Overview

overview

8

Static

static

8

digital.-....ZA.msi

windows7_x64

digital.-....ZA.msi

windows10_x64

Analysis

  • max time kernel
    14s
  • max time network
    14s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08-03-2021 18:01

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    digital.-.online C∩RWROI┐A∩┐┐┐┐M╜∩╜┐╜X╜╜A╜S┐OYW╜┐N∩YMA┐T∩╜Z∩A∩╜CHZA.msi

  • Size

    268KB

  • MD5

    3cdb1d26ef24c423f83ba602129b5b35

  • SHA1

    ddc88f08d80382e733c4d9197ae08f795e0601f9

  • SHA256

    f364525bd719aefacb0453cb9eb8814d8c67b87ce0928aed13196936115f9280

  • SHA512

    b935ab83d77163d5915e8c94cd2a7fe97c89f4730a7ac77724aa7f4bec16546e57d66b4c2ffa3cb014708a26b3545a226da041f837777fddaac0d22adba20267

Score
8/10
bootkitpersistenceransomware

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

    Enables rebooting of the machine without requiring login credentials.

    ransomwarebootkit
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\digital.-.online C∩RWROI┐A∩┐┐┐┐M╜∩╜┐╜X╜╜A╜S┐OYW╜┐N∩YMA┐T∩╜Z∩A∩╜CHZA.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1048
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5757BE3F705D149A019B4AE210E91282
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:200
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "AdminJyQEm©" /t reg_sz /d "\"C:\AdminJyQEm©\CGABW©.exe\"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1376
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "AdminJyQEm©" /t reg_sz /d "\"C:\AdminJyQEm©\CGABW©.exe\"
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:2284
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C start /MIN shutdown -r -f -t 00
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2084
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown -r -f -t 00
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3860
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3ad5055 /state1:0x41c64e6d
    1⤵
    • Modifies WinLogon to allow AutoLogon
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Installer\MSI9744.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSI9E4A.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSI9744.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSI9E4A.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • memory/200-14-0x0000000000000000-mapping.dmp
    Download
  • memory/1376-19-0x0000000000000000-mapping.dmp
    Download
  • memory/2084-20-0x0000000000000000-mapping.dmp
    Download
  • memory/2284-21-0x0000000000000000-mapping.dmp
    Download
  • memory/3860-22-0x0000000000000000-mapping.dmp
    Download