Analysis
- max time kernel: 145s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 25-11-2021 16:55
Static task: static1
Behavioral task: behavioral1
- Sample: 634141ba2a59b2474677ce121e65d8c6.msi
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: 634141ba2a59b2474677ce121e65d8c6.msi
- Resource: win10-en-20211014
General
- Target: 634141ba2a59b2474677ce121e65d8c6.msi
- Size: 2.9MB
- MD5: 634141ba2a59b2474677ce121e65d8c6
- SHA1: 9fd4068c432e354d2e2c67c96f84ce96abe2406e
- SHA256: 67525ed96e0f69af2de778ad3679ba45b620b8f80b45d46035c7fde19eab9648
- SHA512: 32e0e1a28c645563d5500e05a7cdc3131f9c845fa7e55da716d53347cd99839a54fdb66ac3b43e851901edf77a318a3329a7b2c60e6eeb5f2ccfc75c6f8df087
Malware Config
Signatures
Blocklisted process makes network request 1 IoCs
Processes: MsiExec.exe
- flow 5, pid 888, MsiExec.exe

Loads dropped DLL 1 IoCs
Processes: MsiExec.exe
- pid 888, MsiExec.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Windows Installer probes the root of every drive letter during its costing phase, when it sizes candidate installation volumes, so this signature fires for practically any MSI package; on its own it is not evidence of malicious intent.
Processes: msiexec.exe, msiexec.exe
The report lists 48 entries, every letter appearing twice; C: and D: are the only drive letters not probed.
- File opened (read-only) \??\A: msiexec.exe
- File opened (read-only) \??\B: msiexec.exe
- File opened (read-only) \??\E: msiexec.exe
- File opened (read-only) \??\F: msiexec.exe
- File opened (read-only) \??\G: msiexec.exe
- File opened (read-only) \??\H: msiexec.exe
- File opened (read-only) \??\I: msiexec.exe
- File opened (read-only) \??\J: msiexec.exe
- File opened (read-only) \??\K: msiexec.exe
- File opened (read-only) \??\L: msiexec.exe
- File opened (read-only) \??\M: msiexec.exe
- File opened (read-only) \??\N: msiexec.exe
- File opened (read-only) \??\O: msiexec.exe
- File opened (read-only) \??\P: msiexec.exe
- File opened (read-only) \??\Q: msiexec.exe
- File opened (read-only) \??\R: msiexec.exe
- File opened (read-only) \??\S: msiexec.exe
- File opened (read-only) \??\T: msiexec.exe
- File opened (read-only) \??\U: msiexec.exe
- File opened (read-only) \??\V: msiexec.exe
- File opened (read-only) \??\W: msiexec.exe
- File opened (read-only) \??\X: msiexec.exe
- File opened (read-only) \??\Y: msiexec.exe
- File opened (read-only) \??\Z: msiexec.exe
Drops file in Windows directory 3 IoCs
Processes: msiexec.exe
- File created C:\Windows\Installer\f75d385.msi msiexec.exe
- File opened for modification C:\Windows\Installer\f75d385.msi msiexec.exe
- File opened for modification C:\Windows\Installer\MSID549.tmp msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The signature description is generic. The only storage activity recorded in this run is the read-only drive-root enumeration by msiexec.exe listed above; no file encryption, renaming or mass file writes appear anywhere in the IoCs, so the ransomware label is not supported by this report.

Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
All registry paths below are relative to \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer; they are the keys a first launch of Internet Explorer creates for the user, written by the browser processes rather than by the installer.
- Key created \IntelliForms iexplore.exe
- Set value (int) \Recovery\AdminActive\{F8BB3581-4E10-11EC-84B6-6204D1D61C15} = "0" iexplore.exe
- Set value (int) \TabbedBrowsing\NTPFirstRun = "1" iexplore.exe
- Key created \InternetRegistry iexplore.exe
- Key created \DomainSuggestion\FileNames\ iexplore.exe
- Key created \DomainSuggestion iexplore.exe
- Set value (int) \DomainSuggestion\NextUpdateDate = "344624510" iexplore.exe
- Key created \Toolbar\WebBrowser iexplore.exe
- Key created \Zoom iexplore.exe
- Set value (str) \Main\FullScreen = "no" iexplore.exe
- Key created \TabbedBrowsing\NewTabPage iexplore.exe
- Key created \LowRegistry iexplore.exe
- Set value (int) \Main\CompatibilityFlags = "0" iexplore.exe
- Key created \Recovery\PendingRecovery iexplore.exe
- Key created \TabbedBrowsing iexplore.exe
- Set value (data) \TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb601b266500a1439caac4cd216a44ab000000000200000000001066000000010000200000001cc57781de7ba63d68da4fd983b4170d3407ef4be05cbf7d796550aa33f4ded1000000000e8000000002000020000000f7c6e0b1535dc9286e3b97b0a378d882c774916c6e89a32f0851556fce4a53c190000000b0c52d1326d97937bd5e5ff5644acd69039c0b4d20882956f084c220683160fd9a4fc178f11f83090d6dfa08949586a0ebfbbaaa7b02d42ec521b4022a2c6dcf4b0ec453be26fdd24c0bb0ef1c55ed4f58247d62cdb07c72c5794a43335bdb1167eebc4d27772b701f4fd29f8e7d190d445f0ad5ac56f0ca2eaa7199092002e43759515bee72b748d7cba93d92c00c06400000009e23d60e8e2449c7a9774c4f91e8bb6e552d3f81b6e4eb9544e1e25b696cd907225c20ff692f3f58e7b27e8aedc9a5c7f8bae3d13b454e603b8d33dd6eabfaed iexplore.exe
- Key created \Main iexplore.exe
- Key created \LowRegistry\DOMStorage iexplore.exe
- Key created \LowRegistry\DontShowMeThisDialogAgain iexplore.exe
- Key created \Main IEXPLORE.EXE
- Set value (data) \TabbedBrowsing\NewTabPage\LastProcessed = 603835d61de2d701 iexplore.exe
- Key created \GPU iexplore.exe
- Key created \Toolbar iexplore.exe
- Key created \Recovery\AdminActive iexplore.exe
- Set value (data) \Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe
- Set value (int) \Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
- Set value (str) \Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE
- Key created \BrowserEmulation\LowMic iexplore.exe
- Key created \Main\WindowsSearch iexplore.exe
- Set value (str) \Main\WindowsSearch\Version = "WS not running" iexplore.exe
- Set value (data) \TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb601b266500a1439caac4cd216a44ab0000000002000000000010660000000100002000000068b1309e13030c32345ec4f79039fc8bace34c5bb2dff87d90cb5ddba5120792000000000e8000000002000020000000239778f665bbad3d33c536675f10e5bfa113b6b9651317028943c0b08208000120000000c7cc516a73de88fa2a871321824c3a77fd34afe1ac349f13698dd4cc8fcdcd6b400000007d79a6e5bb7650fc310765752a1a13fa6420dd737ec5aa531d33e31b4842c8371677902720c89d9de91aeebe6b95c6954f5d98e88042cabc4ce8995f6c4a0cee iexplore.exe
- Key created \DomainSuggestion\FileNames iexplore.exe
- Set value (str) \DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe
- Key created \IETld\LowMic iexplore.exe
- Key created \PageSetup iexplore.exe
- Key created \Main\WindowsSearch IEXPLORE.EXE
Suspicious use of AdjustPrivilegeToken 38 IoCs
Processes: msiexec.exe (pid 572), msiexec.exe (pid 576)
PID 572 is the client msiexec.exe /I started for the sample; the privileges it enables amount to the full privilege set of its token, which is standard Windows Installer client behaviour and not by itself evidence of privilege escalation. PID 576 is the installer service instance (msiexec.exe /V), which enables only the privileges it needs to write under C:\Windows\Installer.
- pid 572 msiexec.exe, in report order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 entries)
- pid 576 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege twice more (7 entries)
Suspicious use of FindShellTrayWindow 3 IoCs
Processes: msiexec.exe, iexplore.exe
- pid 572 msiexec.exe
- pid 1552 iexplore.exe
- pid 572 msiexec.exe

Suspicious use of SetWindowsHookEx 6 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
- pid 1552 iexplore.exe (2 entries)
- pid 1760 IEXPLORE.EXE (4 entries)

Suspicious use of WriteProcessMemory 19 IoCs
Processes: msiexec.exe, MsiExec.exe, cmd.exe, iexplore.exe
- PID 576 msiexec.exe wrote to memory of 888 MsiExec.exe (7 entries)
- PID 888 MsiExec.exe wrote to memory of 1416 cmd.exe (4 entries)
- PID 1416 cmd.exe wrote to memory of 1552 iexplore.exe (4 entries)
- PID 1552 iexplore.exe wrote to memory of 1760 IEXPLORE.EXE (4 entries)
Processes
PIDs are taken from the signature sections above; indentation shows parent/child depth.
- PID 572  C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\634141ba2a59b2474677ce121e65d8c6.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- PID 576  C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - PID 888  C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding 85E96E47D93385DCAD617652A729DCC1
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - PID 1416  C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C start /MIN https://paulosantanna.com/2021/01/27/ambientes-legados-erro-codigo-80072efe-no-windows-update-em-pc-com-windows-7/
      - Suspicious use of WriteProcessMemory
      - PID 1552  C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://paulosantanna.com/2021/01/27/ambientes-legados-erro-codigo-80072efe-no-windows-update-em-pc-com-windows-7/
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - PID 1760  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1552 CREDAT:275457 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx

The MsiExec.exe -Embedding process (PID 888) is the out-of-process custom-action server the installer service spawns, so the cmd.exe beneath it is a custom action carried by the package. Its only visible effect in this run is opening the URL above in Internet Explorer; the report records no further payload, persistence mechanism or extracted configuration.
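The chain above, installer service to custom-action server to cmd.exe to a browser, is what a detection for "MSI custom action opens a URL" has to match on. The following Python is an added example, not part of the sandbox report or of any vendor's product: it walks process-creation events of the shape a Sysmon Event ID 1 or EDR feed produces, follows parent links back to msiexec.exe, and reports any cmd.exe/powershell.exe descendant whose command line hands a URL to `start`. The sample events reuse the PIDs and command lines from the process tree on this page; the explorer.exe control rows, the `SHELLS` set and the event field names are assumptions made for the example.

```python
"""Flag Windows Installer custom actions that spawn a shell to open a URL.

Added example, not code from the sandbox report.  Input is a list of
process-creation events (pid, parent pid, image path, command line); the
field layout is an assumption modelled on Sysmon Event ID 1.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None when the parent was not captured
    image: str            # full path of the new process
    cmdline: str


# Constructed from the report's process tree; parent links follow the
# "wrote to memory of" pairs in the WriteProcessMemory signature.
# The two explorer.exe rows are a made-up benign control that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(572, None, r"C:\Windows\system32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\634141ba2a59b2474677ce121e65d8c6.msi"),
    ProcEvent(576, None, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(888, 576, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding 85E96E47D93385DCAD617652A729DCC1"),
    ProcEvent(1416, 888, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C start /MIN https://paulosantanna.com/2021/01/27/ambientes-legados-erro-codigo-80072efe-no-windows-update-em-pc-com-windows-7/'),
    ProcEvent(1552, 1416, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" https://paulosantanna.com/2021/01/27/ambientes-legados-erro-codigo-80072efe-no-windows-update-em-pc-com-windows-7/'),
    ProcEvent(1760, 1552, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1552 CREDAT:275457 /prefetch:2'),
    ProcEvent(2000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2001, 2000, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /C start https://example.invalid/"),
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}   # assumption: shells worth flagging
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
START_RE = re.compile(r"\bstart\b", re.IGNORECASE)


def basename(image: str) -> str:
    """Lower-cased file name of an image path, so MsiExec.exe == msiexec.exe."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Process chain from pid up to the oldest captured ancestor (self first)."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:   # seen-set guards against pid reuse loops
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return chain


def find_msi_url_launches(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per shell that opens a URL and descends from msiexec.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in SHELLS:
            continue
        url = URL_RE.search(e.cmdline)
        if not (url and START_RE.search(e.cmdline)):
            continue
        chain = ancestry(e.pid, by_pid)
        msi_parent = next((p for p in chain[1:] if basename(p.image) == "msiexec.exe"), None)
        if msi_parent is None:          # a user opening a link from explorer.exe lands here
            continue
        hits.append({
            "shell_pid": e.pid,
            "msiexec_pid": msi_parent.pid,
            # "-Embedding" marks the out-of-process custom-action server
            "custom_action_server": "-Embedding" in msi_parent.cmdline,
            "url": url.group(0),
            "chain": [basename(p.image) for p in reversed(chain)],
        })
    return hits


if __name__ == "__main__":
    for h in find_msi_url_launches(SAMPLE_EVENTS):
        print(" -> ".join(h["chain"]), "opens", h["url"])
```

Run stand-alone it prints the single chain `msiexec.exe -> msiexec.exe -> cmd.exe` with the page's URL and stays silent on the explorer.exe control. The ancestor walk rather than a direct parent check matters because the shell's immediate parent is the custom-action server, not the msiexec.exe that the user or the service started; matching only on parent image would miss this report's chain.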
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: f8c44fb395351a944a86a80fb2a56af8
  SHA1: 3e0eb96ca361fc0a3f61002f1c865cc0d6fd67ef
  SHA256: 2d2260c5f6342d5245d98aa90426652092e44833be180c891979ac5c9cccff9e
  SHA512: 8594e572a75da5d2cc1f2371066ddd313e592f8858ea08beb8860ac104043932993bd2f914f03d83510f07ba7ee8cb1d83f34f139ead3ec4a1c0e96c33bc7729
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\01ppg24\imagestore.dat
  MD5: acec705ca6925f497312b37e3d450937
  SHA1: d7193b692cfd63883b26aadba7903d0532f2bb96
  SHA256: 597544f3e5e31a623593a2b3d72ee930384f19b687d0118169b5786fefc2880c
  SHA512: a73ce3ce4a4ed0a5f22e77a3b5b4f38e54b53bd72a615a23b8ae892045f0684f101f533f6664ab83a4c67dd4ef9a6be5ed0964267ec776b547668edec62e3b9e
- C:\Users\Admin\AppData\Local\Temp\MSI5cbc7.LOG
  MD5: ea1d96861552323c10bbab2f3242b4de
  SHA1: c409ee5befbc2e9bb14216d0e667aad68883dd6b
  SHA256: 32b1cd7150f1fe5891fa4a28f7b84052da92090535a66ba958931a56b78b8cf6
  SHA512: 221169fca081d29c1f799cc0aab11870ad0e357fad6fa015680a5099069ef76140e60e793d39b0665b0cd37937d7524f4ec8a34dfb51ef12f7b7795deb1eb328
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DL5WH0PQ.txt
  MD5: f891dce1626e24eebd8a6d53766a4fb9
  SHA1: fab35d4099a050db027765841d7a36e12cd70f49
  SHA256: 314f26d9b4a8afc31a7e0c15f258fb58fe6234a251e7a28daa0df0915ff062f1
  SHA512: 0470756535ac7ed2aaa0d4adec6b22cdc070a28ba8b47002b25c1ce0514182c4f6ae534bc39ae4de2c64e5a014779076ab35992303661bc48b2e3bbb5d555bab
- C:\Windows\Installer\MSID549.tmp
  MD5: 5c5bef05b6f3806106f8f3ce13401cc1
  SHA1: 6005fbe17f6e917ac45317552409d7a60976db14
  SHA256: f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
  SHA512: 97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
- \Windows\Installer\MSID549.tmp (same file as the previous entry, listed a second time without the drive letter)
  MD5: 5c5bef05b6f3806106f8f3ce13401cc1
  SHA1: 6005fbe17f6e917ac45317552409d7a60976db14
  SHA256: f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
  SHA512: 97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
Memory dumps
- memory/572-55-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp (filesize 8KB)
- memory/888-58-0x0000000000000000-mapping.dmp
- memory/888-59-0x0000000075461000-0x0000000075463000-memory.dmp (filesize 8KB)
- memory/1416-62-0x0000000000000000-mapping.dmp
- memory/1552-64-0x0000000000000000-mapping.dmp
- memory/1760-65-0x0000000000000000-mapping.dmp