Analysis
- Max time kernel: 150s
- Max time network: 46s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 27-06-2022 12:08
- Static task: static1
- Behavioral task: behavioral1 (sample: Aplicativo Seguro.msi; resource: win7-20220414-en)
- Behavioral task: behavioral2 (sample: Aplicativo Seguro.msi; resource: win10v2004-20220414-en)
General
- Target: Aplicativo Seguro.msi
- Size: 10.3MB
- MD5: 6b73ba5e07eb91c504be1ad2506a9c63
- SHA1: 3d423b4c3c6fe9d35af3681762a664e226436e90
- SHA256: 92dc494adf6c173a0fdae32868d57489b75fd9fb7b14c4d7fa9a6e06a2329ad3
- SHA512: 5c033bf913c0173e2d454daa8cb50bc8ae22932cf0c46a18f150510789e2a7d2ff72d38813a6a0b8f27637991efdf30d5bdb8d8e2306b6056d2198331793e19e
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
- MxStart.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Executes dropped EXE (1 IoC)
Processes:
- pid 584 MxStart.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- MxStart.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- MxStart.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Drops startup file (2 IoCs)
Processes:
- MxStart.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.lnk
- MxStart.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adminochwdcajib.vbs
Loads dropped DLL (4 IoCs)
Processes:
- pid 1980 MsiExec.exe (3 events)
- pid 584 MxStart.exe (1 event)
YARA rule matches (resource: rule)
- C:\Users\Admin\AppData\Roaming\Windows\Aplicação Segura\aspack.dll: themida
- \Users\Admin\AppData\Roaming\Windows\Aplicação Segura\aspack.dll: themida
- behavioral1/memory/584-71-0x0000000000550000-0x000000000302B000-memory.dmp: themida
- behavioral1/memory/584-72-0x0000000000550000-0x000000000302B000-memory.dmp: themida
- behavioral1/memory/584-73-0x0000000000550000-0x000000000302B000-memory.dmp: themida
- behavioral1/memory/584-74-0x0000000000550000-0x000000000302B000-memory.dmp: themida
- behavioral1/memory/584-75-0x0000000000550000-0x000000000302B000-memory.dmp: themida
- behavioral1/memory/584-76-0x0000000000550000-0x000000000302B000-memory.dmp: themida
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- MxStart.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\MxStart.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Aplicação Segura\\MxStart.exe"
Checks whether UAC is enabled
Processes:
- MxStart.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- msiexec.exe: File opened (read-only) \??\A: through \??\Z:, every drive letter except C: and D:, each opened twice (48 events in total)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
- pid 584 MxStart.exe
Drops file in Windows directory (9 IoCs)
Processes:
- msiexec.exe: File opened for modification C:\Windows\Installer\6bfd55.ipi
- msiexec.exe: File opened for modification C:\Windows\Installer\6bfd53.msi
- msiexec.exe: File opened for modification C:\Windows\Installer\MSIFF27.tmp
- msiexec.exe: File opened for modification C:\Windows\Installer\MSI1A9.tmp
- msiexec.exe: File created C:\Windows\Installer\6bfd55.ipi
- msiexec.exe: File opened for modification C:\Windows\Installer\
- msiexec.exe: File opened for modification C:\Windows\Installer\MSI9A5.tmp
- msiexec.exe: File created C:\Windows\Installer\6bfd53.msi
- msiexec.exe: File opened for modification C:\Windows\Installer\MSIFC.tmp
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- pid 2000 msiexec.exe (2 events)
- pid 584 MxStart.exe (62 events)
Suspicious use of AdjustPrivilegeToken (50 IoCs)
Processes:
- pid 1152 msiexec.exe (31 events, in the order recorded): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- pid 2000 msiexec.exe (19 events): SeSecurityPrivilege once; SeRestorePrivilege and SeTakeOwnershipPrivilege alternating, 9 events each
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- pid 1152 msiexec.exe (2 events)
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
- PID 2000 msiexec.exe wrote to memory of PID 1980 MsiExec.exe (7 events)
- PID 2000 msiexec.exe wrote to memory of PID 584 MxStart.exe (4 events)
Processes
- C:\Windows\system32\msiexec.exe (level 1)
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Aplicativo Seguro.msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (level 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\syswow64\MsiExec.exe (level 2)
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 05538CCEC046DFB647C8A30E96D7D099
  - Loads dropped DLL
- C:\Users\Admin\AppData\Roaming\Windows\Aplicação Segura\MxStart.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Roaming\Windows\Aplicação Segura\MxStart.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Windows\Aplicação Segura\MxStart.exe (listed twice in the report)
  Filesize: 557KB
  MD5: e33bcdd61d70a1961df2c6d7f0c18351
  SHA1: 958ff5402b7e05be694b00bb760f124b79fe0c7d
  SHA256: b1aad17f65fbdb5fb75e13a00bd3b1db6e5168f8e4419e57b13fb34dc48c4ba4
  SHA512: d4bb02140173417986d559b7ab96b3388478a4494ce652ac01e6a84297f86d772408aa6591ace45e75cce589298ee3a9a7864624a25a0cbd7d1ced197bd4946b
- C:\Users\Admin\AppData\Roaming\Windows\Aplicação Segura\aspack.dll (also listed as \Users\Admin\AppData\Roaming\Windows\Aplicação Segura\aspack.dll)
  Filesize: 580.3MB
  MD5: 0582afa730d47789165af96500a50abe
  SHA1: 3a04076e846b13a94ba9605ca33c4ea7e5dc3cec
  SHA256: 33200e0cb7bf6b51a02e8eb8edf86c70a2a9b337a75a8b22873244dfbdded885
  SHA512: b447a9f615b6653eef82da1d4fae81f3dcba5df2a4345df78e9768ebea6e44cb468257d3fe801ded102a4ca7e9892a57dcb94fbb78f73ce4514566fc02ce70e5
- C:\Windows\Installer\MSI1A9.tmp, C:\Windows\Installer\MSIFC.tmp and C:\Windows\Installer\MSIFF27.tmp (identical hashes; each also listed without the C: prefix)
  Filesize: 540KB
  MD5: dfc682d9f93d6dcd39524f1afcd0e00d
  SHA1: adb81b1077d14dbe76d9ececfc3e027303075705
  SHA256: f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328
  SHA512: 52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9
- memory/584-64-0x0000000000000000-mapping.dmp
- memory/584-70-0x0000000077490000-0x0000000077610000-memory.dmp (Filesize: 1.5MB)
- memory/584-71-0x0000000000550000-0x000000000302B000-memory.dmp (Filesize: 42.9MB)
- memory/584-72-0x0000000000550000-0x000000000302B000-memory.dmp (Filesize: 42.9MB)
- memory/584-73-0x0000000000550000-0x000000000302B000-memory.dmp (Filesize: 42.9MB)
- memory/584-74-0x0000000000550000-0x000000000302B000-memory.dmp (Filesize: 42.9MB)
- memory/584-75-0x0000000000550000-0x000000000302B000-memory.dmp (Filesize: 42.9MB)
- memory/584-76-0x0000000000550000-0x000000000302B000-memory.dmp (Filesize: 42.9MB)
- memory/584-77-0x0000000077490000-0x0000000077610000-memory.dmp (Filesize: 1.5MB)
- memory/1152-54-0x000007FEFBCD1000-0x000007FEFBCD3000-memory.dmp (Filesize: 8KB)
- memory/1980-56-0x0000000000000000-mapping.dmp
- memory/1980-57-0x00000000763E1000-0x00000000763E3000-memory.dmp (Filesize: 8KB)