Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 19-10-2021 10:43
Static task: static1
Behavioral task: behavioral1
- Sample: 4cea5d8cb3e0a17e942812e31667120a.msi
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: 4cea5d8cb3e0a17e942812e31667120a.msi
- Resource: win10-en-20211014
General
- Target: 4cea5d8cb3e0a17e942812e31667120a.msi
- Size: 124KB
- MD5: 4cea5d8cb3e0a17e942812e31667120a
- SHA1: c526373cc21495053cdf3ff735f10e4f031659b7
- SHA256: be4448eb3e5f348051538b82b3e9b63191da49d028e6c5f2b8de4cbc6135c84a
- SHA512: 1eed5b3fa630ca2e4998e5eae400cab82a2e65005107f9bae0ae04a7ed7b32373ffaaf486578acca13bf74c38193e62fbb51da381555fec8d45c10a40cc962f7
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Executes dropped EXE (1 IoC)
  Processes:
  pid 984: MSIFCF7.tmp
- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  Processes:
  File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe (MSIFCF7.tmp)
  File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe (MSIFCF7.tmp)
- Loads dropped DLL (1 IoC)
  Processes:
  pid 2028: MSIFCF7.tmp
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (MSIFCF7.tmp)
  Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PANTOPTEROUS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AGONIED\\KLUMSEDE.vbs" (MSIFCF7.tmp)
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
  pid 984: MSIFCF7.tmp
  pid 2028: MSIFCF7.tmp
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 984 (MSIFCF7.tmp) set thread context of PID 2028 (MSIFCF7.tmp)
- Drops file in Windows directory (10 IoCs)
  Processes:
  File opened for modification C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
  File opened for modification C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
  File opened for modification C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
  File opened for modification C:\Windows\Installer\f75fa46.msi (msiexec.exe)
  File created C:\Windows\Installer\f75fa48.ipi (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSIFCA7.tmp (msiexec.exe)
  File created C:\Windows\Installer\f75fa46.msi (msiexec.exe)
  File opened for modification C:\Windows\Installer\ (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSIFCF7.tmp (msiexec.exe)
  File opened for modification C:\Windows\Installer\f75fa48.ipi (msiexec.exe)
- Modifies data under HKEY_USERS (43 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid 1752: msiexec.exe (2 occurrences)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid 984: MSIFCF7.tmp
- Suspicious use of AdjustPrivilegeToken (61 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  pid 948: msiexec.exe (2 occurrences)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid 984: MSIFCF7.tmp
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  PID 1752 (msiexec.exe) wrote to memory of PID 984 (MSIFCF7.tmp), 4 occurrences
  PID 984 (MSIFCF7.tmp) wrote to memory of PID 2028 (MSIFCF7.tmp), 5 occurrences
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4cea5d8cb3e0a17e942812e31667120a.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Installer\MSIFCF7.tmp (child of msiexec.exe /V)
    Command line: "C:\Windows\Installer\MSIFCF7.tmp"
    - Executes dropped EXE
    - Checks QEMU agent file
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Installer\MSIFCF7.tmp (child of the previous MSIFCF7.tmp)
      Command line: "C:\Windows\Installer\MSIFCF7.tmp"
      - Checks QEMU agent file
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot13" "" "" "66d15495b" "0000000000000000" "00000000000003D0" "00000000000004D0"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Installer\MSIFCF7.tmp
  MD5: 9c0f4f8b74d0c49c28997dcc175897c9
  SHA1: 56aedf510fe21edf7f5deb00b210e50f54f44443
  SHA256: 9fd8a479a9f54341cfea3c2906cbc779c8623a288708ac00e21a486f325e3934
  SHA512: c2ff13b0737904fc97fdd57a17f9d4885776a5c07d1c3a884292e7143df2966397e4f4820a39450c950b2e3c68fdf2799091357fa9f129ef196e962f4c5e8ba3
- memory/948-54-0x000007FEFC271000-0x000007FEFC273000-memory.dmp (8KB)
- memory/984-64-0x0000000077BD0000-0x0000000077D50000-memory.dmp (1.5MB)
- memory/984-56-0x0000000000000000-mapping.dmp
- memory/984-62-0x0000000076961000-0x0000000076963000-memory.dmp (8KB)
- memory/984-63-0x00000000779F0000-0x0000000077B99000-memory.dmp (1.7MB)
- memory/984-59-0x00000000001C0000-0x00000000001CA000-memory.dmp (40KB)
- memory/984-58-0x00000000001C0000-0x00000000001C6000-memory.dmp (24KB)
- memory/984-71-0x0000000077BD0000-0x0000000077D50000-memory.dmp (1.5MB)
- memory/984-60-0x0000000000260000-0x0000000000271000-memory.dmp (68KB)
- memory/2028-69-0x0000000000400000-0x0000000000553000-memory.dmp (1.3MB)
- memory/2028-67-0x0000000000401230-mapping.dmp
- memory/2028-72-0x00000000001B0000-0x00000000002B0000-memory.dmp (1024KB)
- memory/2028-75-0x00000000779F0000-0x0000000077B99000-memory.dmp (1.7MB)
- memory/2028-76-0x0000000077BD0000-0x0000000077D50000-memory.dmp (1.5MB)
- memory/2028-78-0x0000000077BD0000-0x0000000077D50000-memory.dmp (1.5MB)