Analysis
- max time kernel: 17s
- max time network: 123s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 26-07-2021 20:02
Behavioral task: behavioral1
- Sample: meu.agendamento28765768 zwrgikqa mcsh0e.msi
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: meu.agendamento28765768 zwrgikqa mcsh0e.msi
- Resource: win10v20210408
General
- Target: meu.agendamento28765768 zwrgikqa mcsh0e.msi
- Size: 269KB
- MD5: 0a6e3cafaf5cb2656e56be4440d06662
- SHA1: 01a311c11f47d5b85de8e05dfd3fc59f3b4e12ad
- SHA256: 15f01cf888792f4f3c3124b6e65a615342c7c8b9788941947f8131f3786a499c
- SHA512: e14201a00dfefe8becb294d48c452dcabe74acde46dba0af6c82c315d8ed5f3a616c31fd26bb5473ccfd80985c317324152bc8f813c58a534b141c49e414b12d
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: MsiExec.exe (flow 11, PID 3560)
- Loads dropped DLL (2 IoCs)
  Processes: MsiExec.exe (PID 3560); MsiExec.exe (PID 3560)
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe (two instances)
- Drops file in Windows directory (9 IoCs)
  Processes: msiexec.exe
  - File created: C:\Windows\Installer\SourceHash{4621DF3A-A393-4FF0-8DD9-E3A76D42EE2C}
  - File created: C:\Windows\Installer\f7456a1.msi
  - File opened for modification: C:\Windows\Installer\f7456a1.msi
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  - File opened for modification: C:\Windows\Installer\MSI5EEF.tmp
  - File opened for modification: C:\Windows\Installer\
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi
  - File opened for modification: C:\Windows\Installer\MSI577C.tmp
  - File opened for modification: C:\Windows\Installer\MSI6104.tmp
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  HTTP User-Agent header (flow 11): Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: msiexec.exe (PID 1788); msiexec.exe (PID 1788)
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes: msiexec.exe (PIDs 3492 and 1788)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: msiexec.exe (PID 3492)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: msiexec.exe
  - PID 1788 (msiexec.exe) wrote to memory of PID 3560 (MsiExec.exe)
  - PID 1788 (msiexec.exe) wrote to memory of PID 3560 (MsiExec.exe)
  - PID 1788 (msiexec.exe) wrote to memory of PID 3560 (MsiExec.exe)
Processes
- C:\Windows\system32\msiexec.exe (tree depth 1)
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\meu.agendamento28765768 zwrgikqa mcsh0e.msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (tree depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (tree depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9A4C51C8228A3668025BB34E740FA3EE
    - Blocklisted process makes network request
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSI451ee.LOG
  MD5: 50ac04e1c5f0936d677bacadca445a2d
  SHA1: 5c5c73e60e6233c5dcc00ca354f002983dd884d9
  SHA256: b188a47c64e36f3081671d74b27c3b039bd55a0cd7e4da642d911af34f61fe08
  SHA512: 85f8cdd3f8ff34d3c5b550319940b16f68583681185faeb78ab4c0053dbf97491a608e2cf2bfe08538dacb53effeb0eea1b7938319fcbada43d1c46bc5fdb3df
- C:\Windows\Installer\MSI577C.tmp (also listed as \Windows\Installer\MSI577C.tmp)
  MD5: 5c5bef05b6f3806106f8f3ce13401cc1
  SHA1: 6005fbe17f6e917ac45317552409d7a60976db14
  SHA256: f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
  SHA512: 97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
- C:\Windows\Installer\MSI5EEF.tmp (also listed as \Windows\Installer\MSI5EEF.tmp)
  MD5: 5c5bef05b6f3806106f8f3ce13401cc1
  SHA1: 6005fbe17f6e917ac45317552409d7a60976db14
  SHA256: f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
  SHA512: 97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
- memory/3560-119-0x0000000000000000-mapping.dmp