Analysis
-
max time kernel
16s -
max time network
60s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
26-07-2021 20:02
General
-
Target
meu.agendamento28765768 zwrgikqa mcsh0e.msi
-
Size
269KB
-
MD5
0a6e3cafaf5cb2656e56be4440d06662
-
SHA1
01a311c11f47d5b85de8e05dfd3fc59f3b4e12ad
-
SHA256
15f01cf888792f4f3c3124b6e65a615342c7c8b9788941947f8131f3786a499c
-
SHA512
e14201a00dfefe8becb294d48c452dcabe74acde46dba0af6c82c315d8ed5f3a616c31fd26bb5473ccfd80985c317324152bc8f813c58a534b141c49e414b12d
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 8 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\meu.agendamento28765768 zwrgikqa mcsh0e.msi"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 86B681B15143F8DF17312463B20E03812⤵
- Blocklisted process makes network request
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MSI5006e.LOGMD5
841b9b3c15dda27144050c41c63fa12d
SHA1fdb473efea0897c4d58fe6edc7b291dc870fadc6
SHA2566f878da5405ed58c04a07099859e49c3e67104a95c4cf4f8aef452493d5cc634
SHA512168815490f15776dec77788f8eb6bfdd457f05862a2d9cdfbc9b217e7df0bdf05669a01c61a6da5a15f5ba94584ca0f26606b76b3aab0cb38aa1d88abd673f90
-
C:\Windows\Installer\MSI474.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
C:\Windows\Installer\MSI723.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
\Windows\Installer\MSI474.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
\Windows\Installer\MSI723.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
memory/604-60-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmpFilesize
8KB
-
memory/2044-63-0x0000000000000000-mapping.dmp
-
memory/2044-64-0x0000000075211000-0x0000000075213000-memory.dmpFilesize
8KB