Analysis

  • max time kernel
    194s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/03/2025, 05:19

General

  • Target

    flashplayer20_0d0_228_winax.msi

  • Size

    18.7MB

  • MD5

    5bbdc07c6e6389b5d2ce86765911c879

  • SHA1

    fa86f107111fc7def35742097bf0aa29c82d7638

  • SHA256

    63cef518bff5b7a8cadd6b2a8c6b738ce3f2fdce231e95db920cbdd75e0f0bc6

  • SHA512

    144b7d73094f19cfec404f1c10d133df43f5b67d39b404ecc2c82598bed55b0622dce13e24cfa39d0cbf552a296f4a132922d23e84130fe26480cf1b0dad0e73

  • SSDEEP

    393216:AJhhV7thwzSIFadpgMKjSCHDqhadHDk2My5FiO93IYP:UnV76SIUMDSADqhaLMy5l3b

Signatures

  • CryptOne packer (1 IoC)

    Detects the CryptOne packer described in the NCC Group blog post.

  • Blocklisted process makes network request (5 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Event Triggered Execution: Image File Execution Options Injection (1 TTP, 8 IoCs)
  • Indicator Removal: File Deletion (1 TTP)

    Adversaries may delete files left behind by their intrusion activity.

  • Network Service Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the host's network.

  • Drops file in System32 directory (17 IoCs)
  • Event Triggered Execution: Component Object Model Hijacking (1 TTP)

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Drops file in Windows directory (12 IoCs)
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (16 IoCs)
  • Checks whether UAC is enabled (1 TTP, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings (1 TTP, 22 IoCs)
  • Modifies data under HKEY_USERS (64 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (46 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\flashplayer20_0d0_228_winax.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1576
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 33DFBA81004DD9C1869C521CA424B15E C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2708
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5CD7C4A0C7DF636DF5A5C27F81432905
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2508
    • C:\Users\Admin\AppData\Local\Temp\InstallAX_20_0_0_228.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallAX_20_0_0_228.exe" -install -msi
      2⤵
      • Event Triggered Execution: Image File Execution Options Injection
      • Drops file in System32 directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Users\Admin\AppData\Local\Temp\{384B3B3C-4FF7-4EA9-ADB3-A340EC429255}\InstallFlashPlayer.exe
        "C:\Users\Admin\AppData\Local\Temp\{384B3B3C-4FF7-4EA9-ADB3-A340EC429255}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 2 -au 4294967295
        3⤵
        • Event Triggered Execution: Image File Execution Options Injection
        • Network Service Discovery
        • Drops file in System32 directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Modifies Internet Explorer settings
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:620
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\{384B3B3C-4FF7-4EA9-ADB3-A340EC429255}\InstallFlashPlayer.exe" >> NUL
          4⤵
          PID:2520
      • C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
        C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -install
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:812
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\InstallAX_20_0_0_228.exe" >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2428
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:1116
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000054C" "00000000000002D0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:2036
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {2B735B4B-F54F-4EB4-8311-11DCFB82D640} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1592
    • C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
      C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1664
  • C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:1644
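Two things in this tree are what a detection engineer keys on: the executables run from the user's Temp directory under msiexec.exe (PIDs 1672 and 620, the "Executes dropped EXE" signature) and the two cmd.exe /c del children that remove the image of their own parent (PIDs 2520 and 2428, the "Indicator Removal: File Deletion" signature). The Python below is an added example, not part of the sandbox output: it replays constructed process-creation events built from the PIDs, image paths and command lines listed above and implements both checks. The ProcEvent record shape and the ancestor walk are my own assumptions; in practice you would map Sysmon Event ID 1 or EDR process-start records onto it. The tree itself shows the caveat: an installer deleting the temporary binary it extracted produces exactly this pattern, so treat a hit as a triage signal to be read together with the parent chain, not as a verdict.

```python
"""Added example (not sandbox output): replay the process tree above as
process-creation events and flag two things an analyst keys on in it:
executables launched from the user's Temp directory, and cmd.exe /c del
commands whose target is the image of the calling process or an ancestor."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record; the field set is an assumption
    (map Sysmon Event ID 1 ProcessId/ParentProcessId/Image/CommandLine onto it)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the PIDs, image paths and command lines in the tree above.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
GUID = "{384B3B3C-4FF7-4EA9-ADB3-A340EC429255}"
EVENTS = [
    ProcEvent(2684, 0, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(1672, 2684, TEMP + r"\InstallAX_20_0_0_228.exe",
              f'"{TEMP}\\InstallAX_20_0_0_228.exe" -install -msi'),
    ProcEvent(620, 1672, f"{TEMP}\\{GUID}\\InstallFlashPlayer.exe",
              f'"{TEMP}\\{GUID}\\InstallFlashPlayer.exe" -install -skipARPEntry -iv 2 -au 4294967295'),
    ProcEvent(2520, 620, r"C:\Windows\system32\cmd.exe",
              f'"C:\\Windows\\system32\\cmd.exe" /c del "{TEMP}\\{GUID}\\InstallFlashPlayer.exe" >> NUL'),
    ProcEvent(812, 1672, r"C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe",
              r"C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -install"),
    ProcEvent(2428, 1672, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\system32\\cmd.exe" /c del "{TEMP}\\InstallAX_20_0_0_228.exe" >> NUL'),
]

# Image path under any user's %TEMP%.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# cmd.exe deletion verb with a quoted or bare target.
DEL_RE = re.compile(r'\b(?:del|erase)\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def temp_executions(events):
    """PIDs whose image lives under a user's Temp directory ('Executes dropped EXE')."""
    return [e.pid for e in events if USER_TEMP_RE.match(e.image)]


def deletion_target(cmdline):
    """Path named by a del/erase verb in a cmd.exe command line, or None."""
    m = DEL_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def self_deletions(events):
    """(cmd pid, victim pid, path) for cmd.exe children that delete an ancestor's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        target = deletion_target(e.cmdline)
        if target is None:
            continue
        anc = by_pid.get(e.ppid)
        while anc is not None:  # walk up until the chain leaves the event set
            if anc.image.lower() == target.lower():
                hits.append((e.pid, anc.pid, target))
                break
            anc = by_pid.get(anc.ppid)
    return hits


def chain(events, pid):
    """Image paths from the root of the known tree down to pid, for the analyst."""
    by_pid = {e.pid: e for e in events}
    out = []
    while pid in by_pid:
        out.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return list(reversed(out))


if __name__ == "__main__":
    print("run from user Temp:", temp_executions(EVENTS))
    for cmd_pid, victim, path in self_deletions(EVENTS):
        print(f"PID {cmd_pid} deletes image of PID {victim}: {path}")
        print("   chain:", " -> ".join(chain(EVENTS, cmd_pid)))
```

Against the constructed events this reports PIDs 1672 and 620 as Temp executions and both cmd.exe children as self-deletions, each with the msiexec.exe chain that led to it; the chain is what lets you tell an installer's cleanup from a loader erasing its stager.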

MITRE ATT&CK Enterprise v15 (framework version used for the TTP tags in the signatures above)

Downloads

      • C:\Config.Msi\f76dfc6.rbs

        Filesize

        8KB

        MD5

        49b207f82ed4f4976d397c6bd51ed99f

        SHA1

        2da8ac53f00695e0b43ab66ce4c90044b0e45963

        SHA256

        d862e3141136047f46007be797196f1612a37888b923988413f059658ef72d89

        SHA512

        d08f16a3f6c4bd9817128ffe6c0735d1f2ecf99c551710b31518127d073a0ba5be0cb65f99d94485b0613e96affe864f47c7b9795686518f3433d30d872bcb18

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0972B7C417F696E06E186AEB26286F01_3EAEAB67121169D5C037E4B1278DEA7C

        Filesize

        5B

        MD5

        5bfa51f3a417b98e7443eca90fc94703

        SHA1

        8c015d80b8a23f780bdd215dc842b0f5551f63bd

        SHA256

        bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

        SHA512

        4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3D0AC26322348780E90E022EA217C58C

        Filesize

        16KB

        MD5

        f3c162704d3b510ad6e20ed70e5f7652

        SHA1

        4e9091c9c519fe60e1509364f9120a4c1f1f5bdb

        SHA256

        06cbf2c10e9e9fccc983aca05d438a3d11a3f8fb3a28ca000fe579b0b8e18a03

        SHA512

        97cca43da45a1f3b236ab455f72a4784174fac1a2ea513751008b1a42774e14a9eb8c302e9c8f090198953846affd4886178ef9af27b6ba3f8434d9c695c04ba

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

        Filesize

        71KB

        MD5

        83142242e97b8953c386f988aa694e4a

        SHA1

        833ed12fc15b356136dcdd27c61a50f59c5c7d50

        SHA256

        d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

        SHA512

        bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A3D5BF1283C2E63D8C8A8C72F0051F5A

        Filesize

        834B

        MD5

        5cb16e48b582bf86a4b396fcbc235981

        SHA1

        3e7cbf189fbbff1efb9b04c398ceb902e816f15b

        SHA256

        ba479af493eeefdf7de4c86890f5d87886bc0bc92522d39dd09eb21f85cf23f9

        SHA512

        55210eb21fd974bb189063d4e377c37b2cf1c2e0d7ec056dee48f8619cfe04a7a8c1ba329abcfa7edb4785fac08375df4c8261e98dc3a8294f0f4fc29cf61eee

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0972B7C417F696E06E186AEB26286F01_3EAEAB67121169D5C037E4B1278DEA7C

        Filesize

        398B

        MD5

        8fbab61f92ae9738df8d7b6e0044b885

        SHA1

        a93dbb12e49a05b78a9b16a9a542b35144895cc5

        SHA256

        63b83e1496f1957ee56996f0150bce73b09ad2af75f5783bb85914fb407f2575

        SHA512

        1851d1577b73898d4162e3dd5a741cb633ac345a3453fe524b82a280e88df64daa32537799455f0049099047b588e65f594b1fbd9aeaf9062ad8b742968bf3f6

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3D0AC26322348780E90E022EA217C58C

        Filesize

        170B

        MD5

        48ff82c29b79468aa7f2c93eb0f33eb8

        SHA1

        da2ed96f39d89354d8b31064e712e754822cb724

        SHA256

        bbd46bb328f9a8a6c378bbcea8b220a7ddbe939d36a55a944750a3d5dec40b6b

        SHA512

        22a7a83994d7a160e2eef63db9ddcbc34fed29ae79ee3b6284a8ab433f0092ae004cbebba809b4ff1c2ee69e96439f2fe137379133f4be02e9a7021d7e4a6712

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F

        Filesize

        392B

        MD5

        7151f5435f27472e3a2e82b471c633dd

        SHA1

        96eeb10b23a892b62dcfc8211cf84a2dfa386564

        SHA256

        77b7a3cf36b4f99d5c1b8d721929d50b6d68cb0ffa4d4169e0cedfd0653d1bb8

        SHA512

        e1086b40938314f7d3f6e7326956b24720cb801c56e664378553f57325d5addba854fc11379c4681d5439481fa892d4b3dddc08a0b77b3420810b9d142e142cf

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        03ab73ba87389a0c28bdf8e871cae5bf

        SHA1

        6bfd35567f76693e234409e28aa8396e1c57af9f

        SHA256

        1de7e500cc31bc6433053344c26c647e6f35b601bb1b3fa38d626714e29ce345

        SHA512

        304ba8d864ca4cc5faa7c4e138116f8c99a2502ed5bb6bd2549168c1c5318954eff0e4b80cd36550f834eaf2d6588a0f9d56bd1e7a8f2f8f879c92af90fb061c

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A3D5BF1283C2E63D8C8A8C72F0051F5A

        Filesize

        178B

        MD5

        76709272b9d0a9db164146952a1776bd

        SHA1

        815f25cee8d5f3e3aa10d115bd1954c1f5f78046

        SHA256

        37c5cf2bdcad4b6546deabdc238c0e76eaaeb044ff1e63508e607d19d57946bc

        SHA512

        bb509438126c53912e548e53c7d56b0c3071c711c564553ca477de75b944e7db2d2f36b0de9c428064303d8b15b1ff5348c08790b5505ac21394ebbb8af5d299

      • C:\Users\Admin\AppData\Local\Temp\InstallAX_20_0_0_228.exe

        Filesize

        17.5MB

        MD5

        8028ab3fa3c7f3c3468a714db788f2b1

        SHA1

        2035f1356438d7ed28db46b3e2a4eeb11ade4579

        SHA256

        2998f50b750ad49dc49b9a46e8c1a69a6fe636a3f0f10705deab9a4ea31d7209

        SHA512

        6c6dd8bd10a6a543eada17e54e4a7ef7fdcb5f080041be275e377fa15f63a730d210f04bcb0880222e38ca28932c531128f5e537a03b7b95ee56a6742bf25e6d

      • C:\Users\Admin\AppData\Local\Temp\MSI6aa63.LOG

        Filesize

        63KB

        MD5

        715432bd0d2e49b58b28d3932fd89cad

        SHA1

        6e4ad494e48b9cc4a75ad8a95238dc62c5280dfe

        SHA256

        b8d74bb855c240f11dd3d781d667b306832f67c741c9fece2cd42da07e4fba91

        SHA512

        9a107934e7ce007ca055cc3cd47b27ccb526e82c86b4dfc2e9d407b6c0e547170b58530005e1d24d4f04a455e594c803a1b8aea59882b23a1a743b33ec6ad1b6

      • C:\Users\Admin\AppData\Local\Temp\MSIAFF8.tmp

        Filesize

        57KB

        MD5

        c23d4d5a87e08f8a822ad5a8dbd69592

        SHA1

        317df555bc309dace46ae5c5589bec53ea8f137e

        SHA256

        6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27

        SHA512

        fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

      • C:\Users\Admin\AppData\Local\Temp\MSIB047.tmp

        Filesize

        141KB

        MD5

        edb88affffd67bca3523b41d3e2e4810

        SHA1

        0055b93907665fed56d22a7614a581a87d060ead

        SHA256

        4c3d85e7c49928af0f43623dcbed474a157ef50af3cba40b7fd7ac3fe3df2f15

        SHA512

        2b9d99c57bfa9ab00d8582d55b18c5bf155a4ac83cf4c92247be23c35be818b082b3d6fe38fa905d304d2d8b957f3db73428da88e46acc3a7e3fee99d05e4daf

      • C:\Users\Admin\AppData\Local\Temp\TarAC7C.tmp

        Filesize

        183KB

        MD5

        109cab5505f5e065b63d01361467a83b

        SHA1

        4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

        SHA256

        ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

        SHA512

        753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

      • C:\Windows\Installer\f76dfc4.msi

        Filesize

        18.7MB

        MD5

        5bbdc07c6e6389b5d2ce86765911c879

        SHA1

        fa86f107111fc7def35742097bf0aa29c82d7638

        SHA256

        63cef518bff5b7a8cadd6b2a8c6b738ce3f2fdce231e95db920cbdd75e0f0bc6

        SHA512

        144b7d73094f19cfec404f1c10d133df43f5b67d39b404ecc2c82598bed55b0622dce13e24cfa39d0cbf552a296f4a132922d23e84130fe26480cf1b0dad0e73

      • \Users\Admin\AppData\Local\Temp\{384B3B3C-4FF7-4EA9-ADB3-A340EC429255}\InstallFlashPlayer.exe

        Filesize

        9.1MB

        MD5

        2c307edcbbbd6ad698c4e47067aa8641

        SHA1

        4b5c6b933d71b56fa01ed53e74b257944708ae55

        SHA256

        f34939585a10764d45a87c535873aec4e28a0e8016f581ff339436be034ba52a

        SHA512

        bd3bae96ddf9a00eae39b3f954984f3b834b32d15e6537e747d049ecc8dcde31b9a35a906dcb77d2e3e97c36f895b4ef6f9188d5a981a882db3adaa5b988ecfa

      • \Users\Admin\AppData\Local\Temp\{51617FF3-D79C-4880-A849-C0DD18F28629}\fpb.tmp

        Filesize

        562KB

        MD5

        f6c9330cc45fdd0caef7f5f8bdb51ff5

        SHA1

        278fcfa827257e37f91e6f3005dd7774b50d29d9

        SHA256

        2d5895550819a89d7a8346dac2ac3043baeea6705148456d8649969cf88bde79

        SHA512

        ac1e5141956e3bc3f4167f3676a10a2ea674c89ca4eadac195411b62ebcf4f51dcf0e8dbd1bd3d5443d441aa9a228c8558f1789d8d2292ec7d14607fe28df01a

      • \Users\Admin\AppData\Local\Temp\{537E4760-347F-4E2D-97B7-5B2011453863}\fpb.tmp

        Filesize

        496KB

        MD5

        ba4ae84720ed3fb1e0f04481f03c928f

        SHA1

        3071b7b4fe8fce29dd6afbf2630d0396f795c6f4

        SHA256

        c52f5f7ce908a9a3bab64ec8e765f53012f6bdcb8736b31fede77cb1dc268bdc

        SHA512

        37baeb41c55b5cfb10c92cc3e682d1b229d5cbc9063fc70c74d9befcf655ef1939d244574e2f97e10226ff6c210e54a1eb1660a082bb8a34d112e59f39fe163a

      • \Users\Admin\AppData\Local\Temp\{8DD97C1D-148B-4E2A-B1FA-F1549CA669A7}\fpb.tmp

        Filesize

        1.1MB

        MD5

        4b5578b92aa9b6c8e456606adf962bb3

        SHA1

        60bcace18b601036cdf6a659e502be7ae1fa28b2

        SHA256

        9c3f2d1fa670a0ddd3781e7e8e86c4fb1b516fa9f3ae970f4d4c581e5939fdc1

        SHA512

        3ff95d64c8afdc8c8ab974f513db873e99d0d3fde897db55574c13f7f38f37b2ad03a6354b8321e696c5790fe071133e0fe4b5ef2f7dbcbb76ea3f521abe898a

      • \Users\Admin\AppData\Local\Temp\{BF866B1B-791F-412E-8A17-C6E9F484042B}\fpb.tmp

        Filesize

        858KB

        MD5

        ab8b7d5e808226f8e4279f6a779dcf2d

        SHA1

        213cebfa80f179468c79296a7e5d038bb3ed84a2

        SHA256

        60048a8f9395ec1dd6160ee7bed035f106ae13cccd714cc2c40173cfb3fbd242

        SHA512

        b43fbfb51a014be44f43b6abb252e3f1be74b825f0c18c1bf7775e0eafa7e1c602e46a46307e35bbe9ebafddbbf3cf384c4d366e8b8bfc11632c2ad2291cf43a

      • \Windows\SysWOW64\Macromed\Flash\Flash32_20_0_0_228.ocx

        Filesize

        16.9MB

        MD5

        2f45875867bf0dc006d1a11e795abc8e

        SHA1

        bf1de85b83200ad8e8913183226b76aabc122986

        SHA256

        77e1e64227ba610f010f3742349114a4859daf57650ac676b220d1e1cf547450

        SHA512

        7b848c65d07bbfee2f369c0ebb4571fc8af8c739a74852fe6dda9f4df9287ac45ffa40f0b9d07c39f85fc49b31d8e7ec8765b4707e5e7314b54a1005ced92961

      • \Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

        Filesize

        263KB

        MD5

        bdd170a319b7a9f7b11f58e59f827a31

        SHA1

        05ce443e1f44449b07ad3d45a8ae4e3465697bf6

        SHA256

        ca8355f72b3d8e000e60670f717508a8dbde163d26f0e6e6255f6dee2027124b

        SHA512

        eca9431d7e40f88a8c51ba0533e63c001b340be81c330f61f082d85c55b4fee489eee85776494ee723b051f2b982b5669144b8f2d8d33b92e924ca02a870b0df

      • \Windows\System32\Macromed\Flash\Flash64_20_0_0_228.ocx

        Filesize

        23.6MB

        MD5

        914fc3a3c30f3f5d7906308067b9ae2f

        SHA1

        6ab5f83269500809bbed37081dc7cdb8c08fecfc

        SHA256

        93d92c4e66a91535bd1a2b17445c183ade43fb0a94bffb96e693704bdbd28c43

        SHA512

        8c0f8d6815fae339624985b2977f1d5abd8f75a7109071428eb70b66770473cb3913a87394c6201e9046d25657e7c58851c9f8474aada1d5afcdfd9874ecfbd0

      • memory/620-149-0x00000000710B0000-0x0000000072944000-memory.dmp

        Filesize

        24.6MB
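Most of the entries above are bookkeeping rather than payload: the CryptnetUrlCache files are the cache Windows writes when it fetches CRL/OCSP/certificate data during signature checks, the .rbs under C:\Config.Msi is the Windows Installer rollback script, the MSI*.tmp and MSI*.LOG files are installer temporaries, and C:\Windows\Installer\f76dfc4.msi carries exactly the MD5/SHA1/SHA256/SHA512 of the submitted Target, so it is the installer's cached copy of the sample and not a second file. The script below is an added example, not part of the report: it parses the text layout of this Downloads list, applies those three rules and returns the remaining dropped-file hashes as the IOC set worth sweeping for. SAMPLE_DOWNLOADS is a constructed excerpt of five entries copied from the list above (SHA512 omitted); the noise rules and category names are my own triage assumptions.

```python
"""Added example (not sandbox output): reduce this report's Downloads list to
the file IOCs worth sweeping for. An entry whose SHA256 equals the submitted
sample is a copy of it (the Windows Installer cache copy f76dfc4.msi here),
CryptnetUrlCache and Windows Installer bookkeeping files are noise, and the
rest is the dropped-file set."""
import re

# SHA256 of the Target, from the General section above.
TARGET_SHA256 = "63cef518bff5b7a8cadd6b2a8c6b738ce3f2fdce231e95db920cbdd75e0f0bc6"

# Constructed excerpt: five entries copied from the Downloads list (SHA512 omitted).
SAMPLE_DOWNLOADS = r"""
• C:\Config.Msi\f76dfc6.rbs
  Filesize
  8KB
  MD5
  49b207f82ed4f4976d397c6bd51ed99f
  SHA1
  2da8ac53f00695e0b43ab66ce4c90044b0e45963
  SHA256
  d862e3141136047f46007be797196f1612a37888b923988413f059658ef72d89
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3D0AC26322348780E90E022EA217C58C
  Filesize
  16KB
  MD5
  f3c162704d3b510ad6e20ed70e5f7652
  SHA1
  4e9091c9c519fe60e1509364f9120a4c1f1f5bdb
  SHA256
  06cbf2c10e9e9fccc983aca05d438a3d11a3f8fb3a28ca000fe579b0b8e18a03
• C:\Windows\Installer\f76dfc4.msi
  Filesize
  18.7MB
  MD5
  5bbdc07c6e6389b5d2ce86765911c879
  SHA1
  fa86f107111fc7def35742097bf0aa29c82d7638
  SHA256
  63cef518bff5b7a8cadd6b2a8c6b738ce3f2fdce231e95db920cbdd75e0f0bc6
• \Windows\SysWOW64\Macromed\Flash\Flash32_20_0_0_228.ocx
  Filesize
  16.9MB
  MD5
  2f45875867bf0dc006d1a11e795abc8e
  SHA1
  bf1de85b83200ad8e8913183226b76aabc122986
  SHA256
  77e1e64227ba610f010f3742349114a4859daf57650ac676b220d1e1cf547450
• memory/620-149-0x00000000710B0000-0x0000000072944000-memory.dmp
  Filesize
  24.6MB
"""

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")

# Noise rules are my own triage assumptions, not part of the report.
NOISE = (
    (re.compile(r"\\CryptnetUrlCache\\", re.I),
     "CryptNet URL cache (CRL/OCSP/certificate fetches during signature checks)"),
    (re.compile(r"^C:\\Config\.Msi\\.*\.rbs$", re.I), "Windows Installer rollback script"),
    (re.compile(r"\\MSI[0-9A-F]+\.(tmp|LOG)$", re.I), "Windows Installer temp/log file"),
    (re.compile(r"^memory/"), "memory dump, not a file on disk"),
)


def parse_downloads(text):
    """Parse the 'bullet path / label line / value line' layout into dicts."""
    entries, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            cur = {"path": line.lstrip("• ").strip()}
            entries.append(cur)
            pending = None
        elif line in LABELS:
            pending = line.lower()
        elif cur is not None and pending is not None:
            cur[pending] = line
            pending = None
    return entries


def classify(entry, target_sha256=TARGET_SHA256):
    """'copy-of-submitted-sample', 'noise: <why>' or 'dropped'."""
    if entry.get("sha256", "").lower() == target_sha256.lower():
        return "copy-of-submitted-sample"
    for rx, why in NOISE:
        if rx.search(entry["path"]):
            return "noise: " + why
    return "dropped"


def triage(text, target_sha256=TARGET_SHA256):
    """path -> category for every entry in the text."""
    return {e["path"]: classify(e, target_sha256) for e in parse_downloads(text)}


def dropped_iocs(text, target_sha256=TARGET_SHA256):
    """(path, sha256) for entries that are neither noise nor copies of the sample."""
    return [(e["path"], e.get("sha256"))
            for e in parse_downloads(text) if classify(e, target_sha256) == "dropped"]


if __name__ == "__main__":
    for path, category in triage(SAMPLE_DOWNLOADS).items():
        print(f"{category:28s} {path}")
```

Run over the full list, the same rules leave the InstallAX/InstallFlashPlayer executables, the fpb.tmp extraction files, the two Flash OCX files and FlashPlayerUpdateService.exe as the dropped set; pasting the whole Downloads section into SAMPLE_DOWNLOADS is all that is needed.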