78494f5175a1847736882bf0dd4c7531f7ad0886eac6072f8e912fd539e6f988

Analysis

max time kernel
20s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2023, 11:51

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

72fc9be0f4d0883c2e87d2f8c5eacbfe4b2de8ab658098569641c0afcd06169b.exe
Size

2.0MB
MD5

f850383d1bf0827584c7e5ebd0007155
SHA1

8865a4f611267622444e902aea4f463a9301c9b4
SHA256

72fc9be0f4d0883c2e87d2f8c5eacbfe4b2de8ab658098569641c0afcd06169b
SHA512

f6fc948f5ec844c2ec06ac972bb1c5741467f0d978a10bc2632f621686b3b83a536b629daa00188f464643b258b1405c30fc0e919df8ceb0a255c9bf7fcffd1d
SSDEEP

49152:iWOskjETSLeN1KJ8baio5twfUXXHhIE1NtP2gpXc3yJgU:HXkjETSLeXciojwcHj7d3pX5z

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
34	3908	MsiExec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	WEBINS~1.EXE

Executes dropped EXE 1 IoCs

pid	Process
4040	WEBINS~1.EXE

Loads dropped DLL 2 IoCs

pid	Process
3908	MsiExec.exe
3908	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	72fc9be0f4d0883c2e87d2f8c5eacbfe4b2de8ab658098569641c0afcd06169b.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3960	3908	WerFault.exe	90

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "116"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings	WEBINS~1.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4908	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4908	msiexec.exe
Token: SeSecurityPrivilege	4308	msiexec.exe
Token: SeCreateTokenPrivilege	4908	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4908	msiexec.exe
Token: SeLockMemoryPrivilege	4908	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4908	msiexec.exe
Token: SeMachineAccountPrivilege	4908	msiexec.exe
Token: SeTcbPrivilege	4908	msiexec.exe
Token: SeSecurityPrivilege	4908	msiexec.exe
Token: SeTakeOwnershipPrivilege	4908	msiexec.exe
Token: SeLoadDriverPrivilege	4908	msiexec.exe
Token: SeSystemProfilePrivilege	4908	msiexec.exe
Token: SeSystemtimePrivilege	4908	msiexec.exe
Token: SeProfSingleProcessPrivilege	4908	msiexec.exe
Token: SeIncBasePriorityPrivilege	4908	msiexec.exe
Token: SeCreatePagefilePrivilege	4908	msiexec.exe
Token: SeCreatePermanentPrivilege	4908	msiexec.exe
Token: SeBackupPrivilege	4908	msiexec.exe
Token: SeRestorePrivilege	4908	msiexec.exe
Token: SeShutdownPrivilege	4908	msiexec.exe
Token: SeDebugPrivilege	4908	msiexec.exe
Token: SeAuditPrivilege	4908	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4908	msiexec.exe
Token: SeChangeNotifyPrivilege	4908	msiexec.exe
Token: SeRemoteShutdownPrivilege	4908	msiexec.exe
Token: SeUndockPrivilege	4908	msiexec.exe
Token: SeSyncAgentPrivilege	4908	msiexec.exe
Token: SeEnableDelegationPrivilege	4908	msiexec.exe
Token: SeManageVolumePrivilege	4908	msiexec.exe
Token: SeImpersonatePrivilege	4908	msiexec.exe
Token: SeCreateGlobalPrivilege	4908	msiexec.exe
Token: SeCreateTokenPrivilege	4908	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4908	msiexec.exe
Token: SeLockMemoryPrivilege	4908	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4908	msiexec.exe
Token: SeMachineAccountPrivilege	4908	msiexec.exe
Token: SeTcbPrivilege	4908	msiexec.exe
Token: SeSecurityPrivilege	4908	msiexec.exe
Token: SeTakeOwnershipPrivilege	4908	msiexec.exe
Token: SeLoadDriverPrivilege	4908	msiexec.exe
Token: SeSystemProfilePrivilege	4908	msiexec.exe
Token: SeSystemtimePrivilege	4908	msiexec.exe
Token: SeProfSingleProcessPrivilege	4908	msiexec.exe
Token: SeIncBasePriorityPrivilege	4908	msiexec.exe
Token: SeCreatePagefilePrivilege	4908	msiexec.exe
Token: SeCreatePermanentPrivilege	4908	msiexec.exe
Token: SeBackupPrivilege	4908	msiexec.exe
Token: SeRestorePrivilege	4908	msiexec.exe
Token: SeShutdownPrivilege	4908	msiexec.exe
Token: SeDebugPrivilege	4908	msiexec.exe
Token: SeAuditPrivilege	4908	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4908	msiexec.exe
Token: SeChangeNotifyPrivilege	4908	msiexec.exe
Token: SeRemoteShutdownPrivilege	4908	msiexec.exe
Token: SeUndockPrivilege	4908	msiexec.exe
Token: SeSyncAgentPrivilege	4908	msiexec.exe
Token: SeEnableDelegationPrivilege	4908	msiexec.exe
Token: SeManageVolumePrivilege	4908	msiexec.exe
Token: SeImpersonatePrivilege	4908	msiexec.exe
Token: SeCreateGlobalPrivilege	4908	msiexec.exe
Token: SeCreateTokenPrivilege	4908	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4908	msiexec.exe
Token: SeLockMemoryPrivilege	4908	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4908	msiexec.exe
4908	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3980	LogonUI.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 4040	3488	72fc9be0f4d0883c2e87d2f8c5eacbfe4b2de8ab658098569641c0afcd06169b.exe	86
PID 3488 wrote to memory of 4040	3488	72fc9be0f4d0883c2e87d2f8c5eacbfe4b2de8ab658098569641c0afcd06169b.exe	86
PID 3488 wrote to memory of 4040	3488	72fc9be0f4d0883c2e87d2f8c5eacbfe4b2de8ab658098569641c0afcd06169b.exe	86
PID 4040 wrote to memory of 4908	4040	WEBINS~1.EXE	87
PID 4040 wrote to memory of 4908	4040	WEBINS~1.EXE	87
PID 4040 wrote to memory of 4908	4040	WEBINS~1.EXE	87
PID 4308 wrote to memory of 3908	4308	msiexec.exe	90
PID 4308 wrote to memory of 3908	4308	msiexec.exe	90
PID 4308 wrote to memory of 3908	4308	msiexec.exe	90

C:\Users\Admin\AppData\Local\Temp\72fc9be0f4d0883c2e87d2f8c5eacbfe4b2de8ab658098569641c0afcd06169b.exe
"C:\Users\Admin\AppData\Local\Temp\72fc9be0f4d0883c2e87d2f8c5eacbfe4b2de8ab658098569641c0afcd06169b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WEBINS~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WEBINS~1.EXE FORMCODE_MOUSE=BDKTMS FORMCODE_KEYBOARD=BDKTKB FORMCODE_MOUSE_AS=BDKTMA FORMCODE_KEYBOARD_AS=BDKTKA FORMCODE_DSE=BDKTDF PARTNERCODE=BDT1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BingDesktop.msi" REBOOT=ReallySuppress FORMCODE_MOUSE=BDKTMS FORMCODE_KEYBOARD=BDKTKB FORMCODE_MOUSE_AS=BDKTMA FORMCODE_KEYBOARD_AS=BDKTKA FORMCODE_DSE=BDKTDF PARTNERCODE=BDT1
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4908

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 953AF782E08BC468F95696FD1663537F C
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:3908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 844
    3⤵
    - Program crash
    PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3908 -ip 3908
1⤵
PID:1144

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39a8855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BingDesk.msi

Filesize
2.4MB

MD5
ee8af6cb09a3cf41a9c54c4505b867dd

SHA1
5decd0f08abd3915f70c8841c4eec8fab2c95cec

SHA256
2525ea2906bf7fe555966d626194be076ae9ddde5599f184d773b4512d3f8a0c

SHA512
18aab42e53d30a47012db57d416a7a3b65c761334d57ad66ba4fec29121a9c9fd99bfc6e9422fc4640904a5ca1b977bbb2d88ee9dbafc2347f6c9d56fdbdf9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WEBINS~1.EXE

Filesize
62KB

MD5
9f8e1cdf1333e29c1d2a344812aca765

SHA1
4313e7ee3578977db061dffa54eaa34317a34a8c

SHA256
0a034f02fe3f5cac73850ff23e12d7dd258b1635aa1f78fe2109a1e3933791e6

SHA512
bbc9d51b89c45063ea2fd1ec3cb35718cd9f83a388074e2de7fa29f311b8b7abf0339e8a59bedfd66c0156b178ce2118c440bdf1051a583eb84106c2c10d8ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WEBINS~1.EXE

Filesize
62KB

MD5
9f8e1cdf1333e29c1d2a344812aca765

SHA1
4313e7ee3578977db061dffa54eaa34317a34a8c

SHA256
0a034f02fe3f5cac73850ff23e12d7dd258b1635aa1f78fe2109a1e3933791e6

SHA512
bbc9d51b89c45063ea2fd1ec3cb35718cd9f83a388074e2de7fa29f311b8b7abf0339e8a59bedfd66c0156b178ce2118c440bdf1051a583eb84106c2c10d8ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBCD8.tmp

Filesize
138KB

MD5
2af970f6ab393e1039cee3a14186a090

SHA1
9347595388180d53ac5f12592541014fd7ba48e5

SHA256
5f287276f41c1bc496dbee4354f494041927743d3da4e44015770d8c9fe3cb6d

SHA512
4f561fe9e8ac263745c99bac1a338b3769095888252523b5520882bd2fcf13c8dd212ed9b3f21b6a55da0659fa276eb4af7b6699b39522027439b41b326314e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBCD8.tmp

Filesize
138KB

MD5
2af970f6ab393e1039cee3a14186a090

SHA1
9347595388180d53ac5f12592541014fd7ba48e5

SHA256
5f287276f41c1bc496dbee4354f494041927743d3da4e44015770d8c9fe3cb6d

SHA512
4f561fe9e8ac263745c99bac1a338b3769095888252523b5520882bd2fcf13c8dd212ed9b3f21b6a55da0659fa276eb4af7b6699b39522027439b41b326314e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC276.tmp

Filesize
138KB

MD5
2af970f6ab393e1039cee3a14186a090

SHA1
9347595388180d53ac5f12592541014fd7ba48e5

SHA256
5f287276f41c1bc496dbee4354f494041927743d3da4e44015770d8c9fe3cb6d

SHA512
4f561fe9e8ac263745c99bac1a338b3769095888252523b5520882bd2fcf13c8dd212ed9b3f21b6a55da0659fa276eb4af7b6699b39522027439b41b326314e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC276.tmp

Filesize
138KB

MD5
2af970f6ab393e1039cee3a14186a090

SHA1
9347595388180d53ac5f12592541014fd7ba48e5

SHA256
5f287276f41c1bc496dbee4354f494041927743d3da4e44015770d8c9fe3cb6d

SHA512
4f561fe9e8ac263745c99bac1a338b3769095888252523b5520882bd2fcf13c8dd212ed9b3f21b6a55da0659fa276eb4af7b6699b39522027439b41b326314e9

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads