Analysis
- max time kernel: 151s
- max time network: 75s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 22-06-2022 20:00

Static task: static1
Behavioral task: behavioral1
  Sample: Aplicativo Seguro.msi
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Aplicativo Seguro.msi
  Resource: win10v2004-20220414-en
(The signatures, process tree and dumps below come from behavioral1, the Windows 7 x64 run.)
General
- Target: Aplicativo Seguro.msi  (Portuguese: "Secure Application")
- Size: 10.3MB
- MD5: 49c3e11795b5d0099ff2d33a5559471b
- SHA1: d80f339bfaaf76794133be5e9364555636e6f68d
- SHA256: 7321a205de31cb4c93f10a090316502922d9083dfc076c93903377f36ada3aca
- SHA512: 515150687958abb273119a271dde066bbf491c884a22d744bc6564e1ef4b7266b695f4131c21f91352263a1a1111549da66304ad7f0d427f56fb100f94e56b88
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM)   2 TTPs   1 IoCs
  Processes:
    description   ioc                                           process
    Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   MxStart.exe
- Executes dropped EXE   1 IoCs
  Processes:
    pid   process
    384   MxStart.exe
- Checks BIOS information in registry   2 TTPs   2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description         ioc                                                               process
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   MxStart.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    MxStart.exe
- Drops startup file   2 IoCs
  Processes:
    description    ioc                                                                                                  process
    File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.lnk                     MxStart.exe
    File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adminmasvdwyoag.vbs     MxStart.exe
- Loads dropped DLL   4 IoCs
  Processes:
    pid   process
    684   MsiExec.exe
    684   MsiExec.exe
    684   MsiExec.exe
    384   MxStart.exe
- YARA rule matches
  Processes:
    resource                                                                      yara_rule
    C:\Users\Admin\AppData\Roaming\Windows\Aplicativo Seguro\aspack.dll           themida
    \Users\Admin\AppData\Roaming\Windows\Aplicativo Seguro\aspack.dll             themida
    behavioral1/memory/384-70-0x0000000000740000-0x000000000321D000-memory.dmp    themida
    behavioral1/memory/384-72-0x0000000000740000-0x000000000321D000-memory.dmp    themida
    behavioral1/memory/384-73-0x0000000000740000-0x000000000321D000-memory.dmp    themida
    behavioral1/memory/384-74-0x0000000000740000-0x000000000321D000-memory.dmp    themida
    behavioral1/memory/384-75-0x0000000000740000-0x000000000321D000-memory.dmp    themida
    behavioral1/memory/384-76-0x0000000000740000-0x000000000321D000-memory.dmp    themida
- Adds Run key to start application   2 TTPs   1 IoCs
  Processes:
    description       ioc                                                                                                                     process
    Set value (str)   \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\MxStart.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Aplicativo Seguro\\MxStart.exe"   MxStart.exe
- Checks whether UAC is enabled   1 IoCs
  Processes:
    description         ioc                                                                                    process
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   MxStart.exe
- Enumerates connected drives   3 TTPs   48 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description               ioc                                                                                                                           process
    File opened (read-only)   \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:   msiexec.exe
  (every drive letter except C: and D:, each opened twice, once by each msiexec.exe process: 24 letters x 2 = 48 IoCs)
  Both openers are msiexec.exe, the installer client and the Windows Installer service, not the dropped MxStart.exe. Windows Installer probes every volume while costing an install, so on its own this signature is expected for any MSI package and is not evidence about the payload.
- Suspicious use of NtSetInformationThreadHideFromDebugger   1 IoCs
  Processes:
    pid   process
    384   MxStart.exe
  NtSetInformationThread with the ThreadHideFromDebugger class stops the kernel from delivering that thread's debug events to an attached debugger. It is a standard anti-debugging step and is consistent with the themida YARA matches above.
- Drops file in Windows directory   9 IoCs
  Processes:
    description                    ioc                                 process
    File opened for modification   C:\Windows\Installer\MSI5FA1.tmp    msiexec.exe
    File opened for modification   C:\Windows\Installer\6c0c72.ipi     msiexec.exe
    File created                   C:\Windows\Installer\6c0c70.msi     msiexec.exe
    File opened for modification   C:\Windows\Installer\               msiexec.exe
    File opened for modification   C:\Windows\Installer\MSIEC2.tmp     msiexec.exe
    File opened for modification   C:\Windows\Installer\MSI126B.tmp    msiexec.exe
    File created                   C:\Windows\Installer\6c0c72.ipi     msiexec.exe
    File opened for modification   C:\Windows\Installer\6c0c70.msi     msiexec.exe
    File opened for modification   C:\Windows\Installer\MSICCE.tmp     msiexec.exe
  All nine writes are made by msiexec.exe under C:\Windows\Installer (the cached copy of the .msi, the .ipi in-progress file and MSI*.tmp extracted binaries), which is normal Windows Installer housekeeping rather than payload activity.
- Enumerates physical storage devices   1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  No per-process IoCs are listed for this signature. The only drive activity recorded above belongs to msiexec.exe, so treat the ransomware label as the signature's generic description, not as a finding about this sample.
- Suspicious behavior: EnumeratesProcesses   64 IoCs
  Processes:
    pid   process       count
    948   msiexec.exe   2
    384   MxStart.exe   62
- Suspicious use of AdjustPrivilegeToken   50 IoCs
  Processes:
    pid 1592 msiexec.exe (31 entries, in order): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
    pid 948 msiexec.exe (19 entries, in order): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, then SeRestorePrivilege / SeTakeOwnershipPrivilege alternating eight more times
  Both are Windows Installer processes; no AdjustPrivilegeToken IoC is attributed to the dropped MxStart.exe.
- Suspicious use of FindShellTrayWindow   2 IoCs
  Processes:
    pid    process
    1592   msiexec.exe
    1592   msiexec.exe
- Suspicious use of WriteProcessMemory   11 IoCs
  Processes:
    description                        pid   process       target process   count
    PID 948 wrote to memory of 684     948   msiexec.exe   MsiExec.exe      7
    PID 948 wrote to memory of 384     948   msiexec.exe   MxStart.exe      4
  The writer is the Windows Installer service (pid 948) creating its 32-bit custom-action server (pid 684) and then the dropped MxStart.exe (pid 384): the installer itself launches the payload.
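The signature tables above can be reproduced from raw events with a handful of rules, which is also the shape a detection engineer needs to carry these findings into a SIEM. The following is an added example, not code from the sandbox or from the sample: EVENTS is a constructed event stream built from the IoCs listed on this page, the rule names copy the report's signature headings, and two things are my own assumptions rather than anything the report states, namely the extra rule "Run key points into a user-writable directory" and a ranking that discounts msiexec.exe drive enumeration. The VBOX_ACPI pattern generalises the single DSDT key on the page to the FADT and RSDT tables VirtualBox also exposes, which anti-VM code checks in the same way.

```python
"""Re-derive this report's behavioural signatures from raw event records.

Added example, not part of the sandbox report. EVENTS is constructed from the
IoC tables on the page (registry paths, file paths, pids, image names); the rule
names mirror the report's signature headings, plus one extra rule of my own
("Run key points into a user-writable directory"). Real Sysmon/ETW events
converted to the same dict shape can be fed straight into evaluate().
"""
import re
from collections import Counter, defaultdict

DRIVE_LETTERS = "ABEFGHIJKLMNOPQRSTUVWXYZ"   # every letter the report lists (no C:, no D:)

# Constructed event stream, in the order the report lists its IoCs.
EVENTS = [
    {"type": "RegOpenKey", "pid": 384, "image": "MxStart.exe",
     "target": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "RegQueryValue", "pid": 384, "image": "MxStart.exe",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "RegQueryValue", "pid": 384, "image": "MxStart.exe",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"type": "RegQueryValue", "pid": 384, "image": "MxStart.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "FileCreate", "pid": 384, "image": "MxStart.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adminmasvdwyoag.vbs"},
    {"type": "FileCreate", "pid": 384, "image": "MxStart.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.lnk"},
    {"type": "RegSetValue", "pid": 384, "image": "MxStart.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\MxStart.exe",
     "value": r"C:\Users\Admin\AppData\Roaming\Windows\Aplicativo Seguro\MxStart.exe"},
] + [
    # 24 drive roots opened by each of the two msiexec.exe processes (48 events)
    {"type": "FileOpen", "pid": pid, "image": "msiexec.exe", "target": "\\??\\" + letter + ":"}
    for pid in (1592, 948) for letter in DRIVE_LETTERS
]

# Rule patterns. VBOX_ACPI generalises the page's DSDT key to the FADT/RSDT tables
# VirtualBox also exposes; everything else is taken directly from the report.
VBOX_ACPI = re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I)
BIOS_VALUE = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)
ENABLE_LUA = re.compile(r"\\Policies\\System\\EnableLUA$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]*$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Temp)\\", re.I)
DRIVE_ROOT = re.compile(r"^\\\?\?\\[A-Z]:$")
DRIVE_THRESHOLD = 10   # distinct root opens before a process counts as enumerating drives (assumed)


def evaluate(events):
    """Map each event to the signature(s) it satisfies: {signature: [(pid, image), ...]}."""
    hits = defaultdict(set)
    drive_opens = defaultdict(set)
    for ev in events:
        who, kind, target = (ev["pid"], ev["image"]), ev["type"], ev["target"]
        if kind == "RegOpenKey" and VBOX_ACPI.search(target):
            hits["Identifies VirtualBox via ACPI registry values"].add(who)
        elif kind == "RegQueryValue" and BIOS_VALUE.search(target):
            hits["Checks BIOS information in registry"].add(who)
        elif kind == "RegQueryValue" and ENABLE_LUA.search(target):
            hits["Checks whether UAC is enabled"].add(who)
        elif kind == "FileCreate" and STARTUP_DIR.search(target):
            hits["Drops startup file"].add(who)
        elif kind == "RegSetValue" and RUN_KEY.search(target):
            hits["Adds Run key to start application"].add(who)
            if USER_WRITABLE.search(ev.get("value", "")):
                hits["Run key points into a user-writable directory"].add(who)
        elif kind == "FileOpen" and DRIVE_ROOT.match(target):
            drive_opens[who].add(target.upper())
    for who, roots in drive_opens.items():
        if len(roots) >= DRIVE_THRESHOLD:
            hits["Enumerates connected drives"].add(who)
    return {sig: sorted(procs) for sig, procs in hits.items()}


def rank_processes(hits):
    """Count distinct signatures per process. Drive enumeration by msiexec.exe is
    discounted because Windows Installer opens every volume while costing an install."""
    score = Counter()
    for sig, procs in hits.items():
        for who in procs:
            if sig == "Enumerates connected drives" and who[1].lower() == "msiexec.exe":
                continue
            score[who] += 1
    return score.most_common()


if __name__ == "__main__":
    result = evaluate(EVENTS)
    for sig, procs in result.items():
        print(f"{sig}: {procs}")
    print("ranked:", rank_processes(result))
```

Run as-is it reports every signature in the table above against pid 384 and attributes only drive enumeration to the two msiexec.exe pids, so rank_processes() surfaces MxStart.exe alone. The threshold of ten distinct roots is deliberately coarse: a process that opens one or two removable drives is ordinary, one that walks the whole letter range is scanning.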
Processes
- C:\Windows\system32\msiexec.exe  [depth 1; pid 1592 per the signature tables]
  msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Aplicativo Seguro.msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe  [depth 1; pid 948, the Windows Installer service]
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe  [depth 2; pid 684, 32-bit custom-action server]
    C:\Windows\syswow64\MsiExec.exe -Embedding 53FCC91586BBE985D79FA0D9DC24A4B6
    - Loads dropped DLL
  - C:\Users\Admin\AppData\Roaming\Windows\Aplicativo Seguro\MxStart.exe  [depth 2; pid 384]
    "C:\Users\Admin\AppData\Roaming\Windows\Aplicativo Seguro\MxStart.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Windows\Aplicativo Seguro\MxStart.exe  (listed twice in the report; identical entries)
  Filesize 557KB
  MD5     e33bcdd61d70a1961df2c6d7f0c18351
  SHA1    958ff5402b7e05be694b00bb760f124b79fe0c7d
  SHA256  b1aad17f65fbdb5fb75e13a00bd3b1db6e5168f8e4419e57b13fb34dc48c4ba4
  SHA512  d4bb02140173417986d559b7ab96b3388478a4494ce652ac01e6a84297f86d772408aa6591ace45e75cce589298ee3a9a7864624a25a0cbd7d1ced197bd4946b
- C:\Users\Admin\AppData\Roaming\Windows\Aplicativo Seguro\aspack.dll
  Filesize 35.1MB
  MD5     9d6cacc75a663b67ca6b4de770dc08f9
  SHA1    64a9e7e153d63cb37cf58e86db0cbc1ef078ebf7
  SHA256  49dd39c531bc1d8cdff47f5f28095948100f9706be9074ff4fd64cc97fa872db
  SHA512  16e15437f03686ab792e657c11c9b385fd1bdebafef85d10b06f2a4b48340e258eb540b51eb69deb2258efe21bf9e7117fe8b0f8c84dacd03233a8ac5840aa0a
- \Users\Admin\AppData\Roaming\Windows\Aplicativo Seguro\aspack.dll
  Filesize 33.7MB
  MD5     4953c3cd293dc1758b273c2e0a704fdf
  SHA1    d95829aebb177a0474f1e1a6f5cfdd01d6a99c62
  SHA256  b32440207977641cdc489b52259878971bf9841993defd20b3b51a832871d692
  SHA512  13ac76c7c1ee35ef542a1806a65b90d0675ffca027a3460c5376e7f0138c6f3315f77d6811521f153efe0c71ad9f0d990bd0cd4f4ea0b9bc1f8775d92be7c42a
  The two aspack.dll listings share a path but differ in size and in every digest, so a hash of this DLL is not a stable indicator. The 557KB MxStart.exe hashes and the drop directory itself are the durable file IoCs from this run.
- C:\Windows\Installer\MSI126B.tmp, C:\Windows\Installer\MSICCE.tmp, C:\Windows\Installer\MSIEC2.tmp (each also listed as \Windows\Installer\...); all six entries carry identical hashes
  Filesize 540KB
  MD5     dfc682d9f93d6dcd39524f1afcd0e00d
  SHA1    adb81b1077d14dbe76d9ececfc3e027303075705
  SHA256  f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328
  SHA512  52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9
  One 540KB binary extracted by msiexec.exe three times under different temporary names; the three loads recorded for the custom-action server (pid 684) under "Loads dropped DLL" match this count.
-
- memory/384-64-0x0000000000000000-mapping.dmp
- memory/384-70-0x0000000000740000-0x000000000321D000-memory.dmp  Filesize 42.9MB
- memory/384-71-0x0000000077660000-0x00000000777E0000-memory.dmp  Filesize 1.5MB
- memory/384-72-0x0000000000740000-0x000000000321D000-memory.dmp  Filesize 42.9MB
- memory/384-73-0x0000000000740000-0x000000000321D000-memory.dmp  Filesize 42.9MB
- memory/384-74-0x0000000000740000-0x000000000321D000-memory.dmp  Filesize 42.9MB
- memory/384-75-0x0000000000740000-0x000000000321D000-memory.dmp  Filesize 42.9MB
- memory/384-76-0x0000000000740000-0x000000000321D000-memory.dmp  Filesize 42.9MB
- memory/384-77-0x0000000077660000-0x00000000777E0000-memory.dmp  Filesize 1.5MB
- memory/684-56-0x0000000000000000-mapping.dmp
- memory/684-57-0x0000000075581000-0x0000000075583000-memory.dmp  Filesize 8KB
- memory/1592-54-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp  Filesize 8KB
  (pid 384 is MxStart.exe; the 42.9MB region 0x740000-0x321D000, dumped six times, is the one the themida YARA rule matched.)
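To act on the Downloads list on a host or a file share, a sweep needs both the hashes and the drop paths, because the two aspack.dll listings show that the DLL's hash is not stable between runs. The following is an added example, not code from the sandbox or from the sample: the hash table is copied from the Downloads section, the path patterns come from the IoC tables above, and demo() scans a temporary directory of constructed stand-in files rather than any real system, so the only inputs assumed are the report's own hashes and paths.

```python
"""Sweep a directory tree for the file indicators in this report.

Added example, not part of the sandbox report. IOC_HASHES holds the values
printed in the Downloads section; IOC_PATHS comes from the drop and startup
paths in the signature tables; demo() builds and scans a temporary tree of
constructed stand-in files.
"""
import hashlib
import os
import re
import tempfile

# Hashes from the Downloads section. aspack.dll is left out on purpose: the two
# listings for it differ in size and in every digest, so its hash is not stable.
IOC_HASHES = {
    "sha256": {
        "b1aad17f65fbdb5fb75e13a00bd3b1db6e5168f8e4419e57b13fb34dc48c4ba4": "MxStart.exe (dropped loader)",
        "f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328": "MSI*.tmp (installer-extracted binary)",
    },
    "md5": {
        "e33bcdd61d70a1961df2c6d7f0c18351": "MxStart.exe (dropped loader)",
        "dfc682d9f93d6dcd39524f1afcd0e00d": "MSI*.tmp (installer-extracted binary)",
    },
}

# Path indicators that survive a re-pack of the payload: the drop directory and a
# .vbs in the Startup folder (the report's file name looks generated, so any .vbs).
IOC_PATHS = [
    re.compile(r"\\AppData\\Roaming\\Windows\\Aplicativo Seguro\\(MxStart\.exe|aspack\.dll)$", re.I),
    re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$", re.I),
]


def file_hashes(path, chunk=1 << 20):
    """MD5/SHA1/SHA256 of a file, read in chunks so a 35MB DLL never sits in memory whole."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in (md5, sha1, sha256):
                h.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def sweep(root, hashes=IOC_HASHES, paths=IOC_PATHS):
    """Return (path, indicator_kind, label) for every file matching a path or hash IOC."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            win_style = full.replace("/", "\\")          # patterns are written Windows-style
            for pat in paths:
                if pat.search(win_style):
                    findings.append((full, "path", pat.pattern))
            try:
                digests = file_hashes(full)
            except OSError:
                continue                                   # unreadable file: skip, do not abort the sweep
            for algo, table in hashes.items():
                label = table.get(digests[algo])
                if label:
                    findings.append((full, algo, label))
    return findings


def build_fixture(root):
    """Constructed tree: one stand-in at the report's drop path plus one benign file."""
    drop = os.path.join(root, "Users", "Admin", "AppData", "Roaming", "Windows", "Aplicativo Seguro")
    os.makedirs(drop)
    sample = os.path.join(drop, "MxStart.exe")
    with open(sample, "wb") as fh:
        fh.write(b"constructed stand-in, not the real binary")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("benign\n")
    return sample


def demo():
    with tempfile.TemporaryDirectory() as root:
        sample = build_fixture(root)
        # A stand-in can never carry the real hashes, so extend a copy of the table
        # with its own SHA256 to exercise the hash branch alongside the path branch.
        hashes = {algo: dict(table) for algo, table in IOC_HASHES.items()}
        hashes["sha256"][file_hashes(sample)["sha256"]] = "stand-in (constructed)"
        return sweep(root, hashes)


if __name__ == "__main__":
    for path, kind, label in demo():
        print(kind, label, path)
```

Point sweep() at a real user profile and it reports a path hit for anything living in the "Aplicativo Seguro" drop directory or a .vbs in the Startup folder, and a hash hit for an unmodified MxStart.exe or the 540KB installer-extracted binary. The MD5 table is kept only because some feeds still carry MD5; a SHA256 match is the one to act on.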