7321a205de31cb4c93f10a090316502922d9083dfc076c93903377f36ada3aca

Analysis

max time kernel
151s
max time network
75s
platform
windows7_x64
resource
win7-20220414-en
submitted
22-06-2022 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aplicativo Seguro.msi
Size

10.3MB
MD5

49c3e11795b5d0099ff2d33a5559471b
SHA1

d80f339bfaaf76794133be5e9364555636e6f68d
SHA256

7321a205de31cb4c93f10a090316502922d9083dfc076c93903377f36ada3aca
SHA512

515150687958abb273119a271dde066bbf491c884a22d744bc6564e1ef4b7266b695f4131c21f91352263a1a1111549da66304ad7f0d427f56fb100f94e56b88

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

MxStart.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ MxStart.exe
Executes dropped EXE 1 IoCs

Processes:

MxStart.exe

pid process

384 MxStart.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MxStart.exe

pid	process
384	MxStart.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MxStart.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MxStart.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MxStart.exe

Drops startup file 2 IoCs

Processes:

MxStart.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.lnk	MxStart.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adminmasvdwyoag.vbs	MxStart.exe

Loads dropped DLL 4 IoCs

Processes:

MsiExec.exeMxStart.exe

pid process

684 MsiExec.exe
684 MsiExec.exe
684 MsiExec.exe
384 MxStart.exe

pid	process
684	MsiExec.exe
684	MsiExec.exe
684	MsiExec.exe
384	MxStart.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows\Aplicativo Seguro\aspack.dll	themida
\Users\Admin\AppData\Roaming\Windows\Aplicativo Seguro\aspack.dll	themida
behavioral1/memory/384-70-0x0000000000740000-0x000000000321D000-memory.dmp	themida
behavioral1/memory/384-72-0x0000000000740000-0x000000000321D000-memory.dmp	themida
behavioral1/memory/384-73-0x0000000000740000-0x000000000321D000-memory.dmp	themida
behavioral1/memory/384-74-0x0000000000740000-0x000000000321D000-memory.dmp	themida
behavioral1/memory/384-75-0x0000000000740000-0x000000000321D000-memory.dmp	themida
behavioral1/memory/384-76-0x0000000000740000-0x000000000321D000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MxStart.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\MxStart.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Aplicativo Seguro\\MxStart.exe"	MxStart.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

MxStart.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MxStart.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MxStart.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

MxStart.exe

pid process

384 MxStart.exe

pid	process
384	MxStart.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI5FA1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c0c72.ipi	msiexec.exe
File created	C:\Windows\Installer\6c0c70.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI126B.tmp	msiexec.exe
File created	C:\Windows\Installer\6c0c72.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c0c70.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICCE.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeMxStart.exe

pid	process
948	msiexec.exe
948	msiexec.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe
384	MxStart.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1592	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1592	msiexec.exe
Token: SeRestorePrivilege	948	msiexec.exe
Token: SeTakeOwnershipPrivilege	948	msiexec.exe
Token: SeSecurityPrivilege	948	msiexec.exe
Token: SeCreateTokenPrivilege	1592	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1592	msiexec.exe
Token: SeLockMemoryPrivilege	1592	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1592	msiexec.exe
Token: SeMachineAccountPrivilege	1592	msiexec.exe
Token: SeTcbPrivilege	1592	msiexec.exe
Token: SeSecurityPrivilege	1592	msiexec.exe
Token: SeTakeOwnershipPrivilege	1592	msiexec.exe
Token: SeLoadDriverPrivilege	1592	msiexec.exe
Token: SeSystemProfilePrivilege	1592	msiexec.exe
Token: SeSystemtimePrivilege	1592	msiexec.exe
Token: SeProfSingleProcessPrivilege	1592	msiexec.exe
Token: SeIncBasePriorityPrivilege	1592	msiexec.exe
Token: SeCreatePagefilePrivilege	1592	msiexec.exe
Token: SeCreatePermanentPrivilege	1592	msiexec.exe
Token: SeBackupPrivilege	1592	msiexec.exe
Token: SeRestorePrivilege	1592	msiexec.exe
Token: SeShutdownPrivilege	1592	msiexec.exe
Token: SeDebugPrivilege	1592	msiexec.exe
Token: SeAuditPrivilege	1592	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1592	msiexec.exe
Token: SeChangeNotifyPrivilege	1592	msiexec.exe
Token: SeRemoteShutdownPrivilege	1592	msiexec.exe
Token: SeUndockPrivilege	1592	msiexec.exe
Token: SeSyncAgentPrivilege	1592	msiexec.exe
Token: SeEnableDelegationPrivilege	1592	msiexec.exe
Token: SeManageVolumePrivilege	1592	msiexec.exe
Token: SeImpersonatePrivilege	1592	msiexec.exe
Token: SeCreateGlobalPrivilege	1592	msiexec.exe
Token: SeRestorePrivilege	948	msiexec.exe
Token: SeTakeOwnershipPrivilege	948	msiexec.exe
Token: SeRestorePrivilege	948	msiexec.exe
Token: SeTakeOwnershipPrivilege	948	msiexec.exe
Token: SeRestorePrivilege	948	msiexec.exe
Token: SeTakeOwnershipPrivilege	948	msiexec.exe
Token: SeRestorePrivilege	948	msiexec.exe
Token: SeTakeOwnershipPrivilege	948	msiexec.exe
Token: SeRestorePrivilege	948	msiexec.exe
Token: SeTakeOwnershipPrivilege	948	msiexec.exe
Token: SeRestorePrivilege	948	msiexec.exe
Token: SeTakeOwnershipPrivilege	948	msiexec.exe
Token: SeRestorePrivilege	948	msiexec.exe
Token: SeTakeOwnershipPrivilege	948	msiexec.exe
Token: SeRestorePrivilege	948	msiexec.exe
Token: SeTakeOwnershipPrivilege	948	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1592 msiexec.exe
1592 msiexec.exe

pid	process
1592	msiexec.exe
1592	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 948 wrote to memory of 684	948	msiexec.exe	MsiExec.exe
PID 948 wrote to memory of 684	948	msiexec.exe	MsiExec.exe
PID 948 wrote to memory of 684	948	msiexec.exe	MsiExec.exe
PID 948 wrote to memory of 684	948	msiexec.exe	MsiExec.exe
PID 948 wrote to memory of 684	948	msiexec.exe	MsiExec.exe
PID 948 wrote to memory of 684	948	msiexec.exe	MsiExec.exe
PID 948 wrote to memory of 684	948	msiexec.exe	MsiExec.exe
PID 948 wrote to memory of 384	948	msiexec.exe	MxStart.exe
PID 948 wrote to memory of 384	948	msiexec.exe	MxStart.exe
PID 948 wrote to memory of 384	948	msiexec.exe	MxStart.exe
PID 948 wrote to memory of 384	948	msiexec.exe	MxStart.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Aplicativo Seguro.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1592

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 53FCC91586BBE985D79FA0D9DC24A4B6
2⤵
- Loads dropped DLL
PID:684

C:\Users\Admin\AppData\Roaming\Windows\Aplicativo Seguro\MxStart.exe
"C:\Users\Admin\AppData\Roaming\Windows\Aplicativo Seguro\MxStart.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows\Aplicativo Seguro\MxStart.exe
Filesize
557KB

MD5
e33bcdd61d70a1961df2c6d7f0c18351

SHA1
958ff5402b7e05be694b00bb760f124b79fe0c7d

SHA256
b1aad17f65fbdb5fb75e13a00bd3b1db6e5168f8e4419e57b13fb34dc48c4ba4

SHA512
d4bb02140173417986d559b7ab96b3388478a4494ce652ac01e6a84297f86d772408aa6591ace45e75cce589298ee3a9a7864624a25a0cbd7d1ced197bd4946b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Aplicativo Seguro\MxStart.exe
Filesize
557KB

MD5
e33bcdd61d70a1961df2c6d7f0c18351

SHA1
958ff5402b7e05be694b00bb760f124b79fe0c7d

SHA256
b1aad17f65fbdb5fb75e13a00bd3b1db6e5168f8e4419e57b13fb34dc48c4ba4

SHA512
d4bb02140173417986d559b7ab96b3388478a4494ce652ac01e6a84297f86d772408aa6591ace45e75cce589298ee3a9a7864624a25a0cbd7d1ced197bd4946b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Aplicativo Seguro\aspack.dll
Filesize
35.1MB

MD5
9d6cacc75a663b67ca6b4de770dc08f9

SHA1
64a9e7e153d63cb37cf58e86db0cbc1ef078ebf7

SHA256
49dd39c531bc1d8cdff47f5f28095948100f9706be9074ff4fd64cc97fa872db

SHA512
16e15437f03686ab792e657c11c9b385fd1bdebafef85d10b06f2a4b48340e258eb540b51eb69deb2258efe21bf9e7117fe8b0f8c84dacd03233a8ac5840aa0a

Download Submit
C:\Windows\Installer\MSI126B.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Windows\Installer\MSICCE.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Windows\Installer\MSIEC2.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Users\Admin\AppData\Roaming\Windows\Aplicativo Seguro\aspack.dll
Filesize
33.7MB

MD5
4953c3cd293dc1758b273c2e0a704fdf

SHA1
d95829aebb177a0474f1e1a6f5cfdd01d6a99c62

SHA256
b32440207977641cdc489b52259878971bf9841993defd20b3b51a832871d692

SHA512
13ac76c7c1ee35ef542a1806a65b90d0675ffca027a3460c5376e7f0138c6f3315f77d6811521f153efe0c71ad9f0d990bd0cd4f4ea0b9bc1f8775d92be7c42a

Download Submit
\Windows\Installer\MSI126B.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Windows\Installer\MSICCE.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Windows\Installer\MSIEC2.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
memory/384-71-0x0000000077660000-0x00000000777E0000-memory.dmp

Filesize
1.5MB

Download
memory/384-64-0x0000000000000000-mapping.dmp

Download
memory/384-70-0x0000000000740000-0x000000000321D000-memory.dmp

Filesize
42.9MB

Download
memory/384-72-0x0000000000740000-0x000000000321D000-memory.dmp

Filesize
42.9MB

Download
memory/384-73-0x0000000000740000-0x000000000321D000-memory.dmp

Filesize
42.9MB

Download
memory/384-74-0x0000000000740000-0x000000000321D000-memory.dmp

Filesize
42.9MB

Download
memory/384-75-0x0000000000740000-0x000000000321D000-memory.dmp

Filesize
42.9MB

Download
memory/384-76-0x0000000000740000-0x000000000321D000-memory.dmp

Filesize
42.9MB

Download
memory/384-77-0x0000000077660000-0x00000000777E0000-memory.dmp

Filesize
1.5MB

Download
memory/684-57-0x0000000075581000-0x0000000075583000-memory.dmp

Filesize
8KB

Download
memory/684-56-0x0000000000000000-mapping.dmp

Download
memory/1592-54-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download