Overview

overview

10

Static

static

1

renamed file.msi

windows7-x64

7

renamed file.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-12-2024 07:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    renamed file.msi

  • Size

    101.7MB

  • MD5

    d32bff7790a7a7cc09e3fd8a604e4462

  • SHA1

    8097f23668557b2dcdf6d3aca285c0d499b5c78f

  • SHA256

    3303926a6468dab25286a65bb9f3e5883a8938e6501031b3b85e21f182d1ed0d

  • SHA512

    cc5f0ff6e7121970c98efe91dff8846c0216faab8daac0102ece6110cb05d2e4504edd2b191c1f0a571a503c4ea3c51add920b22db9696e70579d5d246a43ac0

  • SSDEEP

    49152:cwxcLDe+cpl7+GgVVN7HgTrztiIpqtSZFmD:Pa/MpZGgTFZFmD

Score
7/10
discoveryexecution

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 17 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\renamed file.msi"
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2664
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding B63C597D20B2D086C1F1C496DD34AA27 C
      2⤵
      • Loads dropped DLL
      PID:2412
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5C76BAB212CFC17142319F24E9A61544
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2416
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding A3DBE1F5DF5E99D0276EADA771855E22
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Roaming\p.ps1"
        3⤵
        • Drops startup file
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:268
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8ys2dmh9.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2288
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES15D3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC15B2.tmp"
            5⤵
              PID:2072
        • C:\Users\Admin\AppData\Roaming\pdfelement-pro_setup_full5239.exe
          "C:\Users\Admin\AppData\Roaming\pdfelement-pro_setup_full5239.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:352
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
        PID:1292
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000590" "00000000000003A8"
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        PID:940

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\f7707fe.rbs
        Filesize

        857KB

        MD5

        d351a33fdd4aeecb5990d990a068eace

        SHA1

        fc2561ca80c784458f4c0697b01c6695bf53cfcf

        SHA256

        ca8ec0b1333ec9345c1d130c3ed592104ec15767f3f40968f5bf8454bd2c9374

        SHA512

        eb3c9441694177ddea439d2364695c5b68ab9b03865fb53e9c17190a80ab9abbc5cda123656d44871096b356a933dd950fa466bc67fa9076bea888ef73e45b7e

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        c39794eacc658d16ddc48d5ed375793c

        SHA1

        5cc27fedb9059e372f9d7a6b042a387359c8b338

        SHA256

        2e550353c64c3d4b655ed45b2caaf5026619faa70054dd559e23b1a5b0e73d1a

        SHA512

        40e3c84400b98c1828ed62f2b5fa7a4acd7c99d8824977d2de14e750510824cc21ede94ce02bcd958ce9c7212afac898445925ac9ee30e301ecea5def3498ee8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\03f200a0-33db-487c-89c0-0096948db8f6\Repository.ini
        Filesize

        190B

        MD5

        4751a373ff31630898fd4e621954e5f2

        SHA1

        f4090f055e6a706c099f8e84bc1319b455b35f93

        SHA256

        d73d59cb8997490af4c036dddef09a3229415115caaa32d802bdc47d795f146d

        SHA512

        9997b79539e3a6817ae67904120e3c42f502876132320d4b41f42ae703de29db7a8a45132d549d372a208a71d3d120f4da27399398af91f9e1aa626dce091ba4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\8ys2dmh9.dll
        Filesize

        3KB

        MD5

        35300f2e87e750dfe8d8e4c670698eb1

        SHA1

        f02b41dbf830f5444b6cfe6c0f9e8c5ea34f6c65

        SHA256

        ba891d816b30733a8a9ca01e23342a008425fcca15bc5ad25253eaca6146d0d0

        SHA512

        36e8bb3c2e68940387ddb22eb8b6807f3f46f59272a9650be1a220bf4c6384c003c80fe028fc06b8a7cddea266a89ff020dde8b92eb3ac44ad17d4669c2f1e07

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\8ys2dmh9.pdb
        Filesize

        7KB

        MD5

        4433b8762072074d1efada54c113aabc

        SHA1

        3902435a9b2f084b58d05a97e08c8b77f9ae3ace

        SHA256

        c82c20cfcbca003473296739718d4d53efacc8036d38d2f8a5cf774012419b52

        SHA512

        e9c0f98fe73cdcd9df8e1787d447e1aaa9407ff1f75ba4a547b176bd26cb1c160f3fa798c1b5b44a1a57536b1a185eee8ccaa5126ad6e9d57606d5b96dbdd4cb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CabEA13.tmp
        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIEE7D.tmp
        Filesize

        848KB

        MD5

        8636e27b4e9fe2e7d4ef7f77fe3ba1d2

        SHA1

        f1c7c604ad423ae6885a4df033440056a937e9c2

        SHA256

        5080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c

        SHA512

        dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES15D3.tmp
        Filesize

        1KB

        MD5

        58875050b9c1c6739d6c83e75f39e8ec

        SHA1

        589af175bd6134210f1e69227fd2e6bf640bd228

        SHA256

        aa509b94bcefaac3af1a2f3ff8571f373058a6f4831c114a866fa59475783a49

        SHA512

        533d524fcd430f074a7ccd514203160c46bd035a397cf5be5c3c6d897a9d74c881b5ea89c5019fa062bc372a3e41d554af529be04a2f6bc7656b3453effdb302

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\TarEA35.tmp
        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\wsWAE.log
        Filesize

        1KB

        MD5

        d1bea0e086f80f1613a3e2872bd8a706

        SHA1

        f724e7f22f8dd98c4a98a9a3ca72b148044adfdb

        SHA256

        92efe12f2ef88bc413b101c36e819a669bca4c42200db7e80c0dd7b5520687b5

        SHA512

        0f75bffc587461661f1d5ce040d344a33539788c9d88076663e6d679046610ac38c7c9c37540d0a3f429d6a420a272a92ab32f7ef85522288f0d98570679cf1e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\wsWAE.log
        Filesize

        1KB

        MD5

        ea4c22972d20f662cc89087ea3bde586

        SHA1

        a643b8ace911d64db920d195430d555de5ef9185

        SHA256

        7c1c52b2d1a94447f44658b683051b11c44222ab570b6022dcdefc84648b9e80

        SHA512

        1acd981792641f80e614890d07446889e62f1b90e4e3db6f5cce87e4c5a2bbe3c6b8156fb0840709c96c6775b22026d59db2b8385f25879c784a142f8810397b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\wsWAE.log
        Filesize

        704B

        MD5

        2ce652e27c24640d27416b244314d2d9

        SHA1

        642812a6cf1da73f3bb5d8dde789095a4e852fdf

        SHA256

        a1c9305ddadcf8e1bd47caab7d43425e8bf2fddc4e881c595f2248b30d5d5405

        SHA512

        50d5c2c0d74fffe2797a7016f57e2e592bc77510bc59f4e08349c159a3aada06836b14bad80e938dc8a999fd0e41d791f474c59d219698b498c667e5d0e350c4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\wsduilib.log
        Filesize

        5KB

        MD5

        4e5209c8917e23a90fd802e8445564b8

        SHA1

        7e306644e5ad5c49731ed3493c3fcae6ec4595b9

        SHA256

        535aae77eca11e7b646117f3988d91111563a6cd5964c5e77917ba45384d9b08

        SHA512

        a720b841c155adef95adc67e2550cc5853cf6bd87d5318095ed08d61cc0f4729a4d5ccacad40ba24db423e8e7dd9ff1df50b5a55d964b5ea6cff6e4307a5f3af

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\wsduilib.log
        Filesize

        5KB

        MD5

        174713c5b4d852c4e5fa9aa697a99e5f

        SHA1

        a6b4ae69b0c93a7549ffda2195de60a675adc274

        SHA256

        9fe8d1a41f0dd20ae088d206aa76e63a1bdfe288e3aa5536325be68f242b6ab1

        SHA512

        5ee601833d1c0adfb2a4b23fbe4a54341f80658b6de14f6a9ae1abdf8e9724340fc395d6ac39107efb53b479dbde1a76d9de5d6f99df9e49bbc044e2849f540b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Adobe\uTFNyfqQlz\IWmQuHKqVGE.vBoiWPlDSXQZFsLyHtq
        Filesize

        80KB

        MD5

        468dee9785329d33d4be8c0061b695a4

        SHA1

        ce15df045676b9e7aa1be72058ac773967d231c0

        SHA256

        49c8255e93aeb1e4b22165d5450fb6405d828da0e4be4514afe8170d90fa056d

        SHA512

        7ec48f5a5d88cb16eee703eaf1a4008ba2dcf5bec39fafa092df899410f4910ade3e7e85e212702ad51e7ac3e73ca29de7fc787b14dc289f3b8809605f0e3123

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Adobe\uTFNyfqQlz\ItBLwjsEWNgqAkPelSG.ATjgkouJblHymtG
        Filesize

        157KB

        MD5

        3a3eac6e5c487e08df53fea4c5609443

        SHA1

        71ebc6a510ce8c6af80e9d6238c543cd8c7d6a01

        SHA256

        d115de38100886aa37067942c5996526be84d7574293a2f3e3c156c9e088e1fe

        SHA512

        d595d43225ca2e9dc5bc19f7631eb6ed1315f0b12981893061d444a0a87598eb43fd191debb4e24e22102ad09e57906ff2bb9a67d1d8ed1516cf05717477aba9

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Adobe\uTFNyfqQlz\OYrPSIEVQmiXF.oWgqnZbAzlERwCr
        Filesize

        141KB

        MD5

        5662203f0d751fe7a7eb9424dfb003b5

        SHA1

        82152cba29c062df9dc363809a806706433cc9d4

        SHA256

        3f714b3cc0ce96583b9988cf123bcc50224c009d93639c2a2307895d2c6ff691

        SHA512

        9476c7252495f05dc66beff0243ce28da96acc802415dc33cbbbfcd1f48d7333eba4fa1324b63586bde0e5fcf6b1abf048254c9aa93bbb4c6f0c79736e94b3a1

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Adobe\uTFNyfqQlz\RrhTOUqsJCnpZlVN.ETHGrqhnZJ
        Filesize

        49KB

        MD5

        01468ec8dd6ec869a56ff080b7148d45

        SHA1

        19f903afd3ea89e269ba15ed9fb5cfed9c84697e

        SHA256

        4c3f9fb0d2faeb9dd6bae0fc3974412a72607c2b4220a29fdfc869afa1835bb7

        SHA512

        36a1cf34d26306dbe592313459cf0b42602bfe851bddda25e26e429cf7ee86dcc0c3ce420b627171e8c6e5b0eeab396f6bd53939a09034957031980962526632

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Adobe\uTFNyfqQlz\TunXijxrdEp.zHtZprThoAavwWiedNl
        Filesize

        142KB

        MD5

        4c304cb2c66335f35a6108d2d96c32ff

        SHA1

        a635f1bcee3a01b9e1443f96f1dec6cdf00b436e

        SHA256

        54c3a322637d57b7feef67a545eecf04dfb10616e6c54b289305929c3048ae2c

        SHA512

        6cc6616e0887cc019b895fbb3bb0fd4bd626f9a64b8f8d01bb7b4cc2de1353eca76d6ba09522727ad7bf9ee04210e324db98f87d33ad4a88bc14520f8f006993

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Adobe\uTFNyfqQlz\cnazKJgIdisObweqmr.JBjiEnFHWRUm
        Filesize

        124KB

        MD5

        f637c84ffe9d44c5e8dd96d5ad6a657b

        SHA1

        be0f9a0025e0b166d99b76a8a9b843f7ac7fecbb

        SHA256

        13dbe1b569455e35b01f1ef37808eb32e28c3eea2c61ad791ea1bae22571cdd2

        SHA512

        e9e5740cd13b34815912d50f039bda286ca90887a17bff5dfc6d1321ed5ead74b85c14ed24f4b6deae17260b07c8c3c890ce9a88b0930abf65ec4009c7c123a1

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Adobe\uTFNyfqQlz\rTeERxIwNAVJz.SMhIQnZCzT
        Filesize

        170KB

        MD5

        7fae53376124e44532f945457992c233

        SHA1

        50eade936dc63a23d5df5f84d10be662c7433dc6

        SHA256

        929e4b73dd12280cabd4e41d4fce4c55eb74cec3ef5af7fb561adddf5e199fb5

        SHA512

        96e562c1434302d548500ff6dd754506feacc7d17f3a392b156620882be051840432e0a47ddfcf7cdce0562c28ad7f4c9e61283be68fddf5aa6154f6d86b147d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\p.ps1
        Filesize

        28KB

        MD5

        5201bec05304172eb34578a483da40da

        SHA1

        e4a91fd21e16639f759009a17e1f37df5c89f2b4

        SHA256

        5a2366fb3d365e87f77a982d83eefb5054d50e8e73d2043979e5616c7071a458

        SHA512

        7ea8de19029a90502fd6a472e1b449cdbf017a19e679d3383b34aea2af1e392de6216934640fd9d8c47fb8553759cde0880291ff2d187081ff9896746a276353

        Download Submit

      • C:\Users\Admin\AppData\Roaming\pdfelement-pro_setup_full5239.exe
        Filesize

        1.2MB

        MD5

        a9e71619275adf3f7f063f0e5f1da31d

        SHA1

        7b60c38b1a04f46e946828d15f28dd77fcf310f7

        SHA256

        1e26938fcff220a294c03ed106068ab845d9c762f3adba926bf46c19f8ba49d6

        SHA512

        be4c24cdf620f2dbb661aaf715703acb597604e2092917d96da437e7eed5cb3c866bd3914b7cf40eab7cff6cb1e19e0c3b62ccb29abc2f6d8e2e9d2ad7f75f17

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\8ys2dmh9.0.cs
        Filesize

        236B

        MD5

        dae076349c85f1ed8db78fd3bd75473c

        SHA1

        33be9fc7f764edae76f95fe28f452b740a75d809

        SHA256

        9e3f4a1c1286b86413b4844e216248f1a95e8a13ee74c2c71412c2d6c571f156

        SHA512

        ae396e869013c2c70936858646aeac2289b17c16a4f2a6b938d6d2434a30e9785e010ff3c42b9c728cd8c002ea4c8190783665f575e15962553eb7b229b9a923

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\8ys2dmh9.cmdline
        Filesize

        309B

        MD5

        1414ceac3690b595e9032a7dc46bf931

        SHA1

        87505f13c1fc28bf2d034b3f2c81e0dc12f217f1

        SHA256

        56df6d3504166fddc6507ecb99440dc6f71364c13fde2e73bffccede02d83e2d

        SHA512

        b2ffd3657f5c24014d5784f7989bdb2eb548c66dcd4c34254c2909cbc9c96fa0d20bb7874bbb5658ac1bfa1e23fd86124f8e59b2a28ec7c3e15f14b291b13b67

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\CSC15B2.tmp
        Filesize

        652B

        MD5

        e403947c4ad9eb690432c45d11fd32c6

        SHA1

        6421c46886e951cb907666173d09a7bd61494e61

        SHA256

        52ce0ddfd08b62cf150d21f8898bad7dbbda42f6d9b16e01228b90f5c7c20ce6

        SHA512

        03bb61c9442c274f9b15cbdb23110465da8ca3c9d1c053cc02419a5fb003ed14342d28ad9f6be748ac18c8de4c6deea3373ee7e08457b6323377f5fc0146b085

        Download Submit

      • memory/268-1502-0x0000000002960000-0x0000000002968000-memory.dmp

        Filesize

        32KB

        Download

      • memory/268-413-0x0000000002620000-0x0000000002628000-memory.dmp

        Filesize

        32KB

        Download

      • memory/268-412-0x000000001B640000-0x000000001B922000-memory.dmp

        Filesize

        2.9MB

        Download