Analysis
- max time kernel: 10s
- max time network: 7s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-03-2021 18:01

Behavioral task: behavioral1
- Sample: digital.-.online C∩RWROI┐A∩┐┐┐┐M╜∩╜┐╜X╜╜A╜S┐OYW╜┐N∩YMA┐T∩╜Z∩A∩╜CHZA.msi
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: digital.-.online C∩RWROI┐A∩┐┐┐┐M╜∩╜┐╜X╜╜A╜S┐OYW╜┐N∩YMA┐T∩╜Z∩A∩╜CHZA.msi
- Resource: win10v20201028
Errors

General
- Target: digital.-.online C∩RWROI┐A∩┐┐┐┐M╜∩╜┐╜X╜╜A╜S┐OYW╜┐N∩YMA┐T∩╜Z∩A∩╜CHZA.msi
- Size: 268KB
- MD5: 3cdb1d26ef24c423f83ba602129b5b35
- SHA1: ddc88f08d80382e733c4d9197ae08f795e0601f9
- SHA256: f364525bd719aefacb0453cb9eb8814d8c67b87ce0928aed13196936115f9280
- SHA512: b935ab83d77163d5915e8c94cd2a7fe97c89f4730a7ac77724aa7f4bec16546e57d66b4c2ffa3cb014708a26b3545a226da041f837777fddaac0d22adba20267
Malware Config
Signatures

Blocklisted process makes network request (1 IoCs)
Processes:
- flow 2, PID 1540, MsiExec.exe
Loads dropped DLL (2 IoCs)
Processes:
- PID 1540, MsiExec.exe
- PID 1540, MsiExec.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin2xpML© = "\"C:\\Admin2xpML©\\g1gd6©.exe\"" (reg.exe)
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- File opened (read-only) \??\A: (msiexec.exe)
- File opened (read-only) \??\F: (msiexec.exe)
- File opened (read-only) \??\P: (msiexec.exe)
- File opened (read-only) \??\T: (msiexec.exe)
- File opened (read-only) \??\B: (msiexec.exe)
- File opened (read-only) \??\J: (msiexec.exe)
- File opened (read-only) \??\K: (msiexec.exe)
- File opened (read-only) \??\O: (msiexec.exe)
- File opened (read-only) \??\P: (msiexec.exe)
- File opened (read-only) \??\J: (msiexec.exe)
- File opened (read-only) \??\A: (msiexec.exe)
- File opened (read-only) \??\U: (msiexec.exe)
- File opened (read-only) \??\E: (msiexec.exe)
- File opened (read-only) \??\L: (msiexec.exe)
- File opened (read-only) \??\S: (msiexec.exe)
- File opened (read-only) \??\Z: (msiexec.exe)
- File opened (read-only) \??\I: (msiexec.exe)
- File opened (read-only) \??\M: (msiexec.exe)
- File opened (read-only) \??\W: (msiexec.exe)
- File opened (read-only) \??\X: (msiexec.exe)
- File opened (read-only) \??\Z: (msiexec.exe)
- File opened (read-only) \??\B: (msiexec.exe)
- File opened (read-only) \??\H: (msiexec.exe)
- File opened (read-only) \??\G: (msiexec.exe)
- File opened (read-only) \??\R: (msiexec.exe)
- File opened (read-only) \??\S: (msiexec.exe)
- File opened (read-only) \??\V: (msiexec.exe)
- File opened (read-only) \??\M: (msiexec.exe)
- File opened (read-only) \??\O: (msiexec.exe)
- File opened (read-only) \??\X: (msiexec.exe)
- File opened (read-only) \??\E: (msiexec.exe)
- File opened (read-only) \??\H: (msiexec.exe)
- File opened (read-only) \??\Q: (msiexec.exe)
- File opened (read-only) \??\T: (msiexec.exe)
- File opened (read-only) \??\G: (msiexec.exe)
- File opened (read-only) \??\I: (msiexec.exe)
- File opened (read-only) \??\K: (msiexec.exe)
- File opened (read-only) \??\Q: (msiexec.exe)
- File opened (read-only) \??\U: (msiexec.exe)
- File opened (read-only) \??\W: (msiexec.exe)
- File opened (read-only) \??\Y: (msiexec.exe)
- File opened (read-only) \??\L: (msiexec.exe)
- File opened (read-only) \??\N: (msiexec.exe)
- File opened (read-only) \??\N: (msiexec.exe)
- File opened (read-only) \??\R: (msiexec.exe)
- File opened (read-only) \??\V: (msiexec.exe)
- File opened (read-only) \??\F: (msiexec.exe)
- File opened (read-only) \??\Y: (msiexec.exe)
Drops file in Windows directory (8 IoCs)
Processes:
- File opened for modification C:\Windows\Installer\ (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI9C3.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\f7403da.ipi (msiexec.exe)
- File created C:\Windows\Installer\f7403d8.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\f7403d8.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI483.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI6C5.tmp (msiexec.exe)
- File created C:\Windows\Installer\f7403da.ipi (msiexec.exe)
Modifies registry key (1 TTPs, 1 IoCs)
Script User-Agent (1 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
- HTTP User-Agent header, flow 2: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 1984, msiexec.exe
- PID 1984, msiexec.exe
Suspicious use of AdjustPrivilegeToken (50 IoCs)
Processes:
- Token: SeShutdownPrivilege, PID 1904, msiexec.exe
- Token: SeIncreaseQuotaPrivilege, PID 1904, msiexec.exe
- Token: SeRestorePrivilege, PID 1984, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1984, msiexec.exe
- Token: SeSecurityPrivilege, PID 1984, msiexec.exe
- Token: SeCreateTokenPrivilege, PID 1904, msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege, PID 1904, msiexec.exe
- Token: SeLockMemoryPrivilege, PID 1904, msiexec.exe
- Token: SeIncreaseQuotaPrivilege, PID 1904, msiexec.exe
- Token: SeMachineAccountPrivilege, PID 1904, msiexec.exe
- Token: SeTcbPrivilege, PID 1904, msiexec.exe
- Token: SeSecurityPrivilege, PID 1904, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1904, msiexec.exe
- Token: SeLoadDriverPrivilege, PID 1904, msiexec.exe
- Token: SeSystemProfilePrivilege, PID 1904, msiexec.exe
- Token: SeSystemtimePrivilege, PID 1904, msiexec.exe
- Token: SeProfSingleProcessPrivilege, PID 1904, msiexec.exe
- Token: SeIncBasePriorityPrivilege, PID 1904, msiexec.exe
- Token: SeCreatePagefilePrivilege, PID 1904, msiexec.exe
- Token: SeCreatePermanentPrivilege, PID 1904, msiexec.exe
- Token: SeBackupPrivilege, PID 1904, msiexec.exe
- Token: SeRestorePrivilege, PID 1904, msiexec.exe
- Token: SeShutdownPrivilege, PID 1904, msiexec.exe
- Token: SeDebugPrivilege, PID 1904, msiexec.exe
- Token: SeAuditPrivilege, PID 1904, msiexec.exe
- Token: SeSystemEnvironmentPrivilege, PID 1904, msiexec.exe
- Token: SeChangeNotifyPrivilege, PID 1904, msiexec.exe
- Token: SeRemoteShutdownPrivilege, PID 1904, msiexec.exe
- Token: SeUndockPrivilege, PID 1904, msiexec.exe
- Token: SeSyncAgentPrivilege, PID 1904, msiexec.exe
- Token: SeEnableDelegationPrivilege, PID 1904, msiexec.exe
- Token: SeManageVolumePrivilege, PID 1904, msiexec.exe
- Token: SeImpersonatePrivilege, PID 1904, msiexec.exe
- Token: SeCreateGlobalPrivilege, PID 1904, msiexec.exe
- Token: SeRestorePrivilege, PID 1984, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1984, msiexec.exe
- Token: SeRestorePrivilege, PID 1984, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1984, msiexec.exe
- Token: SeRestorePrivilege, PID 1984, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1984, msiexec.exe
- Token: SeRestorePrivilege, PID 1984, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1984, msiexec.exe
- Token: SeRestorePrivilege, PID 1984, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1984, msiexec.exe
- Token: SeRestorePrivilege, PID 1984, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1984, msiexec.exe
- Token: SeRestorePrivilege, PID 1984, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 1984, msiexec.exe
- Token: SeShutdownPrivilege, PID 1020, shutdown.exe
- Token: SeRemoteShutdownPrivilege, PID 1020, shutdown.exe
Suspicious use of FindShellTrayWindow (5 IoCs)
Processes:
- PID 1904, msiexec.exe
- PID 1540, MsiExec.exe
- PID 1540, MsiExec.exe
- PID 1540, MsiExec.exe
- PID 1904, msiexec.exe
Suspicious use of WriteProcessMemory (23 IoCs)
Processes (source PID and process, target PID and process):
- PID 1984 msiexec.exe wrote to memory of PID 1540 MsiExec.exe
- PID 1984 msiexec.exe wrote to memory of PID 1540 MsiExec.exe
- PID 1984 msiexec.exe wrote to memory of PID 1540 MsiExec.exe
- PID 1984 msiexec.exe wrote to memory of PID 1540 MsiExec.exe
- PID 1984 msiexec.exe wrote to memory of PID 1540 MsiExec.exe
- PID 1984 msiexec.exe wrote to memory of PID 1540 MsiExec.exe
- PID 1984 msiexec.exe wrote to memory of PID 1540 MsiExec.exe
- PID 1540 MsiExec.exe wrote to memory of PID 672 cmd.exe
- PID 1540 MsiExec.exe wrote to memory of PID 672 cmd.exe
- PID 1540 MsiExec.exe wrote to memory of PID 672 cmd.exe
- PID 1540 MsiExec.exe wrote to memory of PID 672 cmd.exe
- PID 1540 MsiExec.exe wrote to memory of PID 952 cmd.exe
- PID 1540 MsiExec.exe wrote to memory of PID 952 cmd.exe
- PID 1540 MsiExec.exe wrote to memory of PID 952 cmd.exe
- PID 1540 MsiExec.exe wrote to memory of PID 952 cmd.exe
- PID 672 cmd.exe wrote to memory of PID 1196 reg.exe
- PID 672 cmd.exe wrote to memory of PID 1196 reg.exe
- PID 672 cmd.exe wrote to memory of PID 1196 reg.exe
- PID 672 cmd.exe wrote to memory of PID 1196 reg.exe
- PID 952 cmd.exe wrote to memory of PID 1020 shutdown.exe
- PID 952 cmd.exe wrote to memory of PID 1020 shutdown.exe
- PID 952 cmd.exe wrote to memory of PID 1020 shutdown.exe
- PID 952 cmd.exe wrote to memory of PID 1020 shutdown.exe
Processes (child processes are indented under their parent)

- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\digital.-.online C∩RWROI┐A∩┐┐┐┐M╜∩╜┐╜X╜╜A╜S┐OYW╜┐N∩YMA┐T∩╜Z∩A∩╜CHZA.msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8622C252D957F5E7E9DC999F4EADDC5E
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Admin2xpML©" /t reg_sz /d "\"C:\Admin2xpML©\g1gd6©.exe\"
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Admin2xpML©" /t reg_sz /d "\"C:\Admin2xpML©\g1gd6©.exe\"
        - Adds Run key to start application
        - Modifies registry key

    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C start /MIN shutdown -r -f -t 00
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\shutdown.exe
        Command line: shutdown -r -f -t 00
        - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0

- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Windows\Installer\MSI483.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

- C:\Windows\Installer\MSI6C5.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

- \Windows\Installer\MSI483.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

- \Windows\Installer\MSI6C5.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
Memory dumps
- memory/672-11-0x0000000000000000-mapping.dmp
- memory/952-12-0x0000000000000000-mapping.dmp
- memory/1020-14-0x0000000000000000-mapping.dmp
- memory/1196-13-0x0000000000000000-mapping.dmp
- memory/1540-5-0x00000000766F1000-0x00000000766F3000-memory.dmp (Filesize: 8KB)
- memory/1540-4-0x0000000000000000-mapping.dmp
- memory/1540-10-0x0000000001EA0000-0x0000000001EA1000-memory.dmp (Filesize: 4KB)
- memory/1624-17-0x0000000002880000-0x0000000002881000-memory.dmp (Filesize: 4KB)
- memory/1768-19-0x0000000002760000-0x0000000002761000-memory.dmp (Filesize: 4KB)
- memory/1904-2-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmp (Filesize: 8KB)
- memory/1904-15-0x0000000002130000-0x0000000002134000-memory.dmp (Filesize: 16KB)