Analysis
-
max time kernel
16s -
max time network
60s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
26-07-2021 20:02
Behavioral task
behavioral1
Sample
meu.agendamento28765768 zwrgikqa mcsh0e.msi
Resource
win7v20210408
Behavioral task
behavioral2
Sample
meu.agendamento28765768 zwrgikqa mcsh0e.msi
Resource
win10v20210408
General
-
Target
meu.agendamento28765768 zwrgikqa mcsh0e.msi
-
Size
269KB
-
MD5
0a6e3cafaf5cb2656e56be4440d06662
-
SHA1
01a311c11f47d5b85de8e05dfd3fc59f3b4e12ad
-
SHA256
15f01cf888792f4f3c3124b6e65a615342c7c8b9788941947f8131f3786a499c
-
SHA512
e14201a00dfefe8becb294d48c452dcabe74acde46dba0af6c82c315d8ed5f3a616c31fd26bb5473ccfd80985c317324152bc8f813c58a534b141c49e414b12d
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
MsiExec.exeflow pid process 2 2044 MsiExec.exe 4 2044 MsiExec.exe 6 2044 MsiExec.exe -
Loads dropped DLL 2 IoCs
Processes:
MsiExec.exepid process 2044 MsiExec.exe 2044 MsiExec.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe -
Drops file in Windows directory 8 IoCs
Processes:
msiexec.exedescription ioc process File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI956.tmp msiexec.exe File opened for modification C:\Windows\Installer\f7503e9.ipi msiexec.exe File created C:\Windows\Installer\f7503e7.msi msiexec.exe File opened for modification C:\Windows\Installer\f7503e7.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI474.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI723.tmp msiexec.exe File created C:\Windows\Installer\f7503e9.ipi msiexec.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid process 1648 msiexec.exe 1648 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
msiexec.exemsiexec.exedescription pid process Token: SeShutdownPrivilege 604 msiexec.exe Token: SeIncreaseQuotaPrivilege 604 msiexec.exe Token: SeRestorePrivilege 1648 msiexec.exe Token: SeTakeOwnershipPrivilege 1648 msiexec.exe Token: SeSecurityPrivilege 1648 msiexec.exe Token: SeCreateTokenPrivilege 604 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 604 msiexec.exe Token: SeLockMemoryPrivilege 604 msiexec.exe Token: SeIncreaseQuotaPrivilege 604 msiexec.exe Token: SeMachineAccountPrivilege 604 msiexec.exe Token: SeTcbPrivilege 604 msiexec.exe Token: SeSecurityPrivilege 604 msiexec.exe Token: SeTakeOwnershipPrivilege 604 msiexec.exe Token: SeLoadDriverPrivilege 604 msiexec.exe Token: SeSystemProfilePrivilege 604 msiexec.exe Token: SeSystemtimePrivilege 604 msiexec.exe Token: SeProfSingleProcessPrivilege 604 msiexec.exe Token: SeIncBasePriorityPrivilege 604 msiexec.exe Token: SeCreatePagefilePrivilege 604 msiexec.exe Token: SeCreatePermanentPrivilege 604 msiexec.exe Token: SeBackupPrivilege 604 msiexec.exe Token: SeRestorePrivilege 604 msiexec.exe Token: SeShutdownPrivilege 604 msiexec.exe Token: SeDebugPrivilege 604 msiexec.exe Token: SeAuditPrivilege 604 msiexec.exe Token: SeSystemEnvironmentPrivilege 604 msiexec.exe Token: SeChangeNotifyPrivilege 604 msiexec.exe Token: SeRemoteShutdownPrivilege 604 msiexec.exe Token: SeUndockPrivilege 604 msiexec.exe Token: SeSyncAgentPrivilege 604 msiexec.exe Token: SeEnableDelegationPrivilege 604 msiexec.exe Token: SeManageVolumePrivilege 604 msiexec.exe Token: SeImpersonatePrivilege 604 msiexec.exe Token: SeCreateGlobalPrivilege 604 msiexec.exe Token: SeRestorePrivilege 1648 msiexec.exe Token: SeTakeOwnershipPrivilege 1648 msiexec.exe Token: SeRestorePrivilege 1648 msiexec.exe Token: SeTakeOwnershipPrivilege 1648 msiexec.exe Token: SeRestorePrivilege 1648 msiexec.exe Token: SeTakeOwnershipPrivilege 1648 msiexec.exe Token: SeRestorePrivilege 1648 msiexec.exe Token: SeTakeOwnershipPrivilege 1648 msiexec.exe Token: SeRestorePrivilege 1648 msiexec.exe Token: SeTakeOwnershipPrivilege 1648 msiexec.exe Token: SeRestorePrivilege 1648 msiexec.exe Token: SeTakeOwnershipPrivilege 1648 msiexec.exe Token: SeRestorePrivilege 1648 msiexec.exe Token: SeTakeOwnershipPrivilege 1648 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 604 msiexec.exe 604 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
msiexec.exedescription pid process target process PID 1648 wrote to memory of 2044 1648 msiexec.exe MsiExec.exe PID 1648 wrote to memory of 2044 1648 msiexec.exe MsiExec.exe PID 1648 wrote to memory of 2044 1648 msiexec.exe MsiExec.exe PID 1648 wrote to memory of 2044 1648 msiexec.exe MsiExec.exe PID 1648 wrote to memory of 2044 1648 msiexec.exe MsiExec.exe PID 1648 wrote to memory of 2044 1648 msiexec.exe MsiExec.exe PID 1648 wrote to memory of 2044 1648 msiexec.exe MsiExec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\meu.agendamento28765768 zwrgikqa mcsh0e.msi"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 86B681B15143F8DF17312463B20E03812⤵
- Blocklisted process makes network request
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MSI5006e.LOGMD5
841b9b3c15dda27144050c41c63fa12d
SHA1fdb473efea0897c4d58fe6edc7b291dc870fadc6
SHA2566f878da5405ed58c04a07099859e49c3e67104a95c4cf4f8aef452493d5cc634
SHA512168815490f15776dec77788f8eb6bfdd457f05862a2d9cdfbc9b217e7df0bdf05669a01c61a6da5a15f5ba94584ca0f26606b76b3aab0cb38aa1d88abd673f90
-
C:\Windows\Installer\MSI474.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
C:\Windows\Installer\MSI723.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
\Windows\Installer\MSI474.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
\Windows\Installer\MSI723.tmpMD5
5c5bef05b6f3806106f8f3ce13401cc1
SHA16005fbe17f6e917ac45317552409d7a60976db14
SHA256f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA51297933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
-
memory/604-60-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmpFilesize
8KB
-
memory/2044-63-0x0000000000000000-mapping.dmp
-
memory/2044-64-0x0000000075211000-0x0000000075213000-memory.dmpFilesize
8KB