Analysis

  • max time kernel
    119s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-12-2024 19:43

General

  • Target

    install.msi

  • Size

    1.9MB

  • MD5

    bdc8b7229eaa7473c25a37f08ba79189

  • SHA1

    9699c8b0f0235bae5285a80b3e3b8c447d2aad0c

  • SHA256

    7b939d1d59b370c836fea6703a254127de36ac0259538809535bb136b6725c72

  • SHA512

    1332bfad5da5c8fce17cf374ff1012831744e3e69cea4b87607eb9dc95b6ebc51c91a6766ee186d5ee8a5e027111ec74a644bd470fb891c60240239f727b3e17

  • SSDEEP

    24576:kt9cpVDhI6DDys5Rtmi/Bt3O79TqszKlGEa7vFLf2nxh7H7mGV:jpRhFnywtmABg7Qm+GlDFLfax17m

Malware Config

Signatures

  • Modifies file permissions 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\install.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2084
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A3DB03CEDC31A0BBD97DB63C2249D7B6
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2888
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-50442e9b-f739-47aa-be8d-04b0e51e561f\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:1228
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2000
      • C:\Users\Admin\AppData\Local\Temp\MW-50442e9b-f739-47aa-be8d-04b0e51e561f\files\install.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-50442e9b-f739-47aa-be8d-04b0e51e561f\files\install.exe" /VERYSILENT /VERYSILENT
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2420
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2676
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B8" "000000000000048C"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW-50442e9b-f739-47aa-be8d-04b0e51e561f\files.cab

    Filesize

    1.6MB

    MD5

    dde33cc7bc57e73262a9587e6fd2c73b

    SHA1

    429a01f8dd68c1d46f32a3a13e4b5051803139a3

    SHA256

    3fb44f2533de3106494be7f12fb2a7f3fe9453384385e5b2d489788dbc150bab

    SHA512

    31f0d86a3638341e40f949cf9f386abe843afa3a04abe36ac26071b63507a5c19fcc54f594cc280bc1969bed7879163324477027bff0f1a68e5ef09f27b60d66

  • C:\Users\Admin\AppData\Local\Temp\MW-50442e9b-f739-47aa-be8d-04b0e51e561f\msiwrapper.ini

    Filesize

    386B

    MD5

    908e2010baad2e14fab8a27de6a29f69

    SHA1

    a114f24ed9c1f83e8f5bd35713dc1e12bd370c3b

    SHA256

    1f533e5e881bc433200f7e0b46e255dd53db8c1c2f7289299bbe6c1baa831d85

    SHA512

    cdfb9eb8abec806066b9e5cb299f0b628858c05b0a647fea8c2f06d629f81d0bd01b5b82daaed3b37fc214acc723663fe8c4aeb079a0c0fcc62cc4cdb21e465b

  • C:\Users\Admin\AppData\Local\Temp\MW-50442e9b-f739-47aa-be8d-04b0e51e561f\msiwrapper.ini

    Filesize

    1KB

    MD5

    b1eea7d4eba6b500d17a82dce0469cf6

    SHA1

    4433e1ccb1d0ab7f829f64c727b7cfcc32d1147d

    SHA256

    cb621ede1f4e61ae9ac43e0d94461c1d52874f8a48471602febf047a2b63080f

    SHA512

    ac063dae218efc4ab0f0ec9b87e647e914b63f7511d9d80d03b18b824ee98fab20cbc2b9a55384608391d1cda42d54b10e4eac830c5fcb8980f5ebb55a4b30b3

  • C:\Users\Admin\AppData\Local\Temp\MW-50442e9b-f739-47aa-be8d-04b0e51e561f\msiwrapper.ini

    Filesize

    1KB

    MD5

    924b7c7bb5e198cfb110a745126ae673

    SHA1

    cbd7ccc66d5990651643ed1ee096a145dcfaaa3b

    SHA256

    83c6e47301acd0ec1f9c98d9605d7ef2cece80d3b97e22123694d6081df2a07f

    SHA512

    c59f3f0f0c34854a952868ef9e5a38ceda2a05362a4e83b22a2bbab935e75e8385291b39fda6be8948f14e76e567af0439e69f1a8ba6141cfa4b95d6c797c450

  • C:\Windows\Installer\MSI2EE.tmp

    Filesize

    208KB

    MD5

    0c8921bbcc37c6efd34faf44cf3b0cb5

    SHA1

    dcfa71246157edcd09eecaf9d4c5e360b24b3e49

    SHA256

    fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

    SHA512

    ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108