Analysis
- max time kernel: 108s
- max time network: 108s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 11-03-2021 07:24

Behavioral task: behavioral1
- Sample: 12.msi
- Resource: win7v20201028
General
- Target: 12.msi
- Size: 240KB
- MD5: e454beb5e1cec91e4498e8c0b0a5f08d
- SHA1: 37e4e481f50a7b72ef974a5c690a9cdbbadcde9a
- SHA256: c06642bc94a8d7604ef34b33bbf2994ae789c18e3d0bd7019720294c58fe021e
- SHA512: 70329c0c264af855875c6c1511c2de8dbcbaea0a6d60139cb803158983fa58733d15ce45c5637cea3da690f4e49851731218cf5c1cc19dc49198da9d06017539
Malware Config
Signatures
- NetWire RAT payload (2 IoCs)
  YARA rule "netwire" matched in two memory dumps of PID 1500 (the dropped MSIE581.tmp):
    behavioral1/memory/1500-10-0x0000000000220000-0x000000000024A000-memory.dmp
    behavioral1/memory/1500-12-0x0000000000400000-0x0000000000433000-memory.dmp
  The second dump starts at 0x400000, the usual 32-bit image base, so it covers the dropped executable itself; the first lies outside that image, consistent with the payload also being present unpacked in private memory.
- Executes dropped EXE (1 IoC)
  PID 1500 MSIE581.tmp
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  Every drive letter except C: and D: appears twice in the list (48 opens in total); both msiexec.exe instances in the process tree carry this signature.
- Drops file in Windows directory (9 IoCs)
  File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSIE581.tmp (msiexec.exe)
  File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
  File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
  File created: C:\Windows\Installer\f74e2a1.msi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSIE4D3.tmp (msiexec.exe)
  File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
  File opened for modification: C:\Windows\Installer\f74e2a1.msi (msiexec.exe)
  File created: C:\Windows\Installer\f74e2a3.ipi (msiexec.exe)
- Modifies data under HKEY_USERS (44 IoCs)
  All by DrvInst.exe (PID 748):
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
  Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
  Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
  Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
  These are the per-profile certificate-store, WinTrust and MUI-cache keys that Windows initialises under the .DEFAULT hive when DrvInst.exe runs as SYSTEM; they are side effects of the installer's restore-point snapshot, not writes by the payload, and are not useful as hunting indicators.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1264 msiexec.exe (twice)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1656 msiexec.exe
- Suspicious use of AdjustPrivilegeToken (57 IoCs)
  msiexec.exe PID 1656 (31): SeShutdownPrivilege (x2), SeIncreaseQuotaPrivilege (x2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  msiexec.exe PID 1264 (13): SeRestorePrivilege (x6), SeTakeOwnershipPrivilege (x5), SeSecurityPrivilege, SeBackupPrivilege
  vssvc.exe PID 772 (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  DrvInst.exe PID 748 (10): SeRestorePrivilege (x7), SeLoadDriverPrivilege (x3)
  This pattern (the client msiexec.exe enabling a wide privilege set, the service instance toggling backup, restore and take-ownership, vssvc.exe and DrvInst.exe using backup, restore and load-driver privileges) is routine for a Windows Installer run that creates a restore point; it does not by itself distinguish this sample from a benign MSI.
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 1656 msiexec.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1264 msiexec.exe wrote to memory of PID 1500 MSIE581.tmp (4 writes)
  These are the writes a parent makes into a child it is creating; the notable part is the target, the dropped MSIE581.tmp, not the write itself.
Processes
PIDs below are taken from the signature tables above; the original tree marks only nesting depth (1 = top level, 2 = child).
- C:\Windows\system32\msiexec.exe (PID 1656)
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\12.msi
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 1264, the Windows Installer service instance)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Installer\MSIE581.tmp (PID 1500, child of PID 1264)
    "C:\Windows\Installer\MSIE581.tmp"
    - Executes dropped EXE
- C:\Windows\system32\vssvc.exe (PID 772)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe (PID 748)
  DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000003AC" "00000000000004D8"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
The vssvc.exe and DrvInst.exe processes (note the VolumeSnapshot device argument) belong to the system restore point the Installer service takes before installing; they are side effects of msiexec.exe, not of the payload. The chain that matters is msiexec.exe /V extracting MSIE581.tmp into C:\Windows\Installer\ and executing it, after which the NetWire YARA rule fires on that process's memory.
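Added example, not part of the sandbox report: detection logic over constructed Sysmon-style events that reproduces two of the signatures above, the Installer-service msiexec.exe (/V) launching an executable from C:\Windows\Installer\MSI*.tmp, and a single process opening the root of most drive letters. The event shape and the parent PIDs of the top-level processes are assumptions; the PIDs, images and command lines are those of this report.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events modelled on this report's process tree and
# its "Enumerates connected drives" IoCs. The parent PIDs of the top-level
# processes (1000 = explorer.exe, 500 = services.exe) are assumptions; the
# report does not show them.
def _drive_opens(pid):
    # Every root except C: and D:, the 24 letters listed in the report.
    return [{"type": "FileOpen", "pid": pid, "path": "\\??\\" + c + ":"}
            for c in "ABEFGHIJKLMNOPQRSTUVWXYZ"]

SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 1656, "ppid": 1000,
     "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\12.msi"},
    {"type": "ProcessCreate", "pid": 1264, "ppid": 500,
     "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"type": "ProcessCreate", "pid": 1500, "ppid": 1264,
     "image": r"C:\Windows\Installer\MSIE581.tmp",
     "cmdline": r'"C:\Windows\Installer\MSIE581.tmp"'},
    {"type": "ProcessCreate", "pid": 772, "ppid": 500,
     "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
    {"type": "ProcessCreate", "pid": 748, "ppid": 500,
     "image": r"C:\Windows\system32\DrvInst.exe",
     "cmdline": r'DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" '
                r'"" "" "6d110b0a3" "0000000000000000" "00000000000003AC" "00000000000004D8"'},
    # Constructed control case: a process that only touches the system drive.
    {"type": "FileOpen", "pid": 1000, "path": r"\??\C:"},
] + _drive_opens(1656) + _drive_opens(1264)

INSTALLER_TMP_RE = re.compile(r"^C:\\Windows\\Installer\\MSI[0-9A-F]+\.tmp$", re.IGNORECASE)
MSIEXEC_RE = re.compile(r"\\msiexec\.exe$", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([A-Z]):$", re.IGNORECASE)


def build_process_table(events):
    return {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}


def find_installer_tmp_children(events):
    """Executables run out of C:\\Windows\\Installer\\MSI*.tmp whose parent is
    the Windows Installer service instance (msiexec.exe with the /V switch)."""
    procs = build_process_table(events)
    hits = []
    for p in procs.values():
        if not INSTALLER_TMP_RE.match(p["image"]):
            continue
        parent = procs.get(p["ppid"])
        if parent is None or not MSIEXEC_RE.search(parent["image"]):
            continue
        if any(tok.upper() == "/V" for tok in parent["cmdline"].split()):
            hits.append((p["pid"], p["image"], parent["pid"]))
    return hits


def find_drive_enumeration(events, min_letters=8):
    """PIDs that opened at least min_letters distinct drive roots other than C:,
    returned with the sorted letters they touched."""
    letters = defaultdict(set)
    for e in events:
        if e["type"] != "FileOpen":
            continue
        m = DRIVE_ROOT_RE.match(e["path"])
        if m and m.group(1).upper() != "C":
            letters[e["pid"]].add(m.group(1).upper())
    return {pid: sorted(s) for pid, s in letters.items() if len(s) >= min_letters}


def triage(events):
    """Both signals as (signature name, pid, detail) tuples, mirroring the report."""
    findings = []
    for pid, image, ppid in find_installer_tmp_children(events):
        findings.append(("Executes dropped EXE", pid,
                         f"{image} spawned by msiexec.exe /V (PID {ppid})"))
    for pid, letters in find_drive_enumeration(events).items():
        findings.append(("Enumerates connected drives", pid,
                         f"{len(letters)} drive roots: {''.join(letters)}"))
    return findings


if __name__ == "__main__":
    for name, pid, detail in triage(SAMPLE_EVENTS):
        print(f"[{name}] pid={pid} {detail}")
```

The msiexec /V to MSI*.tmp pattern is also how legitimate MSI binary custom actions run, so on its own it is noisy; treat it as a pivot and pair it with what the child does next (a memory YARA hit as here, network connections, or persistence that outlives msiexec).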
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Installer\MSIE581.tmp
  MD5: 2ac73e1ff512b1d7954e2b6bf36552b5
  SHA1: daa74846340dc814a884566ecb64f6d06b12781e
  SHA256: c65f180478891893801bf1e4a3e2b8f534079161587a07319d53d051dc40dcb8
  SHA512: 049bd48374659c74c071548b2abe48569195540d53160a62edc2cc571289adce97d17b9e714078408f9882f8a9ce12a46f3d4f21db1cc90f0f51c66fa2a558e4
- memory/1500-7-0x0000000000000000-mapping.dmp
- memory/1500-9-0x0000000002E80000-0x0000000002E91000-memory.dmp (Filesize 68KB)
- memory/1500-10-0x0000000000220000-0x000000000024A000-memory.dmp (Filesize 168KB)
- memory/1500-11-0x00000000765A1000-0x00000000765A3000-memory.dmp (Filesize 8KB)
- memory/1500-12-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize 204KB)
- memory/1656-2-0x000007FEFC251000-0x000007FEFC253000-memory.dmp (Filesize 8KB)
- memory/1656-3-0x0000000003280000-0x0000000003284000-memory.dmp (Filesize 16KB)
- memory/1656-4-0x0000000004110000-0x0000000004114000-memory.dmp (Filesize 16KB)
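Added example, not code from the sandbox or this report: a parser for the dump names above that recomputes each region's size from its address range, checks it against the listed Filesize, and classifies the two netwire YARA hits as inside the dropped executable's image mapping or in private memory. The dump names and sizes are copied from the list above; the 0x400000 image base used to identify the image mapping is an assumption (the classic 32-bit default) that the report does not state.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Dump names and Filesize values copied from the Downloads list of this report;
# the two YARA hits come from its "NetWire RAT payload" signature. Nothing is
# fetched from the sandbox; everything is inline.
DUMP_NAMES = [
    "memory/1500-7-0x0000000000000000-mapping.dmp",
    "memory/1500-9-0x0000000002E80000-0x0000000002E91000-memory.dmp",
    "memory/1500-10-0x0000000000220000-0x000000000024A000-memory.dmp",
    "memory/1500-11-0x00000000765A1000-0x00000000765A3000-memory.dmp",
    "memory/1500-12-0x0000000000400000-0x0000000000433000-memory.dmp",
    "memory/1656-2-0x000007FEFC251000-0x000007FEFC253000-memory.dmp",
    "memory/1656-3-0x0000000003280000-0x0000000003284000-memory.dmp",
    "memory/1656-4-0x0000000004110000-0x0000000004114000-memory.dmp",
]
REPORTED_KB = {DUMP_NAMES[1]: 68, DUMP_NAMES[2]: 168, DUMP_NAMES[3]: 8, DUMP_NAMES[4]: 204,
               DUMP_NAMES[5]: 8, DUMP_NAMES[6]: 16, DUMP_NAMES[7]: 16}
NETWIRE_HITS = {DUMP_NAMES[2], DUMP_NAMES[4]}

# Assumption: the dropped 32-bit executable is linked at the classic 0x400000
# base, so the dump starting there is its mapped image.
DEFAULT_IMAGE_BASE = 0x400000

_MEMORY_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
_MAPPING_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<addr>[0-9A-Fa-f]+)-mapping\.dmp$")


@dataclass(frozen=True)
class DumpRegion:
    name: str
    pid: int
    index: int
    start: int
    end: Optional[int]   # None for a mapping dump, which carries a single address
    kind: str            # "memory" or "mapping"

    @property
    def size(self) -> int:
        return 0 if self.end is None else self.end - self.start

    @property
    def size_kb(self) -> int:
        return self.size // 1024


def parse_dump_name(name: str) -> DumpRegion:
    """Parse 'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp' or the mapping form."""
    m = _MEMORY_RE.match(name)
    if m:
        return DumpRegion(name, int(m["pid"]), int(m["idx"]),
                          int(m["start"], 16), int(m["end"], 16), "memory")
    m = _MAPPING_RE.match(name)
    if m:
        return DumpRegion(name, int(m["pid"]), int(m["idx"]),
                          int(m["addr"], 16), None, "mapping")
    raise ValueError(f"unrecognised dump name: {name}")


def check_reported_sizes(names, reported_kb):
    """(name, computed_kb, reported_kb) for every dump whose address range does
    not match the Filesize the report lists; an empty list means consistent."""
    bad = []
    for n in names:
        r = parse_dump_name(n)
        if n in reported_kb and r.size_kb != reported_kb[n]:
            bad.append((n, r.size_kb, reported_kb[n]))
    return bad


def classify_hits(names, hits):
    """Split YARA-hit dumps into those inside the process's image mapping and
    those in private memory, and collect the PIDs involved."""
    regions = [parse_dump_name(n) for n in names]
    image_range = {r.pid: (r.start, r.end) for r in regions
                   if r.kind == "memory" and r.start == DEFAULT_IMAGE_BASE}
    out = {"image": [], "private": [], "pids": set()}
    for r in regions:
        if r.name not in hits:
            continue
        out["pids"].add(r.pid)
        rng = image_range.get(r.pid)
        inside = (r.kind == "memory" and rng is not None
                  and rng[0] <= r.start and r.end <= rng[1])
        out["image" if inside else "private"].append(r.name)
    return out


if __name__ == "__main__":
    print("size mismatches:", check_reported_sizes(DUMP_NAMES, REPORTED_KB))
    print("netwire hits:", classify_hits(DUMP_NAMES, NETWIRE_HITS))
```

A hit confined to the image mapping can be explained by the file on disk; a hit in a private region (here 0x220000-0x24A000) is the unpacked payload, and that dump is the one to carve a clean NetWire binary from.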