Analysis
  max time kernel:   139s
  max time network:  152s
  platform:          windows10_x64
  resource:          win10-en-20211208 (behavioral2 below; the signatures and process tree on this page come from that run)
  submitted:         11/01/2022, 21:15
Static task: static1

Behavioral task: behavioral1
  Sample:   e9c0fcf1b6dc4b895ed5ad5c4a6f3aeed343055584f7be6a478f525a27a56d8d.msi
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample:   e9c0fcf1b6dc4b895ed5ad5c4a6f3aeed343055584f7be6a478f525a27a56d8d.msi
  Resource: win10-en-20211208
General
  Target: e9c0fcf1b6dc4b895ed5ad5c4a6f3aeed343055584f7be6a478f525a27a56d8d.msi
  Size:   4.0MB
  MD5:    9c29559b0910132668be272b7228fb5b
  SHA1:   57f3e22aba505bcc671d6b1ac54068c0cdead4b0
  SHA256: e9c0fcf1b6dc4b895ed5ad5c4a6f3aeed343055584f7be6a478f525a27a56d8d
  SHA512: 143392c71a7cd435e454b79bdcb89c2388a6462111f87bac9118e2189792be24b9bd768f28a5d47042f1e984e133e83d8fc2e0f5dc65746e6a248f482814efde
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  10    3972  MsiExec.exe
  26    3972  MsiExec.exe
Executes dropped EXE (2 IoCs)
  pid   Process
  968   oyvdtZKxWZvBNUN.exe
  3828  oyvdtZKxWZvBNUN.exe
Drops startup file (1 IoC)
  File created by MsiExec.exe:
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YTnoTgXqWWYnSRb.lnk
  A .lnk in the per-user Startup folder is a second persistence mechanism, independent of the scheduled task created later in the chain; it is written by the installer's custom-action server (PID 3972), not by the dropped EXE.
Loads dropped DLL (26 IoCs)
  pid   Process              loads
  3972  MsiExec.exe          4
  968   oyvdtZKxWZvBNUN.exe  11
  3828  oyvdtZKxWZvBNUN.exe  11
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\A:, \??\B: and \??\E: through \??\Z: (every drive letter except C: and D:), each opened twice, 48 opens in total.
Drops file in Windows directory (11 IoCs)
  description                   ioc                                                                    Process
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log               msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI4989.tmp                                       msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                         msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{CB2DC13D-2C3B-4DC5-BB27-1829B1EA007D}  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIBF1.tmp                                        msiexec.exe
  File created                  C:\Windows\Installer\f762900.msi                                       msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI2D55.tmp                                       msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI4D34.tmp                                       msiexec.exe
  File opened for modification  C:\Windows\Installer\                                                  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIF3F.tmp                                        msiexec.exe
  File opened for modification  C:\Windows\Installer\f762900.msi                                       msiexec.exe
  These are ordinary Windows Installer artefacts, but two are useful for triage: the SourceHash{...} file name carries the package's ProductCode (CB2DC13D-2C3B-4DC5-BB27-1829B1EA007D), which identifies the product in the installer registry and can be passed to msiexec /x, and f762900.msi is the cached copy of the package in C:\Windows\Installer. The write to ngen.log suggests the package also ran a .NET native-image (NGen) step.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: the drive enumeration in this report comes from msiexec.exe itself (PIDs 652 and 764 in the process tree), and Windows Installer probes every volume during disk-space costing, so this generic signature carries little weight here on its own.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2164  schtasks.exe
  The task is named "OneDrive " (note the trailing space, a lookalike of the legitimate OneDrive tasks), runs the dropped EXE every 2 minutes in the interactive session, and is registered under the current user; see the full command line in the process tree.
Script User-Agent (3 IoCs)
Uses user-agent string associated with script host/environment.
  flow  ioc
  10    HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  26    HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  28    HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  This is the default User-Agent of the WinHttp.WinHttpRequest.5.1 COM object, which points to a script (VBScript/JScript) custom action inside the MSI rather than a compiled downloader. Flows 10 and 26 are the same flows listed under "Blocklisted process makes network request" for MsiExec.exe (PID 3972). The report does not show the destination hosts, so no network indicator beyond the User-Agent can be taken from it.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  764   msiexec.exe (x2)
  968   oyvdtZKxWZvBNUN.exe (x2)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 652, msiexec.exe (31 adjustments): SeShutdownPrivilege (x2), SeIncreaseQuotaPrivilege (x2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 764, msiexec.exe (11 adjustments): SeSecurityPrivilege, SeRestorePrivilege (x5), SeTakeOwnershipPrivilege (x5)
  pid 1476, WMIC.exe (22 adjustments): SeIncreaseQuotaPrivilege (x2), SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privilege values 33, 34, 35 and 36 (LUIDs the sandbox did not resolve to names)
  All three processes are Microsoft system binaries whose normal start-up enables a broad set of token privileges; the dropped EXE (PIDs 968 and 3828) does not appear in this list.
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  652   msiexec.exe (x2)
  3972  MsiExec.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  pid   Process              wrote to pid  procid_target  writes
  764   msiexec.exe          3972          71             3
  3972  MsiExec.exe          1476          75             3
  968   oyvdtZKxWZvBNUN.exe  3056          79             3
  3056  cmd.exe              2164          81             3
  Each source is the parent of its target (see the process tree), the usual parent-to-child write at process creation; no write into an unrelated process is recorded.
Processes

1. C:\Windows\system32\msiexec.exe  (PID 652)
   command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e9c0fcf1b6dc4b895ed5ad5c4a6f3aeed343055584f7be6a478f525a27a56d8d.msi
   - Enumerates connected drives
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   (the client-side install request launched by the sandbox)

1. C:\Windows\system32\msiexec.exe  (PID 764)
   command line: C:\Windows\system32\msiexec.exe /V
   - Enumerates connected drives
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   (the Windows Installer service, which carries out the install)
   2. C:\Windows\syswow64\MsiExec.exe  (PID 3972)
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding 6810C1A303306ADEA0D5E56B6D6A4D74
      - Blocklisted process makes network request
      - Drops startup file
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      (32-bit custom-action server spawned by the service; the package's custom actions, including the script that produces the WinHttpRequest traffic and writes the Startup .lnk, run here)
      3. C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 1476)
         command line: "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe'
         - Suspicious use of AdjustPrivilegeToken
         (Win32_Process.Create over WMI: the new process is parented by the WMI provider host rather than by MsiExec.exe, which is why the dropped EXE appears as a separate root below. The System32 path resolves to SysWOW64 through WOW64 file-system redirection because the caller is 32-bit.)

1. C:\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe  (PID 968)
   command line: C:\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe  (PID 3056)
      command line: "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /TN "OneDrive " /TR C:\\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe /SC minute /MO 2 /IT /RU %USERNAME%
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe  (PID 2164)
         command line: schtasks /CREATE /TN "OneDrive " /TR C:\\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe /SC minute /MO 2 /IT /RU Admin
         - Creates scheduled task(s)
         (task "OneDrive " with a trailing space, running every 2 minutes in the interactive session; cmd.exe expanded %USERNAME% to Admin before schtasks saw it)

1. C:\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe  (PID 3828)
   command line: C:\\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe
   - Executes dropped EXE
   - Loads dropped DLL
   (second launch as a separate root; the doubled backslash matches the task's /TR value exactly, consistent with the scheduled task firing)
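The chain above (installer custom-action server, WMI process creation, cmd.exe wrapper, schtasks with a padded lookalike name and a minute-level trigger) is the part worth hunting for on other hosts. The following is an added example, not code from the sandbox or from the sample: a small Python hunt over process-creation events. The `ProcEvent` record and the `EVENTS` list are constructed here from the report's process tree (PIDs and command lines as printed above; `ppid=None` is assumed where the report shows a process as a tree root); in practice the same four fields come from Sysmon Event ID 1 or Windows 4688 records. Tying the WMI-launched orphan back to the installer by image path is a heuristic of this example, not something the report states.

```python
"""Hunt for the MSI -> WMI -> schtasks persistence chain shown in the tree above.
Added example; the events are constructed from the report's process tree."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]  # assumed None where the report shows the process as a tree root
    image: str
    cmdline: str


# Constructed from the report (PIDs and command lines as printed in the tree).
EVENTS = [
    ProcEvent(764, None, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(3972, 764, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding 6810C1A303306ADEA0D5E56B6D6A4D74"),
    ProcEvent(1476, 3972, r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
              r'"C:\Windows\System32\Wbem\WMIC.exe" process call create '
              r"'C:\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe'"),
    ProcEvent(968, None, r"C:\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe",
              r"C:\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe"),
    ProcEvent(3056, 968, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C schtasks /CREATE /TN "OneDrive " '
              r"/TR C:\\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe /SC minute /MO 2 /IT /RU %USERNAME%"),
    ProcEvent(2164, 3056, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /CREATE /TN "OneDrive " /TR C:\\Users\Admin\QpnwGzDpCXmMxBT\oyvdtZKxWZvBNUN.exe '
              r"/SC minute /MO 2 /IT /RU Admin"),
]


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted arguments whole (so the padded
    task name "OneDrive " survives with its trailing space) and then dropping the quotes."""
    return [t[1:-1] if len(t) > 1 and t[0] == t[-1] == '"' else t
            for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline: str) -> Optional[dict[str, str]]:
    """Return the /TN /TR /SC /MO /RU values of a 'schtasks /CREATE' line, else None."""
    toks = tokens(cmdline)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    opts: dict[str, str] = {}
    for i, flag in enumerate(low):
        if flag in ("/tn", "/tr", "/sc", "/mo", "/ru") and i + 1 < len(toks):
            opts[flag] = toks[i + 1]
    return opts


def schtasks_findings(ev: ProcEvent) -> list[str]:
    """Flag the traits of the task in the report: whitespace-padded lookalike name,
    minute-level trigger, and an action that runs out of a user profile."""
    if not ev.image.lower().endswith("schtasks.exe"):
        return []
    opts = parse_schtasks(ev.cmdline)
    if opts is None:
        return []
    reasons = []
    name = opts.get("/tn", "")
    if name != name.strip():
        reasons.append(f"task name {name!r} is padded with whitespace (lookalike name)")
    mo = opts.get("/mo", "1")
    if opts.get("/sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 5:
        reasons.append(f"trigger fires every {mo} minute(s)")
    if re.match(r"c:\\+users\\", opts.get("/tr", "").lower()):
        reasons.append("action runs a binary from a user profile directory")
    return reasons


def wmi_spawn_findings(events: list[ProcEvent]) -> list[str]:
    """Flag an MSI custom-action server (MsiExec.exe -Embedding) that starts a binary
    via WMIC 'process call create', and link the resulting orphan process by image path."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not e.image.lower().endswith("wmic.exe"):
            continue
        if ("process call create" in e.cmdline.lower()
                and parent.image.lower().endswith("msiexec.exe")
                and "-embedding" in parent.cmdline.lower()):
            m = re.search(r"create\s+'([^']+)'", e.cmdline, re.IGNORECASE)
            target = m.group(1) if m else "?"
            spawned = [str(x.pid) for x in events if x.ppid is None and x.image.lower() == target.lower()]
            out.append(f"MSI custom-action server pid {parent.pid} launched {target} via WMI"
                       f" (runs outside the installer tree as pid {', '.join(spawned) or '?'})")
    return out


def hunt(events: list[ProcEvent]) -> list[str]:
    findings = wmi_spawn_findings(events)
    for ev in events:
        findings += [f"schtasks pid {ev.pid}: {r}" for r in schtasks_findings(ev)]
    return findings


if __name__ == "__main__":
    for line in hunt(EVENTS):
        print(line)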