Overview

overview

8

Static

static

8

XMLFC-NI_27.msi

windows7_x64

XMLFC-NI_27.msi

windows10_x64

Analysis

  • max time kernel
    31s
  • max time network
    26s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    06-03-2021 11:30

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    XMLFC-NI_27.msi

  • Size

    267KB

  • MD5

    3ba27f796d18104606b2f58744fb017c

  • SHA1

    cc253e24ab868e61419a78fc161a5546ce878bd6

  • SHA256

    e2eaa5496cb25b7d2866507d4fc494173588897b4d589b8322fc9635bac71e02

  • SHA512

    30fa4108697a1f80a3164318d953e585dee98965477e7dcbaf45d1e2194f648c0e4398ee55d3540b09897dfdbd934abed9c48141adddb41d1765109d7806320f

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\XMLFC-NI_27.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1856
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 337D4332E1760ED4A5CFFC7B24DB5371
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "ÚñåcÖáÎâå×ÖÈãÝÞo.App.Refresh.System" /t REG_SZ /F /D "C:\ProgramData\Exported Files\ÚñåcÖáÎâå×ÖÈãÝÞo.App.Refresh.System.exe"
        3⤵
        • Adds Run key to start application
        PID:2044
      • C:\WINDOWS\SysWOW64\shutdown.exe
        "C:\WINDOWS\system32\shutdown.exe" -r -t 1 -f
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2004
  • C:\Windows\system32\wlrmdr.exe
    -s -1 -f 2 -t You are about to be logged off -m Windows will shut down in less than a minute. -a 3
    1⤵
      PID:1576
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:1796
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:944

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\MSI476d5.LOG
          MD5

          56a7ab3c2b275c82dbf6514ff9f73491

          SHA1

          809769579380a865166e5a956e10479fa1e2338d

          SHA256

          a3427105a51891d728ca115fac9667a102b1a0edfd03b15ad5433db344005302

          SHA512

          35d68c0100614a5e7fef0ef344aa50570ed170aa9072a3ed9c660908d01e1097198ca4f21e5a37dee3649a4f2679a4ad822dfbc23e766cff1e5544e9b33d8544

          Download Submit
        • C:\Windows\Installer\MSI7A4E.tmp
          MD5

          5c5bef05b6f3806106f8f3ce13401cc1

          SHA1

          6005fbe17f6e917ac45317552409d7a60976db14

          SHA256

          f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

          SHA512

          97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

          Download Submit
        • C:\Windows\Installer\MSI7DD8.tmp
          MD5

          5c5bef05b6f3806106f8f3ce13401cc1

          SHA1

          6005fbe17f6e917ac45317552409d7a60976db14

          SHA256

          f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

          SHA512

          97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

          Download Submit
        • \Windows\Installer\MSI7A4E.tmp
          MD5

          5c5bef05b6f3806106f8f3ce13401cc1

          SHA1

          6005fbe17f6e917ac45317552409d7a60976db14

          SHA256

          f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

          SHA512

          97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

          Download Submit
        • \Windows\Installer\MSI7DD8.tmp
          MD5

          5c5bef05b6f3806106f8f3ce13401cc1

          SHA1

          6005fbe17f6e917ac45317552409d7a60976db14

          SHA256

          f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

          SHA512

          97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

          Download Submit
        • memory/944-21-0x0000000002760000-0x0000000002761000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1424-12-0x000007FEF7F70000-0x000007FEF81EA000-memory.dmp
          Filesize

          2.5MB

          Download
        • memory/1576-17-0x00000000003D0000-0x00000000003D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1796-19-0x0000000002980000-0x0000000002981000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1856-16-0x0000000002290000-0x0000000002294000-memory.dmp
          Filesize

          16KB

          Download
        • memory/1856-2-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1948-11-0x0000000000250000-0x0000000000252000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1948-6-0x00000000767E1000-0x00000000767E3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1948-5-0x0000000000000000-mapping.dmp
          Download
        • memory/2004-14-0x0000000000000000-mapping.dmp
          Download
        • memory/2044-13-0x0000000000000000-mapping.dmp
          Download