185e7914fb334360e83bb85bc6cdf7e3311b77f49197748b271803484050d38d

Analysis

max time kernel
129s
max time network
136s
platform
windows7_x64
resource
win7
submitted
10/07/2020, 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ada66908-1faf-4e78-8582-239d6d90c2cf.msi
Size

1.7MB
MD5

4c2f959dcda49fa48d8dc13a7eac6b3b
SHA1

d270aedb78fe928e425ecc4f2f1b5c9c38dca764
SHA256

185e7914fb334360e83bb85bc6cdf7e3311b77f49197748b271803484050d38d
SHA512

aabde1125b7167bbd2b2734df099e07b92382dd579429652fd7f0a28705c744befad6b3d428cb09c4fea524ef421dd7a17f621957fa55d4592550176592df37f

Score

7^/10

persistence

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	612	msiexec.exe
Token: SeTakeOwnershipPrivilege	612	msiexec.exe
Token: SeSecurityPrivilege	612	msiexec.exe
Token: SeCreateTokenPrivilege	1124	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1124	msiexec.exe
Token: SeLockMemoryPrivilege	1124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1124	msiexec.exe
Token: SeMachineAccountPrivilege	1124	msiexec.exe
Token: SeTcbPrivilege	1124	msiexec.exe
Token: SeSecurityPrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeLoadDriverPrivilege	1124	msiexec.exe
Token: SeSystemProfilePrivilege	1124	msiexec.exe
Token: SeSystemtimePrivilege	1124	msiexec.exe
Token: SeProfSingleProcessPrivilege	1124	msiexec.exe
Token: SeIncBasePriorityPrivilege	1124	msiexec.exe
Token: SeCreatePagefilePrivilege	1124	msiexec.exe
Token: SeCreatePermanentPrivilege	1124	msiexec.exe
Token: SeBackupPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeShutdownPrivilege	1124	msiexec.exe
Token: SeDebugPrivilege	1124	msiexec.exe
Token: SeAuditPrivilege	1124	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1124	msiexec.exe
Token: SeChangeNotifyPrivilege	1124	msiexec.exe
Token: SeRemoteShutdownPrivilege	1124	msiexec.exe
Token: SeUndockPrivilege	1124	msiexec.exe
Token: SeSyncAgentPrivilege	1124	msiexec.exe
Token: SeEnableDelegationPrivilege	1124	msiexec.exe
Token: SeManageVolumePrivilege	1124	msiexec.exe
Token: SeImpersonatePrivilege	1124	msiexec.exe
Token: SeCreateGlobalPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	612	msiexec.exe
Token: SeTakeOwnershipPrivilege	612	msiexec.exe
Token: SeRestorePrivilege	612	msiexec.exe
Token: SeTakeOwnershipPrivilege	612	msiexec.exe
Token: SeRestorePrivilege	612	msiexec.exe
Token: SeTakeOwnershipPrivilege	612	msiexec.exe
Token: SeRestorePrivilege	612	msiexec.exe
Token: SeTakeOwnershipPrivilege	612	msiexec.exe
Token: SeRestorePrivilege	612	msiexec.exe
Token: SeTakeOwnershipPrivilege	612	msiexec.exe
Token: SeRestorePrivilege	612	msiexec.exe
Token: SeTakeOwnershipPrivilege	612	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1124	msiexec.exe
1580	MsiExec.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\win68 = "C:\\Users\\Public\\avglfesb.msi /quiet"	MsiExec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI705.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI734.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI36A.tmp	msiexec.exe
File created	C:\Windows\Installer\ff18.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D8.tmp	msiexec.exe
File created	C:\Windows\Installer\ff16.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\ff16.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1.tmp	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1124	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 612 wrote to memory of 1580	612	msiexec.exe	25
PID 612 wrote to memory of 1580	612	msiexec.exe	25
PID 612 wrote to memory of 1580	612	msiexec.exe	25
PID 612 wrote to memory of 1580	612	msiexec.exe	25
PID 612 wrote to memory of 1580	612	msiexec.exe	25
PID 612 wrote to memory of 1580	612	msiexec.exe	25
PID 612 wrote to memory of 1580	612	msiexec.exe	25

Loads dropped DLL 4 IoCs

pid	Process
1580	MsiExec.exe
1580	MsiExec.exe
1580	MsiExec.exe
1580	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
612	msiexec.exe
612	msiexec.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ada66908-1faf-4e78-8582-239d6d90c2cf.msi
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1124

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:612
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24AD0F51745696182781F376226486B2
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Adds Run entry to start application
  - Loads dropped DLL
  PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/612-9-0x0000000001890000-0x0000000001894000-memory.dmp

Filesize
16KB

Download
memory/612-10-0x0000000000ED0000-0x0000000000ED4000-memory.dmp

Filesize
16KB

Download
memory/1124-0-0x0000000004030000-0x0000000004034000-memory.dmp

Filesize
16KB

Download