72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8

General

Target

72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
Size

71KB
MD5

d6f1148158f46d5d845d0fd4b77ab44b
SHA1

51eb682f1b0b186ac86329cf65e3c70cee195178
SHA256

72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8
SHA512

38f02436a46fbaa0970871c169051ea50dc9d3349cf025ecb6d2938ce83b61610d3d1aaf58c45d08468f9400c4dddb3587c8f103b08693596ff7b4acfccc9914
SSDEEP

768:eme0+LDFxI0xlMBBXwZmdWlBUUoArbMwCdJooWYAT1rak8aIHUm+MlXKCbF9+ljK:+0sIyOkllfoAPN+eoouq8HwjK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

msiexec.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\54001 = "c:\\progra~3\\msiawtua.exe"	msiexec.exe

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

68 5052 msiexec.exe
Disables taskbar notifications via registry modification
evasion

flow	pid	process
68	5052	msiexec.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe

description	pid	process	target process
PID 1136 set thread context of 1788	1136	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File created \??\c:\progra~3\msiawtua.exe msiexec.exe

description	ioc	process
File created	\??\c:\progra~3\msiawtua.exe	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exemsiexec.exe

pid	process
1788	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
1788	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
1788	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
1788	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exemsiexec.exe

pid	process
1788	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
1788	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

msiexec.exe

description pid process

Token: SeDebugPrivilege 5052 msiexec.exe
Token: SeBackupPrivilege 5052 msiexec.exe
Token: SeRestorePrivilege 5052 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe

pid process

1136 72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe

description	pid	process
Token: SeDebugPrivilege	5052	msiexec.exe
Token: SeBackupPrivilege	5052	msiexec.exe
Token: SeRestorePrivilege	5052	msiexec.exe

pid	process
1136	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exemsiexec.exe

description	pid	process	target process
PID 1136 wrote to memory of 1788	1136	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
PID 1136 wrote to memory of 1788	1136	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
PID 1136 wrote to memory of 1788	1136	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
PID 1136 wrote to memory of 1788	1136	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
PID 1136 wrote to memory of 1788	1136	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
PID 1136 wrote to memory of 1788	1136	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
PID 1136 wrote to memory of 1788	1136	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
PID 1788 wrote to memory of 5052	1788	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	msiexec.exe
PID 1788 wrote to memory of 5052	1788	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	msiexec.exe
PID 1788 wrote to memory of 5052	1788	72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe	msiexec.exe
PID 5052 wrote to memory of 3856	5052	msiexec.exe	msiexec.exe
PID 5052 wrote to memory of 3856	5052	msiexec.exe	msiexec.exe
PID 5052 wrote to memory of 3856	5052	msiexec.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
"C:\Users\Admin\AppData\Local\Temp\72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1136

C:\Users\Admin\AppData\Local\Temp\72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe
"C:\Users\Admin\AppData\Local\Temp\72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8.exe"
2⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
3⤵
- UAC bypass
- Adds policy Run key to start application
- Blocklisted process makes network request
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
4⤵
PID:3856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\progra~3\msiawtua.exe

Filesize
71KB

MD5
d6f1148158f46d5d845d0fd4b77ab44b

SHA1
51eb682f1b0b186ac86329cf65e3c70cee195178

SHA256
72af8c1ffb7498fbea76c5f9704b798043a88875c460bfb43cc9085f841e7fd8

SHA512
38f02436a46fbaa0970871c169051ea50dc9d3349cf025ecb6d2938ce83b61610d3d1aaf58c45d08468f9400c4dddb3587c8f103b08693596ff7b4acfccc9914

Download Submit
memory/1788-134-0x0000000000000000-mapping.dmp

Download
memory/1788-135-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1788-137-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1788-138-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3856-143-0x0000000000000000-mapping.dmp

Download
memory/5052-139-0x0000000000000000-mapping.dmp

Download
memory/5052-140-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/5052-141-0x00000000009D0000-0x00000000009D7000-memory.dmp

Filesize
28KB

Download
memory/5052-142-0x000000007FB30000-0x000000007FB37000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads