72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8

General

Target

72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
Size

71KB
MD5

d6f1148158f46d5d845d0fd4b77ab44b
SHA1

51eb682f1b0b186ac86329cf65e3c70cee195178
SHA256

72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8
SHA512

38f02436a46fbaa0970871c169051ea50dc9d3349cf025ecb6d2938ce83b61610d3d1aaf58c45d08468f9400c4dddb3587c8f103b08693596ff7b4acfccc9914
SSDEEP

768:eme0+LDFxI0xlMBBXwZmdWlBUUoArbMwCdJooWYAT1rak8aIHUm+MlXKCbF9+ljK:+0sIyOkllfoAPN+eoouq8HwjK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

msiexec.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\46381 = "c:\\progra~3\\msousein.exe"	msiexec.exe

Blocklisted process makes network request 6 IoCs

Processes:

msiexec.exe

flow pid process

2 1280 msiexec.exe
3 1280 msiexec.exe
6 1280 msiexec.exe
10 1280 msiexec.exe
12 1280 msiexec.exe
16 1280 msiexec.exe
Disables taskbar notifications via registry modification
evasion
Deletes itself 1 IoCs

Processes:

msiexec.exe

pid process

1280 msiexec.exe

flow	pid	process
2	1280	msiexec.exe
3	1280	msiexec.exe
6	1280	msiexec.exe
10	1280	msiexec.exe
12	1280	msiexec.exe
16	1280	msiexec.exe

pid	process
1280	msiexec.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe

description	pid	process	target process
PID 1320 set thread context of 956	1320	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File created \??\c:\progra~3\msousein.exe msiexec.exe

description	ioc	process
File created	\??\c:\progra~3\msousein.exe	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exemsiexec.exe

pid	process
956	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
956	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe

Suspicious behavior: MapViewOfSection 27 IoCs

Processes:

72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exemsiexec.exe

pid	process
956	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
956	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe
1280	msiexec.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

msiexec.exe

description pid process

Token: SeDebugPrivilege 1280 msiexec.exe
Token: SeBackupPrivilege 1280 msiexec.exe
Token: SeRestorePrivilege 1280 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe

pid process

1320 72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe

description	pid	process
Token: SeDebugPrivilege	1280	msiexec.exe
Token: SeBackupPrivilege	1280	msiexec.exe
Token: SeRestorePrivilege	1280	msiexec.exe

pid	process
1320	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exemsiexec.exe

description	pid	process	target process
PID 1320 wrote to memory of 956	1320	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
PID 1320 wrote to memory of 956	1320	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
PID 1320 wrote to memory of 956	1320	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
PID 1320 wrote to memory of 956	1320	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
PID 1320 wrote to memory of 956	1320	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
PID 1320 wrote to memory of 956	1320	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
PID 1320 wrote to memory of 956	1320	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
PID 1320 wrote to memory of 956	1320	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
PID 956 wrote to memory of 1280	956	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	msiexec.exe
PID 956 wrote to memory of 1280	956	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	msiexec.exe
PID 956 wrote to memory of 1280	956	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	msiexec.exe
PID 956 wrote to memory of 1280	956	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	msiexec.exe
PID 956 wrote to memory of 1280	956	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	msiexec.exe
PID 956 wrote to memory of 1280	956	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	msiexec.exe
PID 956 wrote to memory of 1280	956	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	msiexec.exe
PID 1280 wrote to memory of 928	1280	msiexec.exe	msiexec.exe
PID 1280 wrote to memory of 928	1280	msiexec.exe	msiexec.exe
PID 1280 wrote to memory of 928	1280	msiexec.exe	msiexec.exe
PID 1280 wrote to memory of 928	1280	msiexec.exe	msiexec.exe
PID 1280 wrote to memory of 928	1280	msiexec.exe	msiexec.exe
PID 1280 wrote to memory of 928	1280	msiexec.exe	msiexec.exe
PID 1280 wrote to memory of 928	1280	msiexec.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
"C:\Users\Admin\AppData\Local\Temp\72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
"C:\Users\Admin\AppData\Local\Temp\72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe"
2⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
3⤵
- UAC bypass
- Adds policy Run key to start application
- Blocklisted process makes network request
- Deletes itself
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
4⤵
PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\progra~3\msousein.exe

Filesize
71KB

MD5
d6f1148158f46d5d845d0fd4b77ab44b

SHA1
51eb682f1b0b186ac86329cf65e3c70cee195178

SHA256
72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8

SHA512
38f02436a46fbaa0970871c169051ea50dc9d3349cf025ecb6d2938ce83b61610d3d1aaf58c45d08468f9400c4dddb3587c8f103b08693596ff7b4acfccc9914

Download Submit
memory/928-70-0x0000000000000000-mapping.dmp

Download
memory/956-64-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/956-60-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/956-61-0x000000000040207D-mapping.dmp

Download
memory/956-63-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/956-56-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/956-59-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/956-57-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1280-65-0x0000000000000000-mapping.dmp

Download
memory/1280-66-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/1280-68-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1280-69-0x000000007EFA0000-0x000000007EFA7000-memory.dmp

Filesize
28KB

Download
memory/1280-67-0x0000000000B10000-0x0000000000B24000-memory.dmp

Filesize
80KB

Download
memory/1280-73-0x000000007EFA0000-0x000000007EFA7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads