Analysis

  • max time kernel
    26s
  • max time network
    30s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    11-03-2021 13:49

Errors

Reason
Machine shutdown

General

  • Target

    4_2342234575679328584.msi

  • Size

    266KB

  • MD5

    7c07a45d87cc4651a1fd84ec84a26305

  • SHA1

    a2c9403bd3c9482cf666bfef2261e0625d1b5132

  • SHA256

    53cacd3f0415f660597b5636056c0303fb9559ce5a8d9197930ef94c273be306

  • SHA512

    e60e20bdd286bde8828679a8176695119c7bb4d9e679d2ba746f272e1cf868e1a35eb2afb4e0eef15e33cf3927293110e4544d111f5c5c3dbdecea4101414684

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

    Enables rebooting of the machine without requiring login credentials.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4_2342234575679328584.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1160
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 0B257856F760571B6F98CF3D598577D1
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "ÖåóÝåÚpæëÓÛÞàÓvÍ.App.Refresh.System" /t REG_SZ /F /D "C:\ProgramData\Exported Files\ÖåóÝåÚpæëÓÛÞàÓvÍ.App.Refresh.System.exe"
        3⤵
        • Adds Run key to start application
        PID:516
      • C:\WINDOWS\SysWOW64\shutdown.exe
        "C:\WINDOWS\system32\shutdown.exe" -r -t 1 -f
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3872
  • C:\Windows\system32\wlrmdr.exe
    -s -1 -f 2 -t You're about to be signed out -m Windows will shut down in less than a minute. -a 3
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2596
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3ad5055 /state1:0x41c64e6d
    1⤵
    • Modifies WinLogon to allow AutoLogon
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3988

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    • Winlogon Helper DLL (T1004): 1
    • Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    • Modify Registry (T1112): 2
  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSI43f70.LOG
    MD5

    bb536a18eb2148c14247d9fdd5469e38

    SHA1

    06d138afe0faedc2f980c838ce6eea19d3c07899

    SHA256

    48e66b5a1cb1e80ab1bf8d05c0f825512b0486884853fcfd81a30af0cb493771

    SHA512

    f5f76d585ef42d1d81de803613d35e8b9e3493cf64a42370d945e8955221957f0c9569da1397b37fa61b4eaf844d06311a7cb937a07ab9424c973c61ef3d09e1

  • C:\Windows\Installer\MSI44A0.tmp
    MD5

    5c5bef05b6f3806106f8f3ce13401cc1

    SHA1

    6005fbe17f6e917ac45317552409d7a60976db14

    SHA256

    f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

    SHA512

    97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

  • C:\Windows\Installer\MSI4BE4.tmp
    MD5

    5c5bef05b6f3806106f8f3ce13401cc1

    SHA1

    6005fbe17f6e917ac45317552409d7a60976db14

    SHA256

    f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

    SHA512

    97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

  • \Windows\Installer\MSI44A0.tmp
    MD5

    5c5bef05b6f3806106f8f3ce13401cc1

    SHA1

    6005fbe17f6e917ac45317552409d7a60976db14

    SHA256

    f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

    SHA512

    97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

  • \Windows\Installer\MSI4BE4.tmp
    MD5

    5c5bef05b6f3806106f8f3ce13401cc1

    SHA1

    6005fbe17f6e917ac45317552409d7a60976db14

    SHA256

    f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

    SHA512

    97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

  • memory/516-11-0x0000000000000000-mapping.dmp
  • memory/2600-6-0x0000000000000000-mapping.dmp
  • memory/3872-12-0x0000000000000000-mapping.dmp