53cacd3f0415f660597b5636056c0303fb9559ce5a8d9197930ef94c273be306

Reason

Machine shutdown

General

Target

4_2342234575679328584.msi
Size

266KB
MD5

7c07a45d87cc4651a1fd84ec84a26305
SHA1

a2c9403bd3c9482cf666bfef2261e0625d1b5132
SHA256

53cacd3f0415f660597b5636056c0303fb9559ce5a8d9197930ef94c273be306
SHA512

e60e20bdd286bde8828679a8176695119c7bb4d9e679d2ba746f272e1cf868e1a35eb2afb4e0eef15e33cf3927293110e4544d111f5c5c3dbdecea4101414684

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

MsiExec.exe

flow pid process

6 1684 MsiExec.exe
7 1684 MsiExec.exe
Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

1684 MsiExec.exe
1684 MsiExec.exe

flow	pid	process
6	1684	MsiExec.exe
7	1684	MsiExec.exe

pid	process
1684	MsiExec.exe
1684	MsiExec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ÑÎØÉÞÔìáâÎìpØÛìx.App.Refresh.System = "C:\\ProgramData\\Exported Files\\ÑÎØÉÞÔìáâÎìpØÛìx.App.Refresh.System.exe"	reg.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 8 IoCs

Processes:

MsiExec.exe

description	ioc	process
File created	C:\PROGRA~3\EXPORT~1\msvcr120.dll	MsiExec.exe
File opened for modification	C:\PROGRA~3\EXPORT~1\msvcr120.dll	MsiExec.exe
File created	C:\PROGRA~3\EXPORT~1\Avira.OE.NativeCore.dll	MsiExec.exe
File opened for modification	C:\PROGRA~3\EXPORT~1\Avira.OE.NativeCore.dll	MsiExec.exe
File created	C:\PROGRA~3\EXPORT~1\build1	MsiExec.exe
File opened for modification	C:\PROGRA~3\EXPORT~1\build1	MsiExec.exe
File created	C:\PROGRA~3\EXPORT~1\msvcp120.dll	MsiExec.exe
File opened for modification	C:\PROGRA~3\EXPORT~1\msvcp120.dll	MsiExec.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI17B7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f741364.ipi	msiexec.exe
File created	C:\Windows\Installer\f741362.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f741362.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI142C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1630.tmp	msiexec.exe
File created	C:\Windows\Installer\f741364.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1440 msiexec.exe
1440 msiexec.exe

pid	process
1440	msiexec.exe
1440	msiexec.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

msiexec.exemsiexec.exeshutdown.exe

description	pid	process
Token: SeShutdownPrivilege	1924	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1924	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeSecurityPrivilege	1440	msiexec.exe
Token: SeCreateTokenPrivilege	1924	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1924	msiexec.exe
Token: SeLockMemoryPrivilege	1924	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1924	msiexec.exe
Token: SeMachineAccountPrivilege	1924	msiexec.exe
Token: SeTcbPrivilege	1924	msiexec.exe
Token: SeSecurityPrivilege	1924	msiexec.exe
Token: SeTakeOwnershipPrivilege	1924	msiexec.exe
Token: SeLoadDriverPrivilege	1924	msiexec.exe
Token: SeSystemProfilePrivilege	1924	msiexec.exe
Token: SeSystemtimePrivilege	1924	msiexec.exe
Token: SeProfSingleProcessPrivilege	1924	msiexec.exe
Token: SeIncBasePriorityPrivilege	1924	msiexec.exe
Token: SeCreatePagefilePrivilege	1924	msiexec.exe
Token: SeCreatePermanentPrivilege	1924	msiexec.exe
Token: SeBackupPrivilege	1924	msiexec.exe
Token: SeRestorePrivilege	1924	msiexec.exe
Token: SeShutdownPrivilege	1924	msiexec.exe
Token: SeDebugPrivilege	1924	msiexec.exe
Token: SeAuditPrivilege	1924	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1924	msiexec.exe
Token: SeChangeNotifyPrivilege	1924	msiexec.exe
Token: SeRemoteShutdownPrivilege	1924	msiexec.exe
Token: SeUndockPrivilege	1924	msiexec.exe
Token: SeSyncAgentPrivilege	1924	msiexec.exe
Token: SeEnableDelegationPrivilege	1924	msiexec.exe
Token: SeManageVolumePrivilege	1924	msiexec.exe
Token: SeImpersonatePrivilege	1924	msiexec.exe
Token: SeCreateGlobalPrivilege	1924	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeShutdownPrivilege	1196	shutdown.exe
Token: SeRemoteShutdownPrivilege	1196	shutdown.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1924 msiexec.exe
1924 msiexec.exe

pid	process
1924	msiexec.exe
1924	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

msiexec.exeMsiExec.exe

description	pid	process	target process
PID 1440 wrote to memory of 1684	1440	msiexec.exe	MsiExec.exe
PID 1440 wrote to memory of 1684	1440	msiexec.exe	MsiExec.exe
PID 1440 wrote to memory of 1684	1440	msiexec.exe	MsiExec.exe
PID 1440 wrote to memory of 1684	1440	msiexec.exe	MsiExec.exe
PID 1440 wrote to memory of 1684	1440	msiexec.exe	MsiExec.exe
PID 1440 wrote to memory of 1684	1440	msiexec.exe	MsiExec.exe
PID 1440 wrote to memory of 1684	1440	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 960	1684	MsiExec.exe	reg.exe
PID 1684 wrote to memory of 960	1684	MsiExec.exe	reg.exe
PID 1684 wrote to memory of 960	1684	MsiExec.exe	reg.exe
PID 1684 wrote to memory of 960	1684	MsiExec.exe	reg.exe
PID 1684 wrote to memory of 1196	1684	MsiExec.exe	shutdown.exe
PID 1684 wrote to memory of 1196	1684	MsiExec.exe	shutdown.exe
PID 1684 wrote to memory of 1196	1684	MsiExec.exe	shutdown.exe
PID 1684 wrote to memory of 1196	1684	MsiExec.exe	shutdown.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4_2342234575679328584.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1924

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5686C2B13385200E5C0E0FF3476ED057
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "ÑÎØÉÞÔìáâÎìpØÛìx.App.Refresh.System" /t REG_SZ /F /D "C:\ProgramData\Exported Files\ÑÎØÉÞÔìáâÎìpØÛìx.App.Refresh.System.exe"
3⤵
- Adds Run key to start application
PID:960

C:\WINDOWS\SysWOW64\shutdown.exe
"C:\WINDOWS\system32\shutdown.exe" -r -t 1 -f
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t You are about to be logged off -m Windows will shut down in less than a minute. -a 3
1⤵
PID:1076

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1616

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI40f1e.LOG
MD5
3f0939862fa1c39e9a31f31b94416cbf

SHA1
17609b02e9a4104b84c4aaca13afe6a5c5ab586d

SHA256
880cbfb41a4c36c7f568378ec47a7d3da2b97bb1ae71ec762c8a695e17067012

SHA512
abae8111225ef53352422c52be953e1ccb53bd220e4c2141d485476953859e3c0c3b2cddb225b21aef6974ac7188ba46adc8d381cef9ff9cb3dc12ef0195e215

Download Submit
C:\Windows\Installer\MSI142C.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
C:\Windows\Installer\MSI1630.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
\Windows\Installer\MSI142C.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
\Windows\Installer\MSI1630.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
memory/840-21-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/928-12-0x000007FEF79D0000-0x000007FEF7C4A000-memory.dmp

Filesize
2.5MB

Download
memory/960-13-0x0000000000000000-mapping.dmp

Download
memory/1076-18-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1196-14-0x0000000000000000-mapping.dmp

Download
memory/1616-19-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1684-11-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/1684-6-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1684-5-0x0000000000000000-mapping.dmp

Download
memory/1924-16-0x00000000020D0000-0x00000000020D4000-memory.dmp

Filesize
16KB

Download
memory/1924-2-0x000007FEFC021000-0x000007FEFC023000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads