Analysis
-
max time kernel
24s -
max time network
24s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
03-03-2021 19:50
Behavioral task
behavioral1
Sample
XMLFC-NI_91.msi
Resource
win7v20201028
Behavioral task
behavioral2
Sample
XMLFC-NI_91.msi
Resource
win10v20201028
Errors
General
-
Target
XMLFC-NI_91.msi
-
Size
268KB
-
MD5
ea216c4397537df9d792c82c852796fa
-
SHA1
c9706304fa18ff3640f4f4db414f026b4de4cbee
-
SHA256
eb1cc652821c6f0665e79abe6dffee13461ffd001a331ffc6752460b7e2d073d
-
SHA512
32c00bf837c78c4e4c6e14fd57ee658100547231255aa08cafd4ff9e65455c79e6c405e3b2574da2f422253a32f5a185d41edaad1d0e33c08744514e84cf7e1a
Malware Config
Signatures
-
Blocklisted process makes network request 5 IoCs
Processes:
MsiExec.exeflow pid process 8 3364 MsiExec.exe 15 3364 MsiExec.exe 17 3364 MsiExec.exe 19 3364 MsiExec.exe 21 3364 MsiExec.exe -
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
Processes:
LogonUI.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe -
Loads dropped DLL 2 IoCs
Processes:
MsiExec.exepid process 3364 MsiExec.exe 3364 MsiExec.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ÓzÑÙÎÌÖàâÓrìåàáÌ.App.Refresh.System = "C:\\ProgramData\\Exported Files\\ÓzÑÙÎÌÖàâÓrìåàáÌ.App.Refresh.System.exe" reg.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe -
Drops file in Windows directory 9 IoCs
Processes:
msiexec.exedescription ioc process File created C:\Windows\Installer\f744135.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI425E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI452E.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{187B873D-9E06-4065-A278-668510B1CE94} msiexec.exe File opened for modification C:\Windows\Installer\f744135.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI4677.tmp msiexec.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
msiexec.exewlrmdr.exepid process 4928 msiexec.exe 4928 msiexec.exe 4384 wlrmdr.exe 4384 wlrmdr.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
msiexec.exemsiexec.exeshutdown.exedescription pid process Token: SeShutdownPrivilege 4704 msiexec.exe Token: SeIncreaseQuotaPrivilege 4704 msiexec.exe Token: SeSecurityPrivilege 4928 msiexec.exe Token: SeCreateTokenPrivilege 4704 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4704 msiexec.exe Token: SeLockMemoryPrivilege 4704 msiexec.exe Token: SeIncreaseQuotaPrivilege 4704 msiexec.exe Token: SeMachineAccountPrivilege 4704 msiexec.exe Token: SeTcbPrivilege 4704 msiexec.exe Token: SeSecurityPrivilege 4704 msiexec.exe Token: SeTakeOwnershipPrivilege 4704 msiexec.exe Token: SeLoadDriverPrivilege 4704 msiexec.exe Token: SeSystemProfilePrivilege 4704 msiexec.exe Token: SeSystemtimePrivilege 4704 msiexec.exe Token: SeProfSingleProcessPrivilege 4704 msiexec.exe Token: SeIncBasePriorityPrivilege 4704 msiexec.exe Token: SeCreatePagefilePrivilege 4704 msiexec.exe Token: SeCreatePermanentPrivilege 4704 msiexec.exe Token: SeBackupPrivilege 4704 msiexec.exe Token: SeRestorePrivilege 4704 msiexec.exe Token: SeShutdownPrivilege 4704 msiexec.exe Token: SeDebugPrivilege 4704 msiexec.exe Token: SeAuditPrivilege 4704 msiexec.exe Token: SeSystemEnvironmentPrivilege 4704 msiexec.exe Token: SeChangeNotifyPrivilege 4704 msiexec.exe Token: SeRemoteShutdownPrivilege 4704 msiexec.exe Token: SeUndockPrivilege 4704 msiexec.exe Token: SeSyncAgentPrivilege 4704 msiexec.exe Token: SeEnableDelegationPrivilege 4704 msiexec.exe Token: SeManageVolumePrivilege 4704 msiexec.exe Token: SeImpersonatePrivilege 4704 msiexec.exe Token: SeCreateGlobalPrivilege 4704 msiexec.exe Token: SeRestorePrivilege 4928 msiexec.exe Token: SeTakeOwnershipPrivilege 4928 msiexec.exe Token: SeRestorePrivilege 4928 msiexec.exe Token: SeTakeOwnershipPrivilege 4928 msiexec.exe Token: SeRestorePrivilege 4928 msiexec.exe Token: SeTakeOwnershipPrivilege 4928 msiexec.exe Token: SeRestorePrivilege 4928 msiexec.exe Token: SeTakeOwnershipPrivilege 4928 msiexec.exe Token: SeShutdownPrivilege 4084 shutdown.exe Token: SeRemoteShutdownPrivilege 4084 shutdown.exe Token: SeRestorePrivilege 4928 msiexec.exe Token: SeTakeOwnershipPrivilege 4928 msiexec.exe Token: SeRestorePrivilege 4928 msiexec.exe Token: SeTakeOwnershipPrivilege 4928 msiexec.exe Token: SeRestorePrivilege 4928 msiexec.exe Token: SeTakeOwnershipPrivilege 4928 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 4704 msiexec.exe 4704 msiexec.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
wlrmdr.exeLogonUI.exepid process 4384 wlrmdr.exe 4480 LogonUI.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
msiexec.exeMsiExec.exedescription pid process target process PID 4928 wrote to memory of 3364 4928 msiexec.exe MsiExec.exe PID 4928 wrote to memory of 3364 4928 msiexec.exe MsiExec.exe PID 4928 wrote to memory of 3364 4928 msiexec.exe MsiExec.exe PID 3364 wrote to memory of 4076 3364 MsiExec.exe reg.exe PID 3364 wrote to memory of 4076 3364 MsiExec.exe reg.exe PID 3364 wrote to memory of 4076 3364 MsiExec.exe reg.exe PID 3364 wrote to memory of 4084 3364 MsiExec.exe shutdown.exe PID 3364 wrote to memory of 4084 3364 MsiExec.exe shutdown.exe PID 3364 wrote to memory of 4084 3364 MsiExec.exe shutdown.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\XMLFC-NI_91.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding CFD42D283A77CBB7AB15ED046B042AF02⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "ÓzÑÙÎÌÖàâÓrìåàáÌ.App.Refresh.System" /t REG_SZ /F /D "C:\ProgramData\Exported Files\ÓzÑÙÎÌÖàâÓrìåàáÌ.App.Refresh.System.exe"3⤵
- Adds Run key to start application
-
C:\WINDOWS\SysWOW64\shutdown.exe"C:\WINDOWS\system32\shutdown.exe" -r -t 1 -f3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wlrmdr.exe-s -1 -f 2 -t You're about to be signed out -m Windows will shut down in less than a minute. -a 31⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3ad1055 /state1:0x41c64e6d1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MSI43eb4.LOGMD5
64b7bbd8a96846db2c034c3484232a4f
SHA122a589eabc888ba9d74ad71663ab2fd16951abb2
SHA256e74744474480f5b363153181b268b595c1a0bd83b9200bbba38ad5de1eb336af
SHA512c53afa94eac78d29487953918a98641e8871549812618c1a65e3beef211e753f8813f7c16a7f8e19b5732b9bf449df776e040081569d23194305b8972f5805ba
-
C:\Windows\Installer\MSI425E.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
C:\Windows\Installer\MSI452E.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
\Windows\Installer\MSI425E.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
\Windows\Installer\MSI452E.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
memory/3364-3-0x0000000000000000-mapping.dmp
-
memory/4076-8-0x0000000000000000-mapping.dmp
-
memory/4084-9-0x0000000000000000-mapping.dmp