Overview

overview

8

Static

static

PAGA-TUS-M...9b.msi

windows7-x64

8

PAGA-TUS-M...9b.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    58s
  • max time network
    61s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 13:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PAGA-TUS-MULTAS-34ed1ecf-1a2c-4d26_____________________________________________________________________85ba-ba597ff6089b.msi

  • Size

    1.6MB

  • MD5

    895d068ffb4c4ca7c8e677a051bbbaae

  • SHA1

    faf3d6eedbcd49d446059c2bf1cfed6a1b9b6913

  • SHA256

    687ac0a86056ab61af2e1c34b053e7d58ab19b64bab5d13b81e2e3dcab878426

  • SHA512

    1877e98c58f21060ffbe9726320deb43a342f0d969164b760842f8fcbc13d7b8413e3b37434dcaaec9137514e217e7d7685a31b6eaf190425ea654d847549b11

  • SSDEEP

    49152:pCyNitjVqoA5AwxDOjSETeVfb/6LYE3c9ANB:qtMJAwOjSEPYP

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 17 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PAGA-TUS-MULTAS-34ed1ecf-1a2c-4d26_____________________________________________________________________85ba-ba597ff6089b.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:768
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1000
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B7DDCF471251DC52A586BB631500F10E
      2⤵
      • Loads dropped DLL
      PID:1092
    • C:\Users\Admin\Documents\dsdns\nuehcwc11.exe
      "C:\Users\Admin\Documents\dsdns\nuehcwc11.exe"
      2⤵
      • Executes dropped EXE
      PID:1712
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2028
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000588" "00000000000004B4"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:428

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Documents\dsdns\JSON.ahk
    Filesize

    11KB

    MD5

    b88765b31bb98b5139c128a0bfd410a5

    SHA1

    dfc19d87e98b8ce942ca79ede35dbf1ba7951ef0

    SHA256

    bb85e4530ccd6355b3ef3506548b4f513bea844d1af37a69624c9c455521c70f

    SHA512

    9d4abf332c42f4070ab3d4d38873291b248722cf67d24944fd74f10174e029c49e2b11e2d20bd202f5e2aeb92ae5bd9e151e15a4a7debda4947b86574083634a

    Download Submit

  • C:\Users\Admin\Documents\dsdns\nuehcwc11.ahk
    Filesize

    3KB

    MD5

    60bb2fe1c95c51072ee8250ebce43c48

    SHA1

    4fc1598ac261e8773072c3559c55344a29df03d1

    SHA256

    405132da9bf048c0277a1d5a56cc9a2a9a357218032d629ba3a5ddd44a732b3b

    SHA512

    643fe21ab5726cb4dd99ce539ca400660bd7a8aa9ed0f785ce16d35679d0c5d253747038a423208588ee27dee1af3ce9bc2bbc1429632a1ed7b0e2422c801823

    Download Submit

  • C:\Users\Admin\Documents\dsdns\nuehcwc11.exe
    Filesize

    884KB

    MD5

    4685811c853ceaebc991c3a8406694bf

    SHA1

    9cd382eb91bfea5782dd09f589a31b47c2c2b53e

    SHA256

    3242e0a736ef8ac90430a9f272ff30a81e2afc146fcb84a25c6e56e8192791e4

    SHA512

    a504fbca674f15d8964ebc6fac11d9431d700ca22736c00d5bb1e51551b0d2b9e4b2b6824bdf1a778111a0ba8d2601eada2f726b9ec7a9cfa5a53fd43c235b46

    Download Submit

  • C:\Windows\Installer\MSIC054.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSIC277.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSIC610.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSICD72.tmp
    Filesize

    663KB

    MD5

    b4dc5e6ce2dded474e55297e3a97f153

    SHA1

    f5bc4ab34b709118d705150c1e6e6139b78dfff2

    SHA256

    08c8ca31a5b892e9c7159361d668a28766d611ec879be073a9157c9ece03cf2f

    SHA512

    47089b00dc0867f4585da8ff073c26cf4be4fd6e16150afe39b8b38fcf0e001ca31fde27b70ddba9794c851ca24450d73a416e38f209a64532f2d8d4ed5915ce

    Download Submit

  • C:\Windows\Installer\MSICEBB.tmp
    Filesize

    663KB

    MD5

    b4dc5e6ce2dded474e55297e3a97f153

    SHA1

    f5bc4ab34b709118d705150c1e6e6139b78dfff2

    SHA256

    08c8ca31a5b892e9c7159361d668a28766d611ec879be073a9157c9ece03cf2f

    SHA512

    47089b00dc0867f4585da8ff073c26cf4be4fd6e16150afe39b8b38fcf0e001ca31fde27b70ddba9794c851ca24450d73a416e38f209a64532f2d8d4ed5915ce

    Download Submit

  • C:\Windows\Installer\MSICF68.tmp
    Filesize

    663KB

    MD5

    b4dc5e6ce2dded474e55297e3a97f153

    SHA1

    f5bc4ab34b709118d705150c1e6e6139b78dfff2

    SHA256

    08c8ca31a5b892e9c7159361d668a28766d611ec879be073a9157c9ece03cf2f

    SHA512

    47089b00dc0867f4585da8ff073c26cf4be4fd6e16150afe39b8b38fcf0e001ca31fde27b70ddba9794c851ca24450d73a416e38f209a64532f2d8d4ed5915ce

    Download Submit

  • C:\Windows\Installer\MSID35F.tmp
    Filesize

    663KB

    MD5

    b4dc5e6ce2dded474e55297e3a97f153

    SHA1

    f5bc4ab34b709118d705150c1e6e6139b78dfff2

    SHA256

    08c8ca31a5b892e9c7159361d668a28766d611ec879be073a9157c9ece03cf2f

    SHA512

    47089b00dc0867f4585da8ff073c26cf4be4fd6e16150afe39b8b38fcf0e001ca31fde27b70ddba9794c851ca24450d73a416e38f209a64532f2d8d4ed5915ce

    Download Submit

  • C:\Windows\Installer\MSID4C7.tmp
    Filesize

    663KB

    MD5

    b4dc5e6ce2dded474e55297e3a97f153

    SHA1

    f5bc4ab34b709118d705150c1e6e6139b78dfff2

    SHA256

    08c8ca31a5b892e9c7159361d668a28766d611ec879be073a9157c9ece03cf2f

    SHA512

    47089b00dc0867f4585da8ff073c26cf4be4fd6e16150afe39b8b38fcf0e001ca31fde27b70ddba9794c851ca24450d73a416e38f209a64532f2d8d4ed5915ce

    Download Submit

  • \Windows\Installer\MSIC054.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • \Windows\Installer\MSIC277.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • \Windows\Installer\MSIC610.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • \Windows\Installer\MSICD72.tmp
    Filesize

    663KB

    MD5

    b4dc5e6ce2dded474e55297e3a97f153

    SHA1

    f5bc4ab34b709118d705150c1e6e6139b78dfff2

    SHA256

    08c8ca31a5b892e9c7159361d668a28766d611ec879be073a9157c9ece03cf2f

    SHA512

    47089b00dc0867f4585da8ff073c26cf4be4fd6e16150afe39b8b38fcf0e001ca31fde27b70ddba9794c851ca24450d73a416e38f209a64532f2d8d4ed5915ce

    Download Submit

  • \Windows\Installer\MSICEBB.tmp
    Filesize

    663KB

    MD5

    b4dc5e6ce2dded474e55297e3a97f153

    SHA1

    f5bc4ab34b709118d705150c1e6e6139b78dfff2

    SHA256

    08c8ca31a5b892e9c7159361d668a28766d611ec879be073a9157c9ece03cf2f

    SHA512

    47089b00dc0867f4585da8ff073c26cf4be4fd6e16150afe39b8b38fcf0e001ca31fde27b70ddba9794c851ca24450d73a416e38f209a64532f2d8d4ed5915ce

    Download Submit

  • \Windows\Installer\MSICF68.tmp
    Filesize

    663KB

    MD5

    b4dc5e6ce2dded474e55297e3a97f153

    SHA1

    f5bc4ab34b709118d705150c1e6e6139b78dfff2

    SHA256

    08c8ca31a5b892e9c7159361d668a28766d611ec879be073a9157c9ece03cf2f

    SHA512

    47089b00dc0867f4585da8ff073c26cf4be4fd6e16150afe39b8b38fcf0e001ca31fde27b70ddba9794c851ca24450d73a416e38f209a64532f2d8d4ed5915ce

    Download Submit

  • \Windows\Installer\MSID35F.tmp
    Filesize

    663KB

    MD5

    b4dc5e6ce2dded474e55297e3a97f153

    SHA1

    f5bc4ab34b709118d705150c1e6e6139b78dfff2

    SHA256

    08c8ca31a5b892e9c7159361d668a28766d611ec879be073a9157c9ece03cf2f

    SHA512

    47089b00dc0867f4585da8ff073c26cf4be4fd6e16150afe39b8b38fcf0e001ca31fde27b70ddba9794c851ca24450d73a416e38f209a64532f2d8d4ed5915ce

    Download Submit

  • \Windows\Installer\MSID4C7.tmp
    Filesize

    663KB

    MD5

    b4dc5e6ce2dded474e55297e3a97f153

    SHA1

    f5bc4ab34b709118d705150c1e6e6139b78dfff2

    SHA256

    08c8ca31a5b892e9c7159361d668a28766d611ec879be073a9157c9ece03cf2f

    SHA512

    47089b00dc0867f4585da8ff073c26cf4be4fd6e16150afe39b8b38fcf0e001ca31fde27b70ddba9794c851ca24450d73a416e38f209a64532f2d8d4ed5915ce

    Download Submit

  • memory/768-54-0x000007FEFC521000-0x000007FEFC523000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1092-57-0x0000000076871000-0x0000000076873000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1092-56-0x0000000000000000-mapping.dmp

    Download

  • memory/1712-74-0x0000000000000000-mapping.dmp

    Download