15f01cf888792f4f3c3124b6e65a615342c7c8b9788941947f8131f3786a499c

Analysis

max time kernel
243s
max time network
340s
platform
windows7_x64
resource
win7v20210410
submitted
21-07-2021 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

meu.agendamento.msi
Size

269KB
MD5

0a6e3cafaf5cb2656e56be4440d06662
SHA1

01a311c11f47d5b85de8e05dfd3fc59f3b4e12ad
SHA256

15f01cf888792f4f3c3124b6e65a615342c7c8b9788941947f8131f3786a499c
SHA512

e14201a00dfefe8becb294d48c452dcabe74acde46dba0af6c82c315d8ed5f3a616c31fd26bb5473ccfd80985c317324152bc8f813c58a534b141c49e414b12d

Score

8^/10

upx

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

MsiExec.exe

flow pid process

3 1964 MsiExec.exe
5 1964 MsiExec.exe
7 1964 MsiExec.exe
10 1964 MsiExec.exe

flow	pid	process
3	1964	MsiExec.exe
5	1964	MsiExec.exe
7	1964	MsiExec.exe
10	1964	MsiExec.exe

Executes dropped EXE 3 IoCs

Processes:

VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exeVCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exeVCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe

pid	process
1796	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
1736	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
1612	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1796-83-0x0000000003570000-0x0000000003849000-memory.dmp	upx

Loads dropped DLL 10 IoCs

Processes:

MsiExec.exeVCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exeVCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exeVCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe

pid	process
1964	MsiExec.exe
1964	MsiExec.exe
1964	MsiExec.exe
1964	MsiExec.exe
1796	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
1796	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
1736	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
1736	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
1612	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
1612	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSID2FA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f74cfb0.ipi	msiexec.exe
File created	C:\Windows\Installer\f74cfae.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f74cfae.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID04A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID1A2.tmp	msiexec.exe
File created	C:\Windows\Installer\f74cfb0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

912 schtasks.exe

pid	process
912	schtasks.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

msiexec.exeVCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe

pid process

1316 msiexec.exe
1316 msiexec.exe
1796 VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe

pid	process
1316	msiexec.exe
1316	msiexec.exe
1796	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1816	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1816	msiexec.exe
Token: SeRestorePrivilege	1316	msiexec.exe
Token: SeTakeOwnershipPrivilege	1316	msiexec.exe
Token: SeSecurityPrivilege	1316	msiexec.exe
Token: SeCreateTokenPrivilege	1816	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1816	msiexec.exe
Token: SeLockMemoryPrivilege	1816	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1816	msiexec.exe
Token: SeMachineAccountPrivilege	1816	msiexec.exe
Token: SeTcbPrivilege	1816	msiexec.exe
Token: SeSecurityPrivilege	1816	msiexec.exe
Token: SeTakeOwnershipPrivilege	1816	msiexec.exe
Token: SeLoadDriverPrivilege	1816	msiexec.exe
Token: SeSystemProfilePrivilege	1816	msiexec.exe
Token: SeSystemtimePrivilege	1816	msiexec.exe
Token: SeProfSingleProcessPrivilege	1816	msiexec.exe
Token: SeIncBasePriorityPrivilege	1816	msiexec.exe
Token: SeCreatePagefilePrivilege	1816	msiexec.exe
Token: SeCreatePermanentPrivilege	1816	msiexec.exe
Token: SeBackupPrivilege	1816	msiexec.exe
Token: SeRestorePrivilege	1816	msiexec.exe
Token: SeShutdownPrivilege	1816	msiexec.exe
Token: SeDebugPrivilege	1816	msiexec.exe
Token: SeAuditPrivilege	1816	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1816	msiexec.exe
Token: SeChangeNotifyPrivilege	1816	msiexec.exe
Token: SeRemoteShutdownPrivilege	1816	msiexec.exe
Token: SeUndockPrivilege	1816	msiexec.exe
Token: SeSyncAgentPrivilege	1816	msiexec.exe
Token: SeEnableDelegationPrivilege	1816	msiexec.exe
Token: SeManageVolumePrivilege	1816	msiexec.exe
Token: SeImpersonatePrivilege	1816	msiexec.exe
Token: SeCreateGlobalPrivilege	1816	msiexec.exe
Token: SeRestorePrivilege	1316	msiexec.exe
Token: SeTakeOwnershipPrivilege	1316	msiexec.exe
Token: SeRestorePrivilege	1316	msiexec.exe
Token: SeTakeOwnershipPrivilege	1316	msiexec.exe
Token: SeRestorePrivilege	1316	msiexec.exe
Token: SeTakeOwnershipPrivilege	1316	msiexec.exe
Token: SeRestorePrivilege	1316	msiexec.exe
Token: SeTakeOwnershipPrivilege	1316	msiexec.exe
Token: SeRestorePrivilege	1316	msiexec.exe
Token: SeTakeOwnershipPrivilege	1316	msiexec.exe
Token: SeRestorePrivilege	1316	msiexec.exe
Token: SeTakeOwnershipPrivilege	1316	msiexec.exe
Token: SeRestorePrivilege	1316	msiexec.exe
Token: SeTakeOwnershipPrivilege	1316	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1816 msiexec.exe
1816 msiexec.exe

pid	process
1816	msiexec.exe
1816	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exeVCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exeVCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe

pid	process
1796	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
1736	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
1612	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

msiexec.exeMsiExec.exeVCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.execmd.exetaskeng.exe

description	pid	process	target process
PID 1316 wrote to memory of 1964	1316	msiexec.exe	MsiExec.exe
PID 1316 wrote to memory of 1964	1316	msiexec.exe	MsiExec.exe
PID 1316 wrote to memory of 1964	1316	msiexec.exe	MsiExec.exe
PID 1316 wrote to memory of 1964	1316	msiexec.exe	MsiExec.exe
PID 1316 wrote to memory of 1964	1316	msiexec.exe	MsiExec.exe
PID 1316 wrote to memory of 1964	1316	msiexec.exe	MsiExec.exe
PID 1316 wrote to memory of 1964	1316	msiexec.exe	MsiExec.exe
PID 1964 wrote to memory of 1796	1964	MsiExec.exe	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
PID 1964 wrote to memory of 1796	1964	MsiExec.exe	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
PID 1964 wrote to memory of 1796	1964	MsiExec.exe	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
PID 1964 wrote to memory of 1796	1964	MsiExec.exe	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
PID 1796 wrote to memory of 1800	1796	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe	cmd.exe
PID 1796 wrote to memory of 1800	1796	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe	cmd.exe
PID 1796 wrote to memory of 1800	1796	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe	cmd.exe
PID 1796 wrote to memory of 1800	1796	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe	cmd.exe
PID 1800 wrote to memory of 912	1800	cmd.exe	schtasks.exe
PID 1800 wrote to memory of 912	1800	cmd.exe	schtasks.exe
PID 1800 wrote to memory of 912	1800	cmd.exe	schtasks.exe
PID 1800 wrote to memory of 912	1800	cmd.exe	schtasks.exe
PID 1788 wrote to memory of 1736	1788	taskeng.exe	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
PID 1788 wrote to memory of 1736	1788	taskeng.exe	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
PID 1788 wrote to memory of 1736	1788	taskeng.exe	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
PID 1788 wrote to memory of 1736	1788	taskeng.exe	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
PID 1788 wrote to memory of 1612	1788	taskeng.exe	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
PID 1788 wrote to memory of 1612	1788	taskeng.exe	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
PID 1788 wrote to memory of 1612	1788	taskeng.exe	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
PID 1788 wrote to memory of 1612	1788	taskeng.exe	VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\meu.agendamento.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1816

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9615CFADB26ED9DFB7DD5E5324D01251
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
"C:\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C schtasks /CREATE /TN "ImmersiveControlPanel " /TR C:\\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe /SC minute /MO 2 /IT /RU %USERNAME%
4⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ImmersiveControlPanel " /TR C:\\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe /SC minute /MO 2 /IT /RU Admin
5⤵
- Creates scheduled task(s)
PID:912

C:\Windows\system32\taskeng.exe
taskeng.exe {1EB250AD-AB1D-4A59-ADF7-05075F95ADBE} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
C:\\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
C:\\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI4cd7c.LOG
MD5
c59996c2bdb9ad2dda303be42867522c

SHA1
687ce18878e5ab4b8411a8aeac6cefb41b71efef

SHA256
205b23b2d828560190193b1db62cb0f48225c2ecf92fa5cf0cf3e261d8fdbedd

SHA512
a0a22af8b2bccf0d4a4692e61979415fb313046bf4e825746b9e80498faa970993203c8c91c7cfb9da8c7d8b180c11dcec05139298c032f9b107b674d61c5ab2

Download Submit
C:\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\FlexiMusicService0.dll
MD5
e307873befe4de974ed28ee82b11c31b

SHA1
740e3f54b05b9aea35a4684a4cfe2680aa76e783

SHA256
1f6570afdd3c00ffd6e13889e4242ff92f4d411d1c99e4580674c5b9058d4c5e

SHA512
c53039fd0da71706ab928ecf34822ac3419dc414e74260a0e43aa48b1e81254b9b60c828243f64641e7c49448f5eb1f87730b0a9f2f6db4ff021285a54dfea02

Download Submit
C:\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\FlexiMusicService7.dll
MD5
0f17784e38b2c09a2a77e5a386c11d2c

SHA1
5e3dd6ebdfa3a4fdba5ce43e15b3296f3f3b8e27

SHA256
41d9acee01bc30f6460a888106e25ea807b18b67a0ff4db82f851cbabd56db3c

SHA512
030b0e4690e842b8b08e5860169e5fc50354c56c02d9886306ceeab6d869ffb1caef9fb4ad04a039ef1d2444007d502ed9175839780c4339b9b75acf130aad6d

Download Submit
C:\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\Host.hst
MD5
56ad070b3efb28459804076e7295dc5f

SHA1
57c869425b06b2a11d3722bb6ea640713bd11d3a

SHA256
ea039c0e334688005936fe50f0308616e1e9a4397927c69150cd73c0088bb1a9

SHA512
83d43d8c9a3d57c3791900aaa3665d78fca63196f77be03e5a703f1d767ab1fc7a5028fbb92222d72f33c66bd36ebb202c3d106a35cb2bcf3f4c471b1322ea08

Download Submit
C:\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
MD5
d5ff0a986bc8146314cf92a5653aeca2

SHA1
46d568311495400517d367813c4ac4d736f64f2f

SHA256
b915dedfff05c661933e71bccd10a8c624ae6dc18165aba01119aaf952779c86

SHA512
d7b7b02857700e61fe896921586fc6c66f99dbe35a5a960e3a56ee3911b0947a07c34fe144c4815522eca068dc29a0d2eac5029a851bb8dd4d6fa11dd432ed92

Download Submit
C:\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
MD5
d5ff0a986bc8146314cf92a5653aeca2

SHA1
46d568311495400517d367813c4ac4d736f64f2f

SHA256
b915dedfff05c661933e71bccd10a8c624ae6dc18165aba01119aaf952779c86

SHA512
d7b7b02857700e61fe896921586fc6c66f99dbe35a5a960e3a56ee3911b0947a07c34fe144c4815522eca068dc29a0d2eac5029a851bb8dd4d6fa11dd432ed92

Download Submit
C:\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
MD5
d5ff0a986bc8146314cf92a5653aeca2

SHA1
46d568311495400517d367813c4ac4d736f64f2f

SHA256
b915dedfff05c661933e71bccd10a8c624ae6dc18165aba01119aaf952779c86

SHA512
d7b7b02857700e61fe896921586fc6c66f99dbe35a5a960e3a56ee3911b0947a07c34fe144c4815522eca068dc29a0d2eac5029a851bb8dd4d6fa11dd432ed92

Download Submit
C:\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
MD5
d5ff0a986bc8146314cf92a5653aeca2

SHA1
46d568311495400517d367813c4ac4d736f64f2f

SHA256
b915dedfff05c661933e71bccd10a8c624ae6dc18165aba01119aaf952779c86

SHA512
d7b7b02857700e61fe896921586fc6c66f99dbe35a5a960e3a56ee3911b0947a07c34fe144c4815522eca068dc29a0d2eac5029a851bb8dd4d6fa11dd432ed92

Download Submit
C:\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\win_sparkle_check_update_with_ui_and_install
MD5
5a9d68d9dbcbd912ce45de4e4577cb69

SHA1
84c3b1bc2afa2108d0eedb48d7b97a922f503a8c

SHA256
ce073c90061e20808c6099ebf4cd3cddb7d75151f836647d972555608b20d566

SHA512
d90ca759495a950f88895680fbb89d8606a9945d8a9448382058e796acc9ee70a8d3d2154cb6747df32b1b5ea02265f5123c89afa56a9d15e017f29747c55996

Download Submit
C:\Windows\Installer\MSID04A.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
C:\Windows\Installer\MSID1A2.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\FlexiMusicService0.dll
MD5
e307873befe4de974ed28ee82b11c31b

SHA1
740e3f54b05b9aea35a4684a4cfe2680aa76e783

SHA256
1f6570afdd3c00ffd6e13889e4242ff92f4d411d1c99e4580674c5b9058d4c5e

SHA512
c53039fd0da71706ab928ecf34822ac3419dc414e74260a0e43aa48b1e81254b9b60c828243f64641e7c49448f5eb1f87730b0a9f2f6db4ff021285a54dfea02

Download Submit
\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\FlexiMusicService0.dll
MD5
e307873befe4de974ed28ee82b11c31b

SHA1
740e3f54b05b9aea35a4684a4cfe2680aa76e783

SHA256
1f6570afdd3c00ffd6e13889e4242ff92f4d411d1c99e4580674c5b9058d4c5e

SHA512
c53039fd0da71706ab928ecf34822ac3419dc414e74260a0e43aa48b1e81254b9b60c828243f64641e7c49448f5eb1f87730b0a9f2f6db4ff021285a54dfea02

Download Submit
\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\FlexiMusicService0.dll
MD5
e307873befe4de974ed28ee82b11c31b

SHA1
740e3f54b05b9aea35a4684a4cfe2680aa76e783

SHA256
1f6570afdd3c00ffd6e13889e4242ff92f4d411d1c99e4580674c5b9058d4c5e

SHA512
c53039fd0da71706ab928ecf34822ac3419dc414e74260a0e43aa48b1e81254b9b60c828243f64641e7c49448f5eb1f87730b0a9f2f6db4ff021285a54dfea02

Download Submit
\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\FlexiMusicService7.dll
MD5
0f17784e38b2c09a2a77e5a386c11d2c

SHA1
5e3dd6ebdfa3a4fdba5ce43e15b3296f3f3b8e27

SHA256
41d9acee01bc30f6460a888106e25ea807b18b67a0ff4db82f851cbabd56db3c

SHA512
030b0e4690e842b8b08e5860169e5fc50354c56c02d9886306ceeab6d869ffb1caef9fb4ad04a039ef1d2444007d502ed9175839780c4339b9b75acf130aad6d

Download Submit
\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\FlexiMusicService7.dll
MD5
0f17784e38b2c09a2a77e5a386c11d2c

SHA1
5e3dd6ebdfa3a4fdba5ce43e15b3296f3f3b8e27

SHA256
41d9acee01bc30f6460a888106e25ea807b18b67a0ff4db82f851cbabd56db3c

SHA512
030b0e4690e842b8b08e5860169e5fc50354c56c02d9886306ceeab6d869ffb1caef9fb4ad04a039ef1d2444007d502ed9175839780c4339b9b75acf130aad6d

Download Submit
\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\FlexiMusicService7.dll
MD5
0f17784e38b2c09a2a77e5a386c11d2c

SHA1
5e3dd6ebdfa3a4fdba5ce43e15b3296f3f3b8e27

SHA256
41d9acee01bc30f6460a888106e25ea807b18b67a0ff4db82f851cbabd56db3c

SHA512
030b0e4690e842b8b08e5860169e5fc50354c56c02d9886306ceeab6d869ffb1caef9fb4ad04a039ef1d2444007d502ed9175839780c4339b9b75acf130aad6d

Download Submit
\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
MD5
d5ff0a986bc8146314cf92a5653aeca2

SHA1
46d568311495400517d367813c4ac4d736f64f2f

SHA256
b915dedfff05c661933e71bccd10a8c624ae6dc18165aba01119aaf952779c86

SHA512
d7b7b02857700e61fe896921586fc6c66f99dbe35a5a960e3a56ee3911b0947a07c34fe144c4815522eca068dc29a0d2eac5029a851bb8dd4d6fa11dd432ed92

Download Submit
\Users\Admin\IMMPPUPODPEVKVPSPVSDPPEM\VCUKPDKSOITOTPTDPTTSOTMCPTUKVSOMPSMUDKKDS.exe
MD5
d5ff0a986bc8146314cf92a5653aeca2

SHA1
46d568311495400517d367813c4ac4d736f64f2f

SHA256
b915dedfff05c661933e71bccd10a8c624ae6dc18165aba01119aaf952779c86

SHA512
d7b7b02857700e61fe896921586fc6c66f99dbe35a5a960e3a56ee3911b0947a07c34fe144c4815522eca068dc29a0d2eac5029a851bb8dd4d6fa11dd432ed92

Download Submit
\Windows\Installer\MSID04A.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
\Windows\Installer\MSID1A2.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
memory/912-87-0x0000000000000000-mapping.dmp

Download
memory/1612-103-0x0000000002F80000-0x0000000003432000-memory.dmp

Filesize
4.7MB

Download
memory/1612-97-0x0000000000000000-mapping.dmp

Download
memory/1736-90-0x0000000000000000-mapping.dmp

Download
memory/1736-96-0x0000000002EF0000-0x00000000033A2000-memory.dmp

Filesize
4.7MB

Download
memory/1796-84-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1796-71-0x0000000000000000-mapping.dmp

Download
memory/1796-85-0x0000000004760000-0x000000000521A000-memory.dmp

Filesize
10.7MB

Download
memory/1796-79-0x0000000002F70000-0x0000000003422000-memory.dmp

Filesize
4.7MB

Download
memory/1796-82-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1796-83-0x0000000003570000-0x0000000003849000-memory.dmp

Filesize
2.8MB

Download
memory/1800-86-0x0000000000000000-mapping.dmp

Download
memory/1816-60-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

Filesize
8KB

Download
memory/1964-64-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/1964-63-0x0000000000000000-mapping.dmp

Download