Analysis
-
max time kernel
149s -
max time network
170s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
19-10-2021 14:50
Static task
static1
Behavioral task
behavioral1
Sample
t1.msi
Resource
win7-en-20210920
General
-
Target
t1.msi
-
Size
124KB
-
MD5
5262da4295e8a62d58d17991b35bf860
-
SHA1
3fba37528f6b06d2c89c7d86ce6352df438f1855
-
SHA256
058ee0434baf472713da384ee3ba273f64995b9c7f83b7e62a8b3285b334b2cf
-
SHA512
8a82d10997e8b64ab12688e6cb909e405644bfcf2ed0e47df9c16009bf1ae415c17bc5a0cc27717d34f6f5484ca27fe026893b4637ea01cb1209dd0427574c18
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Executes dropped EXE 1 IoCs
Processes:
MSI8D82.tmppid process 864 MSI8D82.tmp -
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
MSI8D82.tmpMSI8D82.tmpdescription ioc process File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe MSI8D82.tmp File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe MSI8D82.tmp -
Loads dropped DLL 1 IoCs
Processes:
MSI8D82.tmppid process 1764 MSI8D82.tmp -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\G: msiexec.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
MSI8D82.tmpMSI8D82.tmppid process 864 MSI8D82.tmp 1764 MSI8D82.tmp -
Suspicious use of SetThreadContext 1 IoCs
Processes:
MSI8D82.tmpdescription pid process target process PID 864 set thread context of 1764 864 MSI8D82.tmp MSI8D82.tmp -
Drops file in Windows directory 10 IoCs
Processes:
msiexec.exeDrvInst.exedescription ioc process File created C:\Windows\Installer\f768a95.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI8D13.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8D82.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f768a93.msi msiexec.exe File opened for modification C:\Windows\Installer\f768a93.msi msiexec.exe File opened for modification C:\Windows\Installer\f768a95.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe -
Modifies data under HKEY_USERS 43 IoCs
Processes:
DrvInst.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid process 584 msiexec.exe 584 msiexec.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
MSI8D82.tmppid process 864 MSI8D82.tmp -
Suspicious use of AdjustPrivilegeToken 61 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exeDrvInst.exedescription pid process Token: SeShutdownPrivilege 1508 msiexec.exe Token: SeIncreaseQuotaPrivilege 1508 msiexec.exe Token: SeRestorePrivilege 584 msiexec.exe Token: SeTakeOwnershipPrivilege 584 msiexec.exe Token: SeSecurityPrivilege 584 msiexec.exe Token: SeCreateTokenPrivilege 1508 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1508 msiexec.exe Token: SeLockMemoryPrivilege 1508 msiexec.exe Token: SeIncreaseQuotaPrivilege 1508 msiexec.exe Token: SeMachineAccountPrivilege 1508 msiexec.exe Token: SeTcbPrivilege 1508 msiexec.exe Token: SeSecurityPrivilege 1508 msiexec.exe Token: SeTakeOwnershipPrivilege 1508 msiexec.exe Token: SeLoadDriverPrivilege 1508 msiexec.exe Token: SeSystemProfilePrivilege 1508 msiexec.exe Token: SeSystemtimePrivilege 1508 msiexec.exe Token: SeProfSingleProcessPrivilege 1508 msiexec.exe Token: SeIncBasePriorityPrivilege 1508 msiexec.exe Token: SeCreatePagefilePrivilege 1508 msiexec.exe Token: SeCreatePermanentPrivilege 1508 msiexec.exe Token: SeBackupPrivilege 1508 msiexec.exe Token: SeRestorePrivilege 1508 msiexec.exe Token: SeShutdownPrivilege 1508 msiexec.exe Token: SeDebugPrivilege 1508 msiexec.exe Token: SeAuditPrivilege 1508 msiexec.exe Token: SeSystemEnvironmentPrivilege 1508 msiexec.exe Token: SeChangeNotifyPrivilege 1508 msiexec.exe Token: SeRemoteShutdownPrivilege 1508 msiexec.exe Token: SeUndockPrivilege 1508 msiexec.exe Token: SeSyncAgentPrivilege 1508 msiexec.exe Token: SeEnableDelegationPrivilege 1508 msiexec.exe Token: SeManageVolumePrivilege 1508 msiexec.exe Token: SeImpersonatePrivilege 1508 msiexec.exe Token: SeCreateGlobalPrivilege 1508 msiexec.exe Token: SeBackupPrivilege 1288 vssvc.exe Token: SeRestorePrivilege 1288 vssvc.exe Token: SeAuditPrivilege 1288 vssvc.exe Token: SeBackupPrivilege 584 msiexec.exe Token: SeRestorePrivilege 584 msiexec.exe Token: SeRestorePrivilege 1672 DrvInst.exe Token: SeRestorePrivilege 1672 DrvInst.exe Token: SeRestorePrivilege 1672 DrvInst.exe Token: SeRestorePrivilege 1672 DrvInst.exe Token: SeRestorePrivilege 1672 DrvInst.exe Token: SeRestorePrivilege 1672 DrvInst.exe Token: SeRestorePrivilege 1672 DrvInst.exe Token: SeLoadDriverPrivilege 1672 DrvInst.exe Token: SeLoadDriverPrivilege 1672 DrvInst.exe Token: SeLoadDriverPrivilege 1672 DrvInst.exe Token: SeRestorePrivilege 584 msiexec.exe Token: SeTakeOwnershipPrivilege 584 msiexec.exe Token: SeRestorePrivilege 584 msiexec.exe Token: SeTakeOwnershipPrivilege 584 msiexec.exe Token: SeRestorePrivilege 584 msiexec.exe Token: SeTakeOwnershipPrivilege 584 msiexec.exe Token: SeRestorePrivilege 584 msiexec.exe Token: SeTakeOwnershipPrivilege 584 msiexec.exe Token: SeRestorePrivilege 584 msiexec.exe Token: SeTakeOwnershipPrivilege 584 msiexec.exe Token: SeRestorePrivilege 584 msiexec.exe Token: SeTakeOwnershipPrivilege 584 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 1508 msiexec.exe 1508 msiexec.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
MSI8D82.tmppid process 864 MSI8D82.tmp -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
msiexec.exeMSI8D82.tmpdescription pid process target process PID 584 wrote to memory of 864 584 msiexec.exe MSI8D82.tmp PID 584 wrote to memory of 864 584 msiexec.exe MSI8D82.tmp PID 584 wrote to memory of 864 584 msiexec.exe MSI8D82.tmp PID 584 wrote to memory of 864 584 msiexec.exe MSI8D82.tmp PID 864 wrote to memory of 1764 864 MSI8D82.tmp MSI8D82.tmp PID 864 wrote to memory of 1764 864 MSI8D82.tmp MSI8D82.tmp PID 864 wrote to memory of 1764 864 MSI8D82.tmp MSI8D82.tmp PID 864 wrote to memory of 1764 864 MSI8D82.tmp MSI8D82.tmp PID 864 wrote to memory of 1764 864 MSI8D82.tmp MSI8D82.tmp
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\t1.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1508
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\Installer\MSI8D82.tmp"C:\Windows\Installer\MSI8D82.tmp"2⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\Installer\MSI8D82.tmp"C:\Windows\Installer\MSI8D82.tmp"3⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1764
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot13" "" "" "66d15495b" "0000000000000000" "00000000000003A4" "00000000000003D0"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1672
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
8c0ef68bfe8b4f2d72ca3599aedb6387
SHA1b6c02d95c26e2ec62ba27d0e4c3cd3b1e7f25261
SHA2564b2a32c7afbfb44a85d88bfd4f0a79306278d880c64a28bf3242dc686665c8fe
SHA51287bf4a30a191e4e7ccc4c17122868a7355d20d4666c954d0229c47bd253077565ee151b33d3a3fff439d56cf0e6360d923055ec7a4993f797a8446a86d29d733
-
MD5
8c0ef68bfe8b4f2d72ca3599aedb6387
SHA1b6c02d95c26e2ec62ba27d0e4c3cd3b1e7f25261
SHA2564b2a32c7afbfb44a85d88bfd4f0a79306278d880c64a28bf3242dc686665c8fe
SHA51287bf4a30a191e4e7ccc4c17122868a7355d20d4666c954d0229c47bd253077565ee151b33d3a3fff439d56cf0e6360d923055ec7a4993f797a8446a86d29d733
-
MD5
8c0ef68bfe8b4f2d72ca3599aedb6387
SHA1b6c02d95c26e2ec62ba27d0e4c3cd3b1e7f25261
SHA2564b2a32c7afbfb44a85d88bfd4f0a79306278d880c64a28bf3242dc686665c8fe
SHA51287bf4a30a191e4e7ccc4c17122868a7355d20d4666c954d0229c47bd253077565ee151b33d3a3fff439d56cf0e6360d923055ec7a4993f797a8446a86d29d733