Analysis
- max time kernel: 36s
- max time network: 37s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 17-07-2021 03:10
Behavioral task: behavioral1
Sample: 1b8f9447633021747685b230b426e4138d411a98240ebc040abdf25995065857.msi
Resource: win10v20210408
Errors
General
- Target: 1b8f9447633021747685b230b426e4138d411a98240ebc040abdf25995065857.msi
- Size: 300KB
- MD5: d0bd80d612c1c80cfa645224ef8ec2b4
- SHA1: a1d3bb499cdd115c151cbcc3571a8835feecbd94
- SHA256: 1b8f9447633021747685b230b426e4138d411a98240ebc040abdf25995065857
- SHA512: 91491c7b54447fdebc75dd2f081cd90ffc909f8b6706c6a956bb88aad9bc712f97ec090304738b9bf2fb2ec8076c895694d44e26b7c1daba127ed109ddd00752
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
- flow 10, PID 3272, MsiExec.exe
Loads dropped DLL 2 IoCs
Processes:
- PID 3272 MsiExec.exe (2 entries)
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdminQgt7s© = "\"C:\\AdminQgt7s©\\tCL3C©.exe\"" (reg.exe)
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- File opened (read-only) by msiexec.exe, two instances, so each drive root is listed twice: \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (24 drive letters x 2 = 48 IoCs; C: is excluded by the signature and D: does not appear)
Drops file in Windows directory 9 IoCs
Processes:
- File created: C:\Windows\Installer\f7478df.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI79C9.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File created: C:\Windows\Installer\SourceHash{3F619FA0-6D2A-41D7-8ED5-E5B522D88431} (msiexec.exe)
- File opened for modification: C:\Windows\Installer\f7478df.msi (msiexec.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI80B0.tmp (msiexec.exe)
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI8295.tmp (msiexec.exe)
Modifies data under HKEY_USERS 15 IoCs
Processes:
All entries by LogonUI.exe:
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
Modifies registry key 1 TTPs 1 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
- flow 10: HTTP User-Agent header = Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
- PID 4004 msiexec.exe (2 entries)
- PID 3892 wlrmdr.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
Grouped by process (48 entries in total):
- PID 808 msiexec.exe (31 entries): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- PID 4004 msiexec.exe (15 entries): SeSecurityPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating seven times
- PID 3676 shutdown.exe (2 entries): SeShutdownPrivilege, SeRemoteShutdownPrivilege
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
- PID 808 msiexec.exe (2 entries)
- PID 3272 MsiExec.exe (3 entries)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- PID 3892 wlrmdr.exe
- PID 356 LogonUI.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
- PID 4004 msiexec.exe wrote to memory of PID 3272 MsiExec.exe (3 entries)
- PID 3272 MsiExec.exe wrote to memory of PID 3104 cmd.exe (3 entries)
- PID 3272 MsiExec.exe wrote to memory of PID 3820 cmd.exe (3 entries)
- PID 3820 cmd.exe wrote to memory of PID 3676 shutdown.exe (3 entries)
- PID 3104 cmd.exe wrote to memory of PID 792 reg.exe (3 entries)
Processes
(Nesting shows the parent/child tree; PIDs are taken from the signature tables above, and none is recorded for the first wlrmdr.exe instance.)
- C:\Windows\system32\msiexec.exe (PID 808)
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1b8f9447633021747685b230b426e4138d411a98240ebc040abdf25995065857.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4004)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 3272)
    C:\Windows\syswow64\MsiExec.exe -Embedding F842C348AEA41AA1C6DF45DB5E57A714
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3104)
      "C:\Windows\system32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "AdminQgt7s©" /t reg_sz /d "\"C:\AdminQgt7s©\tCL3C©.exe\"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 792)
        reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "AdminQgt7s©" /t reg_sz /d "\"C:\AdminQgt7s©\tCL3C©.exe\"
        - Adds Run key to start application
        - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 3820)
      "C:\Windows\system32\cmd.exe" /C start /MIN shutdown -r -f -t 20 -c "Windows atualizado com sucesso,o computador será reiniciado,para aplicar as atualizações instaladas..."
      (The Portuguese message reads: "Windows updated successfully, the computer will restart to apply the installed updates...")
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\shutdown.exe (PID 3676)
        shutdown -r -f -t 20 -c "Windows atualizado com sucesso,o computador será reiniciado,para aplicar as atualizações instaladas..."
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wlrmdr.exe (PID not recorded)
  -s -1 -f 2 -t You're about to be signed out -m Windows atualizado com sucesso,o computador será reiniciado,para aplicar as atualizações instaladas... -a 3
- C:\Windows\system32\wlrmdr.exe (PID 3892)
  -s -1 -f 2 -t You're about to be signed out -m Windows atualizado com sucesso,o computador será reiniciado,para aplicar as atualizações instaladas... -a 3
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\LogonUI.exe (PID 356)
  "LogonUI.exe" /flags:0x0 /state0:0xa3ad2855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
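The process tree above is the whole story of this sample: the 32-bit MsiExec.exe custom-action host (PID 3272) spawns two minimised cmd.exe children, one registering an HKCU Run value that points at C:\AdminQgt7s©\tCL3C©.exe (a path that does not appear among the dropped files recorded in this report), the other forcing a reboot in 20 seconds behind a Portuguese "Windows updated successfully" message so the restart looks legitimate and the Run entry fires at the next logon. The following Python is an added detection example, not part of the sandbox report: it walks parent/child ancestry over process-creation records and flags a Run-key write or a forced reboot only when msiexec.exe is an ancestor. The records are constructed from the PIDs and command lines above, with Sysmon Event ID 1 style field names, plus a benign control chain (explorer.exe -> cmd.exe -> reg.exe writing an unrelated key) that is not in the report.

```python
"""Detection for the installer-spawned persistence and forced-reboot chain seen in
the report above: MsiExec.exe -> cmd.exe -> reg.exe (HKCU Run value) and
MsiExec.exe -> cmd.exe -> shutdown.exe -r -f.  Added example, not sandbox output."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree and WriteProcessMemory table.
# PIDs and command lines are the report's; the last three events are a
# benign control chain that is NOT in the report.
PT_MSG = ("Windows atualizado com sucesso,o computador será reiniciado,"
          "para aplicar as atualizações instaladas...")
EVENTS = [
    ProcEvent(4004, 0, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(3272, 4004, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding F842C348AEA41AA1C6DF45DB5E57A714"),
    ProcEvent(3104, 3272, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /C start /MIN reg add '
              r'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "AdminQgt7s©" '
              r'/t reg_sz /d "\"C:\AdminQgt7s©\tCL3C©.exe\"'),
    ProcEvent(792, 3104, r"C:\Windows\SysWOW64\reg.exe",
              r'reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "AdminQgt7s©" '
              r'/t reg_sz /d "\"C:\AdminQgt7s©\tCL3C©.exe\"'),
    ProcEvent(3820, 3272, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /C start /MIN shutdown -r -f -t 20 -c "' + PT_MSG + '"'),
    ProcEvent(3676, 3820, r"C:\Windows\SysWOW64\shutdown.exe",
              'shutdown -r -f -t 20 -c "' + PT_MSG + '"'),
    ProcEvent(5000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5001, 5000, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c reg add HKCU\Software\Contoso\App /v Theme /t REG_SZ /d dark"),
    ProcEvent(5002, 5001, r"C:\Windows\System32\reg.exe",
              r"reg add HKCU\Software\Contoso\App /v Theme /t REG_SZ /d dark"),
]

# Matches the per-user and machine Run / RunOnce autostart keys.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Process chain from the outermost known ancestor down to `pid` (root first)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)                      # PID reuse can otherwise produce a cycle
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    chain.reverse()
    return chain


def _under_installer(chain):
    """True when any ancestor (not the process itself) is msiexec.exe."""
    return any(_basename(e.image) == "msiexec.exe" for e in chain[:-1])


def detect(events):
    """One finding per reg.exe Run-key write or forced reboot that descends
    from msiexec.exe; both are what this sample's custom action did."""
    findings = []
    for e in events:
        chain = ancestry(events, e.pid)
        if not _under_installer(chain):
            continue
        name, tokens = _basename(e.image), e.cmdline.lower().split()
        if name == "reg.exe" and "add" in tokens and RUN_KEY_RE.search(e.cmdline):
            value = re.search(r'/v\s+"?([^"\s]+)"?', e.cmdline)
            data = re.search(r"/d\s+(.+)$", e.cmdline)
            findings.append({
                "rule": "msi_run_key_persistence",
                "pid": e.pid,
                "chain": [c.pid for c in chain],
                "value_name": value.group(1) if value else None,
                # strip the cmd-escaped quotes (\") the sample wrapped the path in
                "target": data.group(1).replace('\\"', "").strip('"') if data else None,
            })
        elif name == "shutdown.exe" and {"-r", "/r"} & set(tokens) and {"-f", "/f"} & set(tokens):
            msg = re.search(r'[-/]c\s+"([^"]*)"', e.cmdline)
            findings.append({
                "rule": "msi_forced_reboot",
                "pid": e.pid,
                "chain": [c.pid for c in chain],
                "message": msg.group(1) if msg else None,
            })
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Running the file prints two findings whose chain field lists PIDs root-first (4004 -> 3272 -> 3104 -> 792 and 4004 -> 3272 -> 3820 -> 3676), so an analyst sees at a glance that both commands descend from the installer's custom-action host rather than from the user's shell; the control chain produces nothing because neither condition holds. The ancestry walk stops at a PID it has already visited, which matters on real telemetry where PID reuse can otherwise loop the parent chain.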
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Windows\Installer\MSI79C9.tmp
- C:\Windows\Installer\MSI80B0.tmp
- \Windows\Installer\MSI79C9.tmp
- \Windows\Installer\MSI80B0.tmp
All four entries report the same hashes (identical content recorded under two file names and under both path forms):
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
Memory dumps:
- memory/792-128-0x0000000000000000-mapping.dmp
- memory/3104-125-0x0000000000000000-mapping.dmp
- memory/3272-118-0x0000000000000000-mapping.dmp
- memory/3676-127-0x0000000000000000-mapping.dmp
- memory/3820-126-0x0000000000000000-mapping.dmp