Overview

overview

8

Static

static

XER-34T.msi

windows7_x64

XER-34T.msi

windows10_x64

Analysis

  • max time kernel
    14s
  • max time network
    13s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    07-02-2021 05:29

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    XER-34T.msi

  • Size

    1.8MB

  • MD5

    aedde70fbec3b017bced97e32323e559

  • SHA1

    4ee6cb0632af8cfe1c7b4e57918aae1a9c28682d

  • SHA256

    32d4a464dae9552b1a5aaf8b95c1f22d3f99ebd112245fa1a3719ad12fa26ed6

  • SHA512

    4f744b6758df23d81ea1190519687b926cd506191db081ad32cf01c2b6e05d7ebd207e1cf19147c5ba65894daad389d1c5a3919c1dfe32a5da6592001355f276

Score
8/10
bootkitpersistenceransomware

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

    Enables rebooting of the machine without requiring login credentials.

    ransomwarebootkit
  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 17 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\XER-34T.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1276
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B8BB4472E70CF79D2666C79C1586106F
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "AdminiZxcM©" /t reg_sz /d "\"C:\AdminiZxcM©\9uh2X©.exe\"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:208
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "AdminiZxcM©" /t reg_sz /d "\"C:\AdminiZxcM©\9uh2X©.exe\"
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:3012
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C start /MIN shutdown -r -f -t 00
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown -r -f -t 00
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2584
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3ad2855 /state1:0x41c64e6d
    1⤵
    • Modifies WinLogon to allow AutoLogon
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Installer\MSI7584.tmp
    MD5

    be4faa40a5ff233859aa72eb1fcd1350

    SHA1

    9bd945f1885cce39f5b5e42de0916b206868b12f

    SHA256

    70731166474e8a0fe63f691195332e9931442515c1e0746717344a37e4553863

    SHA512

    fa172138cee49da2bf842f349599b8a676244287f5195d93f1ad904c79731f59516fbdb8dcb706b0b0f05acab4b7c40fc0e9ff06d9932d836b3137f2b0c8bedf

    Download Submit
  • C:\Windows\Installer\MSI7815.tmp
    MD5

    a3b4d222a755f43b34a0963f13f77500

    SHA1

    e3bd216f35434287197082745b9f789b9a4f93c6

    SHA256

    9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54

    SHA512

    7baf4279fe8409db2a10638b060d2f19259be82363180c521a83f786d64c5b6e5b024ebeeedb163773d9d19efa1f1da036b55a94cc4009108eb2b910c64a3e50

    Download Submit
  • C:\Windows\Installer\MSI7874.tmp
    MD5

    a3b4d222a755f43b34a0963f13f77500

    SHA1

    e3bd216f35434287197082745b9f789b9a4f93c6

    SHA256

    9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54

    SHA512

    7baf4279fe8409db2a10638b060d2f19259be82363180c521a83f786d64c5b6e5b024ebeeedb163773d9d19efa1f1da036b55a94cc4009108eb2b910c64a3e50

    Download Submit
  • C:\Windows\Installer\MSI78D2.tmp
    MD5

    a3b4d222a755f43b34a0963f13f77500

    SHA1

    e3bd216f35434287197082745b9f789b9a4f93c6

    SHA256

    9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54

    SHA512

    7baf4279fe8409db2a10638b060d2f19259be82363180c521a83f786d64c5b6e5b024ebeeedb163773d9d19efa1f1da036b55a94cc4009108eb2b910c64a3e50

    Download Submit
  • C:\Windows\Installer\MSI7970.tmp
    MD5

    c1b635990fad0fcce9eea1cdb72860f0

    SHA1

    d32e1f9ccbec61d87597bf9345999c0290156544

    SHA256

    4f6922e784cad973e2dd5c8896cffab49b8f92a6b1516ed53e93ade76495bc16

    SHA512

    4f646210e200e2f432a7af8c965ec5f84180242bc34d0315c3ac21e277a3163d24287e9f14b479532389e498bf1aef80387c0357b2bba85b53f0f9c206f0c12a

    Download Submit
  • C:\Windows\Installer\MSI7B55.tmp
    MD5

    be4faa40a5ff233859aa72eb1fcd1350

    SHA1

    9bd945f1885cce39f5b5e42de0916b206868b12f

    SHA256

    70731166474e8a0fe63f691195332e9931442515c1e0746717344a37e4553863

    SHA512

    fa172138cee49da2bf842f349599b8a676244287f5195d93f1ad904c79731f59516fbdb8dcb706b0b0f05acab4b7c40fc0e9ff06d9932d836b3137f2b0c8bedf

    Download Submit
  • C:\Windows\Installer\MSI7BE3.tmp
    MD5

    be4faa40a5ff233859aa72eb1fcd1350

    SHA1

    9bd945f1885cce39f5b5e42de0916b206868b12f

    SHA256

    70731166474e8a0fe63f691195332e9931442515c1e0746717344a37e4553863

    SHA512

    fa172138cee49da2bf842f349599b8a676244287f5195d93f1ad904c79731f59516fbdb8dcb706b0b0f05acab4b7c40fc0e9ff06d9932d836b3137f2b0c8bedf

    Download Submit
  • C:\Windows\Installer\MSI7CAF.tmp
    MD5

    a3b4d222a755f43b34a0963f13f77500

    SHA1

    e3bd216f35434287197082745b9f789b9a4f93c6

    SHA256

    9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54

    SHA512

    7baf4279fe8409db2a10638b060d2f19259be82363180c521a83f786d64c5b6e5b024ebeeedb163773d9d19efa1f1da036b55a94cc4009108eb2b910c64a3e50

    Download Submit
  • C:\Windows\Installer\MSI7DAA.tmp
    MD5

    be4faa40a5ff233859aa72eb1fcd1350

    SHA1

    9bd945f1885cce39f5b5e42de0916b206868b12f

    SHA256

    70731166474e8a0fe63f691195332e9931442515c1e0746717344a37e4553863

    SHA512

    fa172138cee49da2bf842f349599b8a676244287f5195d93f1ad904c79731f59516fbdb8dcb706b0b0f05acab4b7c40fc0e9ff06d9932d836b3137f2b0c8bedf

    Download Submit
  • C:\Windows\Installer\MSI8EC5.tmp
    MD5

    be4faa40a5ff233859aa72eb1fcd1350

    SHA1

    9bd945f1885cce39f5b5e42de0916b206868b12f

    SHA256

    70731166474e8a0fe63f691195332e9931442515c1e0746717344a37e4553863

    SHA512

    fa172138cee49da2bf842f349599b8a676244287f5195d93f1ad904c79731f59516fbdb8dcb706b0b0f05acab4b7c40fc0e9ff06d9932d836b3137f2b0c8bedf

    Download Submit
  • \Windows\Installer\MSI7584.tmp
    MD5

    be4faa40a5ff233859aa72eb1fcd1350

    SHA1

    9bd945f1885cce39f5b5e42de0916b206868b12f

    SHA256

    70731166474e8a0fe63f691195332e9931442515c1e0746717344a37e4553863

    SHA512

    fa172138cee49da2bf842f349599b8a676244287f5195d93f1ad904c79731f59516fbdb8dcb706b0b0f05acab4b7c40fc0e9ff06d9932d836b3137f2b0c8bedf

    Download Submit
  • \Windows\Installer\MSI7815.tmp
    MD5

    a3b4d222a755f43b34a0963f13f77500

    SHA1

    e3bd216f35434287197082745b9f789b9a4f93c6

    SHA256

    9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54

    SHA512

    7baf4279fe8409db2a10638b060d2f19259be82363180c521a83f786d64c5b6e5b024ebeeedb163773d9d19efa1f1da036b55a94cc4009108eb2b910c64a3e50

    Download Submit
  • \Windows\Installer\MSI7874.tmp
    MD5

    a3b4d222a755f43b34a0963f13f77500

    SHA1

    e3bd216f35434287197082745b9f789b9a4f93c6

    SHA256

    9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54

    SHA512

    7baf4279fe8409db2a10638b060d2f19259be82363180c521a83f786d64c5b6e5b024ebeeedb163773d9d19efa1f1da036b55a94cc4009108eb2b910c64a3e50

    Download Submit
  • \Windows\Installer\MSI78D2.tmp
    MD5

    a3b4d222a755f43b34a0963f13f77500

    SHA1

    e3bd216f35434287197082745b9f789b9a4f93c6

    SHA256

    9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54

    SHA512

    7baf4279fe8409db2a10638b060d2f19259be82363180c521a83f786d64c5b6e5b024ebeeedb163773d9d19efa1f1da036b55a94cc4009108eb2b910c64a3e50

    Download Submit
  • \Windows\Installer\MSI7970.tmp
    MD5

    c1b635990fad0fcce9eea1cdb72860f0

    SHA1

    d32e1f9ccbec61d87597bf9345999c0290156544

    SHA256

    4f6922e784cad973e2dd5c8896cffab49b8f92a6b1516ed53e93ade76495bc16

    SHA512

    4f646210e200e2f432a7af8c965ec5f84180242bc34d0315c3ac21e277a3163d24287e9f14b479532389e498bf1aef80387c0357b2bba85b53f0f9c206f0c12a

    Download Submit
  • \Windows\Installer\MSI7B55.tmp
    MD5

    be4faa40a5ff233859aa72eb1fcd1350

    SHA1

    9bd945f1885cce39f5b5e42de0916b206868b12f

    SHA256

    70731166474e8a0fe63f691195332e9931442515c1e0746717344a37e4553863

    SHA512

    fa172138cee49da2bf842f349599b8a676244287f5195d93f1ad904c79731f59516fbdb8dcb706b0b0f05acab4b7c40fc0e9ff06d9932d836b3137f2b0c8bedf

    Download Submit
  • \Windows\Installer\MSI7BE3.tmp
    MD5

    be4faa40a5ff233859aa72eb1fcd1350

    SHA1

    9bd945f1885cce39f5b5e42de0916b206868b12f

    SHA256

    70731166474e8a0fe63f691195332e9931442515c1e0746717344a37e4553863

    SHA512

    fa172138cee49da2bf842f349599b8a676244287f5195d93f1ad904c79731f59516fbdb8dcb706b0b0f05acab4b7c40fc0e9ff06d9932d836b3137f2b0c8bedf

    Download Submit
  • \Windows\Installer\MSI7CAF.tmp
    MD5

    a3b4d222a755f43b34a0963f13f77500

    SHA1

    e3bd216f35434287197082745b9f789b9a4f93c6

    SHA256

    9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54

    SHA512

    7baf4279fe8409db2a10638b060d2f19259be82363180c521a83f786d64c5b6e5b024ebeeedb163773d9d19efa1f1da036b55a94cc4009108eb2b910c64a3e50

    Download Submit
  • \Windows\Installer\MSI7DAA.tmp
    MD5

    be4faa40a5ff233859aa72eb1fcd1350

    SHA1

    9bd945f1885cce39f5b5e42de0916b206868b12f

    SHA256

    70731166474e8a0fe63f691195332e9931442515c1e0746717344a37e4553863

    SHA512

    fa172138cee49da2bf842f349599b8a676244287f5195d93f1ad904c79731f59516fbdb8dcb706b0b0f05acab4b7c40fc0e9ff06d9932d836b3137f2b0c8bedf

    Download Submit
  • \Windows\Installer\MSI8EC5.tmp
    MD5

    be4faa40a5ff233859aa72eb1fcd1350

    SHA1

    9bd945f1885cce39f5b5e42de0916b206868b12f

    SHA256

    70731166474e8a0fe63f691195332e9931442515c1e0746717344a37e4553863

    SHA512

    fa172138cee49da2bf842f349599b8a676244287f5195d93f1ad904c79731f59516fbdb8dcb706b0b0f05acab4b7c40fc0e9ff06d9932d836b3137f2b0c8bedf

    Download Submit
  • memory/208-21-0x0000000000000000-mapping.dmp
    Download
  • memory/1276-27-0x0000025522ED0000-0x0000025522ED4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2208-2-0x0000000000000000-mapping.dmp
    Download
  • memory/2584-24-0x0000000000000000-mapping.dmp
    Download
  • memory/2864-22-0x0000000000000000-mapping.dmp
    Download
  • memory/3012-26-0x0000000000000000-mapping.dmp
    Download