Analysis
- max time kernel: 124s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 18-10-2021 10:00

Static task: static1
Behavioral task: behavioral1
Sample: fc73a6d7ba29346cec2696e05861af8a.msi
Resource: win7-en-20210920
General
- Target: fc73a6d7ba29346cec2696e05861af8a.msi
- Size: 1.3MB
- MD5: fc73a6d7ba29346cec2696e05861af8a
- SHA1: 463d5f12fd5c940323439cb023e2f46ffb4cabac
- SHA256: 1ffa9fbad9e31dbaa54e8f72abe42fdccb47333d1aa07bf0c541d0011f7ac9cc
- SHA512: a42ecbd88a646b3fa0820304397980429cbee95efe66a273ee68edd32b410cd5c108d6400ed999f0e4923f03ad708f539b5bb4147292434bef02dd1706e59611
Malware Config
Signatures
- Taurus Stealer Payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral2/memory/1504-140-0x0000000000400000-0x000000000046A000-memory.dmp | family_taurus_stealer
- Executes dropped EXE (2 IoCs)
  Processes: MSIDBD.tmp, updateKMS.exe
  pid | process
  1800 | MSIDBD.tmp
  1504 | updateKMS.exe
- Loads dropped DLL (4 IoCs)
  Processes: MsiExec.exe
  pid | process
  780 | MsiExec.exe
  780 | MsiExec.exe
  780 | MsiExec.exe
  780 | MsiExec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe, msiexec.exe
  description | ioc | process
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
- Drops file in Windows directory (13 IoCs)
  Processes: msiexec.exe
  description | ioc | process
  File created | C:\Windows\Installer\f75fd5c.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\f75fd5c.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI77F.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI8E8.tmp | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{55F6B651-A24C-4726-9FD2-959DFC38462C} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIDBD.tmp | msiexec.exe
  File created | C:\Windows\Installer\f75fd5f.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIFEF2.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI83B.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSID3F.tmp | msiexec.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoC)
  Processes: timeout.exe
  pid | process
  424 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: msiexec.exe
  pid | process
  1236 | msiexec.exe
  1236 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: msiexec.exe, msiexec.exe
  description | pid | process
  Token: SeShutdownPrivilege | 2092 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2092 | msiexec.exe
  Token: SeSecurityPrivilege | 1236 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2092 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2092 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2092 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2092 | msiexec.exe
  Token: SeMachineAccountPrivilege | 2092 | msiexec.exe
  Token: SeTcbPrivilege | 2092 | msiexec.exe
  Token: SeSecurityPrivilege | 2092 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2092 | msiexec.exe
  Token: SeLoadDriverPrivilege | 2092 | msiexec.exe
  Token: SeSystemProfilePrivilege | 2092 | msiexec.exe
  Token: SeSystemtimePrivilege | 2092 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 2092 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 2092 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 2092 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 2092 | msiexec.exe
  Token: SeBackupPrivilege | 2092 | msiexec.exe
  Token: SeRestorePrivilege | 2092 | msiexec.exe
  Token: SeShutdownPrivilege | 2092 | msiexec.exe
  Token: SeDebugPrivilege | 2092 | msiexec.exe
  Token: SeAuditPrivilege | 2092 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 2092 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 2092 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 2092 | msiexec.exe
  Token: SeUndockPrivilege | 2092 | msiexec.exe
  Token: SeSyncAgentPrivilege | 2092 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 2092 | msiexec.exe
  Token: SeManageVolumePrivilege | 2092 | msiexec.exe
  Token: SeImpersonatePrivilege | 2092 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 2092 | msiexec.exe
  Token: SeRestorePrivilege | 1236 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1236 | msiexec.exe
  (the preceding pair of rows for PID 1236 is recorded 16 times in total, making up the remaining 32 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: msiexec.exe
  pid | process
  2092 | msiexec.exe
  2092 | msiexec.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: msiexec.exe, MSIDBD.tmp, updateKMS.exe, cmd.exe
  description | pid | process | target process
  PID 1236 wrote to memory of 780 | 1236 | msiexec.exe | MsiExec.exe
  PID 1236 wrote to memory of 780 | 1236 | msiexec.exe | MsiExec.exe
  PID 1236 wrote to memory of 780 | 1236 | msiexec.exe | MsiExec.exe
  PID 1236 wrote to memory of 1800 | 1236 | msiexec.exe | MSIDBD.tmp
  PID 1236 wrote to memory of 1800 | 1236 | msiexec.exe | MSIDBD.tmp
  PID 1236 wrote to memory of 1800 | 1236 | msiexec.exe | MSIDBD.tmp
  PID 1800 wrote to memory of 1504 | 1800 | MSIDBD.tmp | updateKMS.exe
  PID 1800 wrote to memory of 1504 | 1800 | MSIDBD.tmp | updateKMS.exe
  PID 1800 wrote to memory of 1504 | 1800 | MSIDBD.tmp | updateKMS.exe
  PID 1504 wrote to memory of 2436 | 1504 | updateKMS.exe | cmd.exe
  PID 1504 wrote to memory of 2436 | 1504 | updateKMS.exe | cmd.exe
  PID 1504 wrote to memory of 2436 | 1504 | updateKMS.exe | cmd.exe
  PID 2436 wrote to memory of 424 | 2436 | cmd.exe | timeout.exe
  PID 2436 wrote to memory of 424 | 2436 | cmd.exe | timeout.exe
  PID 2436 wrote to memory of 424 | 2436 | cmd.exe | timeout.exe
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fc73a6d7ba29346cec2696e05861af8a.msi
  PID: 2092
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1236
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7640604A6204996A5454B4806B32D51C
    PID: 780
    - Loads dropped DLL
  - C:\Windows\Installer\MSIDBD.tmp
    Command line: "C:\Windows\Installer\MSIDBD.tmp" -p89l3Ccf4 -s1
    PID: 1800
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\updateKMS.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\updateKMS.exe"
      PID: 1504
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\RarSFX0\updateKMS.exe
        PID: 2436
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\timeout.exe
          Command line: timeout /t 3
          PID: 424
          - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads