Analysis
  max time kernel:   150s
  max time network:  145s
  platform:          windows7_x64
  resource:          win7-en-20211208
  submitted:         11/01/2022, 21:15
Static task: static1
Behavioral task: behavioral1
  Sample:   e9c0fcf1b6dc4b895ed5ad5c4a6f3aeed343055584f7be6a478f525a27a56d8d.msi
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample:   e9c0fcf1b6dc4b895ed5ad5c4a6f3aeed343055584f7be6a478f525a27a56d8d.msi
  Resource: win10-en-20211208
General
  Target: e9c0fcf1b6dc4b895ed5ad5c4a6f3aeed343055584f7be6a478f525a27a56d8d.msi
  Size:   4.0MB
  MD5:    9c29559b0910132668be272b7228fb5b
  SHA1:   57f3e22aba505bcc671d6b1ac54068c0cdead4b0
  SHA256: e9c0fcf1b6dc4b895ed5ad5c4a6f3aeed343055584f7be6a478f525a27a56d8d
  SHA512: 143392c71a7cd435e454b79bdcb89c2388a6462111f87bac9118e2189792be24b9bd768f28a5d47042f1e984e133e83d8fc2e0f5dc65746e6a248f482814efde
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  3     1092  MsiExec.exe
  4     1092  MsiExec.exe
Executes dropped EXE (2 IoCs)
  pid   Process
  892   CaCvIferOPsSthy.exe
  1616  XENCXPGf.exe
  resource                                                                     yara_rule
  behavioral1/memory/892-98-0x0000000003370000-0x00000000034CC000-memory.dmp  upx
Drops startup file (1 IoCs)
  description   ioc                                                                                              Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dFQtpsLcVRpQwkn.lnk  MsiExec.exe
Loads dropped DLL (25 IoCs)
  pid   Process              (entries)
  1092  MsiExec.exe          5
  892   CaCvIferOPsSthy.exe  11
  1616  XENCXPGf.exe         9
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description             ioc     Process
  File opened (read-only) \??\T:  msiexec.exe
  File opened (read-only) \??\Z:  msiexec.exe
  File opened (read-only) \??\A:  msiexec.exe
  File opened (read-only) \??\K:  msiexec.exe
  File opened (read-only) \??\V:  msiexec.exe
  File opened (read-only) \??\S:  msiexec.exe
  File opened (read-only) \??\Y:  msiexec.exe
  File opened (read-only) \??\G:  msiexec.exe
  File opened (read-only) \??\I:  msiexec.exe
  File opened (read-only) \??\R:  msiexec.exe
  File opened (read-only) \??\Y:  msiexec.exe
  File opened (read-only) \??\F:  msiexec.exe
  File opened (read-only) \??\Q:  msiexec.exe
  File opened (read-only) \??\H:  msiexec.exe
  File opened (read-only) \??\J:  msiexec.exe
  File opened (read-only) \??\L:  msiexec.exe
  File opened (read-only) \??\S:  msiexec.exe
  File opened (read-only) \??\V:  msiexec.exe
  File opened (read-only) \??\P:  msiexec.exe
  File opened (read-only) \??\Q:  msiexec.exe
  File opened (read-only) \??\Z:  msiexec.exe
  File opened (read-only) \??\U:  msiexec.exe
  File opened (read-only) \??\E:  msiexec.exe
  File opened (read-only) \??\O:  msiexec.exe
  File opened (read-only) \??\N:  msiexec.exe
  File opened (read-only) \??\P:  msiexec.exe
  File opened (read-only) \??\T:  msiexec.exe
  File opened (read-only) \??\H:  msiexec.exe
  File opened (read-only) \??\W:  msiexec.exe
  File opened (read-only) \??\X:  msiexec.exe
  File opened (read-only) \??\A:  msiexec.exe
  File opened (read-only) \??\B:  msiexec.exe
  File opened (read-only) \??\M:  msiexec.exe
  File opened (read-only) \??\N:  msiexec.exe
  File opened (read-only) \??\U:  msiexec.exe
  File opened (read-only) \??\I:  msiexec.exe
  File opened (read-only) \??\J:  msiexec.exe
  File opened (read-only) \??\K:  msiexec.exe
  File opened (read-only) \??\W:  msiexec.exe
  File opened (read-only) \??\B:  msiexec.exe
  File opened (read-only) \??\E:  msiexec.exe
  File opened (read-only) \??\G:  msiexec.exe
  File opened (read-only) \??\R:  msiexec.exe
  File opened (read-only) \??\F:  msiexec.exe
  File opened (read-only) \??\X:  msiexec.exe
  File opened (read-only) \??\L:  msiexec.exe
  File opened (read-only) \??\M:  msiexec.exe
  File opened (read-only) \??\O:  msiexec.exe
Drops file in Windows directory (10 IoCs)
  description                   ioc                                   Process
  File opened for modification  C:\Windows\Installer\MSIDD64.tmp      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIDF77.tmp      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIDF2B.tmp      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIDFCA.tmp      msiexec.exe
  File created                  C:\Windows\Installer\f75dcb8.msi      msiexec.exe
  File opened for modification  C:\Windows\Installer\f75dcb8.msi      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIDFC6.tmp      msiexec.exe
  File created                  C:\Windows\Installer\f75dcba.ipi      msiexec.exe
  File opened for modification  C:\Windows\Installer\                 msiexec.exe
  File opened for modification  C:\Windows\Installer\f75dcba.ipi      msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  Process
  308  schtasks.exe
Script User-Agent (3 IoCs)
Uses user-agent string associated with script host/environment.
  description             flow  ioc
  HTTP User-Agent header  3     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  4     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  6     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  1472  msiexec.exe
  1472  msiexec.exe
  892   CaCvIferOPsSthy.exe
  1616  XENCXPGf.exe
  1616  XENCXPGf.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            1292  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1292  msiexec.exe
  Token: SeRestorePrivilege             1472  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1472  msiexec.exe
  Token: SeSecurityPrivilege            1472  msiexec.exe
  Token: SeCreateTokenPrivilege         1292  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  1292  msiexec.exe
  Token: SeLockMemoryPrivilege          1292  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1292  msiexec.exe
  Token: SeMachineAccountPrivilege      1292  msiexec.exe
  Token: SeTcbPrivilege                 1292  msiexec.exe
  Token: SeSecurityPrivilege            1292  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1292  msiexec.exe
  Token: SeLoadDriverPrivilege          1292  msiexec.exe
  Token: SeSystemProfilePrivilege       1292  msiexec.exe
  Token: SeSystemtimePrivilege          1292  msiexec.exe
  Token: SeProfSingleProcessPrivilege   1292  msiexec.exe
  Token: SeIncBasePriorityPrivilege     1292  msiexec.exe
  Token: SeCreatePagefilePrivilege      1292  msiexec.exe
  Token: SeCreatePermanentPrivilege     1292  msiexec.exe
  Token: SeBackupPrivilege              1292  msiexec.exe
  Token: SeRestorePrivilege             1292  msiexec.exe
  Token: SeShutdownPrivilege            1292  msiexec.exe
  Token: SeDebugPrivilege               1292  msiexec.exe
  Token: SeAuditPrivilege               1292  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   1292  msiexec.exe
  Token: SeChangeNotifyPrivilege        1292  msiexec.exe
  Token: SeRemoteShutdownPrivilege      1292  msiexec.exe
  Token: SeUndockPrivilege              1292  msiexec.exe
  Token: SeSyncAgentPrivilege           1292  msiexec.exe
  Token: SeEnableDelegationPrivilege    1292  msiexec.exe
  Token: SeManageVolumePrivilege        1292  msiexec.exe
  Token: SeImpersonatePrivilege         1292  msiexec.exe
  Token: SeCreateGlobalPrivilege        1292  msiexec.exe
  Token: SeRestorePrivilege             1472  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1472  msiexec.exe
  Token: SeRestorePrivilege             1472  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1472  msiexec.exe
  Token: SeRestorePrivilege             1472  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1472  msiexec.exe
  Token: SeRestorePrivilege             1472  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1472  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1388  WMIC.exe
  Token: SeSecurityPrivilege            1388  WMIC.exe
  Token: SeTakeOwnershipPrivilege       1388  WMIC.exe
  Token: SeLoadDriverPrivilege          1388  WMIC.exe
  Token: SeSystemProfilePrivilege       1388  WMIC.exe
  Token: SeSystemtimePrivilege          1388  WMIC.exe
  Token: SeProfSingleProcessPrivilege   1388  WMIC.exe
  Token: SeIncBasePriorityPrivilege     1388  WMIC.exe
  Token: SeCreatePagefilePrivilege      1388  WMIC.exe
  Token: SeBackupPrivilege              1388  WMIC.exe
  Token: SeRestorePrivilege             1388  WMIC.exe
  Token: SeShutdownPrivilege            1388  WMIC.exe
  Token: SeDebugPrivilege               1388  WMIC.exe
  Token: SeSystemEnvironmentPrivilege   1388  WMIC.exe
  Token: SeRemoteShutdownPrivilege      1388  WMIC.exe
  Token: SeUndockPrivilege              1388  WMIC.exe
  Token: SeManageVolumePrivilege        1388  WMIC.exe
  Token: 33                             1388  WMIC.exe
  Token: 34                             1388  WMIC.exe
  Token: 35                             1388  WMIC.exe
  Token: SeRestorePrivilege             1472  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1472  msiexec.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  1292  msiexec.exe
  1092  MsiExec.exe
  1292  msiexec.exe
Suspicious use of WriteProcessMemory (23 IoCs)
  description                       pid   Process              procid_target  (entries)
  PID 1472 wrote to memory of 1092  1472  msiexec.exe          28             7
  PID 1092 wrote to memory of 1388  1092  MsiExec.exe          30             4
  PID 892 wrote to memory of 1320   892   CaCvIferOPsSthy.exe  35             4
  PID 1320 wrote to memory of 308   1320  cmd.exe              37             4
  PID 892 wrote to memory of 1616   892   CaCvIferOPsSthy.exe  38             4
Processes
- C:\Windows\system32\msiexec.exe (PID 1292)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e9c0fcf1b6dc4b895ed5ad5c4a6f3aeed343055584f7be6a478f525a27a56d8d.msi
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 1472)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\syswow64\MsiExec.exe (PID 1092)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9948DCFCF4BAC6F5915117DB38CF12A7
      Signatures: Blocklisted process makes network request; Drops startup file; Loads dropped DLL; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1388)
          Command line: "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\wIKiEdiJMntJNBE\CaCvIferOPsSthy.exe'
          Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\wIKiEdiJMntJNBE\CaCvIferOPsSthy.exe (PID 892)
  Command line: C:\Users\Admin\wIKiEdiJMntJNBE\CaCvIferOPsSthy.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1320)
      Command line: "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /TN "OneDrive " /TR C:\\Users\Admin\wIKiEdiJMntJNBE\CaCvIferOPsSthy.exe /SC minute /MO 2 /IT /RU %USERNAME%
      Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe (PID 308)
          Command line: schtasks /CREATE /TN "OneDrive " /TR C:\\Users\Admin\wIKiEdiJMntJNBE\CaCvIferOPsSthy.exe /SC minute /MO 2 /IT /RU Admin
          Signatures: Creates scheduled task(s)
    - C:\Users\Admin\kYWjG A98L\XENCXPGf.exe (PID 1616)
      Command line: "C:\Users\Admin\kYWjG A98L\XENCXPGf.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses