Overview

overview

8

Static

static

PAGA-TUS-M...9b.msi

windows7-x64

8

PAGA-TUS-M...9b.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    188s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 13:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PAGA-TUS-MULTAS-34ed1ecf-1a2c-4d26_____________________________________________________________________85ba-ba597ff6089b.msi

  • Size

    1.6MB

  • MD5

    895d068ffb4c4ca7c8e677a051bbbaae

  • SHA1

    faf3d6eedbcd49d446059c2bf1cfed6a1b9b6913

  • SHA256

    687ac0a86056ab61af2e1c34b053e7d58ab19b64bab5d13b81e2e3dcab878426

  • SHA512

    1877e98c58f21060ffbe9726320deb43a342f0d969164b760842f8fcbc13d7b8413e3b37434dcaaec9137514e217e7d7685a31b6eaf190425ea654d847549b11

  • SSDEEP

    49152:pCyNitjVqoA5AwxDOjSETeVfb/6LYE3c9ANB:qtMJAwOjSEPYP

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PAGA-TUS-MULTAS-34ed1ecf-1a2c-4d26_____________________________________________________________________85ba-ba597ff6089b.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1272
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3396
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads