f00a4236996d42168bda5ccaa09d1bc844477f548ec2bdf3b161d26004f8091e

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
27-06-2022 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aplicativo Seguro.msi
Size

10.3MB
MD5

6b73ba5e07eb91c504be1ad2506a9c63
SHA1

3d423b4c3c6fe9d35af3681762a664e226436e90
SHA256

92dc494adf6c173a0fdae32868d57489b75fd9fb7b14c4d7fa9a6e06a2329ad3
SHA512

5c033bf913c0173e2d454daa8cb50bc8ae22932cf0c46a18f150510789e2a7d2ff72d38813a6a0b8f27637991efdf30d5bdb8d8e2306b6056d2198331793e19e

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

MxStart.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ MxStart.exe
Executes dropped EXE 1 IoCs

Processes:

MxStart.exe

pid process

584 MxStart.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MxStart.exe

pid	process
584	MxStart.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MxStart.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MxStart.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MxStart.exe

Drops startup file 2 IoCs

Processes:

MxStart.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.lnk	MxStart.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adminochwdcajib.vbs	MxStart.exe

Loads dropped DLL 4 IoCs

Processes:

MsiExec.exeMxStart.exe

pid process

1980 MsiExec.exe
1980 MsiExec.exe
1980 MsiExec.exe
584 MxStart.exe

pid	process
1980	MsiExec.exe
1980	MsiExec.exe
1980	MsiExec.exe
584	MxStart.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows\Aplicação Segura\aspack.dll	themida
\Users\Admin\AppData\Roaming\Windows\Aplicação Segura\aspack.dll	themida
behavioral1/memory/584-71-0x0000000000550000-0x000000000302B000-memory.dmp	themida
behavioral1/memory/584-72-0x0000000000550000-0x000000000302B000-memory.dmp	themida
behavioral1/memory/584-73-0x0000000000550000-0x000000000302B000-memory.dmp	themida
behavioral1/memory/584-74-0x0000000000550000-0x000000000302B000-memory.dmp	themida
behavioral1/memory/584-75-0x0000000000550000-0x000000000302B000-memory.dmp	themida
behavioral1/memory/584-76-0x0000000000550000-0x000000000302B000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MxStart.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\MxStart.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Aplicação Segura\\MxStart.exe"	MxStart.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

MxStart.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MxStart.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MxStart.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

MxStart.exe

pid process

584 MxStart.exe

pid	process
584	MxStart.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\6bfd55.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\6bfd53.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFF27.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1A9.tmp	msiexec.exe
File created	C:\Windows\Installer\6bfd55.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A5.tmp	msiexec.exe
File created	C:\Windows\Installer\6bfd53.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFC.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeMxStart.exe

pid	process
2000	msiexec.exe
2000	msiexec.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe
584	MxStart.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1152	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	2000	msiexec.exe
Token: SeTakeOwnershipPrivilege	2000	msiexec.exe
Token: SeSecurityPrivilege	2000	msiexec.exe
Token: SeCreateTokenPrivilege	1152	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1152	msiexec.exe
Token: SeLockMemoryPrivilege	1152	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1152	msiexec.exe
Token: SeMachineAccountPrivilege	1152	msiexec.exe
Token: SeTcbPrivilege	1152	msiexec.exe
Token: SeSecurityPrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeLoadDriverPrivilege	1152	msiexec.exe
Token: SeSystemProfilePrivilege	1152	msiexec.exe
Token: SeSystemtimePrivilege	1152	msiexec.exe
Token: SeProfSingleProcessPrivilege	1152	msiexec.exe
Token: SeIncBasePriorityPrivilege	1152	msiexec.exe
Token: SeCreatePagefilePrivilege	1152	msiexec.exe
Token: SeCreatePermanentPrivilege	1152	msiexec.exe
Token: SeBackupPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeShutdownPrivilege	1152	msiexec.exe
Token: SeDebugPrivilege	1152	msiexec.exe
Token: SeAuditPrivilege	1152	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1152	msiexec.exe
Token: SeChangeNotifyPrivilege	1152	msiexec.exe
Token: SeRemoteShutdownPrivilege	1152	msiexec.exe
Token: SeUndockPrivilege	1152	msiexec.exe
Token: SeSyncAgentPrivilege	1152	msiexec.exe
Token: SeEnableDelegationPrivilege	1152	msiexec.exe
Token: SeManageVolumePrivilege	1152	msiexec.exe
Token: SeImpersonatePrivilege	1152	msiexec.exe
Token: SeCreateGlobalPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	2000	msiexec.exe
Token: SeTakeOwnershipPrivilege	2000	msiexec.exe
Token: SeRestorePrivilege	2000	msiexec.exe
Token: SeTakeOwnershipPrivilege	2000	msiexec.exe
Token: SeRestorePrivilege	2000	msiexec.exe
Token: SeTakeOwnershipPrivilege	2000	msiexec.exe
Token: SeRestorePrivilege	2000	msiexec.exe
Token: SeTakeOwnershipPrivilege	2000	msiexec.exe
Token: SeRestorePrivilege	2000	msiexec.exe
Token: SeTakeOwnershipPrivilege	2000	msiexec.exe
Token: SeRestorePrivilege	2000	msiexec.exe
Token: SeTakeOwnershipPrivilege	2000	msiexec.exe
Token: SeRestorePrivilege	2000	msiexec.exe
Token: SeTakeOwnershipPrivilege	2000	msiexec.exe
Token: SeRestorePrivilege	2000	msiexec.exe
Token: SeTakeOwnershipPrivilege	2000	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1152 msiexec.exe
1152 msiexec.exe

pid	process
1152	msiexec.exe
1152	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2000 wrote to memory of 1980	2000	msiexec.exe	MsiExec.exe
PID 2000 wrote to memory of 1980	2000	msiexec.exe	MsiExec.exe
PID 2000 wrote to memory of 1980	2000	msiexec.exe	MsiExec.exe
PID 2000 wrote to memory of 1980	2000	msiexec.exe	MsiExec.exe
PID 2000 wrote to memory of 1980	2000	msiexec.exe	MsiExec.exe
PID 2000 wrote to memory of 1980	2000	msiexec.exe	MsiExec.exe
PID 2000 wrote to memory of 1980	2000	msiexec.exe	MsiExec.exe
PID 2000 wrote to memory of 584	2000	msiexec.exe	MxStart.exe
PID 2000 wrote to memory of 584	2000	msiexec.exe	MxStart.exe
PID 2000 wrote to memory of 584	2000	msiexec.exe	MxStart.exe
PID 2000 wrote to memory of 584	2000	msiexec.exe	MxStart.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Aplicativo Seguro.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1152

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 05538CCEC046DFB647C8A30E96D7D099
2⤵
- Loads dropped DLL
PID:1980

C:\Users\Admin\AppData\Roaming\Windows\Aplicação Segura\MxStart.exe
"C:\Users\Admin\AppData\Roaming\Windows\Aplicação Segura\MxStart.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows\Aplicação Segura\MxStart.exe
Filesize
557KB

MD5
e33bcdd61d70a1961df2c6d7f0c18351

SHA1
958ff5402b7e05be694b00bb760f124b79fe0c7d

SHA256
b1aad17f65fbdb5fb75e13a00bd3b1db6e5168f8e4419e57b13fb34dc48c4ba4

SHA512
d4bb02140173417986d559b7ab96b3388478a4494ce652ac01e6a84297f86d772408aa6591ace45e75cce589298ee3a9a7864624a25a0cbd7d1ced197bd4946b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Aplicação Segura\MxStart.exe
Filesize
557KB

MD5
e33bcdd61d70a1961df2c6d7f0c18351

SHA1
958ff5402b7e05be694b00bb760f124b79fe0c7d

SHA256
b1aad17f65fbdb5fb75e13a00bd3b1db6e5168f8e4419e57b13fb34dc48c4ba4

SHA512
d4bb02140173417986d559b7ab96b3388478a4494ce652ac01e6a84297f86d772408aa6591ace45e75cce589298ee3a9a7864624a25a0cbd7d1ced197bd4946b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Aplicação Segura\aspack.dll
Filesize
580.3MB

MD5
0582afa730d47789165af96500a50abe

SHA1
3a04076e846b13a94ba9605ca33c4ea7e5dc3cec

SHA256
33200e0cb7bf6b51a02e8eb8edf86c70a2a9b337a75a8b22873244dfbdded885

SHA512
b447a9f615b6653eef82da1d4fae81f3dcba5df2a4345df78e9768ebea6e44cb468257d3fe801ded102a4ca7e9892a57dcb94fbb78f73ce4514566fc02ce70e5

Download Submit
C:\Windows\Installer\MSI1A9.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Windows\Installer\MSIFC.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Windows\Installer\MSIFF27.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Users\Admin\AppData\Roaming\Windows\Aplicação Segura\aspack.dll
Filesize
580.3MB

MD5
0582afa730d47789165af96500a50abe

SHA1
3a04076e846b13a94ba9605ca33c4ea7e5dc3cec

SHA256
33200e0cb7bf6b51a02e8eb8edf86c70a2a9b337a75a8b22873244dfbdded885

SHA512
b447a9f615b6653eef82da1d4fae81f3dcba5df2a4345df78e9768ebea6e44cb468257d3fe801ded102a4ca7e9892a57dcb94fbb78f73ce4514566fc02ce70e5

Download Submit
\Windows\Installer\MSI1A9.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Windows\Installer\MSIFC.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Windows\Installer\MSIFF27.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
memory/584-73-0x0000000000550000-0x000000000302B000-memory.dmp

Filesize
42.9MB

Download
memory/584-64-0x0000000000000000-mapping.dmp

Download
memory/584-70-0x0000000077490000-0x0000000077610000-memory.dmp

Filesize
1.5MB

Download
memory/584-71-0x0000000000550000-0x000000000302B000-memory.dmp

Filesize
42.9MB

Download
memory/584-72-0x0000000000550000-0x000000000302B000-memory.dmp

Filesize
42.9MB

Download
memory/584-74-0x0000000000550000-0x000000000302B000-memory.dmp

Filesize
42.9MB

Download
memory/584-75-0x0000000000550000-0x000000000302B000-memory.dmp

Filesize
42.9MB

Download
memory/584-76-0x0000000000550000-0x000000000302B000-memory.dmp

Filesize
42.9MB

Download
memory/584-77-0x0000000077490000-0x0000000077610000-memory.dmp

Filesize
1.5MB

Download
memory/1152-54-0x000007FEFBCD1000-0x000007FEFBCD3000-memory.dmp

Filesize
8KB

Download
memory/1980-57-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/1980-56-0x0000000000000000-mapping.dmp

Download