Analysis

  • max time kernel
    1200s
  • max time network
    976s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    14-07-2021 02:06

General

  • Target

    DOCUMENTO.BR4.PIXQIGCMOMAJHNVRASLBFSXDNMQAVJ?.msi

  • Size

    282KB

  • MD5

    5068c2facc5121859ceb4a337eccab1e

  • SHA1

    f6ce53f58563a1f62505b4bac6cf91905805c71e

  • SHA256

    f316986a337648669a6ded3161838f7d0a9dac41ef985f9505ad5548e3b3c272

  • SHA512

    9baed08b6e0bdc090b09e5399fa1428af4ef1fe11839140881475b52e466496b5a16889c6738214ccf2561fb70af6527701f07e0fb0cc5cf5e6444d7bd73bdcf

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 3 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\DOCUMENTO.BR4.PIXQIGCMOMAJHNVRASLBFSXDNMQAVJ_.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:904
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3968
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 6E314C3CF92A895DF06E985D956A6558
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:932
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cd\;cd 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup';Start-Sleep -s 60;Invoke-Item 'ATXDTLTLAZ.lnk'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2156
        • C:\Users\Public\Downloads\OVZVBGKXWYYPHSIGGJLW\JQSTIUEBCMWWQDIHHJELSNCHWKFYFWDPJOBñ.exe
          "C:\Users\Public\Downloads\OVZVBGKXWYYPHSIGGJLW\JQSTIUEBCMWWQDIHHJELSNCHWKFYFWDPJOBñ.exe"
          4⤵
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:1216
  • C:\Users\Admin\AppData\Local\Temp\398486407\zmstage.exe
    zmstage.exe
    1⤵
    PID:2524

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Registry Run Keys / Startup Folder (1) T1060
    • Bootkit (1) T1067
  • Defense Evasion
    • Virtualization/Sandbox Evasion (1) T1497
    • Modify Registry (1) T1112
  • Discovery
    • Query Registry (3) T1012
    • Virtualization/Sandbox Evasion (1) T1497
    • System Information Discovery (4) T1082
    • Peripheral Device Discovery (1) T1120

Downloads

    • C:\Users\Admin\AppData\Local\Temp\MSI461ec.LOG
      MD5

      5b6a1ef5f7e135c6ec9f52e0a66de4bc

      SHA1

      2476eeec655a0fa1c06b5b4f84ef6de5946a3bc5

      SHA256

      0d026b2afd2f41808705af945ba1799596a42045ea5a562a9972abb9c6d31322

      SHA512

      2d8cd0ef7ab026f97aea80156a29a01a6f1c2194403c5231bab07c26f2723afcee61e7e92b8db28cb7f8c7ed631f57065a1445d191a78b67e11383d5c440bf08

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ATXDTLTLAZ.lnk
      MD5

      8bedda9ec61b2f321376b153d054abed

      SHA1

      6ed0b5196d1e5302c37f8d18f8ce9a8667228246

      SHA256

      3573920b29c722ad976ccc3a733cf8670fcf2bd1e0e4a1e35f684f25bcac576b

      SHA512

      3f9f850a71459fb4f23bab076074b8a426d106b56a73540b7b8cfb7a0da341c72bb0c3d2fd1ade4e7ef565217ed94e11742f677f2d64293e370e75c1b1069efe

    • C:\Users\Public\Downloads\OVZVBGKXWYYPHSIGGJLW\Avira.OE.NativeCore.dll
      MD5

      759bbd553496e0fad10ed1e89f83ecf9

      SHA1

      240a2c2c465660e46f19de5bd5cb58a6f3a2d92a

      SHA256

      568829dea29381ac4f997a1db9625e6619511b6849b1ddd0338a2a41f2710f72

      SHA512

      186abbcf425b0d8f64c38aeaceac208df001321a49814642441bc236d14b8a82f3ebcb8e1eff839eef6ad0f00ba4388e4eb46bf5b43c8b3582f7573625a377ef

    • C:\Users\Public\Downloads\OVZVBGKXWYYPHSIGGJLW\JQSTIUEBCMWWQDIHHJELSNCHWKFYFWDPJOBñ.exe
      MD5

      8cbb75febfb4b0b7c3b6d3613386220c

      SHA1

      ba5493b08354aee85151b7bbd15150a1c3f03d1d

      SHA256

      f495d7c5c98457febc42ec96a959293788f6915e4245899d3bb1808ab84f0d9a

      SHA512

      8cb5f08f9e21fb6648f364869366ad09908be9e0317f95708a9e1931d30855cdfab199464bf5d72675bc1e166e8ce4645e6d0dca0d8d1c78428fbc77d4dd25fd

    • C:\Users\Public\Downloads\OVZVBGKXWYYPHSIGGJLW\MSVCP120.dll
      MD5

      fd5cabbe52272bd76007b68186ebaf00

      SHA1

      efd1e306c1092c17f6944cc6bf9a1bfad4d14613

      SHA256

      87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

      SHA512

      1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

    • C:\Users\Public\Downloads\OVZVBGKXWYYPHSIGGJLW\MSVCR120.dll
      MD5

      034ccadc1c073e4216e9466b720f9849

      SHA1

      f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

      SHA256

      86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

      SHA512

      5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

    • C:\Windows\Installer\MSI64DA.tmp
      MD5

      5c5bef05b6f3806106f8f3ce13401cc1

      SHA1

      6005fbe17f6e917ac45317552409d7a60976db14

      SHA256

      f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

      SHA512

      97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

    • C:\Windows\Installer\MSI673C.tmp
      MD5

      5c5bef05b6f3806106f8f3ce13401cc1

      SHA1

      6005fbe17f6e917ac45317552409d7a60976db14

      SHA256

      f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

      SHA512

      97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

    • \Users\Public\Downloads\OVZVBGKXWYYPHSIGGJLW\Avira.OE.NativeCore.dll
      MD5

      759bbd553496e0fad10ed1e89f83ecf9

      SHA1

      240a2c2c465660e46f19de5bd5cb58a6f3a2d92a

      SHA256

      568829dea29381ac4f997a1db9625e6619511b6849b1ddd0338a2a41f2710f72

      SHA512

      186abbcf425b0d8f64c38aeaceac208df001321a49814642441bc236d14b8a82f3ebcb8e1eff839eef6ad0f00ba4388e4eb46bf5b43c8b3582f7573625a377ef

    • \Users\Public\Downloads\OVZVBGKXWYYPHSIGGJLW\msvcp120.dll
      MD5

      fd5cabbe52272bd76007b68186ebaf00

      SHA1

      efd1e306c1092c17f6944cc6bf9a1bfad4d14613

      SHA256

      87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

      SHA512

      1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

    • \Users\Public\Downloads\OVZVBGKXWYYPHSIGGJLW\msvcr120.dll
      MD5

      034ccadc1c073e4216e9466b720f9849

      SHA1

      f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

      SHA256

      86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

      SHA512

      5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

    • \Windows\Installer\MSI64DA.tmp
      MD5

      5c5bef05b6f3806106f8f3ce13401cc1

      SHA1

      6005fbe17f6e917ac45317552409d7a60976db14

      SHA256

      f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

      SHA512

      97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

    • \Windows\Installer\MSI673C.tmp
      MD5

      5c5bef05b6f3806106f8f3ce13401cc1

      SHA1

      6005fbe17f6e917ac45317552409d7a60976db14

      SHA256

      f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

      SHA512

      97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

    • memory/932-119-0x0000000000000000-mapping.dmp
    • memory/1216-163-0x0000000000000000-mapping.dmp
    • memory/1216-173-0x0000000077000000-0x000000007718E000-memory.dmp
      Filesize

      1.6MB

    • memory/1216-174-0x000000006CCA0000-0x000000006EF32000-memory.dmp
      Filesize

      34.6MB

    • memory/1216-175-0x000000006CCA1000-0x000000006D147000-memory.dmp
      Filesize

      4.6MB

    • memory/1216-176-0x0000000000BA0000-0x0000000000BA1000-memory.dmp
      Filesize

      4KB

    • memory/2156-131-0x0000000006A60000-0x0000000006A61000-memory.dmp
      Filesize

      4KB

    • memory/2156-147-0x00000000091E0000-0x00000000091E1000-memory.dmp
      Filesize

      4KB

    • memory/2156-152-0x0000000009D60000-0x0000000009D61000-memory.dmp
      Filesize

      4KB

    • memory/2156-146-0x0000000008940000-0x0000000008941000-memory.dmp
      Filesize

      4KB

    • memory/2156-145-0x0000000007F40000-0x0000000007F41000-memory.dmp
      Filesize

      4KB

    • memory/2156-144-0x0000000008BE0000-0x0000000008BE1000-memory.dmp
      Filesize

      4KB

    • memory/2156-139-0x0000000007BE0000-0x0000000007BE1000-memory.dmp
      Filesize

      4KB

    • memory/2156-138-0x0000000007CB0000-0x0000000007CB1000-memory.dmp
      Filesize

      4KB

    • memory/2156-137-0x0000000007380000-0x0000000007381000-memory.dmp
      Filesize

      4KB

    • memory/2156-135-0x0000000000C10000-0x0000000000C11000-memory.dmp
      Filesize

      4KB

    • memory/2156-136-0x0000000000C12000-0x0000000000C13000-memory.dmp
      Filesize

      4KB

    • memory/2156-134-0x0000000007520000-0x0000000007521000-memory.dmp
      Filesize

      4KB

    • memory/2156-133-0x00000000072B0000-0x00000000072B1000-memory.dmp
      Filesize

      4KB

    • memory/2156-172-0x0000000000C13000-0x0000000000C14000-memory.dmp
      Filesize

      4KB

    • memory/2156-132-0x0000000006C00000-0x0000000006C01000-memory.dmp
      Filesize

      4KB

    • memory/2156-130-0x0000000006C80000-0x0000000006C81000-memory.dmp
      Filesize

      4KB

    • memory/2156-129-0x0000000000C90000-0x0000000000C91000-memory.dmp
      Filesize

      4KB

    • memory/2156-126-0x0000000000000000-mapping.dmp