Overview

overview

8

Static

static

8

digital.-....ZA.msi

windows7_x64

digital.-....ZA.msi

windows10_x64

Analysis

  • max time kernel
    10s
  • max time network
    7s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    08-03-2021 18:01

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    digital.-.online C∩RWROI┐A∩┐┐┐┐M╜∩╜┐╜X╜╜A╜S┐OYW╜┐N∩YMA┐T∩╜Z∩A∩╜CHZA.msi

  • Size

    268KB

  • MD5

    3cdb1d26ef24c423f83ba602129b5b35

  • SHA1

    ddc88f08d80382e733c4d9197ae08f795e0601f9

  • SHA256

    f364525bd719aefacb0453cb9eb8814d8c67b87ce0928aed13196936115f9280

  • SHA512

    b935ab83d77163d5915e8c94cd2a7fe97c89f4730a7ac77724aa7f4bec16546e57d66b4c2ffa3cb014708a26b3545a226da041f837777fddaac0d22adba20267

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 8 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\digital.-.online C∩RWROI┐A∩┐┐┐┐M╜∩╜┐╜X╜╜A╜S┐OYW╜┐N∩YMA┐T∩╜Z∩A∩╜CHZA.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1904
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 8622C252D957F5E7E9DC999F4EADDC5E
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Admin2xpML©" /t reg_sz /d "\"C:\Admin2xpML©\g1gd6©.exe\"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:672
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Admin2xpML©" /t reg_sz /d "\"C:\Admin2xpML©\g1gd6©.exe\"
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:1196
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C start /MIN shutdown -r -f -t 00
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:952
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown -r -f -t 00
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1020
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:1624
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1768

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\Installer\MSI483.tmp
        MD5

        9f1e5d66c2889018daef4aef604eebc4

        SHA1

        b80294261c8a1635e16e14f55a3d76889ff2c857

        SHA256

        02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

        SHA512

        8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

        Download Submit
      • C:\Windows\Installer\MSI6C5.tmp
        MD5

        9f1e5d66c2889018daef4aef604eebc4

        SHA1

        b80294261c8a1635e16e14f55a3d76889ff2c857

        SHA256

        02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

        SHA512

        8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

        Download Submit
      • \Windows\Installer\MSI483.tmp
        MD5

        9f1e5d66c2889018daef4aef604eebc4

        SHA1

        b80294261c8a1635e16e14f55a3d76889ff2c857

        SHA256

        02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

        SHA512

        8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

        Download Submit
      • \Windows\Installer\MSI6C5.tmp
        MD5

        9f1e5d66c2889018daef4aef604eebc4

        SHA1

        b80294261c8a1635e16e14f55a3d76889ff2c857

        SHA256

        02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

        SHA512

        8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

        Download Submit
      • memory/672-11-0x0000000000000000-mapping.dmp
        Download
      • memory/952-12-0x0000000000000000-mapping.dmp
        Download
      • memory/1020-14-0x0000000000000000-mapping.dmp
        Download
      • memory/1196-13-0x0000000000000000-mapping.dmp
        Download
      • memory/1540-5-0x00000000766F1000-0x00000000766F3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1540-4-0x0000000000000000-mapping.dmp
        Download
      • memory/1540-10-0x0000000001EA0000-0x0000000001EA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1624-17-0x0000000002880000-0x0000000002881000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1768-19-0x0000000002760000-0x0000000002761000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1904-2-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1904-15-0x0000000002130000-0x0000000002134000-memory.dmp
        Filesize

        16KB

        Download