f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4

General

Target

f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe
Size

89KB
MD5

341b70cee32d77dbfea0fd2a8e478fe7
SHA1

164da9599a28d1d71a4b7a5e282b9f954f36370d
SHA256

f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4
SHA512

8aaaed938093efd968809f32244369e513b7b86a0aa0f3e584e73f2b1db041022ee701ea26392f6ceeff422c4c4dba48953aed87a9fbcbeabc0af0dede269d1b
SSDEEP

1536:qAvOyB7efrmahettXJrq+eukSZWEStO4YdD2Ml8KYLBmgULh9WAoGvboEa:qAvD7ejJgttXJ4ukSZWvOR2GYLrUiabG

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	msiexec.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

msiexec.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe

Adds policy Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\3847835321 = "C:\\PROGRA~3\\msxwsoum.exe"	msiexec.exe

Blocklisted process makes network request 12 IoCs

Processes:

msiexec.exe

flow	pid	process
2	1488	msiexec.exe
3	1488	msiexec.exe
5	1488	msiexec.exe
7	1488	msiexec.exe
11	1488	msiexec.exe
12	1488	msiexec.exe
13	1488	msiexec.exe
14	1488	msiexec.exe
16	1488	msiexec.exe
17	1488	msiexec.exe
18	1488	msiexec.exe
19	1488	msiexec.exe

Disables taskbar notifications via registry modification
evasion
Loads dropped DLL 1 IoCs

Processes:

f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe

pid process

996 f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe

pid	process
996	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe

description	pid	process	target process
PID 996 set thread context of 904	996	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File opened for modification C:\PROGRA~3\msxwsoum.exe msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exemsiexec.exe

pid process

904 f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe
1488 msiexec.exe
1488 msiexec.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\msxwsoum.exe	msiexec.exe

Suspicious behavior: MapViewOfSection 25 IoCs

Processes:

f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exemsiexec.exe

pid	process
904	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe
904	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe
1488	msiexec.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

msiexec.exe

pid process

1488 msiexec.exe

pid	process
1488	msiexec.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	904	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe
Token: SeBackupPrivilege	904	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe
Token: SeRestorePrivilege	904	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe
Token: SeDebugPrivilege	1488	msiexec.exe
Token: SeBackupPrivilege	1488	msiexec.exe
Token: SeRestorePrivilege	1488	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exef9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe

description	pid	process	target process
PID 996 wrote to memory of 904	996	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe
PID 996 wrote to memory of 904	996	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe
PID 996 wrote to memory of 904	996	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe
PID 996 wrote to memory of 904	996	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe
PID 996 wrote to memory of 904	996	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe
PID 996 wrote to memory of 904	996	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe
PID 996 wrote to memory of 904	996	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe
PID 996 wrote to memory of 904	996	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe
PID 904 wrote to memory of 1488	904	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe	msiexec.exe
PID 904 wrote to memory of 1488	904	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe	msiexec.exe
PID 904 wrote to memory of 1488	904	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe	msiexec.exe
PID 904 wrote to memory of 1488	904	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe	msiexec.exe
PID 904 wrote to memory of 1488	904	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe	msiexec.exe
PID 904 wrote to memory of 1488	904	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe	msiexec.exe
PID 904 wrote to memory of 1488	904	f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe
"C:\Users\Admin\AppData\Local\Temp\f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:996

C:\Users\Admin\AppData\Local\Temp\f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe
"C:\Users\Admin\AppData\Local\Temp\f9690290adbb729d6c9602d708cd3176c6faa84df9eeb09d6275f7ec31e729c4.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Adds policy Run key to start application
- Blocklisted process makes network request
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd84D.tmp\FSeYEPyGSWDFKvf.dll

Filesize
73KB

MD5
4012fe0f10091f4f8b7d922fcdde6ca3

SHA1
4e5cf031b0ed1001aa4dbca89ab933ba1ffb3916

SHA256
bebf3b6c754d7c5d6ab309b9433b8cd9000947ccbafb97c6cfd9578c24ce3d06

SHA512
a9c26a968e4cf17db3f35d7c1bf89966d3eea07c0710ce6e1cb1567390483127aa77fc5228ded93c87f3ad1c32518610f3170119cb9bfef130daa3d5cb6fc79b

Download Submit
memory/904-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/904-57-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/904-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/904-61-0x00000000004016C3-mapping.dmp

Download
memory/904-60-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/904-63-0x000000007EF90000-0x000000007EF96000-memory.dmp

Filesize
24KB

Download
memory/996-54-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1488-64-0x0000000000000000-mapping.dmp

Download
memory/1488-66-0x0000000000AE0000-0x0000000000AF4000-memory.dmp

Filesize
80KB

Download
memory/1488-67-0x000000007EF90000-0x000000007EF96000-memory.dmp

Filesize
24KB

Download
memory/1488-68-0x000000007EF90000-0x000000007EF96000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads