Analysis
max time kernel: 4294201s
max time network: 143s
platform: windows7_x64
resource: win7-20220311-en
submitted: 16-03-2022 04:20
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample:
https://download.nutanix.com/Foundation/5.1.1/foundation-5.1.1-windows.msi?Expires=1647317017618&Key-Pair-Id=APKAJTTNCWPEI42QKMSA&Signature=G-MEsjjAR8ynl~LpkXPKS3R0s4kj0q1Owu7DO~Jq2QashOc5n1M0pP883g8mGTNkRA7uIbpCaom1RKSYk0R4xlkD-Pm6MFdjnZbXwQskCcynegYCq7SQV3TYC7~jXRqYbwpQhY4Uox7wUC2pA6zRPFnrCQoyXlnp0Jqyn8M-lNpsdSp2bdTMKDCn4l03LH5nsiZdBmXesNx6bKgmDhZRbxpYWbo56i-8VvSgmkk0DaY21GAs2~oujB~41gFVe-~rfuu4bDVWTqrGNGD--Uz~oLp8A7k4sLm3QM8h0iSHbvclBTmTRdQhc71Wjv3sm8HXxrSeuObaPzmR06wpEjJoFQ__
Resource: win7-20220311-en
Behavioral task: behavioral2
Sample:
https://download.nutanix.com/Foundation/5.1.1/foundation-5.1.1-windows.msi?Expires=1647317017618&Key-Pair-Id=APKAJTTNCWPEI42QKMSA&Signature=G-MEsjjAR8ynl~LpkXPKS3R0s4kj0q1Owu7DO~Jq2QashOc5n1M0pP883g8mGTNkRA7uIbpCaom1RKSYk0R4xlkD-Pm6MFdjnZbXwQskCcynegYCq7SQV3TYC7~jXRqYbwpQhY4Uox7wUC2pA6zRPFnrCQoyXlnp0Jqyn8M-lNpsdSp2bdTMKDCn4l03LH5nsiZdBmXesNx6bKgmDhZRbxpYWbo56i-8VvSgmkk0DaY21GAs2~oujB~41gFVe-~rfuu4bDVWTqrGNGD--Uz~oLp8A7k4sLm3QM8h0iSHbvclBTmTRdQhc71Wjv3sm8HXxrSeuObaPzmR06wpEjJoFQ__
Resource: win10v2004-20220310-en
General
Target:
https://download.nutanix.com/Foundation/5.1.1/foundation-5.1.1-windows.msi?Expires=1647317017618&Key-Pair-Id=APKAJTTNCWPEI42QKMSA&Signature=G-MEsjjAR8ynl~LpkXPKS3R0s4kj0q1Owu7DO~Jq2QashOc5n1M0pP883g8mGTNkRA7uIbpCaom1RKSYk0R4xlkD-Pm6MFdjnZbXwQskCcynegYCq7SQV3TYC7~jXRqYbwpQhY4Uox7wUC2pA6zRPFnrCQoyXlnp0Jqyn8M-lNpsdSp2bdTMKDCn4l03LH5nsiZdBmXesNx6bKgmDhZRbxpYWbo56i-8VvSgmkk0DaY21GAs2~oujB~41gFVe-~rfuu4bDVWTqrGNGD--Uz~oLp8A7k4sLm3QM8h0iSHbvclBTmTRdQhc71Wjv3sm8HXxrSeuObaPzmR06wpEjJoFQ__
Malware Config
Signatures
PlugX Rat Payload 1 IoCs
resource: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GC0VJYYE\foundation-5.1.1-windows.msi.6d0mdht.partial
yara_rule: PlugX
Detect jar appended to MSI 1 IoCs
resource: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GC0VJYYE\foundation-5.1.1-windows.msi.6d0mdht.partial
yara_rule: jar_in_msi
Patched UPX-packed file 1 IoCs
Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.
resource: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GC0VJYYE\foundation-5.1.1-windows.msi.6d0mdht.partial
yara_rule: patched_upx
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process: msiexec.exe
description | ioc | process
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
HTTP links in PDF interactive object 1 IoCs
Detects HTTP links in interactive objects within PDF files.
resource: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GC0VJYYE\foundation-5.1.1-windows.msi.6d0mdht.partial
yara_rule: pdf_with_link_action
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Process: iexplore.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\PhishingFilter | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = a0cc1546ed38d801 | iexplore.exe
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
All keys below are under \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\
description | ioc | process
Key created | InternetRegistry | iexplore.exe
Set value (int) | MINIE\TabBandWidth = "500" | iexplore.exe
Key created | Main | iexplore.exe
Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | Zoom | iexplore.exe
Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | DomainSuggestion\NextUpdateDate = "354169443" | iexplore.exe
Key created | IntelliForms | iexplore.exe
Key created | Main\WindowsSearch | iexplore.exe
Set value (int) | Recovery\AdminActive\{80EC5421-A4E0-11EC-BBED-DA40BCC881D4} = "0" | iexplore.exe
Key created | Recovery\AdminActive | iexplore.exe
Set value (str) | Main\FullScreen = "no" | iexplore.exe
Key created | Recovery\PendingRecovery | iexplore.exe
Set value (str) | DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | IETld\LowMic | iexplore.exe
Key created | GPU | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | Main | IEXPLORE.EXE
Key created | MINIE | iexplore.exe
Key created | BrowserEmulation\LowMic | iexplore.exe
Key created | Toolbar | iexplore.exe
Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
Key created | LowRegistry | iexplore.exe
Key created | Toolbar\WebBrowser | iexplore.exe
Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | DomainSuggestion\FileNames | iexplore.exe
Key created | LowRegistry\DOMStorage | iexplore.exe
Key created | DomainSuggestion\FileNames\ | iexplore.exe
Key created | DomainSuggestion | iexplore.exe
Key created | PageSetup | iexplore.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Process: msiexec.exe
description | pid | process
Token: SeShutdownPrivilege | 1576 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1576 | msiexec.exe
Suspicious use of FindShellTrayWindow 3 IoCs
Processes: iexplore.exe, msiexec.exe
pid | process
1996 | iexplore.exe
1996 | iexplore.exe
1576 | msiexec.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
pid | process
1996 | iexplore.exe
1996 | iexplore.exe
1724 | IEXPLORE.EXE
1724 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 9 IoCs
Process: iexplore.exe
description | pid | process | target process
PID 1996 wrote to memory of 1724 | 1996 | iexplore.exe | IEXPLORE.EXE
PID 1996 wrote to memory of 1724 | 1996 | iexplore.exe | IEXPLORE.EXE
PID 1996 wrote to memory of 1724 | 1996 | iexplore.exe | IEXPLORE.EXE
PID 1996 wrote to memory of 1724 | 1996 | iexplore.exe | IEXPLORE.EXE
PID 1996 wrote to memory of 1576 | 1996 | iexplore.exe | msiexec.exe
PID 1996 wrote to memory of 1576 | 1996 | iexplore.exe | msiexec.exe
PID 1996 wrote to memory of 1576 | 1996 | iexplore.exe | msiexec.exe
PID 1996 wrote to memory of 1576 | 1996 | iexplore.exe | msiexec.exe
PID 1996 wrote to memory of 1576 | 1996 | iexplore.exe | msiexec.exe
Processes
Image: C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://download.nutanix.com/Foundation/5.1.1/foundation-5.1.1-windows.msi?Expires=1647317017618&Key-Pair-Id=APKAJTTNCWPEI42QKMSA&Signature=G-MEsjjAR8ynl~LpkXPKS3R0s4kj0q1Owu7DO~Jq2QashOc5n1M0pP883g8mGTNkRA7uIbpCaom1RKSYk0R4xlkD-Pm6MFdjnZbXwQskCcynegYCq7SQV3TYC7~jXRqYbwpQhY4Uox7wUC2pA6zRPFnrCQoyXlnp0Jqyn8M-lNpsdSp2bdTMKDCn4l03LH5nsiZdBmXesNx6bKgmDhZRbxpYWbo56i-8VvSgmkk0DaY21GAs2~oujB~41gFVe-~rfuu4bDVWTqrGNGD--Uz~oLp8A7k4sLm3QM8h0iSHbvclBTmTRdQhc71Wjv3sm8HXxrSeuObaPzmR06wpEjJoFQ__
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
    Child image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    Child image: C:\Windows\System32\msiexec.exe
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GC0VJYYE\foundation-5.1.1-windows.msi"
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
File: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5: c3204dfa2fe898f26335602b34edc1b9
SHA1: 004f492206233f6982f2dffb01481f73399b8e9e
SHA256: 7b836166676d3c36ecd0ff2cff355a0340872353dbe900b8c1fde2f2fc62a065
SHA512: 96aaa34d44912eff6cd22e88fb4ef753070263a61bf3b7ebe4cffda311cded6394b284fd18c122caa68271fcf721f2864d512cfc946e666012137d83e6dd571a

File: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GC0VJYYE\foundation-5.1.1-windows.msi.6d0mdht.partial
MD5: 54853d2e8bbb9b615114fb921938bbd6
SHA1: a11614837579da81f7d641c4b84d74e06e806de3
SHA256: b8921576aeff21fcea96ffe581b397fe34aa9094bc09e33e75d09ca2aeeba8e0
SHA512: e9362ba4c064b51154c966112b98e4e7c53b0fafcfe5c5d4a8c73e2c1fa5f8fe634e389e59cd5834035d6527e64682e2073921394f73322a6c978bf45de2428d

File: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OFKPF99F.txt
MD5: 76e5c920753e7d18954ba8a0063532ea
SHA1: 7d752f5889550dac7e7158fba0891d061f188a44
SHA256: 440f271123c5f93253f0ce32106482e94f73bf6a2745c4dad3448a4622bfbcd2
SHA512: 51f9385bb31bc2d63048f55c0b7ea9adc09ca01c700ba0799606a40451f0cc65d4385b3ebe4d7842df643ae47b74b1ae8bf88d73b54a0f1f0136bdc9ee232395

Memory dump: memory/1576-57-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp
Filesize: 8KB