Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-en-20211104 -
submitted
23-11-2021 13:27
General
-
Target
Proc.Eeletronico80rdgkj4 qoz4br.msi
-
Size
4.0MB
-
MD5
1321ee6809d5368dc9ec125e04bc4cf8
-
SHA1
f1c0503e18eba4af77c5e637b38f2cf323e6c2bc
-
SHA256
c8c447eabc388282ef6ee8678cce4aa65557bf557a936109485648fd217baae8
-
SHA512
c348633687ec45a8c6a82fb7339ceb54bcc7c7448108841d4c4aa54ab15de582dd4b2b981ce76c743dd6d3f5ceaf96491cf2a9065df3439aafd33d1398900597
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Proc.Eeletronico80rdgkj4 qoz4br.msi"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 85E9CFE13329B663F4D0B2039FA018A12⤵
- Blocklisted process makes network request
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Installer\MSIBCD9.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
C:\Windows\Installer\MSIBFE6.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
C:\Windows\Installer\MSIC0B2.tmpMD5
0872fc86ddb1c0c51beab1deaaa80218
SHA1abe143cfe0053d6e93c042815f020ff4714794bc
SHA25699f2f155dfed73c33416e82ca6cd8f6dc66abbf50513a5e2a857d12e49504c60
SHA5121b15ea0122d5adef9098381a2dc9659257ba13704fc4b51105c535044c94e370b9ea24e70c836e85cd0b4c9cc4dab63522c74af2ab913619984e86c27888a346
-
\Windows\Installer\MSIBCD9.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
\Windows\Installer\MSIBFE6.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
\Windows\Installer\MSIC0B2.tmpMD5
0872fc86ddb1c0c51beab1deaaa80218
SHA1abe143cfe0053d6e93c042815f020ff4714794bc
SHA25699f2f155dfed73c33416e82ca6cd8f6dc66abbf50513a5e2a857d12e49504c60
SHA5121b15ea0122d5adef9098381a2dc9659257ba13704fc4b51105c535044c94e370b9ea24e70c836e85cd0b4c9cc4dab63522c74af2ab913619984e86c27888a346
-
memory/540-57-0x0000000000000000-mapping.dmp
-
memory/540-58-0x0000000075731000-0x0000000075733000-memory.dmpFilesize
8KB
-
memory/2032-55-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmpFilesize
8KB