15f01cf888792f4f3c3124b6e65a615342c7c8b9788941947f8131f3786a499c

General

Target

meu.agendamento28765768 zwrgikqa mcsh0e.msi
Size

269KB
MD5

0a6e3cafaf5cb2656e56be4440d06662
SHA1

01a311c11f47d5b85de8e05dfd3fc59f3b4e12ad
SHA256

15f01cf888792f4f3c3124b6e65a615342c7c8b9788941947f8131f3786a499c
SHA512

e14201a00dfefe8becb294d48c452dcabe74acde46dba0af6c82c315d8ed5f3a616c31fd26bb5473ccfd80985c317324152bc8f813c58a534b141c49e414b12d

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

MsiExec.exe

flow pid process

11 3560 MsiExec.exe
Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

3560 MsiExec.exe
3560 MsiExec.exe

flow	pid	process
11	3560	MsiExec.exe

pid	process
3560	MsiExec.exe
3560	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{4621DF3A-A393-4FF0-8DD9-E3A76D42EE2C}	msiexec.exe
File created	C:\Windows\Installer\f7456a1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7456a1.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EEF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI577C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6104.tmp	msiexec.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 11 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1788 msiexec.exe
1788 msiexec.exe

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1788	msiexec.exe
1788	msiexec.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3492	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3492	msiexec.exe
Token: SeSecurityPrivilege	1788	msiexec.exe
Token: SeCreateTokenPrivilege	3492	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3492	msiexec.exe
Token: SeLockMemoryPrivilege	3492	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3492	msiexec.exe
Token: SeMachineAccountPrivilege	3492	msiexec.exe
Token: SeTcbPrivilege	3492	msiexec.exe
Token: SeSecurityPrivilege	3492	msiexec.exe
Token: SeTakeOwnershipPrivilege	3492	msiexec.exe
Token: SeLoadDriverPrivilege	3492	msiexec.exe
Token: SeSystemProfilePrivilege	3492	msiexec.exe
Token: SeSystemtimePrivilege	3492	msiexec.exe
Token: SeProfSingleProcessPrivilege	3492	msiexec.exe
Token: SeIncBasePriorityPrivilege	3492	msiexec.exe
Token: SeCreatePagefilePrivilege	3492	msiexec.exe
Token: SeCreatePermanentPrivilege	3492	msiexec.exe
Token: SeBackupPrivilege	3492	msiexec.exe
Token: SeRestorePrivilege	3492	msiexec.exe
Token: SeShutdownPrivilege	3492	msiexec.exe
Token: SeDebugPrivilege	3492	msiexec.exe
Token: SeAuditPrivilege	3492	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3492	msiexec.exe
Token: SeChangeNotifyPrivilege	3492	msiexec.exe
Token: SeRemoteShutdownPrivilege	3492	msiexec.exe
Token: SeUndockPrivilege	3492	msiexec.exe
Token: SeSyncAgentPrivilege	3492	msiexec.exe
Token: SeEnableDelegationPrivilege	3492	msiexec.exe
Token: SeManageVolumePrivilege	3492	msiexec.exe
Token: SeImpersonatePrivilege	3492	msiexec.exe
Token: SeCreateGlobalPrivilege	3492	msiexec.exe
Token: SeRestorePrivilege	1788	msiexec.exe
Token: SeTakeOwnershipPrivilege	1788	msiexec.exe
Token: SeRestorePrivilege	1788	msiexec.exe
Token: SeTakeOwnershipPrivilege	1788	msiexec.exe
Token: SeRestorePrivilege	1788	msiexec.exe
Token: SeTakeOwnershipPrivilege	1788	msiexec.exe
Token: SeRestorePrivilege	1788	msiexec.exe
Token: SeTakeOwnershipPrivilege	1788	msiexec.exe
Token: SeRestorePrivilege	1788	msiexec.exe
Token: SeTakeOwnershipPrivilege	1788	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

3492 msiexec.exe

pid	process
3492	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 1788 wrote to memory of 3560	1788	msiexec.exe	MsiExec.exe
PID 1788 wrote to memory of 3560	1788	msiexec.exe	MsiExec.exe
PID 1788 wrote to memory of 3560	1788	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\meu.agendamento28765768 zwrgikqa mcsh0e.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3492

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9A4C51C8228A3668025BB34E740FA3EE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI451ee.LOG
MD5
50ac04e1c5f0936d677bacadca445a2d

SHA1
5c5c73e60e6233c5dcc00ca354f002983dd884d9

SHA256
b188a47c64e36f3081671d74b27c3b039bd55a0cd7e4da642d911af34f61fe08

SHA512
85f8cdd3f8ff34d3c5b550319940b16f68583681185faeb78ab4c0053dbf97491a608e2cf2bfe08538dacb53effeb0eea1b7938319fcbada43d1c46bc5fdb3df

Download Submit
C:\Windows\Installer\MSI577C.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
C:\Windows\Installer\MSI5EEF.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
\Windows\Installer\MSI577C.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
\Windows\Installer\MSI5EEF.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
memory/3560-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads