Overview

overview

10

Static

static

1

California...ct.msi

windows7-x64

7

California...ct.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-12-2024 21:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    California-Nurses-Association-Kaiser-Contract.msi

  • Size

    101.7MB

  • MD5

    d32bff7790a7a7cc09e3fd8a604e4462

  • SHA1

    8097f23668557b2dcdf6d3aca285c0d499b5c78f

  • SHA256

    3303926a6468dab25286a65bb9f3e5883a8938e6501031b3b85e21f182d1ed0d

  • SHA512

    cc5f0ff6e7121970c98efe91dff8846c0216faab8daac0102ece6110cb05d2e4504edd2b191c1f0a571a503c4ea3c51add920b22db9696e70579d5d246a43ac0

  • SSDEEP

    49152:cwxcLDe+cpl7+GgVVN7HgTrztiIpqtSZFmD:Pa/MpZGgTFZFmD

Score
7/10
discoveryexecutionpersistenceprivilege_escalation

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 17 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\California-Nurses-Association-Kaiser-Contract.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2424
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding DCC0B781D046C10E03868E84311832D9 C
      2⤵
      • Loads dropped DLL
      PID:2024
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding AD854EA5C2915424740F5CA81BDD8C5F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1648
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding B6F91566F571DF555E4DDD229951B213
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Roaming\p.ps1"
        3⤵
        • Drops startup file
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1888
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nqrv1cl5.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3792
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC139.tmp"
            5⤵
              PID:3016
        • C:\Users\Admin\AppData\Roaming\pdfelement-pro_setup_full5239.exe
          "C:\Users\Admin\AppData\Roaming\pdfelement-pro_setup_full5239.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1324
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
        PID:2480
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D8" "0000000000000590"
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        PID:2016

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\f76f49e.rbs
        Filesize

        857KB

        MD5

        2bdf688eb8fa6de215b71edf2ad6fb5e

        SHA1

        cd01a2b43eca990a411475af8e7879d3d6013377

        SHA256

        386327cc54713aea254976c6aeec8328732156e425f4e90a3d8f866301827563

        SHA512

        cb9ee53044e95979130ad13b1490f6eb11a68a75eee218b99f30f63721abc717577905170aafe3be228cf01758a1faad7affb1df9ceb3f5170180125a6dcc65c

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        e656499672e958cec2b85ebaed1ae764

        SHA1

        01eff9640e2bf4a46cea24896f868d7810289cc9

        SHA256

        f300069fa567820de1bac2857ca1b06957f1637d14ebdeb915d64e158d0206ff

        SHA512

        2efc4e34539bd6a2b5f10fe9c54803bba88792cc3bbe633881a898cb560f14aed1f369a9944379f5ed476707965fb25bd22d2a3b34531229e75ce556f024dd04

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\2f63e4fe-60c0-47ae-b104-702c7f376a7d\Repository.ini
        Filesize

        45B

        MD5

        2d9ec4be01556548c9c58807f0ac3790

        SHA1

        da27ffd82b534b49bf61caa92a590b74075610bc

        SHA256

        ab891a9faa8640e0bd6053fa007fe79a2e615bc911bb5ffd7b03f6eba2729861

        SHA512

        437081a33b6bafcca56e66a838a58f1daf6c08603b2aaf1f66abe20d77c73fb4b0f9b37cce80439e8d75f740a7681739dea46d3fe8719aa48b2a8b14b73d08f6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\2f63e4fe-60c0-47ae-b104-702c7f376a7d\Repository.ini
        Filesize

        190B

        MD5

        4751a373ff31630898fd4e621954e5f2

        SHA1

        f4090f055e6a706c099f8e84bc1319b455b35f93

        SHA256

        d73d59cb8997490af4c036dddef09a3229415115caaa32d802bdc47d795f146d

        SHA512

        9997b79539e3a6817ae67904120e3c42f502876132320d4b41f42ae703de29db7a8a45132d549d372a208a71d3d120f4da27399398af91f9e1aa626dce091ba4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CabD145.tmp
        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSID497.tmp
        Filesize

        848KB

        MD5

        8636e27b4e9fe2e7d4ef7f77fe3ba1d2

        SHA1

        f1c7c604ad423ae6885a4df033440056a937e9c2

        SHA256

        5080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c

        SHA512

        dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES13A.tmp
        Filesize

        1KB

        MD5

        3335598910a4382feda153c42aa03485

        SHA1

        b58f6a9297fb7d9a3b37683713ad1143ba3f8c5c

        SHA256

        d0b66d43ec23e4d225cd1af33db595e4bc4aae4802da8b7858c3477e30704fc7

        SHA512

        61e2c08c85db74cd66b098aa3c4ca671c6f98feeea9f92016433394e8900aaa01d402da90944d28009460bf479d1a83aa9cc5d85267c4771d728b561d041c780

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\TarD158.tmp
        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nqrv1cl5.dll
        Filesize

        3KB

        MD5

        ba2b1f3aae8a7d88ed023248756cbd33

        SHA1

        f39481ecefce3b321f9bc79f5cd99c66cb3566d2

        SHA256

        7f85d924fb1424a4c821c08a37223fe96204a83bf75f4bf01b749116910500f5

        SHA512

        1507205c30f244b5da4149be775c5721e6f5a5dd2833a48d832e190fca9c99ca49427cba4bfb39ed44250891618771380aad3230c1527e738e435aba78075749

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nqrv1cl5.pdb
        Filesize

        7KB

        MD5

        dfb17e36fd381cb052ef2c6b13faa7c9

        SHA1

        7798208e501e071c2f94a60b9f88547f72f4c062

        SHA256

        b015f6a5b5f918ee1d0d2442fe0ec4bbd679b78f7a3d437022b9db3cf59d8d19

        SHA512

        3400e659cf3e7f3c10c1115d7b765680d2a297f3571fe91c9df12fc54a662df7a2c1e2346cf04eec575cc2b85db76954a5cd540e66a08d9118d57801c152389b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\wsWAE.log
        Filesize

        1014B

        MD5

        ed588d53b6c95c7705377ccca570170a

        SHA1

        4c962b65a0c7b9650fd80402942a9a5f4fa287d0

        SHA256

        1b1424ef3d95f55d6543caaf1fbf6df66bd6414e9669282bf64fa546a57f4630

        SHA512

        f2b72e09612706deabfb2e712f95173cf41a9768e557e0266630666ea4c25ed99ba76ce6cd19ea34d47e54152efe4e486b1c70bee822b06caab584143b4d103a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\wsWAE.log
        Filesize

        716B

        MD5

        8816f23baa4ad3f7f10225c5880502e8

        SHA1

        6ac5ac8ac4bf1236be123a1ee995b2e81ecfd4df

        SHA256

        3cf48aebd63b1a9cb13b1361d70df75b466de70b41ee80b97243377873c6ce15

        SHA512

        4b97788c4ffa266408b3bea424b9fff759f4481321df09023d6db412ecb9fa4d6684b2607f3a82db5dbee2a98ba9f50481293dc76aca5b17ce75b6fc1182266f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\wsduilib.log
        Filesize

        22KB

        MD5

        e51ece384394b31da1477cf76dd669db

        SHA1

        c16b9cfa434fc349e03d893242da892d9e21bb67

        SHA256

        353d0cfaa92a39a98c7bdf54b3b24cc846f23f47a43267ede85f9d9db115bad8

        SHA512

        ea9e93f5e4686e29cdae4c3548d937defb9ef63cdb9302e6d8dade8d7afe1fd8892011a18aef4e3d8e0b27def74d7ac242f58607263a8079ae3c6e0de2afa166

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Adobe\BJNVPvnltsjdzcTWq\RyZdCMkSpsDutq.GEwzLfQhqeNnAIUZXbM
        Filesize

        190KB

        MD5

        2e2fdfb9e78fcfabae27be558ff2b7e7

        SHA1

        c8dba8264301905254f17b2cd307cd2563f2b90e

        SHA256

        232d831d6d9a973b9cba7064690e8942b159d20a031972e9e16694d718df1036

        SHA512

        44130250867e128c9e46d0ea5e47ac14377e8612fb6bae1af54d58e605cbfab98e315472213fc4e29ed2636c2ba03f760f64fdc33c60bc92640dc642e1673490

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Adobe\BJNVPvnltsjdzcTWq\VwLRBbKuGj.YkTFoDxjBzO
        Filesize

        143KB

        MD5

        eadfee2ca34cc4b57052a84ebeb0e838

        SHA1

        769d901434b58020f97c7c7f6b96ecb862c4afdb

        SHA256

        f767b200b65c4a92121780477bfc57c15c77b2a112aff44314aa3230085c2b4d

        SHA512

        6974cd3a7417d541fdbf860711b9df480ac39d66c1ed8f7cc65bb32a9095958f16ed7846fa8aea8c7c9e06ec533a2a77d338de08fe36f134dacd05716a77dbfb

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Adobe\BJNVPvnltsjdzcTWq\ZMPAFoJEzBTUph.kPyJSecAgXjbNs
        Filesize

        87KB

        MD5

        347e386f333f82a3e2b117cfea21898e

        SHA1

        960c8d7e7d4225599a3779b96c4a954dcd369bac

        SHA256

        533f5463d1ac0e933a7dec90c374c3993918552672ad32f5e7df7c96685bfe37

        SHA512

        75166b5fe2b3d9580dbeeec23ef86c52ba20285de6979f212bdb94ab34d9f6f53f8f5a33018d0cc1dc2ea852dd6b71487fe44ab44060c00e797477314ad3744e

        Download Submit

      • C:\Users\Admin\AppData\Roaming\p.ps1
        Filesize

        28KB

        MD5

        5201bec05304172eb34578a483da40da

        SHA1

        e4a91fd21e16639f759009a17e1f37df5c89f2b4

        SHA256

        5a2366fb3d365e87f77a982d83eefb5054d50e8e73d2043979e5616c7071a458

        SHA512

        7ea8de19029a90502fd6a472e1b449cdbf017a19e679d3383b34aea2af1e392de6216934640fd9d8c47fb8553759cde0880291ff2d187081ff9896746a276353

        Download Submit

      • C:\Users\Admin\AppData\Roaming\pdfelement-pro_setup_full5239.exe
        Filesize

        1.2MB

        MD5

        a9e71619275adf3f7f063f0e5f1da31d

        SHA1

        7b60c38b1a04f46e946828d15f28dd77fcf310f7

        SHA256

        1e26938fcff220a294c03ed106068ab845d9c762f3adba926bf46c19f8ba49d6

        SHA512

        be4c24cdf620f2dbb661aaf715703acb597604e2092917d96da437e7eed5cb3c866bd3914b7cf40eab7cff6cb1e19e0c3b62ccb29abc2f6d8e2e9d2ad7f75f17

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\CSC139.tmp
        Filesize

        652B

        MD5

        82642649a46230030aeee0125670e65c

        SHA1

        5469408ff2e19812a182eab6551702da3e4f103f

        SHA256

        09ae163d6e80cf9de7bd628b21fb0dbd470316d275a2dda68d4cf1ca585da31d

        SHA512

        3e8cb6de8fd980b4809198d8771dc949a6f573ea8d24f1a7abf22bb29de66942dba29b2a8e9268481d09cbcc54ba92a0e2062dc675fade7ea5c5ace115b4e8d1

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\nqrv1cl5.0.cs
        Filesize

        236B

        MD5

        dae076349c85f1ed8db78fd3bd75473c

        SHA1

        33be9fc7f764edae76f95fe28f452b740a75d809

        SHA256

        9e3f4a1c1286b86413b4844e216248f1a95e8a13ee74c2c71412c2d6c571f156

        SHA512

        ae396e869013c2c70936858646aeac2289b17c16a4f2a6b938d6d2434a30e9785e010ff3c42b9c728cd8c002ea4c8190783665f575e15962553eb7b229b9a923

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\nqrv1cl5.cmdline
        Filesize

        309B

        MD5

        65970c297dc43fd2d002a7be9e52b310

        SHA1

        1f060d5270fc6f3b4f0725abdaaf1ca92a6d291d

        SHA256

        ff7bcbc743a060579547e8d62cf1b3b09833cdbc44776003b06906a5747e53dd

        SHA512

        71bd8426365a8621ff54daa9f13ba3fcd5f526679d54a2589e64da2c5334d7dd180da72ca3a1a424b302fb182fa9a95b501347fbdd7aa5fc457810da37351046

        Download Submit

      • memory/1888-1504-0x0000000002C60000-0x0000000002C68000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1888-1132-0x000000001B580000-0x000000001B862000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1888-1232-0x00000000029E0000-0x00000000029E8000-memory.dmp

        Filesize

        32KB

        Download