aeb23ba69d662e5c8fc765af2714ab0c1cdb443d00e66f751fc38a777ac1062d

General

Target

ARQL25_69265.msi
Size

19.2MB
MD5

ca33e3b489162ddc3ad217f61b86c97e
SHA1

faa398428b873a845ad52cc63061ff5a0602d6c3
SHA256

0e79c3f3ca3c6a391ca7c70bb07ebbc8d3266d51287a62658203e8e935d4deda
SHA512

666091ca5a5fc35951d076f6df59f578d9ac7807650cd5ceb26910412d1536acefae8fbcd66ad2773d85b190701d3b74349aad6afa67781c2176d8a4fd9ca37d
SSDEEP

393216:4/wpJKaB9QEyLiZWGF/56TF4XgZCsl9sj3tgzXqGMJ8/M:AR5+ZlF/5uF4X86CrqBu0

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Physlez.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Office Reader = "C:\\Users\\Admin\\AppData\\Local\\WappPrxy\\Physlez.exe"	Physlez.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EF9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e575ab3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C0A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6219.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI648B.tmp	msiexec.exe
File created	C:\Windows\Installer\e575ab7.msi	msiexec.exe
File created	C:\Windows\Installer\e575ab3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6004.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI60A1.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{77CC1DAE-718A-4943-ACDC-8864DACB746B}	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

Physlez.exe

pid process

2316 Physlez.exe
Loads dropped DLL 6 IoCs

Processes:

MsiExec.exePhyslez.exe

pid process

2480 MsiExec.exe
2480 MsiExec.exe
2480 MsiExec.exe
2480 MsiExec.exe
2480 MsiExec.exe
2316 Physlez.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exePhyslez.exe

pid process

5060 msiexec.exe
5060 msiexec.exe
2316 Physlez.exe
2316 Physlez.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Physlez.exe

pid process

2316 Physlez.exe

pid	process
2316	Physlez.exe

pid	process
2480	MsiExec.exe
2480	MsiExec.exe
2480	MsiExec.exe
2480	MsiExec.exe
2480	MsiExec.exe
2316	Physlez.exe

pid	process
5060	msiexec.exe
5060	msiexec.exe
2316	Physlez.exe
2316	Physlez.exe

pid	process
2316	Physlez.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4248	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4248	msiexec.exe
Token: SeSecurityPrivilege	5060	msiexec.exe
Token: SeCreateTokenPrivilege	4248	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4248	msiexec.exe
Token: SeLockMemoryPrivilege	4248	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4248	msiexec.exe
Token: SeMachineAccountPrivilege	4248	msiexec.exe
Token: SeTcbPrivilege	4248	msiexec.exe
Token: SeSecurityPrivilege	4248	msiexec.exe
Token: SeTakeOwnershipPrivilege	4248	msiexec.exe
Token: SeLoadDriverPrivilege	4248	msiexec.exe
Token: SeSystemProfilePrivilege	4248	msiexec.exe
Token: SeSystemtimePrivilege	4248	msiexec.exe
Token: SeProfSingleProcessPrivilege	4248	msiexec.exe
Token: SeIncBasePriorityPrivilege	4248	msiexec.exe
Token: SeCreatePagefilePrivilege	4248	msiexec.exe
Token: SeCreatePermanentPrivilege	4248	msiexec.exe
Token: SeBackupPrivilege	4248	msiexec.exe
Token: SeRestorePrivilege	4248	msiexec.exe
Token: SeShutdownPrivilege	4248	msiexec.exe
Token: SeDebugPrivilege	4248	msiexec.exe
Token: SeAuditPrivilege	4248	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4248	msiexec.exe
Token: SeChangeNotifyPrivilege	4248	msiexec.exe
Token: SeRemoteShutdownPrivilege	4248	msiexec.exe
Token: SeUndockPrivilege	4248	msiexec.exe
Token: SeSyncAgentPrivilege	4248	msiexec.exe
Token: SeEnableDelegationPrivilege	4248	msiexec.exe
Token: SeManageVolumePrivilege	4248	msiexec.exe
Token: SeImpersonatePrivilege	4248	msiexec.exe
Token: SeCreateGlobalPrivilege	4248	msiexec.exe
Token: SeRestorePrivilege	5060	msiexec.exe
Token: SeTakeOwnershipPrivilege	5060	msiexec.exe
Token: SeRestorePrivilege	5060	msiexec.exe
Token: SeTakeOwnershipPrivilege	5060	msiexec.exe
Token: SeRestorePrivilege	5060	msiexec.exe
Token: SeTakeOwnershipPrivilege	5060	msiexec.exe
Token: SeRestorePrivilege	5060	msiexec.exe
Token: SeTakeOwnershipPrivilege	5060	msiexec.exe
Token: SeRestorePrivilege	5060	msiexec.exe
Token: SeTakeOwnershipPrivilege	5060	msiexec.exe
Token: SeRestorePrivilege	5060	msiexec.exe
Token: SeTakeOwnershipPrivilege	5060	msiexec.exe
Token: SeRestorePrivilege	5060	msiexec.exe
Token: SeTakeOwnershipPrivilege	5060	msiexec.exe
Token: SeRestorePrivilege	5060	msiexec.exe
Token: SeTakeOwnershipPrivilege	5060	msiexec.exe
Token: SeRestorePrivilege	5060	msiexec.exe
Token: SeTakeOwnershipPrivilege	5060	msiexec.exe
Token: SeRestorePrivilege	5060	msiexec.exe
Token: SeTakeOwnershipPrivilege	5060	msiexec.exe
Token: SeRestorePrivilege	5060	msiexec.exe
Token: SeTakeOwnershipPrivilege	5060	msiexec.exe
Token: SeRestorePrivilege	5060	msiexec.exe
Token: SeTakeOwnershipPrivilege	5060	msiexec.exe
Token: SeRestorePrivilege	5060	msiexec.exe
Token: SeTakeOwnershipPrivilege	5060	msiexec.exe
Token: SeRestorePrivilege	5060	msiexec.exe
Token: SeTakeOwnershipPrivilege	5060	msiexec.exe
Token: SeRestorePrivilege	5060	msiexec.exe
Token: SeTakeOwnershipPrivilege	5060	msiexec.exe
Token: SeRestorePrivilege	5060	msiexec.exe
Token: SeTakeOwnershipPrivilege	5060	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4248 msiexec.exe
4248 msiexec.exe

pid	process
4248	msiexec.exe
4248	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 5060 wrote to memory of 2480	5060	msiexec.exe	MsiExec.exe
PID 5060 wrote to memory of 2480	5060	msiexec.exe	MsiExec.exe
PID 5060 wrote to memory of 2480	5060	msiexec.exe	MsiExec.exe
PID 5060 wrote to memory of 2316	5060	msiexec.exe	Physlez.exe
PID 5060 wrote to memory of 2316	5060	msiexec.exe	Physlez.exe
PID 5060 wrote to memory of 2316	5060	msiexec.exe	Physlez.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ARQL25_69265.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4248

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C7CD64013DB9ED034B6FB7A09B69496E
2⤵
- Loads dropped DLL
PID:2480

C:\Users\Admin\AppData\Local\WappPrxy\Physlez.exe
"C:\Users\Admin\AppData\Local\WappPrxy\Physlez.exe"
2⤵
- Adds Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e575ab6.rbs
Filesize
16KB

MD5
6719e5d7d0b121e1f6e40b20c9705e42

SHA1
8474d7c2a17e31b0d4848820804841560c2e3d19

SHA256
5bfb400467af4aa3e0ca1f21aab92d82ba26654deee8dd26e2ffd9e66898cffe

SHA512
2be3447e2ecbf5adb54c1ab283fd352a4f673d04ac295969c28a3dc5bc37d2772a13718d355edfe8cfd0504164035cfedd7ca785d7f3744eadc443ab7e33ee4f

Download Submit
C:\Users\Admin\AppData\Local\WappPrxy\AGLoader.dll
Filesize
7.4MB

MD5
165770fb5b4a3bbc4f2957dcab07de22

SHA1
0e9a85acf8e6319f6f7cd844e54856f1c724ece8

SHA256
bda0a6b59cd715ea7446752c2f08b65387c2112ed3f72640c9c7ed795e91f3ee

SHA512
0e57d387dd77999f96370e49a910b9b68a4dc615fe2148103e73b7c7d671e67c1d7e8c069f700c36ffb19eb0155f870f952381ee4445c499aecf831bdb25de3a

Download Submit
C:\Users\Admin\AppData\Local\WappPrxy\Physlez.exe
Filesize
289KB

MD5
eb67273c54e78db4faffab9001148753

SHA1
0e6cab2fdf666e53c994718477068e51b656e078

SHA256
7fa7499c7a72041d7d0fb1e4659466ad8d428080a176fa16276fd60adc9da0fd

SHA512
8fcae871423c03850787cdc62f9e2555b054a8480772003fbfa5799ae7359c438d9f64c95592d265328909863fd000d6cdb4b34a6a8810045bc4029f23f6bd07

Download Submit
C:\Users\Admin\AppData\Local\WappPrxy\pagina.pag
Filesize
4.1MB

MD5
19f984657f363ddcadfd13efd52ccf75

SHA1
7d207d3892c8e3679833f3c7350aa31f4a24f4ff

SHA256
f7d96ae48880838da407797b6016060edd7edf5c7d94f36f48c39b5e13361c75

SHA512
eb55200daf20bcc7c30e03ae9c629b3a2846fd32ea47f2fa05b4361acd25cb17b21f8f8e958e02f8ef1e693867ee40f350b5f5d158f65ee5b269be728073de55

Download Submit
C:\Windows\Installer\MSI5C0A.tmp
Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Windows\Installer\MSI6219.tmp
Filesize
391KB

MD5
5f0c2017c1120c03d2af10a21a02cc69

SHA1
ff7ff3e0e0f9d9fcef42ccbdd41bf8ba020b4367

SHA256
0f681c5db5c2c0c5660927a5b60ba35d205c0a8eab5f0a17ea0617f67290d972

SHA512
300f60ee506776e6226dd282aaef9af433e446925517b70baefbf8de36e40210ee3a695fb8aa1b6fcbe26389ebddf5f2c72f46808d20e2bf80ba9837556eec5e

Download Submit
C:\Windows\Installer\e575ab3.msi
Filesize
13.9MB

MD5
136153002b6eaeab583002ad98459c2b

SHA1
bb91559cf5df5203a8457c449eac0edbd269cb48

SHA256
dfbb9c43f2bed443f7b08636fc64b063acbd76d9870f38b40bc3f51117c63a2b

SHA512
f5a3e324faba805db928247f24794804c894be7ae3480aa819af543663e7547508e8f96c3cd9eba5179258a98eb10ce7b82ac1a2421761419d04320c31a51103

Download Submit
memory/2316-154-0x0000000073080000-0x0000000073D0B000-memory.dmp

Filesize
12.5MB

Download
memory/2316-158-0x0000000002F20000-0x000000000334E000-memory.dmp

Filesize
4.2MB

Download
memory/2316-149-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/2316-151-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/2316-150-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/2316-147-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/2316-153-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/2316-152-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/2316-146-0x0000000073080000-0x0000000073D0B000-memory.dmp

Filesize
12.5MB

Download
memory/2316-148-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/2316-161-0x0000000002F20000-0x000000000334E000-memory.dmp

Filesize
4.2MB

Download
memory/2316-162-0x0000000002F20000-0x000000000334E000-memory.dmp

Filesize
4.2MB

Download
memory/2316-163-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/2316-168-0x0000000073080000-0x0000000073D0B000-memory.dmp

Filesize
12.5MB

Download
memory/2316-169-0x0000000002F20000-0x000000000334E000-memory.dmp

Filesize
4.2MB

Download
memory/2316-170-0x0000000002F20000-0x000000000334E000-memory.dmp

Filesize
4.2MB

Download
memory/2316-171-0x0000000002F20000-0x000000000334E000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads