Analysis

max time kernel: 118s
max time network: 140s
platform: windows7_x64
resource: win7-en-20210920
submitted: 18-10-2021 10:00

Static task: static1
Behavioral task: behavioral1
Sample: fc73a6d7ba29346cec2696e05861af8a.msi
Resource: win7-en-20210920

General

Target: fc73a6d7ba29346cec2696e05861af8a.msi
Size: 1.3MB
MD5: fc73a6d7ba29346cec2696e05861af8a
SHA1: 463d5f12fd5c940323439cb023e2f46ffb4cabac
SHA256: 1ffa9fbad9e31dbaa54e8f72abe42fdccb47333d1aa07bf0c541d0011f7ac9cc
SHA512: a42ecbd88a646b3fa0820304397980429cbee95efe66a273ee68edd32b410cd5c108d6400ed999f0e4923f03ad708f539b5bb4147292434bef02dd1706e59611
Malware Config
Signatures
Taurus Stealer Payload (1 IoC)

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/1272-79-0x0000000000400000-0x000000000046A000-memory.dmp | family_taurus_stealer |
Executes dropped EXE (2 IoCs)

| pid | process |
| --- | --- |
| 1792 | MSI4242.tmp |
| 1272 | updateKMS.exe |
Loads dropped DLL (9 IoCs)

| pid | process |
| --- | --- |
| 1456 | MsiExec.exe |
| 1456 | MsiExec.exe |
| 1456 | MsiExec.exe |
| 1792 | MSI4242.tmp |
| 1792 | MSI4242.tmp |
| 1792 | MSI4242.tmp |
| 1272 | updateKMS.exe |
| 1272 | updateKMS.exe |
| 1272 | updateKMS.exe |
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

All 48 IoCs are of the form "File opened (read-only) \??\<letter>:" by msiexec.exe. Each of the following 24 drive letters was opened twice (C: and D: do not appear):

| description | ioc | process |
| --- | --- | --- |
| File opened (read-only) | \??\A: | msiexec.exe |
| File opened (read-only) | \??\B: | msiexec.exe |
| File opened (read-only) | \??\E: | msiexec.exe |
| File opened (read-only) | \??\F: | msiexec.exe |
| File opened (read-only) | \??\G: | msiexec.exe |
| File opened (read-only) | \??\H: | msiexec.exe |
| File opened (read-only) | \??\I: | msiexec.exe |
| File opened (read-only) | \??\J: | msiexec.exe |
| File opened (read-only) | \??\K: | msiexec.exe |
| File opened (read-only) | \??\L: | msiexec.exe |
| File opened (read-only) | \??\M: | msiexec.exe |
| File opened (read-only) | \??\N: | msiexec.exe |
| File opened (read-only) | \??\O: | msiexec.exe |
| File opened (read-only) | \??\P: | msiexec.exe |
| File opened (read-only) | \??\Q: | msiexec.exe |
| File opened (read-only) | \??\R: | msiexec.exe |
| File opened (read-only) | \??\S: | msiexec.exe |
| File opened (read-only) | \??\T: | msiexec.exe |
| File opened (read-only) | \??\U: | msiexec.exe |
| File opened (read-only) | \??\V: | msiexec.exe |
| File opened (read-only) | \??\W: | msiexec.exe |
| File opened (read-only) | \??\X: | msiexec.exe |
| File opened (read-only) | \??\Y: | msiexec.exe |
| File opened (read-only) | \??\Z: | msiexec.exe |
Drops file in Windows directory (11 IoCs)

| description | ioc | process |
| --- | --- | --- |
| File opened for modification | C:\Windows\Installer\MSI3A81.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI3C65.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI4203.tmp | msiexec.exe |
| File created | C:\Windows\Installer\f7639ca.msi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\f7639c8.ipi | msiexec.exe |
| File created | C:\Windows\Installer\f7639c6.msi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\f7639c6.msi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI3CF3.tmp | msiexec.exe |
| File created | C:\Windows\Installer\f7639c8.ipi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\ | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI4242.tmp | msiexec.exe |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Delays execution with timeout.exe (1 IoC)

| pid | process |
| --- | --- |
| 2036 | timeout.exe |
Suspicious behavior: EnumeratesProcesses (2 IoCs)

| pid | process |
| --- | --- |
| 584 | msiexec.exe |
| 584 | msiexec.exe |
Suspicious use of AdjustPrivilegeToken (64 IoCs)

The 64 token entries are grouped below by process, with the number of times each privilege was recorded:

| pid | process | token | count |
| --- | --- | --- | --- |
| 1516 | msiexec.exe | SeShutdownPrivilege | 2 |
| 1516 | msiexec.exe | SeIncreaseQuotaPrivilege | 2 |
| 1516 | msiexec.exe | SeCreateTokenPrivilege | 1 |
| 1516 | msiexec.exe | SeAssignPrimaryTokenPrivilege | 1 |
| 1516 | msiexec.exe | SeLockMemoryPrivilege | 1 |
| 1516 | msiexec.exe | SeMachineAccountPrivilege | 1 |
| 1516 | msiexec.exe | SeTcbPrivilege | 1 |
| 1516 | msiexec.exe | SeSecurityPrivilege | 1 |
| 1516 | msiexec.exe | SeTakeOwnershipPrivilege | 1 |
| 1516 | msiexec.exe | SeLoadDriverPrivilege | 1 |
| 1516 | msiexec.exe | SeSystemProfilePrivilege | 1 |
| 1516 | msiexec.exe | SeSystemtimePrivilege | 1 |
| 1516 | msiexec.exe | SeProfSingleProcessPrivilege | 1 |
| 1516 | msiexec.exe | SeIncBasePriorityPrivilege | 1 |
| 1516 | msiexec.exe | SeCreatePagefilePrivilege | 1 |
| 1516 | msiexec.exe | SeCreatePermanentPrivilege | 1 |
| 1516 | msiexec.exe | SeBackupPrivilege | 1 |
| 1516 | msiexec.exe | SeRestorePrivilege | 1 |
| 1516 | msiexec.exe | SeDebugPrivilege | 1 |
| 1516 | msiexec.exe | SeAuditPrivilege | 1 |
| 1516 | msiexec.exe | SeSystemEnvironmentPrivilege | 1 |
| 1516 | msiexec.exe | SeChangeNotifyPrivilege | 1 |
| 1516 | msiexec.exe | SeRemoteShutdownPrivilege | 1 |
| 1516 | msiexec.exe | SeUndockPrivilege | 1 |
| 1516 | msiexec.exe | SeSyncAgentPrivilege | 1 |
| 1516 | msiexec.exe | SeEnableDelegationPrivilege | 1 |
| 1516 | msiexec.exe | SeManageVolumePrivilege | 1 |
| 1516 | msiexec.exe | SeImpersonatePrivilege | 1 |
| 1516 | msiexec.exe | SeCreateGlobalPrivilege | 1 |
| 584 | msiexec.exe | SeRestorePrivilege | 15 |
| 584 | msiexec.exe | SeTakeOwnershipPrivilege | 15 |
| 584 | msiexec.exe | SeSecurityPrivilege | 1 |
| 1272 | updateKMS.exe | SeRestorePrivilege | 1 |
| 1272 | updateKMS.exe | SeBackupPrivilege | 1 |
Suspicious use of FindShellTrayWindow (2 IoCs)

| pid | process |
| --- | --- |
| 1516 | msiexec.exe |
| 1516 | msiexec.exe |
Suspicious use of WriteProcessMemory (32 IoCs)

Each row is a "PID <source> wrote to memory of <target>" entry, with the number of times it was recorded:

| source pid | source process | target pid | target process | count |
| --- | --- | --- | --- | --- |
| 584 | msiexec.exe | 1456 | MsiExec.exe | 7 |
| 584 | msiexec.exe | 1792 | MSI4242.tmp | 4 |
| 1792 | MSI4242.tmp | 1272 | updateKMS.exe | 7 |
| 1272 | updateKMS.exe | 1780 | cmd.exe | 7 |
| 1780 | cmd.exe | 2036 | timeout.exe | 7 |
Processes

Indentation shows the parent/child depth recorded by the sandbox (depth 1 = top level).

C:\Windows\system32\msiexec.exe
    command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fc73a6d7ba29346cec2696e05861af8a.msi
    PID: 1516
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
    command line: C:\Windows\system32\msiexec.exe /V
    PID: 584
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
        command line: C:\Windows\syswow64\MsiExec.exe -Embedding 159F17F82927F1D0291D5EA00E717433
        PID: 1456
        - Loads dropped DLL

    C:\Windows\Installer\MSI4242.tmp
        command line: "C:\Windows\Installer\MSI4242.tmp" -p89l3Ccf4 -s1
        PID: 1792
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\RarSFX0\updateKMS.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\updateKMS.exe"
            PID: 1272
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
                command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\RarSFX0\updateKMS.exe
                PID: 1780
                - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\timeout.exe
                    command line: timeout /t 3
                    PID: 2036
                    - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

The report lists 16 entries; they consist of three distinct files, each shown once below with the number of times it appears.

File 1 (listed 8 times)
MD5: 57fb19fcafe6bf4faab9a5c593249be4
SHA1: 25e0e14735a0864694c3e6d96ae91d38b02dd1f5
SHA256: 47335ce2ac06bab49c4295f4ed06ed68a1e20aafbf4a59d2c28daaacd32893b0
SHA512: c3620ea90f9d808069ca0afcbdf24356199977d79643a32ab14ed21fc6e19495db98f3562aa4337065b5e95c5f95da0740c17484d7724a812c1e0ece8d040168

File 2 (listed 6 times)
MD5: 72b1c6699ddc2baab105d32761285df2
SHA1: fc85e9fb190f205e6752624a5231515c4ee4e155
SHA256: bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97
SHA512: cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

File 3 (listed 2 times)
MD5: 45e48997516c0d93885c88f9d186361d
SHA1: 9967123fd1b6a62f65d0d2270f6689666aab24df
SHA256: e0e2aa6d65cf83b262ef4b2da82277e0e307c73629d1f44ec316a02cd22a4ca9
SHA512: 0fce2eacdb63507288f9dabfa995d79f9e0597009b0dfd318dcd6989dbb3cca749e9b7fbc419fd245ca361fac57bb205c707007a121a51748994c5649d5d0a9a