Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 22/11/2021, 07:55
Static task: static1
Behavioral task: behavioral1
- Sample: ee408fa74fbfe568a05b0bbeff2e4339.msi
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: ee408fa74fbfe568a05b0bbeff2e4339.msi
- Resource: win10-en-20211014
General
- Target: ee408fa74fbfe568a05b0bbeff2e4339.msi
- Size: 4.0MB
- MD5: ee408fa74fbfe568a05b0bbeff2e4339
- SHA1: 0e8e7da9769102123a1bd8ad0d22e48338d20495
- SHA256: abe6b696965b8e856ccb20587f8a2fc8327169557e0083cebeab58e14a9d0560
- SHA512: 290d475b870da3d3e436d67b6aed192e1f68be592ee2b9eb70b2731596c8ce13be7c0bfd0192d63b57d4d103cca4f5a6d781ccf8dba17234f73c247de21162ac
Malware Config
Signatures
- suricata: ET MALWARE Ousaban Banker Checkin M1
- Blocklisted process makes network request (2 IoCs)
  flow 17, pid 1360, MsiExec.exe
  flow 25, pid 1360, MsiExec.exe
- Executes dropped EXE (1 IoC)
  pid 3384, IPaDJCXLumdu.exe
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SCgrDlIizGws.lnk (MsiExec.exe)
- Loads dropped DLL (12 IoCs)
  pid 1360, MsiExec.exe (4 entries)
  pid 3384, IPaDJCXLumdu.exe (8 entries)
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C: and D:, each opened twice)
- Drops file in Windows directory (11 IoCs)
  File created: C:\Windows\Installer\f75c7d5.msi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\f75c7d5.msi (msiexec.exe)
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSIC8FE.tmp (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSID13D.tmp (msiexec.exe)
  File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSID0DE.tmp (msiexec.exe)
  File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  File created: C:\Windows\Installer\SourceHash{4B2034EB-6BA0-48DB-BDA8-0A07DDDD2112} (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI3651.tmp (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI372F.tmp (msiexec.exe)
- Script User-Agent (3 IoCs)
  Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, flow 17: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header, flow 25: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header, flow 27: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  pid 4056, msiexec.exe (2 entries)
  pid 3384, IPaDJCXLumdu.exe (28 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 2700, msiexec.exe (31 entries), Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 4056, msiexec.exe (12 entries), Token: SeSecurityPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating (SeRestorePrivilege, SeTakeOwnershipPrivilege x4, then SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege)
  pid 3152, WMIC.exe (21 entries), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid 2700, msiexec.exe
  pid 1360, MsiExec.exe
  pid 2700, msiexec.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 3384, IPaDJCXLumdu.exe (2 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4056 wrote to memory of 1360: pid 4056, msiexec.exe, procid_target 70 (3 entries)
  PID 1360 wrote to memory of 3152: pid 1360, MsiExec.exe, procid_target 73 (3 entries)
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ee408fa74fbfe568a05b0bbeff2e4339.msi
  PID: 2700
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4056
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F980178973369033E3CED268C2F33AAE
    PID: 1360
    - Blocklisted process makes network request
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\UnEoAxEDzWie\IPaDJCXLumdu.exe'
      PID: 3152
      - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\UnEoAxEDzWie\IPaDJCXLumdu.exe
  Command line: C:\Users\Admin\UnEoAxEDzWie\IPaDJCXLumdu.exe
  PID: 3384
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx