Analysis
-
max time kernel
14s -
max time network
14s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
08-03-2021 18:01
Behavioral task
behavioral1
Sample
digital.-.online C∩RWROI┐A∩┐┐┐┐M╜∩╜┐╜X╜╜A╜S┐OYW╜┐N∩YMA┐T∩╜Z∩A∩╜CHZA.msi
Resource
win7v20201028
Behavioral task
behavioral2
Sample
digital.-.online C∩RWROI┐A∩┐┐┐┐M╜∩╜┐╜X╜╜A╜S┐OYW╜┐N∩YMA┐T∩╜Z∩A∩╜CHZA.msi
Resource
win10v20201028
Errors
General
-
Target
digital.-.online C∩RWROI┐A∩┐┐┐┐M╜∩╜┐╜X╜╜A╜S┐OYW╜┐N∩YMA┐T∩╜Z∩A∩╜CHZA.msi
-
Size
268KB
-
MD5
3cdb1d26ef24c423f83ba602129b5b35
-
SHA1
ddc88f08d80382e733c4d9197ae08f795e0601f9
-
SHA256
f364525bd719aefacb0453cb9eb8814d8c67b87ce0928aed13196936115f9280
-
SHA512
b935ab83d77163d5915e8c94cd2a7fe97c89f4730a7ac77724aa7f4bec16546e57d66b4c2ffa3cb014708a26b3545a226da041f837777fddaac0d22adba20267
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
MsiExec.exeflow pid process 11 200 MsiExec.exe -
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
Processes:
LogonUI.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe -
Loads dropped DLL 2 IoCs
Processes:
MsiExec.exepid process 200 MsiExec.exe 200 MsiExec.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdminJyQEm© = "\"C:\\AdminJyQEm©\\CGABW©.exe\"" reg.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Y: msiexec.exe -
Drops file in Windows directory 9 IoCs
Processes:
msiexec.exedescription ioc process File opened for modification C:\Windows\Installer\f749679.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI9744.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\SourceHash{FDC25846-D137-43F2-9F6E-CD584506A197} msiexec.exe File opened for modification C:\Windows\Installer\MSIA06E.tmp msiexec.exe File created C:\Windows\Installer\f749679.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI9E4A.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 11 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid process 4024 msiexec.exe 4024 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
msiexec.exemsiexec.exeshutdown.exedescription pid process Token: SeShutdownPrivilege 1048 msiexec.exe Token: SeIncreaseQuotaPrivilege 1048 msiexec.exe Token: SeSecurityPrivilege 4024 msiexec.exe Token: SeCreateTokenPrivilege 1048 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1048 msiexec.exe Token: SeLockMemoryPrivilege 1048 msiexec.exe Token: SeIncreaseQuotaPrivilege 1048 msiexec.exe Token: SeMachineAccountPrivilege 1048 msiexec.exe Token: SeTcbPrivilege 1048 msiexec.exe Token: SeSecurityPrivilege 1048 msiexec.exe Token: SeTakeOwnershipPrivilege 1048 msiexec.exe Token: SeLoadDriverPrivilege 1048 msiexec.exe Token: SeSystemProfilePrivilege 1048 msiexec.exe Token: SeSystemtimePrivilege 1048 msiexec.exe Token: SeProfSingleProcessPrivilege 1048 msiexec.exe Token: SeIncBasePriorityPrivilege 1048 msiexec.exe Token: SeCreatePagefilePrivilege 1048 msiexec.exe Token: SeCreatePermanentPrivilege 1048 msiexec.exe Token: SeBackupPrivilege 1048 msiexec.exe Token: SeRestorePrivilege 1048 msiexec.exe Token: SeShutdownPrivilege 1048 msiexec.exe Token: SeDebugPrivilege 1048 msiexec.exe Token: SeAuditPrivilege 1048 msiexec.exe Token: SeSystemEnvironmentPrivilege 1048 msiexec.exe Token: SeChangeNotifyPrivilege 1048 msiexec.exe Token: SeRemoteShutdownPrivilege 1048 msiexec.exe Token: SeUndockPrivilege 1048 msiexec.exe Token: SeSyncAgentPrivilege 1048 msiexec.exe Token: SeEnableDelegationPrivilege 1048 msiexec.exe Token: SeManageVolumePrivilege 1048 msiexec.exe Token: SeImpersonatePrivilege 1048 msiexec.exe Token: SeCreateGlobalPrivilege 1048 msiexec.exe Token: SeRestorePrivilege 4024 msiexec.exe Token: SeTakeOwnershipPrivilege 4024 msiexec.exe Token: SeRestorePrivilege 4024 msiexec.exe Token: SeTakeOwnershipPrivilege 4024 msiexec.exe Token: SeRestorePrivilege 4024 msiexec.exe Token: SeTakeOwnershipPrivilege 4024 msiexec.exe Token: SeRestorePrivilege 4024 msiexec.exe Token: SeTakeOwnershipPrivilege 4024 msiexec.exe Token: SeRestorePrivilege 4024 msiexec.exe Token: SeTakeOwnershipPrivilege 4024 msiexec.exe Token: SeRestorePrivilege 4024 msiexec.exe Token: SeTakeOwnershipPrivilege 4024 msiexec.exe Token: SeRestorePrivilege 4024 msiexec.exe Token: SeTakeOwnershipPrivilege 4024 msiexec.exe Token: SeShutdownPrivilege 3860 shutdown.exe Token: SeRemoteShutdownPrivilege 3860 shutdown.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
msiexec.exeMsiExec.exepid process 1048 msiexec.exe 200 MsiExec.exe 200 MsiExec.exe 200 MsiExec.exe 1048 msiexec.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exepid process 2712 LogonUI.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
msiexec.exeMsiExec.execmd.execmd.exedescription pid process target process PID 4024 wrote to memory of 200 4024 msiexec.exe MsiExec.exe PID 4024 wrote to memory of 200 4024 msiexec.exe MsiExec.exe PID 4024 wrote to memory of 200 4024 msiexec.exe MsiExec.exe PID 200 wrote to memory of 1376 200 MsiExec.exe cmd.exe PID 200 wrote to memory of 1376 200 MsiExec.exe cmd.exe PID 200 wrote to memory of 1376 200 MsiExec.exe cmd.exe PID 200 wrote to memory of 2084 200 MsiExec.exe cmd.exe PID 200 wrote to memory of 2084 200 MsiExec.exe cmd.exe PID 200 wrote to memory of 2084 200 MsiExec.exe cmd.exe PID 1376 wrote to memory of 2284 1376 cmd.exe reg.exe PID 1376 wrote to memory of 2284 1376 cmd.exe reg.exe PID 1376 wrote to memory of 2284 1376 cmd.exe reg.exe PID 2084 wrote to memory of 3860 2084 cmd.exe shutdown.exe PID 2084 wrote to memory of 3860 2084 cmd.exe shutdown.exe PID 2084 wrote to memory of 3860 2084 cmd.exe shutdown.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\digital.-.online C∩RWROI┐A∩┐┐┐┐M╜∩╜┐╜X╜╜A╜S┐OYW╜┐N∩YMA┐T∩╜Z∩A∩╜CHZA.msi"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1048
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5757BE3F705D149A019B4AE210E912822⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:200 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "AdminJyQEm©" /t reg_sz /d "\"C:\AdminJyQEm©\CGABW©.exe\"3⤵
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\reg.exereg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "AdminJyQEm©" /t reg_sz /d "\"C:\AdminJyQEm©\CGABW©.exe\"4⤵
- Adds Run key to start application
- Modifies registry key
PID:2284 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C start /MIN shutdown -r -f -t 003⤵
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\shutdown.exeshutdown -r -f -t 004⤵
- Suspicious use of AdjustPrivilegeToken
PID:3860
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3ad5055 /state1:0x41c64e6d1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2712
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Installer\MSI9744.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
C:\Windows\Installer\MSI9E4A.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
\Windows\Installer\MSI9744.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
\Windows\Installer\MSI9E4A.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
memory/200-14-0x0000000000000000-mapping.dmp
-
memory/1376-19-0x0000000000000000-mapping.dmp
-
memory/2084-20-0x0000000000000000-mapping.dmp
-
memory/2284-21-0x0000000000000000-mapping.dmp
-
memory/3860-22-0x0000000000000000-mapping.dmp