c16b701105afe180c77befa58f8140f9583a1b0538d13b43e52eb2b996885124

Analysis

max time kernel
137s
max time network
139s
platform
windows7_x64
resource
win7-en
submitted
16-09-2021 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Due-Diligence-Checklist-For-Oil-And-Gas-Properties.msi

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

4 1032 msiexec.exe
6 1032 msiexec.exe
8 1032 msiexec.exe
Executes dropped EXE 1 IoCs

Processes:

MSI564.tmp

pid process

1976 MSI564.tmp
Loads dropped DLL 5 IoCs

Processes:

msiexec.exeMsiExec.exeMsiExec.exe

pid process

1032 msiexec.exe
1536 MsiExec.exe
1280
1536 MsiExec.exe
1288 MsiExec.exe

flow	pid	process
4	1032	msiexec.exe
6	1032	msiexec.exe
8	1032	msiexec.exe

pid	process
1976	MSI564.tmp

pid	process
1032	msiexec.exe
1536	MsiExec.exe
1280
1536	MsiExec.exe
1288	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSI564.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSI564.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSI564.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	MSI564.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\ProcessorNameString	MSI564.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSI564.tmp

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	MSI564.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	MSI564.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	MSI564.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exeMsiExec.exe

pid process

1036 powershell.exe
1288 MsiExec.exe

pid	process
1036	powershell.exe
1288	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1032	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1112	msiexec.exe
Token: SeTakeOwnershipPrivilege	1112	msiexec.exe
Token: SeSecurityPrivilege	1112	msiexec.exe
Token: SeCreateTokenPrivilege	1032	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1032	msiexec.exe
Token: SeLockMemoryPrivilege	1032	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1032	msiexec.exe
Token: SeMachineAccountPrivilege	1032	msiexec.exe
Token: SeTcbPrivilege	1032	msiexec.exe
Token: SeSecurityPrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeLoadDriverPrivilege	1032	msiexec.exe
Token: SeSystemProfilePrivilege	1032	msiexec.exe
Token: SeSystemtimePrivilege	1032	msiexec.exe
Token: SeProfSingleProcessPrivilege	1032	msiexec.exe
Token: SeIncBasePriorityPrivilege	1032	msiexec.exe
Token: SeCreatePagefilePrivilege	1032	msiexec.exe
Token: SeCreatePermanentPrivilege	1032	msiexec.exe
Token: SeBackupPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeShutdownPrivilege	1032	msiexec.exe
Token: SeDebugPrivilege	1032	msiexec.exe
Token: SeAuditPrivilege	1032	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1032	msiexec.exe
Token: SeChangeNotifyPrivilege	1032	msiexec.exe
Token: SeRemoteShutdownPrivilege	1032	msiexec.exe
Token: SeUndockPrivilege	1032	msiexec.exe
Token: SeSyncAgentPrivilege	1032	msiexec.exe
Token: SeEnableDelegationPrivilege	1032	msiexec.exe
Token: SeManageVolumePrivilege	1032	msiexec.exe
Token: SeImpersonatePrivilege	1032	msiexec.exe
Token: SeCreateGlobalPrivilege	1032	msiexec.exe
Token: SeCreateTokenPrivilege	1032	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1032	msiexec.exe
Token: SeLockMemoryPrivilege	1032	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1032	msiexec.exe
Token: SeMachineAccountPrivilege	1032	msiexec.exe
Token: SeTcbPrivilege	1032	msiexec.exe
Token: SeSecurityPrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeLoadDriverPrivilege	1032	msiexec.exe
Token: SeSystemProfilePrivilege	1032	msiexec.exe
Token: SeSystemtimePrivilege	1032	msiexec.exe
Token: SeProfSingleProcessPrivilege	1032	msiexec.exe
Token: SeIncBasePriorityPrivilege	1032	msiexec.exe
Token: SeCreatePagefilePrivilege	1032	msiexec.exe
Token: SeCreatePermanentPrivilege	1032	msiexec.exe
Token: SeBackupPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeShutdownPrivilege	1032	msiexec.exe
Token: SeDebugPrivilege	1032	msiexec.exe
Token: SeAuditPrivilege	1032	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1032	msiexec.exe
Token: SeChangeNotifyPrivilege	1032	msiexec.exe
Token: SeRemoteShutdownPrivilege	1032	msiexec.exe
Token: SeUndockPrivilege	1032	msiexec.exe
Token: SeSyncAgentPrivilege	1032	msiexec.exe
Token: SeEnableDelegationPrivilege	1032	msiexec.exe
Token: SeManageVolumePrivilege	1032	msiexec.exe
Token: SeImpersonatePrivilege	1032	msiexec.exe
Token: SeCreateGlobalPrivilege	1032	msiexec.exe
Token: SeCreateTokenPrivilege	1032	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1032 msiexec.exe

pid	process
1032	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

msiexec.exemsiexec.exeMsiExec.exe

description	pid	process	target process
PID 1112 wrote to memory of 1536	1112	msiexec.exe	MsiExec.exe
PID 1112 wrote to memory of 1536	1112	msiexec.exe	MsiExec.exe
PID 1112 wrote to memory of 1536	1112	msiexec.exe	MsiExec.exe
PID 1112 wrote to memory of 1536	1112	msiexec.exe	MsiExec.exe
PID 1112 wrote to memory of 1536	1112	msiexec.exe	MsiExec.exe
PID 1112 wrote to memory of 1536	1112	msiexec.exe	MsiExec.exe
PID 1112 wrote to memory of 1536	1112	msiexec.exe	MsiExec.exe
PID 1032 wrote to memory of 1976	1032	msiexec.exe	MSI564.tmp
PID 1032 wrote to memory of 1976	1032	msiexec.exe	MSI564.tmp
PID 1032 wrote to memory of 1976	1032	msiexec.exe	MSI564.tmp
PID 1536 wrote to memory of 1036	1536	MsiExec.exe	powershell.exe
PID 1536 wrote to memory of 1036	1536	MsiExec.exe	powershell.exe
PID 1536 wrote to memory of 1036	1536	MsiExec.exe	powershell.exe
PID 1536 wrote to memory of 1036	1536	MsiExec.exe	powershell.exe
PID 1112 wrote to memory of 1288	1112	msiexec.exe	MsiExec.exe
PID 1112 wrote to memory of 1288	1112	msiexec.exe	MsiExec.exe
PID 1112 wrote to memory of 1288	1112	msiexec.exe	MsiExec.exe
PID 1112 wrote to memory of 1288	1112	msiexec.exe	MsiExec.exe
PID 1112 wrote to memory of 1288	1112	msiexec.exe	MsiExec.exe
PID 1112 wrote to memory of 1288	1112	msiexec.exe	MsiExec.exe
PID 1112 wrote to memory of 1288	1112	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Due-Diligence-Checklist-For-Oil-And-Gas-Properties.msi
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\Temp\MSI564.tmp
"C:\Users\Admin\AppData\Local\Temp\MSI564.tmp"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
PID:1976

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A776C0033133A581DF8120B718B69634 C
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss792.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi770.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr771.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr772.txt" -propSep " :<->: " -testPrefix "_testValue."
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1036

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1C8C29DDB20EC90356E1F3B19CDCC9D9 C
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1288

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI1934.tmp
MD5
55bd68162716cc435eb221b048567e73

SHA1
3e9ef3823a6ecb7ca7942a332e400ec3adb8c2bb

SHA256
76bb62394bef8acf9021f8e94219430515cb2734805e29684044a0a4a802469c

SHA512
f371443c8577cf55dd4e76c4fb5d90dff4bcc3e839b7c31183d5db0d4586d105237a8d3a34ed68b0bf64c90dfd99fe64ceac57b91a0ac7835d34ad574f4ccc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1A0F.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI564.tmp
MD5
91841e006225ac500de7630740a21d91

SHA1
68875ce8177794df6bf125b2bb8b8ecc3b84517b

SHA256
cb1d73323d3d80004ada185844b0d461abd9ded736d5dc690607f935b4f2b58a

SHA512
d66e70b9d4d1997ac687589d0723c78e6ffe96aa35343b71f4e57750b7aad33d5555fd5d6b743125852e13cc9b9c338a8fb6b4844768054321404a8491546f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI574.tmp
MD5
c26c68e4a79fd2629714b17514411c40

SHA1
00138d8edea0918c4476da303415be399cf704c6

SHA256
55434961c0b4bed88ae6bfe6e0e61a3a3dcc392858f0e53c6c14c272200203ed

SHA512
6fc8028e6e52b6c9e74ac3ea6d19ed750047d46b7e4021d46e581b58367ffc11fb13b696dfa30a15305e94098a7fd12051ee37d32df91ef2ae1e2d9c642b02ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss792.ps1
MD5
0c95bc11cfca37f84a19de0529377e13

SHA1
41f409dbbab04ef35c4f6489af6f85fceb9c501a

SHA256
88748aae11029228d84aef0855f4bc084dfd70450db1f7029746d8bc85182f93

SHA512
8a52f3c40440e3129a367609ee4b6e9e98aa62edec48592be03bad1aadcd389e2e58e095f4ea3d6f9cb458aa7101fcb5afdff66658885bfa0634c74c086db568

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr771.ps1
MD5
2908843ef0e8bb1207fe9a351cece994

SHA1
f98cb3d404c5823eca0027740d44acc8bcce214b

SHA256
f6aa48bc45be3b603a48a5261a28cc75e9c1c2f65aa37bb807b6c1bd80dce05a

SHA512
b660f2393b3978db34057fae047b73ade6122f8fb56569996a81235c681442c9d55e2223ac2045579b6e27b886f20d7f04520eb851ea7efeef30b401900d08a0

Download Submit
\Users\Admin\AppData\Local\Temp\MSI1934.tmp
MD5
55bd68162716cc435eb221b048567e73

SHA1
3e9ef3823a6ecb7ca7942a332e400ec3adb8c2bb

SHA256
76bb62394bef8acf9021f8e94219430515cb2734805e29684044a0a4a802469c

SHA512
f371443c8577cf55dd4e76c4fb5d90dff4bcc3e839b7c31183d5db0d4586d105237a8d3a34ed68b0bf64c90dfd99fe64ceac57b91a0ac7835d34ad574f4ccc87

Download Submit
\Users\Admin\AppData\Local\Temp\MSI1A0F.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
\Users\Admin\AppData\Local\Temp\MSI564.tmp
MD5
91841e006225ac500de7630740a21d91

SHA1
68875ce8177794df6bf125b2bb8b8ecc3b84517b

SHA256
cb1d73323d3d80004ada185844b0d461abd9ded736d5dc690607f935b4f2b58a

SHA512
d66e70b9d4d1997ac687589d0723c78e6ffe96aa35343b71f4e57750b7aad33d5555fd5d6b743125852e13cc9b9c338a8fb6b4844768054321404a8491546f0e

Download Submit
\Users\Admin\AppData\Local\Temp\MSI564.tmp
MD5
91841e006225ac500de7630740a21d91

SHA1
68875ce8177794df6bf125b2bb8b8ecc3b84517b

SHA256
cb1d73323d3d80004ada185844b0d461abd9ded736d5dc690607f935b4f2b58a

SHA512
d66e70b9d4d1997ac687589d0723c78e6ffe96aa35343b71f4e57750b7aad33d5555fd5d6b743125852e13cc9b9c338a8fb6b4844768054321404a8491546f0e

Download Submit
\Users\Admin\AppData\Local\Temp\MSI574.tmp
MD5
c26c68e4a79fd2629714b17514411c40

SHA1
00138d8edea0918c4476da303415be399cf704c6

SHA256
55434961c0b4bed88ae6bfe6e0e61a3a3dcc392858f0e53c6c14c272200203ed

SHA512
6fc8028e6e52b6c9e74ac3ea6d19ed750047d46b7e4021d46e581b58367ffc11fb13b696dfa30a15305e94098a7fd12051ee37d32df91ef2ae1e2d9c642b02ea

Download Submit
memory/1032-52-0x000007FEFB651000-0x000007FEFB653000-memory.dmp

Filesize
8KB

Download
memory/1036-66-0x00000000021C1000-0x00000000021C2000-memory.dmp

Filesize
4KB

Download
memory/1036-67-0x00000000021C2000-0x00000000021C4000-memory.dmp

Filesize
8KB

Download
memory/1036-65-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/1036-62-0x0000000000000000-mapping.dmp

Download
memory/1288-72-0x0000000000000000-mapping.dmp

Download
memory/1536-59-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1536-54-0x0000000000000000-mapping.dmp

Download
memory/1976-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads