951c2f341e914601140aa9ead05895f6957d5cbfda80b81be99015d2be02d44f

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-en-20210920
submitted
25-10-2021 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FORM_PIX XJTVCZG.msi
Size

953KB
MD5

f2836216ca554dfdc8a300decb644911
SHA1

338829d2c88f430b0d00bfb03ad8a43649b4e1d8
SHA256

951c2f341e914601140aa9ead05895f6957d5cbfda80b81be99015d2be02d44f
SHA512

02148775c5db048566d0fb73e7d8da06597362a31934907ce356238bc1aa8ab4b319094d16d2a5881bf9b6797fde023c42a76846448a5436f4b72f067a668b1c

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

Processes:

MsiExec.exe

flow	pid	Process
5	1924	MsiExec.exe
7	1924	MsiExec.exe
9	1924	MsiExec.exe
11	1924	MsiExec.exe
13	1924	MsiExec.exe

Loads dropped DLL 5 IoCs

Processes:

MsiExec.exe

pid	Process
1924	MsiExec.exe
1924	MsiExec.exe
1924	MsiExec.exe
1924	MsiExec.exe
1924	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSICF50.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID26E.tmp	msiexec.exe
File created	C:\Windows\Installer\f75ce0b.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f75ce0b.ipi	msiexec.exe
File created	C:\Windows\Installer\f75ce09.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID164.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDD86.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDEFD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE112.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f75ce09.msi	msiexec.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid	Process
1032	msiexec.exe
1032	msiexec.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	Process
Token: SeShutdownPrivilege	780	msiexec.exe
Token: SeIncreaseQuotaPrivilege	780	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeSecurityPrivilege	1032	msiexec.exe
Token: SeCreateTokenPrivilege	780	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	780	msiexec.exe
Token: SeLockMemoryPrivilege	780	msiexec.exe
Token: SeIncreaseQuotaPrivilege	780	msiexec.exe
Token: SeMachineAccountPrivilege	780	msiexec.exe
Token: SeTcbPrivilege	780	msiexec.exe
Token: SeSecurityPrivilege	780	msiexec.exe
Token: SeTakeOwnershipPrivilege	780	msiexec.exe
Token: SeLoadDriverPrivilege	780	msiexec.exe
Token: SeSystemProfilePrivilege	780	msiexec.exe
Token: SeSystemtimePrivilege	780	msiexec.exe
Token: SeProfSingleProcessPrivilege	780	msiexec.exe
Token: SeIncBasePriorityPrivilege	780	msiexec.exe
Token: SeCreatePagefilePrivilege	780	msiexec.exe
Token: SeCreatePermanentPrivilege	780	msiexec.exe
Token: SeBackupPrivilege	780	msiexec.exe
Token: SeRestorePrivilege	780	msiexec.exe
Token: SeShutdownPrivilege	780	msiexec.exe
Token: SeDebugPrivilege	780	msiexec.exe
Token: SeAuditPrivilege	780	msiexec.exe
Token: SeSystemEnvironmentPrivilege	780	msiexec.exe
Token: SeChangeNotifyPrivilege	780	msiexec.exe
Token: SeRemoteShutdownPrivilege	780	msiexec.exe
Token: SeUndockPrivilege	780	msiexec.exe
Token: SeSyncAgentPrivilege	780	msiexec.exe
Token: SeEnableDelegationPrivilege	780	msiexec.exe
Token: SeManageVolumePrivilege	780	msiexec.exe
Token: SeImpersonatePrivilege	780	msiexec.exe
Token: SeCreateGlobalPrivilege	780	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msiexec.exeMsiExec.exe

pid	Process
780	msiexec.exe
1924	MsiExec.exe
780	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

msiexec.exe

description	pid	Process	procid_target
PID 1032 wrote to memory of 1924	1032	msiexec.exe	29
PID 1032 wrote to memory of 1924	1032	msiexec.exe	29
PID 1032 wrote to memory of 1924	1032	msiexec.exe	29
PID 1032 wrote to memory of 1924	1032	msiexec.exe	29
PID 1032 wrote to memory of 1924	1032	msiexec.exe	29
PID 1032 wrote to memory of 1924	1032	msiexec.exe	29
PID 1032 wrote to memory of 1924	1032	msiexec.exe	29

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\FORM_PIX XJTVCZG.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:780

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5CF8C0C9D98DA0FCF449AD295FDB179F
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSICF50.tmp

MD5
d90ab57e6c584f90fbbea74b566216e3

SHA1
4616e59aed33848f5870e5e1fe865f932721a162

SHA256
44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

SHA512
5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

Download Submit
C:\Windows\Installer\MSID164.tmp

MD5
d90ab57e6c584f90fbbea74b566216e3

SHA1
4616e59aed33848f5870e5e1fe865f932721a162

SHA256
44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

SHA512
5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

Download Submit
C:\Windows\Installer\MSID26E.tmp

MD5
d90ab57e6c584f90fbbea74b566216e3

SHA1
4616e59aed33848f5870e5e1fe865f932721a162

SHA256
44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

SHA512
5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

Download Submit
C:\Windows\Installer\MSIDEFD.tmp

MD5
06bf05c1b207c1340db60571ee6ef552

SHA1
64b9ad03c6827a320633336c5e53c974d950ef67

SHA256
2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

SHA512
a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

Download Submit
C:\Windows\Installer\MSIE112.tmp

MD5
06bf05c1b207c1340db60571ee6ef552

SHA1
64b9ad03c6827a320633336c5e53c974d950ef67

SHA256
2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

SHA512
a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

Download Submit
\Windows\Installer\MSICF50.tmp

MD5
d90ab57e6c584f90fbbea74b566216e3

SHA1
4616e59aed33848f5870e5e1fe865f932721a162

SHA256
44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

SHA512
5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

Download Submit
\Windows\Installer\MSID164.tmp

MD5
d90ab57e6c584f90fbbea74b566216e3

SHA1
4616e59aed33848f5870e5e1fe865f932721a162

SHA256
44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

SHA512
5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

Download Submit
\Windows\Installer\MSID26E.tmp

MD5
d90ab57e6c584f90fbbea74b566216e3

SHA1
4616e59aed33848f5870e5e1fe865f932721a162

SHA256
44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

SHA512
5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

Download Submit
\Windows\Installer\MSIDEFD.tmp

MD5
06bf05c1b207c1340db60571ee6ef552

SHA1
64b9ad03c6827a320633336c5e53c974d950ef67

SHA256
2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

SHA512
a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

Download Submit
\Windows\Installer\MSIE112.tmp

MD5
06bf05c1b207c1340db60571ee6ef552

SHA1
64b9ad03c6827a320633336c5e53c974d950ef67

SHA256
2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

SHA512
a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

Download Submit
memory/780-54-0x000007FEFBA11000-0x000007FEFBA13000-memory.dmp

Filesize
8KB

Download
memory/1924-57-0x00000000751D1000-0x00000000751D3000-memory.dmp

Filesize
8KB

Download
memory/1924-56-0x0000000000000000-mapping.dmp

Download
memory/1924-68-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download