Analysis
  max time kernel: 123s
  max time network: 150s
  platform: windows10_x64
  resource: win10-en-20211014
  submitted: 23-11-2021 13:27
Static task: static1
Behavioral task: behavioral1
  Sample: Proc.Eeletronico80rdgkj4 qoz4br.msi
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: Proc.Eeletronico80rdgkj4 qoz4br.msi
  Resource: win10-en-20211014
General
  Target: Proc.Eeletronico80rdgkj4 qoz4br.msi
  Size: 4.0MB
  MD5: 1321ee6809d5368dc9ec125e04bc4cf8
  SHA1: f1c0503e18eba4af77c5e637b38f2cf323e6c2bc
  SHA256: c8c447eabc388282ef6ee8678cce4aa65557bf557a936109485648fd217baae8
  SHA512: c348633687ec45a8c6a82fb7339ceb54bcc7c7448108841d4c4aa54ab15de582dd4b2b981ce76c743dd6d3f5ceaf96491cf2a9065df3439aafd33d1398900597
Malware Config
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  9     1336  MsiExec.exe
  25    1336  MsiExec.exe
Executes dropped EXE (2 IoCs)
  pid   Process
  1512  GRddlOiVKuZF.exe
  808   GRddlOiVKuZF.exe
Drops startup file (1 IoCs)
  description   ioc                                                                                           Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sBcGIFVNBsze.lnk  MsiExec.exe
Loads dropped DLL (20 IoCs)
Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory (11 IoCs)
  description                   ioc                                                                 Process
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                       msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{F052CD00-AFDE-4113-AD0D-F4D8E61D7685}  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI3B33.tmp                                     msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI3C5F.tmp                                     msiexec.exe
  File opened for modification  C:\Windows\Installer\f75cc2a.msi                                     msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log            msiexec.exe
  File opened for modification  C:\Windows\Installer\MSICDA1.tmp                                     msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIDC78.tmp                                     msiexec.exe
  File created                  C:\Windows\Installer\f75cc2a.msi                                     msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIDBAC.tmp                                     msiexec.exe
  File opened for modification  C:\Windows\Installer\                                                msiexec.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  description            flow  ioc
  HTTP User-Agent header  27    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  31    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  9     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  25    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (58 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  2752  msiexec.exe
  1336  MsiExec.exe
  2752  msiexec.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  1512  GRddlOiVKuZF.exe
  1512  GRddlOiVKuZF.exe
  808   GRddlOiVKuZF.exe
  808   GRddlOiVKuZF.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process           procid_target
  PID 4028 wrote to memory of 1336   4028  msiexec.exe       70
  PID 4028 wrote to memory of 1336   4028  msiexec.exe       70
  PID 4028 wrote to memory of 1336   4028  msiexec.exe       70
  PID 1336 wrote to memory of 1448   1336  MsiExec.exe       73
  PID 1336 wrote to memory of 1448   1336  MsiExec.exe       73
  PID 1336 wrote to memory of 1448   1336  MsiExec.exe       73
  PID 1512 wrote to memory of 808    1512  GRddlOiVKuZF.exe  80
  PID 1512 wrote to memory of 808    1512  GRddlOiVKuZF.exe  80
  PID 1512 wrote to memory of 808    1512  GRddlOiVKuZF.exe  80
Processes

  Image: C:\Windows\system32\msiexec.exe
  Command: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Proc.Eeletronico80rdgkj4 qoz4br.msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2752

  Image: C:\Windows\system32\msiexec.exe
  Command: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4028

    Image: C:\Windows\syswow64\MsiExec.exe
    Command: C:\Windows\syswow64\MsiExec.exe -Embedding 4BB21E6BE5A818F7EADB6FB1D559CAEE
    - Blocklisted process makes network request
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 1336

      Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command: "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\uKDHzDNmHwvj\GRddlOiVKuZF.exe'
      - Suspicious use of AdjustPrivilegeToken
      PID: 1448

  Image: C:\Users\Admin\uKDHzDNmHwvj\GRddlOiVKuZF.exe
  Command: C:\Users\Admin\uKDHzDNmHwvj\GRddlOiVKuZF.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1512

    Image: C:\Users\Admin\uKDHzDNmHwvj\GRddlOiVKuZF.exe
    Command: "C:\Users\Admin\uKDHzDNmHwvj\GRddlOiVKuZF.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 808