Analysis
- max time kernel: 35s
- max time network: 47s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15-07-2021 19:03
Behavioral task behavioral1
- Sample: banload.msi
- Resource: win7v20210410
Behavioral task behavioral2
- Sample: banload.msi
- Resource: win10v20210408
Errors
General
- Target: banload.msi
- Size: 309KB
- MD5: 495a4543965b4a92c6314294b338602f
- SHA1: a520425e51ae8211ddc85566111d204282e493df
- SHA256: 154080c5844ed76332320fcf3f1773391d80200f18f9025fd05b55b86f8ff795
- SHA512: ddba1d22bb8cf1f4a0bc5dbc8c19087b908370d464b1a64683d69f5553a8da99650fe0ea0d88f5cfab14a37a0bfa5fdf0a9435d05a368efb40cb16c2ac4c9efb
Malware Config
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes:
  flow | pid | process
  11 | 3736 | MsiExec.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  3736 | MsiExec.exe
  3736 | MsiExec.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdminroVyD© = "\"C:\\AdminroVyD©\\bd3aB©.exe\"" | reg.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | process
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
- Drops file in Windows directory (9 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Installer\MSI5866.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI5F0F.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI60E4.tmp | msiexec.exe
  File created | C:\Windows\Installer\f74579b.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{5AC50B2E-05CB-42FD-A8CE-84CB8376FAE9} | msiexec.exe
  File opened for modification | C:\Windows\Installer\f74579b.msi | msiexec.exe
- Modifies data under HKEY_USERS (15 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Script User-Agent (1 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
  description | flow | ioc
  HTTP User-Agent header | 11 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  1792 | msiexec.exe
  1792 | msiexec.exe
  396 | wlrmdr.exe
  396 | wlrmdr.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 3492 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 3492 | msiexec.exe
  Token: SeSecurityPrivilege | 1792 | msiexec.exe
  Token: SeCreateTokenPrivilege | 3492 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 3492 | msiexec.exe
  Token: SeLockMemoryPrivilege | 3492 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 3492 | msiexec.exe
  Token: SeMachineAccountPrivilege | 3492 | msiexec.exe
  Token: SeTcbPrivilege | 3492 | msiexec.exe
  Token: SeSecurityPrivilege | 3492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3492 | msiexec.exe
  Token: SeLoadDriverPrivilege | 3492 | msiexec.exe
  Token: SeSystemProfilePrivilege | 3492 | msiexec.exe
  Token: SeSystemtimePrivilege | 3492 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 3492 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 3492 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 3492 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 3492 | msiexec.exe
  Token: SeBackupPrivilege | 3492 | msiexec.exe
  Token: SeRestorePrivilege | 3492 | msiexec.exe
  Token: SeShutdownPrivilege | 3492 | msiexec.exe
  Token: SeDebugPrivilege | 3492 | msiexec.exe
  Token: SeAuditPrivilege | 3492 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 3492 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 3492 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 3492 | msiexec.exe
  Token: SeUndockPrivilege | 3492 | msiexec.exe
  Token: SeSyncAgentPrivilege | 3492 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 3492 | msiexec.exe
  Token: SeManageVolumePrivilege | 3492 | msiexec.exe
  Token: SeImpersonatePrivilege | 3492 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 3492 | msiexec.exe
  Token: SeRestorePrivilege | 1792 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1792 | msiexec.exe
  Token: SeRestorePrivilege | 1792 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1792 | msiexec.exe
  Token: SeRestorePrivilege | 1792 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1792 | msiexec.exe
  Token: SeRestorePrivilege | 1792 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1792 | msiexec.exe
  Token: SeRestorePrivilege | 1792 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1792 | msiexec.exe
  Token: SeRestorePrivilege | 1792 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1792 | msiexec.exe
  Token: SeRestorePrivilege | 1792 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1792 | msiexec.exe
  Token: SeShutdownPrivilege | 2872 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | 2872 | shutdown.exe
- Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes:
  pid | process
  3492 | msiexec.exe
  3736 | MsiExec.exe
  3736 | MsiExec.exe
  3736 | MsiExec.exe
  3492 | msiexec.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid | process
  396 | wlrmdr.exe
  2192 | LogonUI.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description | pid | process | target process
  PID 1792 wrote to memory of 3736 | 1792 | msiexec.exe | MsiExec.exe
  PID 1792 wrote to memory of 3736 | 1792 | msiexec.exe | MsiExec.exe
  PID 1792 wrote to memory of 3736 | 1792 | msiexec.exe | MsiExec.exe
  PID 3736 wrote to memory of 1476 | 3736 | MsiExec.exe | cmd.exe
  PID 3736 wrote to memory of 1476 | 3736 | MsiExec.exe | cmd.exe
  PID 3736 wrote to memory of 1476 | 3736 | MsiExec.exe | cmd.exe
  PID 3736 wrote to memory of 2100 | 3736 | MsiExec.exe | cmd.exe
  PID 3736 wrote to memory of 2100 | 3736 | MsiExec.exe | cmd.exe
  PID 3736 wrote to memory of 2100 | 3736 | MsiExec.exe | cmd.exe
  PID 1476 wrote to memory of 1832 | 1476 | cmd.exe | reg.exe
  PID 1476 wrote to memory of 1832 | 1476 | cmd.exe | reg.exe
  PID 1476 wrote to memory of 1832 | 1476 | cmd.exe | reg.exe
  PID 2100 wrote to memory of 2872 | 2100 | cmd.exe | shutdown.exe
  PID 2100 wrote to memory of 2872 | 2100 | cmd.exe | shutdown.exe
  PID 2100 wrote to memory of 2872 | 2100 | cmd.exe | shutdown.exe
Processes (tree; indentation shows parent/child depth)
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\banload.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1BFECF281450324F5BCC238C994E47F4
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "AdminroVyD©" /t reg_sz /d "\"C:\AdminroVyD©\bd3aB©.exe\"
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "AdminroVyD©" /t reg_sz /d "\"C:\AdminroVyD©\bd3aB©.exe\"
        - Adds Run key to start application
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C start /MIN shutdown -r -f -t 20 -c "Windows atualizado com sucesso,o computador será reiniciado,para aplicar as atualizações instaladas..."
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\shutdown.exe
        Command line: shutdown -r -f -t 20 -c "Windows atualizado com sucesso,o computador será reiniciado,para aplicar as atualizações instaladas..."
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wlrmdr.exe
  Command line: -s -1 -f 2 -t You're about to be signed out -m Windows atualizado com sucesso,o computador será reiniciado,para aplicar as atualizações instaladas... -a 3
C:\Windows\system32\wlrmdr.exe
  Command line: -s -1 -f 2 -t You're about to be signed out -m Windows atualizado com sucesso,o computador será reiniciado,para aplicar as atualizações instaladas... -a 3
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ad2855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Installer\MSI5866.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
- C:\Windows\Installer\MSI5F0F.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
- \Windows\Installer\MSI5866.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
- \Windows\Installer\MSI5F0F.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
- memory/1476-125-0x0000000000000000-mapping.dmp
- memory/1832-127-0x0000000000000000-mapping.dmp
- memory/2100-126-0x0000000000000000-mapping.dmp
- memory/2872-128-0x0000000000000000-mapping.dmp
- memory/3736-118-0x0000000000000000-mapping.dmp