Analysis
max time kernel: 139s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/10/2022, 17:29
Static task: static1
Behavioral task: behavioral1
Sample: e6c39cc0b7a7ad889fd345475f0b7d5ea740caba70bc4f57564e760e8a52f6ad.msi
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: e6c39cc0b7a7ad889fd345475f0b7d5ea740caba70bc4f57564e760e8a52f6ad.msi
Resource: win10v2004-20220812-en
General
Target: e6c39cc0b7a7ad889fd345475f0b7d5ea740caba70bc4f57564e760e8a52f6ad.msi
Size: 1.4MB
MD5: 563f30a6c6d9978c30e8416542ad6041
SHA1: 44ea4b43e5cb20ce9140297f7bcf87f028e0830b
SHA256: e6c39cc0b7a7ad889fd345475f0b7d5ea740caba70bc4f57564e760e8a52f6ad
SHA512: 3d1fcb48c2ac03ac9c1e7fa6fdda611b45e4f36fba0ddf42fa2d7ab8027a19ae8b3937c97ef004812bfb9dd99c5c0f00c6b5162a5f6d536a0cedb47ad063d3b5
SSDEEP: 24576:jJjyyzQyz5io+HExGWUAyiqZpBqnGIQ5M6DLrVVdWGA13IqMXSpS2SDTQuV+vJFo:jJjrz5io+HGGWxyzXlrXVVdWGA13I1Xd
Malware Config
Signatures
Blocklisted process makes network request (4 IoCs)
flow 14, pid 4140, MsiExec.exe
flow 16, pid 4140, MsiExec.exe
flow 18, pid 4140, MsiExec.exe
flow 20, pid 4140, MsiExec.exe
Executes dropped EXE (2 IoCs)
pid 2244, MSID000.tmp
pid 5104, Homologo.exe
Loads dropped DLL (9 IoCs)
pid 4140, MsiExec.exe (8 entries)
pid 5104, Homologo.exe (1 entry)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Key created by msiexec.exe: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run
Set value (str) by msiexec.exe: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\REAGIR = "C:\\Users\\Admin\\AppData\\Roaming\\Comercialis\\Documentos Objects\\Homologo.exe"
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by msiexec.exe: \??\A: through \??\Z: (every drive letter except C: and D:), each letter opened twice, for 48 entries in total.
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Drops file in Windows directory (16 IoCs)
All entries by msiexec.exe:
File created: C:\Windows\Installer\e56b0d6.msi
File opened for modification: C:\Windows\Installer\MSIB8E6.tmp
File opened for modification: C:\Windows\Installer\MSID000.tmp
File opened for modification: C:\Windows\Installer\MSIBBE6.tmp
File created: C:\Windows\Installer\SourceHash{2D8F23AC-C4C0-4E38-9FF0-809B125A0FB3}
File opened for modification: C:\Windows\Installer\MSIBD8E.tmp
File opened for modification: C:\Windows\Installer\MSICD30.tmp
File opened for modification: C:\Windows\Installer\e56b0d6.msi
File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
File opened for modification: C:\Windows\Installer\MSIB9E1.tmp
File opened for modification: C:\Windows\Installer\MSIBA30.tmp
File opened for modification: C:\Windows\Installer\MSIBE89.tmp
File opened for modification: C:\Windows\Installer\MSIB26C.tmp
File opened for modification: C:\Windows\Installer\
File created: C:\Windows\Installer\inprogressinstallinfo.ipi
File opened for modification: C:\Windows\Installer\MSIBC55.tmp
Modifies Internet Explorer settings (52 IoCs)
In the entries below, <USER> stands for \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000; the Software/SOFTWARE casing is kept as reported.
Key created by IEXPLORE.EXE: <USER>\Software\Microsoft\Internet Explorer\Main
Set value (data) by iexplore.exe: <USER>\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000
Set value (int) by IEXPLORE.EXE: <USER>\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"
Key created by IEXPLORE.EXE: <USER>\Software\Microsoft\Internet Explorer\DOMStorage\google.com
Set value (int) by IEXPLORE.EXE: <USER>\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"
Key created by IEXPLORE.EXE: <USER>\Software\Microsoft\Internet Explorer\IESettingSync
Set value (str) by iexplore.exe: <USER>\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"
Set value (int) by IEXPLORE.EXE: <USER>\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\meudicionario.org\Total = "29"
Set value (int) by iexplore.exe: <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "861060980"
Set value (int) by iexplore.exe: <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988529"
Set value (int) by IEXPLORE.EXE: <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "869188921"
Set value (int) by iexplore.exe: <USER>\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"
Set value (data) by iexplore.exe: <USER>\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f05f2338f1d8d801
Set value (data) by iexplore.exe: <USER>\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d9120000000000200000000001066000000010000200000000c6711a8d22933bc371fa23b95d5c4bcbd6de7e8307b27320922091e0f6e76a6000000000e80000000020000200000006cc047e6b943fbd8c5fc8830be72a913ff5e317532fe7b51d383488f7540a41920000000ba45f8e856e05b5abd8ba25a45fad5f9e0bede4d508953973fe8b491d743fd5340000000251c87a759168338b7f73fd7ed8adc1cb434bc71800128db438ffc860e9d25e052c41612359c70a735b679816eedd636d6b53a5694d1d63b363a8c73e82f7298
Set value (int) by iexplore.exe: <USER>\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5EA41741-44E4-11ED-AECB-C264E7FE3618} = "0"
Key created by IEXPLORE.EXE: <USER>\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\meudicionario.org
Set value (int) by IEXPLORE.EXE: <USER>\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\meudicionario.org\NumberOfSubdomains = "1"
Set value (int) by IEXPLORE.EXE: <USER>\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "29"
Key created by IEXPLORE.EXE: <USER>\Software\Microsoft\Internet Explorer\DOMStorage\www.meudicionario.org
Key created by IEXPLORE.EXE: <USER>\Software\Microsoft\Internet Explorer\International\CpMRU
Set value (int) by IEXPLORE.EXE: <USER>\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"
Key created by iexplore.exe: <USER>\Software\Microsoft\Internet Explorer\Main\WindowsSearch
Set value (str) by iexplore.exe: <USER>\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
Set value (int) by iexplore.exe: <USER>\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"
Key created by IEXPLORE.EXE: <USER>\Software\Microsoft\Internet Explorer\DOMStorage\Total
Set value (int) by IEXPLORE.EXE: <USER>\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.meudicionario.org\ = "29"
Set value (int) by IEXPLORE.EXE: <USER>\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"
Set value (str) by IEXPLORE.EXE: <USER>\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
Set value (data) by iexplore.exe: <USER>\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d912000000000020000000000106600000001000020000000fc5f09d006279e4c2a67e138c030ea641b40e7b2f3b0bfa5f05f65240dd0bf2c000000000e8000000002000020000000337827759b7e95ce868070cf57f958c1dacf1663429c79acc804930d5d517e5620000000bfb3f2be3615fbb4a777ec20ecd81a40c13bfc73a5d3623f787f22a1aabc81bd40000000043231444c285cf9e571ac1c6e359bf8442c2bf8af1f67ad246089ef35660d11712e4e2eaa736f35963c36beecff26fe876f400a15576a2fdf411d08487bf8b9
Set value (data) by iexplore.exe: <USER>\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0013438f1d8d801
Key created by iexplore.exe: <USER>\Software\Microsoft\Internet Explorer\Main
Key created by iexplore.exe: <USER>\Software\Microsoft\Internet Explorer\Recovery\AdminActive
Key created by IEXPLORE.EXE: <USER>\Software\Microsoft\Internet Explorer\DOMStorage\meudicionario.org
Set value (int) by IEXPLORE.EXE: <USER>\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"
Set value (int) by IEXPLORE.EXE: <USER>\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"
Set value (int) by iexplore.exe: <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30988529"
Key created by iexplore.exe: <USER>\Software\Microsoft\Internet Explorer\TabbedBrowsing
Set value (int) by iexplore.exe: <USER>\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"
Set value (int) by IEXPLORE.EXE: <USER>\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"
Set value (int) by IEXPLORE.EXE: <USER>\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "54"
Key created by IEXPLORE.EXE: <USER>\Software\Microsoft\Internet Explorer\Main\WindowsSearch
Set value (int) by IEXPLORE.EXE: <USER>\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"
Key created by iexplore.exe: <USER>\Software\Microsoft\Internet Explorer\VersionManager
Set value (int) by iexplore.exe: <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "861060980"
Key created by iexplore.exe: <USER>\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
Key created by IEXPLORE.EXE: <USER>\SOFTWARE\Microsoft\Internet Explorer\DOMStorage
Key created by iexplore.exe: <USER>\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
Key created by IEXPLORE.EXE: <USER>\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com
Set value (int) by iexplore.exe: <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"
Set value (int) by iexplore.exe: <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"
Key created by IEXPLORE.EXE: <USER>\Software\Microsoft\Internet Explorer\VersionManager
Set value (int) by IEXPLORE.EXE: <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988529"
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid 4856, msiexec.exe (2 entries)
pid 5104, Homologo.exe (4 entries)
Suspicious use of AdjustPrivilegeToken (58 IoCs)
pid 4620, msiexec.exe (31 entries), Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
pid 4856, msiexec.exe (27 entries), Token: SeSecurityPrivilege once, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating (13 entries each)
Suspicious use of FindShellTrayWindow (3 IoCs)
pid 4620, msiexec.exe (2 entries)
pid 2972, iexplore.exe (1 entry)
Suspicious use of SetWindowsHookEx (4 IoCs)
pid 2972, iexplore.exe (2 entries)
pid 4800, IEXPLORE.EXE (2 entries)
Suspicious use of WriteProcessMemory (11 IoCs)
PID 4856 (msiexec.exe) wrote to memory of PID 4140, procid_target 84 (3 entries)
PID 4856 (msiexec.exe) wrote to memory of PID 2244, procid_target 88 (3 entries)
PID 5104 (Homologo.exe) wrote to memory of PID 2972, procid_target 94 (2 entries)
PID 2972 (iexplore.exe) wrote to memory of PID 4800, procid_target 95 (3 entries)
Processes
C:\Windows\system32\msiexec.exe (depth 1, PID 4620)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e6c39cc0b7a7ad889fd345475f0b7d5ea740caba70bc4f57564e760e8a52f6ad.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe (depth 1, PID 4856)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe (depth 2, PID 4140)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 754E7CA05BBCA368FDE60F0BA907F2F5
    - Blocklisted process makes network request
    - Loads dropped DLL
  C:\Windows\Installer\MSID000.tmp (depth 2, PID 2244)
    Command line: "C:\Windows\Installer\MSID000.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\Comercialis\Documentos Objects\Homologo.exe"
    - Executes dropped EXE
C:\Users\Admin\AppData\Roaming\Comercialis\Documentos Objects\Homologo.exe (depth 1, PID 5104)
  Command line: "C:\Users\Admin\AppData\Roaming\Comercialis\Documentos Objects\Homologo.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Internet Explorer\iexplore.exe (depth 2, PID 2972)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" %1 "https://bit.ly/3CvJZvd"
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 3, PID 4800)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2972 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: 81c96dfdc78955baf5c089e53bc0c46a
SHA1: f648c51cd0d2d784d0e8d73c30d6474487162127
SHA256: 397b12f65672c174b45d98e34e35a655b2ad506e7e180c7714abfac8acb30549
SHA512: 1991d628ef5e1a0a457cea5ef46a29043ed08ae60727d340fe1a6a759bd09693a3b48b78c9c396afd336b2f7b115ee93c5f0dd1dfabcadb111d2928781e6c51d
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: 864a191ecf4cdb8fde1907f2012ebb34
SHA1: e2addcf6e73937235418257deda783fe77a1929d
SHA256: 758f3f40bd78a8eaaa803eba2b033737f16ac7b9bf622c6a314f7eee33478d64
SHA512: 817c3253c8843d263cc250170233a8a4c7ccaedaa4b7aaded15d7284f63b344fb1f3409443efd455dca2a1ab56a36046736c1c6ad42826fbb3746766aff4015e