Overview

overview

8

Static

static

10

FORM_PIX XJTVCZG.msi

windows7_x64

8

FORM_PIX XJTVCZG.msi

windows10_x64

8

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    25/10/2021, 08:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FORM_PIX XJTVCZG.msi

  • Size

    953KB

  • MD5

    f2836216ca554dfdc8a300decb644911

  • SHA1

    338829d2c88f430b0d00bfb03ad8a43649b4e1d8

  • SHA256

    951c2f341e914601140aa9ead05895f6957d5cbfda80b81be99015d2be02d44f

  • SHA512

    02148775c5db048566d0fb73e7d8da06597362a31934907ce356238bc1aa8ab4b319094d16d2a5881bf9b6797fde023c42a76846448a5436f4b72f067a668b1c

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\FORM_PIX XJTVCZG.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4040
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C75F255D415FF83D03C9D3E068B20291
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      PID:3232

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2940-118-0x0000019663770000-0x0000019663772000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2940-117-0x0000019663770000-0x0000019663772000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3232-121-0x0000000000780000-0x0000000000781000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3232-120-0x0000000000780000-0x0000000000781000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4040-115-0x0000023EA5040000-0x0000023EA5042000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4040-116-0x0000023EA5040000-0x0000023EA5042000-memory.dmp

    Filesize

    8KB

    Download