6c99bf81ccb6e91b53019be1b5bda35fa5a5be8e18fd001fcda8f01096123d3aae1e71e0262910dad846f756c513493c92387232a2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Qeprrtedtddhae
    Filesize

    92KB

    MD5

    0040f587d31c3c0be57da029997f9978

    SHA1

    d4729f8ed094797bd54ea8a9987aaa7058e7eaa2

    SHA256

    a285e3bc24d218869afd114c236f0aafebeba96d4105ddd379ae31f03b26079b

    SHA512

    3e4ffca2ff979b5f91a0c8d5d1fa52f0ab47ff63e50b1cc5e7708c4ba8359ee8505a9259f329da5733048e953f0778af73ce76735b481d558dd05a2cb45a5977

    Download Submit

  • C:\Windows\Installer\f76f805.msi
    Filesize

    13.8MB

    MD5

    5d2922491b47e1c355103194e069e5ac

    SHA1

    eb918f926c9cc2f9239f1dfe0380727c8170982c

    SHA256

    c348002e3d2cf40a2fc3c819a96b1735dc451bb3ec32ba9355feaccd3eee63c0

    SHA512

    522be674a5fb20af9a4fa42315ae8e780df3310f5b0ea8feccca1cf788cd6af542226aed65e9c6f7353d2daf954522f4067880626a2ccf4b7793178b57eb0bd9

    Download Submit

  • \Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\RwcProxy.dll
    Filesize

    336KB

    MD5

    741fd2623ad12de3403f39ef575181e3

    SHA1

    54f3fa29a9565278109ba6a4049f403970110c49

    SHA256

    1612b2db97aa51736de92be6fc50c502394169ed4dc3e9bfde06f331dd08790a

    SHA512

    045171c2f8b65a0ce41ac86680dbc2683c1561ed008a4f33c34874cddefb8f5b15aa7f402dc98386e7b37428fc7ea86325c19c2e3b1b91bc401fc1659f6b8705

    Download Submit

  • memory/1668-78-0x00000000052F0000-0x00000000053DB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/1668-117-0x00000000052F0000-0x00000000053DB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/1668-61-0x0000000074710000-0x000000007477E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1668-76-0x00000000052F0000-0x00000000053DB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/1668-81-0x0000000000400000-0x000000000065E000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1668-82-0x00000000006D0000-0x000000000073A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1668-83-0x0000000000740000-0x0000000000887000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1668-84-0x0000000000400000-0x000000000065E000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1668-87-0x0000000000400000-0x000000000065E000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1668-93-0x0000000000400000-0x000000000065E000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1668-114-0x00000000052F0000-0x00000000053DB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/1668-111-0x00000000052F0000-0x00000000053DB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/1668-110-0x00000000052F0000-0x00000000053DB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/1668-62-0x00000000052F0000-0x00000000053DB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/1668-120-0x0000000008BD0000-0x0000000009167000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1668-121-0x0000000063280000-0x00000000634BE000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1668-122-0x000000006E600000-0x000000006E69D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/1668-124-0x00000000080A0000-0x000000000862C000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/1668-123-0x00000000080A0000-0x000000000862C000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/1668-125-0x00000000080A0000-0x000000000862C000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/1668-126-0x00000000080A0000-0x000000000862C000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/1668-127-0x00000000080A0000-0x000000000862C000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/1668-53-0x0000000000740000-0x0000000000887000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1668-50-0x00000000006D0000-0x000000000073A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1668-164-0x0000000074710000-0x000000007477E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1668-174-0x00000000052F0000-0x00000000053DB000-memory.dmp

    Filesize

    940KB

    Download