1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c

Resubmissions

23/01/2022, 16:46

220123-t96bjsgbem 10

17/01/2022, 19:00

220117-xntbmsccfp 8

Analysis

max time kernel
488s
max time network
601s
platform
windows7_x64
resource
win7-en-20211208
submitted
17/01/2022, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msg.exe
Size

392KB
MD5

d90d0f4d6dad402b5d025987030cc87c
SHA1

fad66bdf5c5dc2c050cbc574832c6995dba086a0
SHA256

1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c
SHA512

c2faeacfd588585633630ad710f443a72c7617c2d5e37dbfe43570e6ac5904e4b81eb682356a48a93bb794ef5e9d8ad0d673966d57798079b4de62ea61241024

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1476	igfxCUIService.exe

Loads dropped DLL 2 IoCs

pid	Process
740	msg.exe
740	msg.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\igfxCUIService = "C:\\ProgramData\\SystemData\\igfxCUIService.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1100	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
796	powershell.exe
1936	powershell.exe
776	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeIncreaseQuotaPrivilege	1748	WMIC.exe
Token: SeSecurityPrivilege	1748	WMIC.exe
Token: SeTakeOwnershipPrivilege	1748	WMIC.exe
Token: SeLoadDriverPrivilege	1748	WMIC.exe
Token: SeSystemProfilePrivilege	1748	WMIC.exe
Token: SeSystemtimePrivilege	1748	WMIC.exe
Token: SeProfSingleProcessPrivilege	1748	WMIC.exe
Token: SeIncBasePriorityPrivilege	1748	WMIC.exe
Token: SeCreatePagefilePrivilege	1748	WMIC.exe
Token: SeBackupPrivilege	1748	WMIC.exe
Token: SeRestorePrivilege	1748	WMIC.exe
Token: SeShutdownPrivilege	1748	WMIC.exe
Token: SeDebugPrivilege	1748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1748	WMIC.exe
Token: SeRemoteShutdownPrivilege	1748	WMIC.exe
Token: SeUndockPrivilege	1748	WMIC.exe
Token: SeManageVolumePrivilege	1748	WMIC.exe
Token: 33	1748	WMIC.exe
Token: 34	1748	WMIC.exe
Token: 35	1748	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1748	WMIC.exe
Token: SeSecurityPrivilege	1748	WMIC.exe
Token: SeTakeOwnershipPrivilege	1748	WMIC.exe
Token: SeLoadDriverPrivilege	1748	WMIC.exe
Token: SeSystemProfilePrivilege	1748	WMIC.exe
Token: SeSystemtimePrivilege	1748	WMIC.exe
Token: SeProfSingleProcessPrivilege	1748	WMIC.exe
Token: SeIncBasePriorityPrivilege	1748	WMIC.exe
Token: SeCreatePagefilePrivilege	1748	WMIC.exe
Token: SeBackupPrivilege	1748	WMIC.exe
Token: SeRestorePrivilege	1748	WMIC.exe
Token: SeShutdownPrivilege	1748	WMIC.exe
Token: SeDebugPrivilege	1748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1748	WMIC.exe
Token: SeRemoteShutdownPrivilege	1748	WMIC.exe
Token: SeUndockPrivilege	1748	WMIC.exe
Token: SeManageVolumePrivilege	1748	WMIC.exe
Token: 33	1748	WMIC.exe
Token: 34	1748	WMIC.exe
Token: 35	1748	WMIC.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeIncreaseQuotaPrivilege	612	WMIC.exe
Token: SeSecurityPrivilege	612	WMIC.exe
Token: SeTakeOwnershipPrivilege	612	WMIC.exe
Token: SeLoadDriverPrivilege	612	WMIC.exe
Token: SeSystemProfilePrivilege	612	WMIC.exe
Token: SeSystemtimePrivilege	612	WMIC.exe
Token: SeProfSingleProcessPrivilege	612	WMIC.exe
Token: SeIncBasePriorityPrivilege	612	WMIC.exe
Token: SeCreatePagefilePrivilege	612	WMIC.exe
Token: SeBackupPrivilege	612	WMIC.exe
Token: SeRestorePrivilege	612	WMIC.exe
Token: SeShutdownPrivilege	612	WMIC.exe
Token: SeDebugPrivilege	612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	612	WMIC.exe
Token: SeRemoteShutdownPrivilege	612	WMIC.exe
Token: SeUndockPrivilege	612	WMIC.exe
Token: SeManageVolumePrivilege	612	WMIC.exe
Token: 33	612	WMIC.exe
Token: 34	612	WMIC.exe
Token: 35	612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	612	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 796	740	msg.exe	29
PID 740 wrote to memory of 796	740	msg.exe	29
PID 740 wrote to memory of 796	740	msg.exe	29
PID 740 wrote to memory of 796	740	msg.exe	29
PID 740 wrote to memory of 1476	740	msg.exe	31
PID 740 wrote to memory of 1476	740	msg.exe	31
PID 740 wrote to memory of 1476	740	msg.exe	31
PID 740 wrote to memory of 1476	740	msg.exe	31
PID 1476 wrote to memory of 1936	1476	igfxCUIService.exe	32
PID 1476 wrote to memory of 1936	1476	igfxCUIService.exe	32
PID 1476 wrote to memory of 1936	1476	igfxCUIService.exe	32
PID 1476 wrote to memory of 1936	1476	igfxCUIService.exe	32
PID 1936 wrote to memory of 916	1936	powershell.exe	34
PID 1936 wrote to memory of 916	1936	powershell.exe	34
PID 1936 wrote to memory of 916	1936	powershell.exe	34
PID 1936 wrote to memory of 916	1936	powershell.exe	34
PID 1936 wrote to memory of 1748	1936	powershell.exe	37
PID 1936 wrote to memory of 1748	1936	powershell.exe	37
PID 1936 wrote to memory of 1748	1936	powershell.exe	37
PID 1936 wrote to memory of 1748	1936	powershell.exe	37
PID 1476 wrote to memory of 776	1476	igfxCUIService.exe	38
PID 1476 wrote to memory of 776	1476	igfxCUIService.exe	38
PID 1476 wrote to memory of 776	1476	igfxCUIService.exe	38
PID 1476 wrote to memory of 776	1476	igfxCUIService.exe	38
PID 1476 wrote to memory of 2008	1476	igfxCUIService.exe	40
PID 1476 wrote to memory of 2008	1476	igfxCUIService.exe	40
PID 1476 wrote to memory of 2008	1476	igfxCUIService.exe	40
PID 1476 wrote to memory of 2008	1476	igfxCUIService.exe	40
PID 2008 wrote to memory of 612	2008	cmd.exe	42
PID 2008 wrote to memory of 612	2008	cmd.exe	42
PID 2008 wrote to memory of 612	2008	cmd.exe	42
PID 2008 wrote to memory of 612	2008	cmd.exe	42
PID 1476 wrote to memory of 960	1476	igfxCUIService.exe	43
PID 1476 wrote to memory of 960	1476	igfxCUIService.exe	43
PID 1476 wrote to memory of 960	1476	igfxCUIService.exe	43
PID 1476 wrote to memory of 960	1476	igfxCUIService.exe	43
PID 960 wrote to memory of 544	960	cmd.exe	45
PID 960 wrote to memory of 544	960	cmd.exe	45
PID 960 wrote to memory of 544	960	cmd.exe	45
PID 960 wrote to memory of 544	960	cmd.exe	45
PID 1476 wrote to memory of 1876	1476	igfxCUIService.exe	46
PID 1476 wrote to memory of 1876	1476	igfxCUIService.exe	46
PID 1476 wrote to memory of 1876	1476	igfxCUIService.exe	46
PID 1476 wrote to memory of 1876	1476	igfxCUIService.exe	46
PID 1876 wrote to memory of 1100	1876	cmd.exe	48
PID 1876 wrote to memory of 1100	1876	cmd.exe	48
PID 1876 wrote to memory of 1100	1876	cmd.exe	48
PID 1876 wrote to memory of 1100	1876	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\msg.exe
"C:\Users\Admin\AppData\Local\Temp\msg.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\Admin\AppData\Local\Temp\msg.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:796
- C:\ProgramData\SystemData\igfxCUIService.exe
  "C:\ProgramData\SystemData\igfxCUIService.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\getmac.exe
      "C:\Windows\system32\getmac.exe"
      4⤵
      PID:916
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      "C:\Windows\System32\Wbem\WMIC.exe" path win32_physicalmedia get SerialNumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1748
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wmic OS get Caption, CSDVersion, OSArchitecture, Version / value > "C:\ProgramData\SystemData\tempo1.txt" && type "C:\ProgramData\SystemData\tempo1.txt" > "C:\ProgramData\SystemData\tempo2.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic OS get Caption, CSDVersion, OSArchitecture, Version / value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wmic nicconfig where 'IPEnabled = True' get ipaddress > "C:\ProgramData\SystemData\tempi1.txt" && type "C:\ProgramData\SystemData\tempi1.txt" > "C:\ProgramData\SystemData\tempi2.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic nicconfig where 'IPEnabled = True' get ipaddress
      4⤵
      PID:544
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/740-55-0x00000000763B1000-0x00000000763B3000-memory.dmp

Filesize
8KB

Download
memory/796-60-0x0000000002600000-0x000000000324A000-memory.dmp

Filesize
12.3MB

Download
memory/796-58-0x0000000002600000-0x000000000324A000-memory.dmp

Filesize
12.3MB

Download
memory/796-59-0x0000000002600000-0x000000000324A000-memory.dmp

Filesize
12.3MB

Download
memory/1936-71-0x00000000024F0000-0x000000000313A000-memory.dmp

Filesize
12.3MB

Download