Analysis
-
max time kernel
26s -
max time network
30s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
11-03-2021 13:49
Behavioral task
behavioral1
Sample
4_2342234575679328584.msi
Resource
win7v20201028
Behavioral task
behavioral2
Sample
4_2342234575679328584.msi
Resource
win10v20201028
Errors
General
-
Target
4_2342234575679328584.msi
-
Size
266KB
-
MD5
7c07a45d87cc4651a1fd84ec84a26305
-
SHA1
a2c9403bd3c9482cf666bfef2261e0625d1b5132
-
SHA256
53cacd3f0415f660597b5636056c0303fb9559ce5a8d9197930ef94c273be306
-
SHA512
e60e20bdd286bde8828679a8176695119c7bb4d9e679d2ba746f272e1cf868e1a35eb2afb4e0eef15e33cf3927293110e4544d111f5c5c3dbdecea4101414684
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
MsiExec.exeflow pid process 10 2600 MsiExec.exe 13 2600 MsiExec.exe -
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
Processes:
LogonUI.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe -
Loads dropped DLL 2 IoCs
Processes:
MsiExec.exepid process 2600 MsiExec.exe 2600 MsiExec.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\ÖåóÝåÚpæëÓÛÞàÓvÍ.App.Refresh.System = "C:\\ProgramData\\Exported Files\\ÖåóÝåÚpæëÓÛÞàÓvÍ.App.Refresh.System.exe" reg.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe -
Drops file in Windows directory 9 IoCs
Processes:
msiexec.exedescription ioc process File opened for modification C:\Windows\Installer\MSI44A0.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI4E37.tmp msiexec.exe File created C:\Windows\Installer\f7443c5.msi msiexec.exe File opened for modification C:\Windows\Installer\f7443c5.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI4BE4.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\SourceHash{187B873D-9E06-4065-A278-668510B1CE94} msiexec.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
msiexec.exewlrmdr.exepid process 2456 msiexec.exe 2456 msiexec.exe 2596 wlrmdr.exe 2596 wlrmdr.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
msiexec.exemsiexec.exeshutdown.exedescription pid process Token: SeShutdownPrivilege 1160 msiexec.exe Token: SeIncreaseQuotaPrivilege 1160 msiexec.exe Token: SeSecurityPrivilege 2456 msiexec.exe Token: SeCreateTokenPrivilege 1160 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1160 msiexec.exe Token: SeLockMemoryPrivilege 1160 msiexec.exe Token: SeIncreaseQuotaPrivilege 1160 msiexec.exe Token: SeMachineAccountPrivilege 1160 msiexec.exe Token: SeTcbPrivilege 1160 msiexec.exe Token: SeSecurityPrivilege 1160 msiexec.exe Token: SeTakeOwnershipPrivilege 1160 msiexec.exe Token: SeLoadDriverPrivilege 1160 msiexec.exe Token: SeSystemProfilePrivilege 1160 msiexec.exe Token: SeSystemtimePrivilege 1160 msiexec.exe Token: SeProfSingleProcessPrivilege 1160 msiexec.exe Token: SeIncBasePriorityPrivilege 1160 msiexec.exe Token: SeCreatePagefilePrivilege 1160 msiexec.exe Token: SeCreatePermanentPrivilege 1160 msiexec.exe Token: SeBackupPrivilege 1160 msiexec.exe Token: SeRestorePrivilege 1160 msiexec.exe Token: SeShutdownPrivilege 1160 msiexec.exe Token: SeDebugPrivilege 1160 msiexec.exe Token: SeAuditPrivilege 1160 msiexec.exe Token: SeSystemEnvironmentPrivilege 1160 msiexec.exe Token: SeChangeNotifyPrivilege 1160 msiexec.exe Token: SeRemoteShutdownPrivilege 1160 msiexec.exe Token: SeUndockPrivilege 1160 msiexec.exe Token: SeSyncAgentPrivilege 1160 msiexec.exe Token: SeEnableDelegationPrivilege 1160 msiexec.exe Token: SeManageVolumePrivilege 1160 msiexec.exe Token: SeImpersonatePrivilege 1160 msiexec.exe Token: SeCreateGlobalPrivilege 1160 msiexec.exe Token: SeRestorePrivilege 2456 msiexec.exe Token: SeTakeOwnershipPrivilege 2456 msiexec.exe Token: SeRestorePrivilege 2456 msiexec.exe Token: SeTakeOwnershipPrivilege 2456 msiexec.exe Token: SeRestorePrivilege 2456 msiexec.exe Token: SeTakeOwnershipPrivilege 2456 msiexec.exe Token: SeRestorePrivilege 2456 msiexec.exe Token: SeTakeOwnershipPrivilege 2456 msiexec.exe Token: SeRestorePrivilege 2456 msiexec.exe Token: SeTakeOwnershipPrivilege 2456 msiexec.exe Token: SeRestorePrivilege 2456 msiexec.exe Token: SeTakeOwnershipPrivilege 2456 msiexec.exe Token: SeRestorePrivilege 2456 msiexec.exe Token: SeTakeOwnershipPrivilege 2456 msiexec.exe Token: SeShutdownPrivilege 3872 shutdown.exe Token: SeRemoteShutdownPrivilege 3872 shutdown.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 1160 msiexec.exe 1160 msiexec.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
wlrmdr.exeLogonUI.exepid process 2596 wlrmdr.exe 3988 LogonUI.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
msiexec.exeMsiExec.exedescription pid process target process PID 2456 wrote to memory of 2600 2456 msiexec.exe MsiExec.exe PID 2456 wrote to memory of 2600 2456 msiexec.exe MsiExec.exe PID 2456 wrote to memory of 2600 2456 msiexec.exe MsiExec.exe PID 2600 wrote to memory of 516 2600 MsiExec.exe reg.exe PID 2600 wrote to memory of 516 2600 MsiExec.exe reg.exe PID 2600 wrote to memory of 516 2600 MsiExec.exe reg.exe PID 2600 wrote to memory of 3872 2600 MsiExec.exe shutdown.exe PID 2600 wrote to memory of 3872 2600 MsiExec.exe shutdown.exe PID 2600 wrote to memory of 3872 2600 MsiExec.exe shutdown.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4_2342234575679328584.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0B257856F760571B6F98CF3D598577D12⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "ÖåóÝåÚpæëÓÛÞàÓvÍ.App.Refresh.System" /t REG_SZ /F /D "C:\ProgramData\Exported Files\ÖåóÝåÚpæëÓÛÞàÓvÍ.App.Refresh.System.exe"3⤵
- Adds Run key to start application
-
C:\WINDOWS\SysWOW64\shutdown.exe"C:\WINDOWS\system32\shutdown.exe" -r -t 1 -f3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wlrmdr.exe-s -1 -f 2 -t You're about to be signed out -m Windows will shut down in less than a minute. -a 31⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3ad5055 /state1:0x41c64e6d1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MSI43f70.LOGMD5
bb536a18eb2148c14247d9fdd5469e38
SHA106d138afe0faedc2f980c838ce6eea19d3c07899
SHA25648e66b5a1cb1e80ab1bf8d05c0f825512b0486884853fcfd81a30af0cb493771
SHA512f5f76d585ef42d1d81de803613d35e8b9e3493cf64a42370d945e8955221957f0c9569da1397b37fa61b4eaf844d06311a7cb937a07ab9424c973c61ef3d09e1
-
C:\Windows\Installer\MSI44A0.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
C:\Windows\Installer\MSI4BE4.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
\Windows\Installer\MSI44A0.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
\Windows\Installer\MSI4BE4.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
memory/516-11-0x0000000000000000-mapping.dmp
-
memory/2600-6-0x0000000000000000-mapping.dmp
-
memory/3872-12-0x0000000000000000-mapping.dmp