Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 15/06/2023, 17:25
Static task: static1
Behavioral task: behavioral1
- Sample: 71c47d36b52988d817938c4f13ba4d014fc12e52a94aacbd516edeaa8baed213.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 71c47d36b52988d817938c4f13ba4d014fc12e52a94aacbd516edeaa8baed213.exe
- Resource: win10v2004-20230220-en
General
- Target: 71c47d36b52988d817938c4f13ba4d014fc12e52a94aacbd516edeaa8baed213.exe
- Size: 96KB
- MD5: 828935356a8a7c7b8d99e7d2a591b694
- SHA1: d53ab4302c2a102e46d5644dd1c2c2ba875e060d
- SHA256: 71c47d36b52988d817938c4f13ba4d014fc12e52a94aacbd516edeaa8baed213
- SHA512: 83a1dbda9fbb32e0e9b45c3ed9c87e7c7c8b5647360aed879ce570622192dd6edadb4d82d4af115a52a8421fc4bcbcfcb26dc1cffcf72bb13b248cc4ddebadcc
- SSDEEP: 1536:LqZci4yzPgWT/ZtXnso5zT70ISnc4nlBlovle:LqOi4PWTXs6TwISnc4nlBlo
Malware Config
Signatures
UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: msiexec.exe)

Adds policy Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\15492 = "c:\\progra~3\\msyqueoh.exe" (process: msiexec.exe)

Blocklisted process makes network request (15 IoCs)
- flows 2, 6, 8, 10, 12, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24: PID 2020, msiexec.exe

Disables taskbar notifications via registry modification

Deletes itself (1 IoC)
- PID 2020, msiexec.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum (process: 71c47d36b52988d817938c4f13ba4d014fc12e52a94aacbd516edeaa8baed213.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process: 71c47d36b52988d817938c4f13ba4d014fc12e52a94aacbd516edeaa8baed213.exe)

Drops file in Program Files directory (1 IoC)
- File created: \??\c:\progra~3\msyqueoh.exe (process: msiexec.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1400, 71c47d36b52988d817938c4f13ba4d014fc12e52a94aacbd516edeaa8baed213.exe (2 events)
- PID 2020, msiexec.exe (62 events)

Suspicious behavior: MapViewOfSection (28 IoCs)
- PID 1400, 71c47d36b52988d817938c4f13ba4d014fc12e52a94aacbd516edeaa8baed213.exe (2 events)
- PID 2020, msiexec.exe (26 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege (PID 2020, msiexec.exe)
- Token: SeBackupPrivilege (PID 2020, msiexec.exe)
- Token: SeRestorePrivilege (PID 2020, msiexec.exe)

Suspicious use of WriteProcessMemory (14 IoCs)
- PID 1400 (71c47d36b52988d817938c4f13ba4d014fc12e52a94aacbd516edeaa8baed213.exe) wrote to memory of PID 2020, procid_target 28 (7 events)
- PID 2020 (msiexec.exe) wrote to memory of PID 1072, procid_target 29 (7 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\71c47d36b52988d817938c4f13ba4d014fc12e52a94aacbd516edeaa8baed213.exe (PID 1400)
  Command line: "C:\Users\Admin\AppData\Local\Temp\71c47d36b52988d817938c4f13ba4d014fc12e52a94aacbd516edeaa8baed213.exe"
  Signatures:
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (PID 2020, child of PID 1400)
    Command line: C:\Windows\SysWOW64\msiexec.exe
    Signatures:
    - UAC bypass
    - Adds policy Run key to start application
    - Blocklisted process makes network request
    - Deletes itself
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (PID 1072, child of PID 2020)
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 96KB
- MD5: 828935356a8a7c7b8d99e7d2a591b694
- SHA1: d53ab4302c2a102e46d5644dd1c2c2ba875e060d
- SHA256: 71c47d36b52988d817938c4f13ba4d014fc12e52a94aacbd516edeaa8baed213
- SHA512: 83a1dbda9fbb32e0e9b45c3ed9c87e7c7c8b5647360aed879ce570622192dd6edadb4d82d4af115a52a8421fc4bcbcfcb26dc1cffcf72bb13b248cc4ddebadcc