Overview

overview

8

Static

static

8

1b8f944763...57.msi

windows10_x64

Analysis

  • max time kernel
    36s
  • max time network
    37s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    17-07-2021 03:10

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Remote task has failed: Machine shutdown
Report Analysis Logs

General

  • Target

    1b8f9447633021747685b230b426e4138d411a98240ebc040abdf25995065857.msi

  • Size

    300KB

  • MD5

    d0bd80d612c1c80cfa645224ef8ec2b4

  • SHA1

    a1d3bb499cdd115c151cbcc3571a8835feecbd94

  • SHA256

    1b8f9447633021747685b230b426e4138d411a98240ebc040abdf25995065857

  • SHA512

    91491c7b54447fdebc75dd2f081cd90ffc909f8b6706c6a956bb88aad9bc712f97ec090304738b9bf2fb2ec8076c895694d44e26b7c1daba127ed109ddd00752

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1b8f9447633021747685b230b426e4138d411a98240ebc040abdf25995065857.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:808
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F842C348AEA41AA1C6DF45DB5E57A714
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3272
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "AdminQgt7s©" /t reg_sz /d "\"C:\AdminQgt7s©\tCL3C©.exe\"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3104
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "AdminQgt7s©" /t reg_sz /d "\"C:\AdminQgt7s©\tCL3C©.exe\"
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:792
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C start /MIN shutdown -r -f -t 20 -c "Windows atualizado com sucesso,o computador será reiniciado,para aplicar as atualizações instaladas..."
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3820
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown -r -f -t 20 -c "Windows atualizado com sucesso,o computador será reiniciado,para aplicar as atualizações instaladas..."
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3676
  • C:\Windows\system32\wlrmdr.exe
    -s -1 -f 2 -t You're about to be signed out -m Windows atualizado com sucesso,o computador será reiniciado,para aplicar as atualizações instaladas... -a 3
    1⤵
      PID:412
    • C:\Windows\system32\wlrmdr.exe
      -s -1 -f 2 -t You're about to be signed out -m Windows atualizado com sucesso,o computador será reiniciado,para aplicar as atualizações instaladas... -a 3
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3892
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0 /state0:0xa3ad2855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:356

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Installer\MSI79C9.tmp
      MD5

      9f1e5d66c2889018daef4aef604eebc4

      SHA1

      b80294261c8a1635e16e14f55a3d76889ff2c857

      SHA256

      02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

      SHA512

      8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

      Download Submit
    • C:\Windows\Installer\MSI80B0.tmp
      MD5

      9f1e5d66c2889018daef4aef604eebc4

      SHA1

      b80294261c8a1635e16e14f55a3d76889ff2c857

      SHA256

      02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

      SHA512

      8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

      Download Submit
    • \Windows\Installer\MSI79C9.tmp
      MD5

      9f1e5d66c2889018daef4aef604eebc4

      SHA1

      b80294261c8a1635e16e14f55a3d76889ff2c857

      SHA256

      02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

      SHA512

      8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

      Download Submit
    • \Windows\Installer\MSI80B0.tmp
      MD5

      9f1e5d66c2889018daef4aef604eebc4

      SHA1

      b80294261c8a1635e16e14f55a3d76889ff2c857

      SHA256

      02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

      SHA512

      8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

      Download Submit
    • memory/792-128-0x0000000000000000-mapping.dmp
      Download
    • memory/3104-125-0x0000000000000000-mapping.dmp
      Download
    • memory/3272-118-0x0000000000000000-mapping.dmp
      Download
    • memory/3676-127-0x0000000000000000-mapping.dmp
      Download
    • memory/3820-126-0x0000000000000000-mapping.dmp
      Download