Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240215-es
- resource tags: arch:x64, arch:x86, image:win7-20240215-es, locale:es-es, os:windows7-x64, system:windows
- submitted: 03-05-2024 17:03
Behavioral task: behavioral1
- Sample: c0a3de641576cce67bbeb6c58c776f73d86e09ee89d37570c724071bf848afc5.msi
- Resource: win7-20240215-es
Behavioral task: behavioral2
- Sample: c0a3de641576cce67bbeb6c58c776f73d86e09ee89d37570c724071bf848afc5.msi
- Resource: win10v2004-20240419-es
General
- Target: c0a3de641576cce67bbeb6c58c776f73d86e09ee89d37570c724071bf848afc5.msi
- Size: 13.7MB
- MD5: b9f84cbf370857a27761d54dae9a31f0
- SHA1: db4b996018577044895978e48fe1244d639eeb93
- SHA256: c0a3de641576cce67bbeb6c58c776f73d86e09ee89d37570c724071bf848afc5
- SHA512: be6b60499906bd5b5e52e7685980d5a1648a4f8a82b81d05a8d7da46ae01e9cd1a852db0e8af4993e391dbfbee39f83808aa942667083fc504871b43762104a6
- SSDEEP: 98304:DtNkaeb7Yp7pRFjr+fTHopNj2AGvCg5P2hyzJGuvPEsxNg9Lkh8l480:DebGX0HuNABQyNPEsDKwS
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- UNC.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\sgs7lrs = "C:\\5izjq1fr\\UNC.exe"
Blocklisted process makes network request (1 IoC)
Processes:
- flow 4: PID 3004 MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- msiexec.exe: File opened (read-only) \??\H:
- msiexec.exe: File opened (read-only) \??\L:
- msiexec.exe: File opened (read-only) \??\S:
- msiexec.exe: File opened (read-only) \??\U:
- msiexec.exe: File opened (read-only) \??\G:
- msiexec.exe: File opened (read-only) \??\Y:
- msiexec.exe: File opened (read-only) \??\G:
- msiexec.exe: File opened (read-only) \??\T:
- msiexec.exe: File opened (read-only) \??\W:
- msiexec.exe: File opened (read-only) \??\B:
- msiexec.exe: File opened (read-only) \??\K:
- msiexec.exe: File opened (read-only) \??\M:
- msiexec.exe: File opened (read-only) \??\N:
- msiexec.exe: File opened (read-only) \??\R:
- msiexec.exe: File opened (read-only) \??\S:
- msiexec.exe: File opened (read-only) \??\O:
- msiexec.exe: File opened (read-only) \??\V:
- msiexec.exe: File opened (read-only) \??\T:
- msiexec.exe: File opened (read-only) \??\Y:
- msiexec.exe: File opened (read-only) \??\O:
- msiexec.exe: File opened (read-only) \??\N:
- msiexec.exe: File opened (read-only) \??\P:
- msiexec.exe: File opened (read-only) \??\L:
- msiexec.exe: File opened (read-only) \??\I:
- msiexec.exe: File opened (read-only) \??\J:
- msiexec.exe: File opened (read-only) \??\Z:
- msiexec.exe: File opened (read-only) \??\X:
- msiexec.exe: File opened (read-only) \??\A:
- msiexec.exe: File opened (read-only) \??\H:
- msiexec.exe: File opened (read-only) \??\U:
- msiexec.exe: File opened (read-only) \??\Q:
- msiexec.exe: File opened (read-only) \??\W:
- msiexec.exe: File opened (read-only) \??\Z:
- msiexec.exe: File opened (read-only) \??\M:
- msiexec.exe: File opened (read-only) \??\Q:
- msiexec.exe: File opened (read-only) \??\V:
- msiexec.exe: File opened (read-only) \??\X:
- msiexec.exe: File opened (read-only) \??\B:
- msiexec.exe: File opened (read-only) \??\K:
- msiexec.exe: File opened (read-only) \??\P:
- msiexec.exe: File opened (read-only) \??\A:
- msiexec.exe: File opened (read-only) \??\E:
- msiexec.exe: File opened (read-only) \??\R:
- msiexec.exe: File opened (read-only) \??\E:
- msiexec.exe: File opened (read-only) \??\I:
- msiexec.exe: File opened (read-only) \??\J:
Drops file in Windows directory (10 IoCs)
Processes:
- msiexec.exe: File opened for modification C:\Windows\Installer\f7619d7.msi
- msiexec.exe: File opened for modification C:\Windows\Installer\MSI1AE1.tmp
- msiexec.exe: File opened for modification C:\Windows\Installer\MSI1B11.tmp
- msiexec.exe: File opened for modification C:\Windows\Installer\
- msiexec.exe: File opened for modification C:\Windows\Installer\MSI1C89.tmp
- msiexec.exe: File created C:\Windows\Installer\f7619d7.msi
- msiexec.exe: File opened for modification C:\Windows\Installer\MSI1A06.tmp
- msiexec.exe: File created C:\Windows\Installer\f7619da.ipi
- msiexec.exe: File opened for modification C:\Windows\Installer\MSI1CAA.tmp
- msiexec.exe: File opened for modification C:\Windows\Installer\f7619da.ipi
Executes dropped EXE (1 IoC)
Processes:
- PID 1724 UNC.exe
Loads dropped DLL (7 IoCs)
Processes:
- PID 3004 MsiExec.exe
- PID 3004 MsiExec.exe
- PID 3004 MsiExec.exe
- PID 3004 MsiExec.exe
- PID 3004 MsiExec.exe
- PID 3004 MsiExec.exe
- PID 1724 UNC.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Gathers network information (2 TTPs, 1 IoC)
Uses a command-line utility to view the network configuration.
Processes:
- PID 2676 ipconfig.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
- PID 2820 msiexec.exe
- PID 2820 msiexec.exe
- PID 1724 UNC.exe
- PID 1724 UNC.exe
- PID 1724 UNC.exe
- PID 1724 UNC.exe
- PID 1724 UNC.exe
- PID 1724 UNC.exe
- PID 1724 UNC.exe
- PID 1724 UNC.exe
- PID 1724 UNC.exe
- PID 1724 UNC.exe
- PID 1724 UNC.exe
- PID 1724 UNC.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 1724 UNC.exe
Suspicious use of AdjustPrivilegeToken (52 IoCs)
Processes:
- Token: SeShutdownPrivilege (PID 2360 msiexec.exe)
- Token: SeIncreaseQuotaPrivilege (PID 2360 msiexec.exe)
- Token: SeRestorePrivilege (PID 2820 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2820 msiexec.exe)
- Token: SeSecurityPrivilege (PID 2820 msiexec.exe)
- Token: SeCreateTokenPrivilege (PID 2360 msiexec.exe)
- Token: SeAssignPrimaryTokenPrivilege (PID 2360 msiexec.exe)
- Token: SeLockMemoryPrivilege (PID 2360 msiexec.exe)
- Token: SeIncreaseQuotaPrivilege (PID 2360 msiexec.exe)
- Token: SeMachineAccountPrivilege (PID 2360 msiexec.exe)
- Token: SeTcbPrivilege (PID 2360 msiexec.exe)
- Token: SeSecurityPrivilege (PID 2360 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2360 msiexec.exe)
- Token: SeLoadDriverPrivilege (PID 2360 msiexec.exe)
- Token: SeSystemProfilePrivilege (PID 2360 msiexec.exe)
- Token: SeSystemtimePrivilege (PID 2360 msiexec.exe)
- Token: SeProfSingleProcessPrivilege (PID 2360 msiexec.exe)
- Token: SeIncBasePriorityPrivilege (PID 2360 msiexec.exe)
- Token: SeCreatePagefilePrivilege (PID 2360 msiexec.exe)
- Token: SeCreatePermanentPrivilege (PID 2360 msiexec.exe)
- Token: SeBackupPrivilege (PID 2360 msiexec.exe)
- Token: SeRestorePrivilege (PID 2360 msiexec.exe)
- Token: SeShutdownPrivilege (PID 2360 msiexec.exe)
- Token: SeDebugPrivilege (PID 2360 msiexec.exe)
- Token: SeAuditPrivilege (PID 2360 msiexec.exe)
- Token: SeSystemEnvironmentPrivilege (PID 2360 msiexec.exe)
- Token: SeChangeNotifyPrivilege (PID 2360 msiexec.exe)
- Token: SeRemoteShutdownPrivilege (PID 2360 msiexec.exe)
- Token: SeUndockPrivilege (PID 2360 msiexec.exe)
- Token: SeSyncAgentPrivilege (PID 2360 msiexec.exe)
- Token: SeEnableDelegationPrivilege (PID 2360 msiexec.exe)
- Token: SeManageVolumePrivilege (PID 2360 msiexec.exe)
- Token: SeImpersonatePrivilege (PID 2360 msiexec.exe)
- Token: SeCreateGlobalPrivilege (PID 2360 msiexec.exe)
- Token: SeRestorePrivilege (PID 2820 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2820 msiexec.exe)
- Token: SeRestorePrivilege (PID 2820 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2820 msiexec.exe)
- Token: SeRestorePrivilege (PID 2820 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2820 msiexec.exe)
- Token: SeRestorePrivilege (PID 2820 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2820 msiexec.exe)
- Token: SeRestorePrivilege (PID 2820 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2820 msiexec.exe)
- Token: SeRestorePrivilege (PID 2820 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2820 msiexec.exe)
- Token: SeRestorePrivilege (PID 2820 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2820 msiexec.exe)
- Token: SeRestorePrivilege (PID 2820 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2820 msiexec.exe)
- Token: SeRestorePrivilege (PID 2820 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2820 msiexec.exe)
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
- PID 2360 msiexec.exe
- PID 2360 msiexec.exe
- PID 1724 UNC.exe
- PID 1724 UNC.exe
Suspicious use of SendNotifyMessage (1 IoC)
Processes:
- PID 1724 UNC.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
- PID 3004 MsiExec.exe
- PID 3004 MsiExec.exe
- PID 3004 MsiExec.exe
- PID 1724 UNC.exe
Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
- PID 2820 (msiexec.exe) wrote to memory of PID 3004 (MsiExec.exe)
- PID 2820 (msiexec.exe) wrote to memory of PID 3004 (MsiExec.exe)
- PID 2820 (msiexec.exe) wrote to memory of PID 3004 (MsiExec.exe)
- PID 2820 (msiexec.exe) wrote to memory of PID 3004 (MsiExec.exe)
- PID 2820 (msiexec.exe) wrote to memory of PID 3004 (MsiExec.exe)
- PID 2820 (msiexec.exe) wrote to memory of PID 3004 (MsiExec.exe)
- PID 2820 (msiexec.exe) wrote to memory of PID 3004 (MsiExec.exe)
- PID 3004 (MsiExec.exe) wrote to memory of PID 1724 (UNC.exe)
- PID 3004 (MsiExec.exe) wrote to memory of PID 1724 (UNC.exe)
- PID 3004 (MsiExec.exe) wrote to memory of PID 1724 (UNC.exe)
- PID 3004 (MsiExec.exe) wrote to memory of PID 1724 (UNC.exe)
- PID 1724 (UNC.exe) wrote to memory of PID 2264 (cmd.exe)
- PID 1724 (UNC.exe) wrote to memory of PID 2264 (cmd.exe)
- PID 1724 (UNC.exe) wrote to memory of PID 2264 (cmd.exe)
- PID 1724 (UNC.exe) wrote to memory of PID 2264 (cmd.exe)
- PID 2264 (cmd.exe) wrote to memory of PID 2676 (ipconfig.exe)
- PID 2264 (cmd.exe) wrote to memory of PID 2676 (ipconfig.exe)
- PID 2264 (cmd.exe) wrote to memory of PID 2676 (ipconfig.exe)
- PID 2264 (cmd.exe) wrote to memory of PID 2676 (ipconfig.exe)
Processes (tree; indentation shows parent/child relationship)
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c0a3de641576cce67bbeb6c58c776f73d86e09ee89d37570c724071bf848afc5.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 24A024C72715D9FCA75C53C138D70ED9
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\5izjq1fr\UNC.exe
      Command line: "C:\5izjq1fr\UNC.exe"
      - Adds Run key to start application
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c ipconfig /renew
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\ipconfig.exe
          Command line: ipconfig /renew
          - Gathers network information
Downloads
- C:\5izjq1fr\UNC.exe
  Filesize: 5.7MB
  MD5: b43c99c9e4b57ea9fef141ac306e59fe
  SHA1: b4f15a82fd94043f94267fe8948a2d402176f731
  SHA256: 437d592cec3a0085b89f21ba1bcf41f6d62c9ce7cca7fe2452eebb567ffb9d06
  SHA512: 7c1d39fa3f0c58939000722fc2a6a3155e12444e1986317775158019b6915225255b86c7f16d5afaf10223e8ab0f9b3c9357eda19e7f5f716ee14f3da5e6e1c9
- C:\5izjq1fr\tont.dll
  Filesize: 1.5MB
  MD5: 9982dd5b2f0c21404a2025db4900966e
  SHA1: 43484b55d1ba57fc05234aa8c05c0d4adb78239c
  SHA256: e0e888371dfe14b8e2e8115bab277d1f17bffbff2a83fe6e259edf7e05cc6267
  SHA512: 0c89a65b4e3fdd0dfc1a1dbd4bca458cd386e1d42e78baa19d8860bb49a9164607475db9a455e42fd58008e0a5c9bbeaa40cdd1ba868bbd696873cfbe3ed311e
- C:\Windows\Installer\MSI1A06.tmp
  Filesize: 554KB
  MD5: 3b171ce087bb799aafcbbd93bab27f71
  SHA1: 7bd69efbc7797bdff5510830ca2cc817c8b86d08
  SHA256: bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
  SHA512: 7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38
- C:\Windows\Installer\MSI1CAA.tmp
  Filesize: 12.6MB
  MD5: f93953ae688e969695943a1948920507
  SHA1: 72e6b4e6b43cd6978e54d50771c8f74cf19110bd
  SHA256: 8b233d87ce4e5e7795bad1c4011e0ac922a344a2d584ebc7070e07d2166f90e6
  SHA512: 086b2f8bf0f9e8412e5339ac18791fd10404e889de23d065c8351a63f1d527034d3bd97352bd697eb9e621c0fb4414f496531e501da391a1d9d1f6e94ca7cfdf
Memory dumps (path: Filesize)
- memory/1724-69-0x0000000006790000-0x0000000006914000-memory.dmp: 1.5MB
- memory/1724-81-0x0000000000400000-0x0000000000AC9000-memory.dmp: 6.8MB
- memory/1724-60-0x0000000003E20000-0x0000000003E21000-memory.dmp: 4KB
- memory/1724-68-0x0000000006790000-0x0000000006914000-memory.dmp: 1.5MB
- memory/1724-76-0x0000000006790000-0x0000000006914000-memory.dmp: 1.5MB
- memory/1724-79-0x0000000006790000-0x0000000006914000-memory.dmp: 1.5MB
- memory/1724-78-0x0000000006790000-0x0000000006914000-memory.dmp: 1.5MB
- memory/1724-77-0x0000000006790000-0x0000000006914000-memory.dmp: 1.5MB
- memory/1724-106-0x0000000004000000-0x0000000004F7B000-memory.dmp: 15.5MB
- memory/1724-67-0x0000000006790000-0x0000000006914000-memory.dmp: 1.5MB
- memory/1724-66-0x0000000006790000-0x0000000006914000-memory.dmp: 1.5MB
- memory/1724-57-0x0000000004000000-0x0000000004F7B000-memory.dmp: 15.5MB
- memory/1724-82-0x0000000004000000-0x0000000004F7B000-memory.dmp: 15.5MB
- memory/1724-86-0x0000000004000000-0x0000000004F7B000-memory.dmp: 15.5MB
- memory/1724-90-0x0000000004000000-0x0000000004F7B000-memory.dmp: 15.5MB
- memory/1724-92-0x0000000004000000-0x0000000004F7B000-memory.dmp: 15.5MB
- memory/1724-94-0x0000000004000000-0x0000000004F7B000-memory.dmp: 15.5MB
- memory/1724-96-0x0000000004000000-0x0000000004F7B000-memory.dmp: 15.5MB
- memory/1724-98-0x0000000004000000-0x0000000004F7B000-memory.dmp: 15.5MB
- memory/1724-100-0x0000000004000000-0x0000000004F7B000-memory.dmp: 15.5MB
- memory/1724-104-0x0000000004000000-0x0000000004F7B000-memory.dmp: 15.5MB
- memory/3004-21-0x0000000072750000-0x000000007349D000-memory.dmp: 13.3MB