Analysis
max time kernel: 167s
max time network: 163s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 12:40
Static task: static1
Behavioral task: behavioral1
  Sample: 6e1876f992220997545f694fabb9720697e1af01452d2468d34cd08e5133afab.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 6e1876f992220997545f694fabb9720697e1af01452d2468d34cd08e5133afab.exe
  Resource: win10v2004-20220901-en
General
Target: 6e1876f992220997545f694fabb9720697e1af01452d2468d34cd08e5133afab.exe
Size: 55KB
MD5: d85b27367fe2525cfe48e852620dc23b
SHA1: 2c5aa228883fe2e19c02577b4acd1ef3927b8da5
SHA256: 6e1876f992220997545f694fabb9720697e1af01452d2468d34cd08e5133afab
SHA512: 8900067072a030d44c416f2e3593bed848425d6c221e7ec022fb0ed12dd1604542ea2a0b666ee3ddeae4b924ca96b356962965dbebbc1ded84740b40f289d9e5
SSDEEP: 768:FP7HulHnyozBT0HmZ5Gz396lpC2TwTp0Uq3acFzKD3RlY4cIL0b+28z+g:l7O1yo11ZUAlpHEXqqcFeI4cItig
Malware Config
Signatures

UAC bypass
Processes: msiexec.exe
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (msiexec.exe)
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: msiexec.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (msiexec.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\52576 = "c:\\progra~3\\msgqac.exe" (msiexec.exe)

Blocklisted process makes network request (22 IoCs)
Processes: msiexec.exe
  - Flows 3, 4, 6, 9, 11, 13, 15, 17, 19, 21, 23, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35 from PID 484 (msiexec.exe)

Disables taskbar notifications via registry modification

Deletes itself (1 IoC)
Processes: msiexec.exe
  - PID 484 (msiexec.exe)

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: 6e1876f992220997545f694fabb9720697e1af01452d2468d34cd08e5133afab.exe
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (6e1876f992220997545f694fabb9720697e1af01452d2468d34cd08e5133afab.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum (6e1876f992220997545f694fabb9720697e1af01452d2468d34cd08e5133afab.exe)

Drops file in Program Files directory (1 IoC)
Processes: msiexec.exe
  - File created: \??\c:\progra~3\msgqac.exe (msiexec.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 6e1876f992220997545f694fabb9720697e1af01452d2468d34cd08e5133afab.exe, msiexec.exe
  - PID 1756 (6e1876f992220997545f694fabb9720697e1af01452d2468d34cd08e5133afab.exe): 2 events
  - PID 484 (msiexec.exe): 62 events

Suspicious behavior: MapViewOfSection (28 IoCs)
Processes: 6e1876f992220997545f694fabb9720697e1af01452d2468d34cd08e5133afab.exe, msiexec.exe
  - PID 1756 (6e1876f992220997545f694fabb9720697e1af01452d2468d34cd08e5133afab.exe): 2 events
  - PID 484 (msiexec.exe): 26 events

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: msiexec.exe
  - Token: SeDebugPrivilege, PID 484 (msiexec.exe)
  - Token: SeBackupPrivilege, PID 484 (msiexec.exe)
  - Token: SeRestorePrivilege, PID 484 (msiexec.exe)

Suspicious use of WriteProcessMemory (14 IoCs)
Processes: 6e1876f992220997545f694fabb9720697e1af01452d2468d34cd08e5133afab.exe, msiexec.exe
  - PID 1756 (6e1876f992220997545f694fabb9720697e1af01452d2468d34cd08e5133afab.exe) wrote to memory of PID 484 (msiexec.exe): 7 events
  - PID 484 (msiexec.exe) wrote to memory of PID 1488 (msiexec.exe): 7 events
Processes

1. C:\Users\Admin\AppData\Local\Temp\6e1876f992220997545f694fabb9720697e1af01452d2468d34cd08e5133afab.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6e1876f992220997545f694fabb9720697e1af01452d2468d34cd08e5133afab.exe"
   PID: 1756
   - Maps connected drives based on registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\msiexec.exe (child of PID 1756)
      Command line: C:\Windows\SysWOW64\msiexec.exe
      PID: 484
      - UAC bypass
      - Adds policy Run key to start application
      - Blocklisted process makes network request
      - Deletes itself
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\msiexec.exe (child of PID 484)
         Command line: "C:\Windows\SysWOW64\msiexec.exe"
         PID: 1488
Network
MITRE ATT&CK Enterprise v6
Downloads

\??\c:\progra~3\msgqac.exe
  Filesize: 55KB
  MD5: d85b27367fe2525cfe48e852620dc23b
  SHA1: 2c5aa228883fe2e19c02577b4acd1ef3927b8da5
  SHA256: 6e1876f992220997545f694fabb9720697e1af01452d2468d34cd08e5133afab
  SHA512: 8900067072a030d44c416f2e3593bed848425d6c221e7ec022fb0ed12dd1604542ea2a0b666ee3ddeae4b924ca96b356962965dbebbc1ded84740b40f289d9e5

Memory dumps:
  memory/484-56-0x0000000000000000-mapping.dmp
  memory/484-58-0x0000000075291000-0x0000000075293000-memory.dmp (8KB)
  memory/484-59-0x0000000000720000-0x0000000000734000-memory.dmp (80KB)
  memory/484-60-0x0000000000090000-0x0000000000097000-memory.dmp (28KB)
  memory/484-61-0x000000007EFA0000-0x000000007EFA7000-memory.dmp (28KB)
  memory/484-62-0x000000007EFA0000-0x000000007EFA7000-memory.dmp (28KB)
  memory/1488-63-0x0000000000000000-mapping.dmp
  memory/1756-54-0x0000000000400000-0x0000000000410000-memory.dmp (64KB)
  memory/1756-55-0x0000000000400000-0x0000000000410000-memory.dmp (64KB)
  memory/1756-57-0x0000000000400000-0x0000000000410000-memory.dmp (64KB)