77178a444840db24cd1398ba699419627ae1ab61bdecda746abd3dd415bccd44

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-en-20211208
submitted
18-12-2021 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

encomendas010-5u44cr2luF.msi
Size

578KB
MD5

d1c43bb1c9758eee8d2643731af9be7f
SHA1

0614681917d21a1d06492583561643599d12d5ac
SHA256

77178a444840db24cd1398ba699419627ae1ab61bdecda746abd3dd415bccd44
SHA512

880ca382078957b3b27c289a9696ceac0add7140b11bfa1bd5335d92361682d43ed3d6c6166433dc90e6e7ecb20dffbb6e4bccd887c6cd15fd2478875ba12039

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 2 IoCs

Processes:

MsiExec.exe

flow pid process

3 572 MsiExec.exe
5 572 MsiExec.exe
Executes dropped EXE 1 IoCs

Processes:

2QEhUmIkN.exe

pid process

2036 2QEhUmIkN.exe

flow	pid	process
3	572	MsiExec.exe
5	572	MsiExec.exe

pid	process
2036	2QEhUmIkN.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2QEhUmIkN.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2QEhUmIkN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2QEhUmIkN.exe

Drops startup file 1 IoCs

Processes:

MsiExec.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IYJFAINZAK.lnk MsiExec.exe
Loads dropped DLL 6 IoCs

Processes:

MsiExec.exepowershell.exe2QEhUmIkN.exe

pid process

572 MsiExec.exe
572 MsiExec.exe
572 MsiExec.exe
984 powershell.exe
2036 2QEhUmIkN.exe
2036 2QEhUmIkN.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IYJFAINZAK.lnk	MsiExec.exe

pid	process
572	MsiExec.exe
572	MsiExec.exe
572	MsiExec.exe
984	powershell.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\N8p9FyOZpTgaPI\imgengine.dll	themida
\N8p9FyOZpTgaPI\imgengine.dll	themida
behavioral1/memory/2036-76-0x0000000000400000-0x0000000002245000-memory.dmp	themida
behavioral1/memory/2036-77-0x0000000000400000-0x0000000002245000-memory.dmp	themida
behavioral1/memory/2036-78-0x0000000000400000-0x0000000002245000-memory.dmp	themida
behavioral1/memory/2036-79-0x0000000000400000-0x0000000002245000-memory.dmp	themida
behavioral1/memory/2036-80-0x0000000000400000-0x0000000002245000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MsiExec.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\Microsoft\Windows\CurrentVersion\Run	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\IYJFAINZAK = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\IYJFAINZAK.lnk"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\nimdA = "\"C:\\Starfox_SolitareÂ®\\8olbapp.exe\""	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

2QEhUmIkN.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2QEhUmIkN.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2QEhUmIkN.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

2QEhUmIkN.exe

pid process

2036 2QEhUmIkN.exe

pid	process
2036	2QEhUmIkN.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f75dc0d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDCE7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDE6F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB5B.tmp	msiexec.exe
File created	C:\Windows\Installer\f75dc0d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDE20.tmp	msiexec.exe
File created	C:\Windows\Installer\f75dc0f.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f75dc0f.ipi	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

2QEhUmIkN.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	2QEhUmIkN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	2QEhUmIkN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	2QEhUmIkN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	2QEhUmIkN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	2QEhUmIkN.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

msiexec.exepowershell.exe2QEhUmIkN.exe

pid	process
656	msiexec.exe
656	msiexec.exe
984	powershell.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe
2036	2QEhUmIkN.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

2QEhUmIkN.exe

pid process

2036 2QEhUmIkN.exe

pid	process
2036	2QEhUmIkN.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

msiexec.exemsiexec.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	944	msiexec.exe
Token: SeIncreaseQuotaPrivilege	944	msiexec.exe
Token: SeRestorePrivilege	656	msiexec.exe
Token: SeTakeOwnershipPrivilege	656	msiexec.exe
Token: SeSecurityPrivilege	656	msiexec.exe
Token: SeCreateTokenPrivilege	944	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	944	msiexec.exe
Token: SeLockMemoryPrivilege	944	msiexec.exe
Token: SeIncreaseQuotaPrivilege	944	msiexec.exe
Token: SeMachineAccountPrivilege	944	msiexec.exe
Token: SeTcbPrivilege	944	msiexec.exe
Token: SeSecurityPrivilege	944	msiexec.exe
Token: SeTakeOwnershipPrivilege	944	msiexec.exe
Token: SeLoadDriverPrivilege	944	msiexec.exe
Token: SeSystemProfilePrivilege	944	msiexec.exe
Token: SeSystemtimePrivilege	944	msiexec.exe
Token: SeProfSingleProcessPrivilege	944	msiexec.exe
Token: SeIncBasePriorityPrivilege	944	msiexec.exe
Token: SeCreatePagefilePrivilege	944	msiexec.exe
Token: SeCreatePermanentPrivilege	944	msiexec.exe
Token: SeBackupPrivilege	944	msiexec.exe
Token: SeRestorePrivilege	944	msiexec.exe
Token: SeShutdownPrivilege	944	msiexec.exe
Token: SeDebugPrivilege	944	msiexec.exe
Token: SeAuditPrivilege	944	msiexec.exe
Token: SeSystemEnvironmentPrivilege	944	msiexec.exe
Token: SeChangeNotifyPrivilege	944	msiexec.exe
Token: SeRemoteShutdownPrivilege	944	msiexec.exe
Token: SeUndockPrivilege	944	msiexec.exe
Token: SeSyncAgentPrivilege	944	msiexec.exe
Token: SeEnableDelegationPrivilege	944	msiexec.exe
Token: SeManageVolumePrivilege	944	msiexec.exe
Token: SeImpersonatePrivilege	944	msiexec.exe
Token: SeCreateGlobalPrivilege	944	msiexec.exe
Token: SeRestorePrivilege	656	msiexec.exe
Token: SeTakeOwnershipPrivilege	656	msiexec.exe
Token: SeRestorePrivilege	656	msiexec.exe
Token: SeTakeOwnershipPrivilege	656	msiexec.exe
Token: SeRestorePrivilege	656	msiexec.exe
Token: SeTakeOwnershipPrivilege	656	msiexec.exe
Token: SeRestorePrivilege	656	msiexec.exe
Token: SeTakeOwnershipPrivilege	656	msiexec.exe
Token: SeRestorePrivilege	656	msiexec.exe
Token: SeTakeOwnershipPrivilege	656	msiexec.exe
Token: SeRestorePrivilege	656	msiexec.exe
Token: SeTakeOwnershipPrivilege	656	msiexec.exe
Token: SeRestorePrivilege	656	msiexec.exe
Token: SeTakeOwnershipPrivilege	656	msiexec.exe
Token: SeRestorePrivilege	656	msiexec.exe
Token: SeTakeOwnershipPrivilege	656	msiexec.exe
Token: SeDebugPrivilege	984	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msiexec.exeMsiExec.exe2QEhUmIkN.exe

pid process

944 msiexec.exe
572 MsiExec.exe
944 msiexec.exe
2036 2QEhUmIkN.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

MsiExec.exe

pid process

572 MsiExec.exe

pid	process
944	msiexec.exe
572	MsiExec.exe
944	msiexec.exe
2036	2QEhUmIkN.exe

pid	process
572	MsiExec.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

msiexec.exeMsiExec.exepowershell.exe2QEhUmIkN.execmd.exe

description	pid	process	target process
PID 656 wrote to memory of 572	656	msiexec.exe	MsiExec.exe
PID 656 wrote to memory of 572	656	msiexec.exe	MsiExec.exe
PID 656 wrote to memory of 572	656	msiexec.exe	MsiExec.exe
PID 656 wrote to memory of 572	656	msiexec.exe	MsiExec.exe
PID 656 wrote to memory of 572	656	msiexec.exe	MsiExec.exe
PID 656 wrote to memory of 572	656	msiexec.exe	MsiExec.exe
PID 656 wrote to memory of 572	656	msiexec.exe	MsiExec.exe
PID 572 wrote to memory of 984	572	MsiExec.exe	powershell.exe
PID 572 wrote to memory of 984	572	MsiExec.exe	powershell.exe
PID 572 wrote to memory of 984	572	MsiExec.exe	powershell.exe
PID 572 wrote to memory of 984	572	MsiExec.exe	powershell.exe
PID 984 wrote to memory of 2036	984	powershell.exe	2QEhUmIkN.exe
PID 984 wrote to memory of 2036	984	powershell.exe	2QEhUmIkN.exe
PID 984 wrote to memory of 2036	984	powershell.exe	2QEhUmIkN.exe
PID 984 wrote to memory of 2036	984	powershell.exe	2QEhUmIkN.exe
PID 2036 wrote to memory of 1864	2036	2QEhUmIkN.exe	cmd.exe
PID 2036 wrote to memory of 1864	2036	2QEhUmIkN.exe	cmd.exe
PID 2036 wrote to memory of 1864	2036	2QEhUmIkN.exe	cmd.exe
PID 1864 wrote to memory of 1524	1864	cmd.exe	reg.exe
PID 1864 wrote to memory of 1524	1864	cmd.exe	reg.exe
PID 1864 wrote to memory of 1524	1864	cmd.exe	reg.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\encomendas010-5u44cr2luF.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:944

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8915322EC4BAA7C7D09F541BB2F55276
2⤵
- Blocklisted process makes network request
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cd\;cd 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup';Start-Sleep -s 6;Invoke-Item 'IYJFAINZAK.lnk'
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984

C:\N8p9FyOZpTgaPI\2QEhUmIkN.exe
"C:\N8p9FyOZpTgaPI\2QEhUmIkN.exe"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\system32\cmd.exe
cmd.exe /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "nimdA" /t REG_SZ /F /D "\"C:\Starfox_SolitareÂ®\8olbapp.exe\"" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "nimdA" /t REG_SZ /F /D "\"C:\Starfox_SolitareÂ®\8olbapp.exe\""
6⤵
- Adds Run key to start application
PID:1524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\N8p9FyOZpTgaPI\2QEhUmIkN.exe
MD5
53b00fffa618fe5ce3a1c84cc81f5c3e

SHA1
8dfd75408c7683082af6030b3318cd8401264b7d

SHA256
353133e9989fd0610b1696f24648c1eadb66b08f8b31bdf573ec2af84457598d

SHA512
f1cd162e0c0354af9f54b8836b35b286d63a40cbdc255e7f6beda2e94be8de3c68c15acad18aaadfceadaf0a8a8f41c28f4dacc0c27d1c7ac6e5b4bbf4cca968

Download Submit
C:\N8p9FyOZpTgaPI\2QEhUmIkN.exe
MD5
53b00fffa618fe5ce3a1c84cc81f5c3e

SHA1
8dfd75408c7683082af6030b3318cd8401264b7d

SHA256
353133e9989fd0610b1696f24648c1eadb66b08f8b31bdf573ec2af84457598d

SHA512
f1cd162e0c0354af9f54b8836b35b286d63a40cbdc255e7f6beda2e94be8de3c68c15acad18aaadfceadaf0a8a8f41c28f4dacc0c27d1c7ac6e5b4bbf4cca968

Download Submit
C:\N8p9FyOZpTgaPI\imgengine.dll
MD5
ef7de8e17a46bbb875ff5b48a5111f75

SHA1
1758ad8c4574dc8aba71ef4e541dd78579853826

SHA256
4563e5ab64572adb62bc0e4e6c472b4c6485c9e5af3aa40dc17d84170c442e82

SHA512
0a7a0316856c766fb0ec8dae0519acb480d3e1c738c4a2ba442cb8cc5e67b920839ade09bc69e54eb406bb4575cae9fd1958512c25a826e134d4d036b744fd80

Download Submit
C:\N8p9FyOZpTgaPI\sptdintf.dll
MD5
5b91b8ef0dd74486bcaa38004417e565

SHA1
01c5cfc191ca8006b43f355ee41a35ad49c34fd4

SHA256
7353ea393051b369f92e230459d6904f88938e1ef94562aaa86342b9aaea7762

SHA512
aedbfb925e23e216dd0b03e6e26c1852ecfdee6a79662ce327e4213cda8d97eac2d9dc4d86f65a287c1346ec1d57573135711f941fd98acecdfa6215ec4b3ab1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
62ce1da7667e28d548c4c403de2f0c47

SHA1
63c32eabc8bfbff64156d18d2c54594cfa7bf801

SHA256
78e1347891e5bfb4f2091f4690301915635af72a3fbf4b7df52b002afe7e9a00

SHA512
cae0d9b4b0a3a936f8e7dc21cb41c72b0e5c67bf51a4a794e58312c30e16805962b968bc3194cc95cd7bcae739e752047d61149cccbcf6d267bdf1895d92898f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IYJFAINZAK.lnk
MD5
2c04f113628d061b72dc7d3ed30a23b8

SHA1
c618e8d948f7ba04325a7598988ad6ea4aaa5299

SHA256
3a5b05403995a75282f2e7b4f7d7b9c134895769fb3e1ef3e27afb2602dcaf07

SHA512
9907f628af550e83226deb91175406c46c2c0af32e60c07e110adb991e71e412fc83ca2b2a6d60d6fe78b47b052d567aaa18439a5c9c327be8fbb75c543559f0

Download Submit
C:\Windows\Installer\MSIDCE7.tmp
MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
C:\Windows\Installer\MSIDE20.tmp
MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
C:\Windows\Installer\MSIDE6F.tmp
MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
\N8p9FyOZpTgaPI\2QEhUmIkN.exe
MD5
53b00fffa618fe5ce3a1c84cc81f5c3e

SHA1
8dfd75408c7683082af6030b3318cd8401264b7d

SHA256
353133e9989fd0610b1696f24648c1eadb66b08f8b31bdf573ec2af84457598d

SHA512
f1cd162e0c0354af9f54b8836b35b286d63a40cbdc255e7f6beda2e94be8de3c68c15acad18aaadfceadaf0a8a8f41c28f4dacc0c27d1c7ac6e5b4bbf4cca968

Download Submit
\N8p9FyOZpTgaPI\imgengine.dll
MD5
ef7de8e17a46bbb875ff5b48a5111f75

SHA1
1758ad8c4574dc8aba71ef4e541dd78579853826

SHA256
4563e5ab64572adb62bc0e4e6c472b4c6485c9e5af3aa40dc17d84170c442e82

SHA512
0a7a0316856c766fb0ec8dae0519acb480d3e1c738c4a2ba442cb8cc5e67b920839ade09bc69e54eb406bb4575cae9fd1958512c25a826e134d4d036b744fd80

Download Submit
\N8p9FyOZpTgaPI\sptdintf.dll
MD5
5b91b8ef0dd74486bcaa38004417e565

SHA1
01c5cfc191ca8006b43f355ee41a35ad49c34fd4

SHA256
7353ea393051b369f92e230459d6904f88938e1ef94562aaa86342b9aaea7762

SHA512
aedbfb925e23e216dd0b03e6e26c1852ecfdee6a79662ce327e4213cda8d97eac2d9dc4d86f65a287c1346ec1d57573135711f941fd98acecdfa6215ec4b3ab1

Download Submit
\Windows\Installer\MSIDCE7.tmp
MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
\Windows\Installer\MSIDE20.tmp
MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
\Windows\Installer\MSIDE6F.tmp
MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
memory/572-57-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/572-56-0x0000000000000000-mapping.dmp

Download
memory/944-54-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

Filesize
8KB

Download
memory/984-66-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/984-64-0x0000000000000000-mapping.dmp

Download
memory/1524-85-0x0000000000000000-mapping.dmp

Download
memory/1864-84-0x0000000000000000-mapping.dmp

Download
memory/2036-70-0x0000000000000000-mapping.dmp

Download
memory/2036-79-0x0000000000400000-0x0000000002245000-memory.dmp

Filesize
30.3MB

Download
memory/2036-80-0x0000000000400000-0x0000000002245000-memory.dmp

Filesize
30.3MB

Download
memory/2036-81-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2036-78-0x0000000000400000-0x0000000002245000-memory.dmp

Filesize
30.3MB

Download
memory/2036-77-0x0000000000400000-0x0000000002245000-memory.dmp

Filesize
30.3MB

Download
memory/2036-76-0x0000000000400000-0x0000000002245000-memory.dmp

Filesize
30.3MB

Download