Overview

overview

9

Static

static

SAT-202204...DF.msi

windows7-x64

9

SAT-202204...DF.msi

windows10-2004-x64

9

Resubmissions

05-01-2023 22:52

230105-2tv5mshb5z 9

05-01-2023 20:34

230105-zcsl3sdb79 9

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    05-01-2023 22:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SAT-20220411-89287719adm-Reporte_Estado_Planilla_PDF.msi

  • Size

    6.6MB

  • MD5

    6d22f7d0d542224ba270aee85ed8b8d4

  • SHA1

    97d45fe9391164cf6cee64c5a3c93632c491eb07

  • SHA256

    4ad88b6a825af9e1eba56356bc13c02c4e49e3af64ff0eb2d09c7aeefe17e1ed

  • SHA512

    b019cdef7118a13097b22efdb8e316bc1107b7288c63415a4a173b85f7e2b28b98cf73a3df8f6058131fa9db3be341ed11ca56bf4db02e26300fd0c98f27c6ad

  • SSDEEP

    196608:V60PcuP3qU02+cr7J2F9J7htUZnb1H6d/:VF13qo+W2rtenb56Z

Score
9/10
evasionpersistencespywarestealerthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 13 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 12 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SAT-20220411-89287719adm-Reporte_Estado_Planilla_PDF.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2452
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding FD2AAC869D179290158D93F8A6AF8499
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4676
      • C:\Users\Admin\AppData\Roaming\RG9f5HT6g\Gex.5.exe
        "C:\Users\Admin\AppData\Roaming\RG9f5HT6g\Gex.5.exe" "C:\Users\Admin\AppData\Roaming\RG9f5HT6g\Gex.5.ahk"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Modifies Internet Explorer settings
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3080

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ae358a8.dll
    Filesize

    8KB

    MD5

    d8f4ab8284f0fda871d6834e24bc6f37

    SHA1

    641948e44a1dcfd0ef68910768eb4b1ea6b49d10

    SHA256

    c09d0790e550694350b94ca6b077c54f983c135fab8990df5a75462804150912

    SHA512

    f65a916041846718306567d33273c3d0f41e0b26589cf6db46ec6c788ba0d87a708c94979d3bd0609142badca9e7129690b92169a07dcf7cd8c66698827d2fa0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RG9f5HT6g\Gex.5.ahk
    Filesize

    182B

    MD5

    bbe2cf287e5645afb48101ab432e3cb4

    SHA1

    319741df7e197063380ed39d20313983b7602401

    SHA256

    02a66373eca0d21ffce822a61929e335af7ad545f005415119b746f24303d9fe

    SHA512

    ea5d9b40fc04a48e0740406202c02a4ef02a89c187203af88697b12f680391d32fdac499dbab7829aa74409e12c7aef95fa7f901aae51edccc9092da7e6657b7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RG9f5HT6g\Gex.5.exe
    Filesize

    889KB

    MD5

    03c469798bf1827d989f09f346ce95f7

    SHA1

    05e491bc1b8fbfbfdca24b565f2464137f30691e

    SHA256

    de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

    SHA512

    d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RG9f5HT6g\Gex.5.exe
    Filesize

    889KB

    MD5

    03c469798bf1827d989f09f346ce95f7

    SHA1

    05e491bc1b8fbfbfdca24b565f2464137f30691e

    SHA256

    de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

    SHA512

    d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RG9f5HT6g\tolsarycdy.bps
    Filesize

    11.2MB

    MD5

    76a05e82eae0755d7bf13d86725b639c

    SHA1

    cd25473556a098f889c378a615e014add1dc6849

    SHA256

    f9ef5a1498e4dc47df50b7540feac5337d8681283e33fb8531ae61a3c5669b14

    SHA512

    57b7b81daff29cf3fb72b05f4d6f5e1bbc9ad8ea585cff3cc18aba39ab83c296c96ae5c69b69f9ae4b9ea550ca131376f4ea0bdad86a84f3b812b364e7945f82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RG9f5HT6g\tolsarycdy.bps
    Filesize

    11.2MB

    MD5

    76a05e82eae0755d7bf13d86725b639c

    SHA1

    cd25473556a098f889c378a615e014add1dc6849

    SHA256

    f9ef5a1498e4dc47df50b7540feac5337d8681283e33fb8531ae61a3c5669b14

    SHA512

    57b7b81daff29cf3fb72b05f4d6f5e1bbc9ad8ea585cff3cc18aba39ab83c296c96ae5c69b69f9ae4b9ea550ca131376f4ea0bdad86a84f3b812b364e7945f82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RG9f5HT6g\tolsarycdy.bps
    Filesize

    11.2MB

    MD5

    76a05e82eae0755d7bf13d86725b639c

    SHA1

    cd25473556a098f889c378a615e014add1dc6849

    SHA256

    f9ef5a1498e4dc47df50b7540feac5337d8681283e33fb8531ae61a3c5669b14

    SHA512

    57b7b81daff29cf3fb72b05f4d6f5e1bbc9ad8ea585cff3cc18aba39ab83c296c96ae5c69b69f9ae4b9ea550ca131376f4ea0bdad86a84f3b812b364e7945f82

    Download Submit

  • C:\Windows\Installer\MSI6E6E.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI6E6E.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI70B1.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI70B1.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI714F.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI714F.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI719E.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI719E.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI7307.tmp
    Filesize

    6.0MB

    MD5

    e73eae750b0e4a6a1eddb34440003f9b

    SHA1

    1b7f516bb5a5f0e7f62ff500eb7df3bb0c0b85ca

    SHA256

    c22ffa6263aae474c6af450b33793a40adda5eec2b66fd307917c4b650c2d9e1

    SHA512

    9591dbe78ab58232a9ee9b16267fc238dde74a40a3898dc7adf228fda9242e7630922afeb953e7820bf842b46d3529e218482df597f9d63f9b75bd48c187f84a

    Download Submit

  • C:\Windows\Installer\MSI7307.tmp
    Filesize

    6.0MB

    MD5

    e73eae750b0e4a6a1eddb34440003f9b

    SHA1

    1b7f516bb5a5f0e7f62ff500eb7df3bb0c0b85ca

    SHA256

    c22ffa6263aae474c6af450b33793a40adda5eec2b66fd307917c4b650c2d9e1

    SHA512

    9591dbe78ab58232a9ee9b16267fc238dde74a40a3898dc7adf228fda9242e7630922afeb953e7820bf842b46d3529e218482df597f9d63f9b75bd48c187f84a

    Download Submit

  • C:\Windows\Installer\MSI7307.tmp
    Filesize

    6.0MB

    MD5

    e73eae750b0e4a6a1eddb34440003f9b

    SHA1

    1b7f516bb5a5f0e7f62ff500eb7df3bb0c0b85ca

    SHA256

    c22ffa6263aae474c6af450b33793a40adda5eec2b66fd307917c4b650c2d9e1

    SHA512

    9591dbe78ab58232a9ee9b16267fc238dde74a40a3898dc7adf228fda9242e7630922afeb953e7820bf842b46d3529e218482df597f9d63f9b75bd48c187f84a

    Download Submit

  • memory/3080-166-0x0000000004B20000-0x000000000682E000-memory.dmp

    Filesize

    29.1MB

    Download

  • memory/3080-167-0x0000000004B20000-0x000000000682E000-memory.dmp

    Filesize

    29.1MB

    Download

  • memory/3080-162-0x0000000004B20000-0x000000000682E000-memory.dmp

    Filesize

    29.1MB

    Download

  • memory/3080-161-0x0000000004B20000-0x000000000682E000-memory.dmp

    Filesize

    29.1MB

    Download

  • memory/3080-188-0x0000000077BF0000-0x0000000077D93000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3080-169-0x0000000061E00000-0x0000000061EC1000-memory.dmp

    Filesize

    772KB

    Download

  • memory/3080-157-0x0000000077BF0000-0x0000000077D93000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3080-158-0x0000000004B20000-0x000000000682E000-memory.dmp

    Filesize

    29.1MB

    Download

  • memory/3080-163-0x0000000004B20000-0x000000000682E000-memory.dmp

    Filesize

    29.1MB

    Download

  • memory/3080-160-0x0000000004B20000-0x000000000682E000-memory.dmp

    Filesize

    29.1MB

    Download

  • memory/3080-150-0x0000000000000000-mapping.dmp

    Download

  • memory/3080-165-0x0000000004B20000-0x000000000682E000-memory.dmp

    Filesize

    29.1MB

    Download

  • memory/3080-159-0x0000000004B20000-0x000000000682E000-memory.dmp

    Filesize

    29.1MB

    Download

  • memory/3080-164-0x0000000004B20000-0x000000000682E000-memory.dmp

    Filesize

    29.1MB

    Download

  • memory/4676-148-0x0000000003300000-0x00000000040E4000-memory.dmp

    Filesize

    13.9MB

    Download

  • memory/4676-132-0x0000000000000000-mapping.dmp

    Download

  • memory/4676-149-0x0000000003300000-0x00000000040E4000-memory.dmp

    Filesize

    13.9MB

    Download

  • memory/4676-156-0x0000000003300000-0x00000000040E4000-memory.dmp

    Filesize

    13.9MB

    Download

  • memory/4676-144-0x0000000003300000-0x00000000040E4000-memory.dmp

    Filesize

    13.9MB

    Download

  • memory/4676-145-0x0000000003300000-0x00000000040E4000-memory.dmp

    Filesize

    13.9MB

    Download

  • memory/4676-189-0x0000000003300000-0x00000000040E4000-memory.dmp

    Filesize

    13.9MB

    Download

  • memory/4676-147-0x0000000003300000-0x00000000040E4000-memory.dmp

    Filesize

    13.9MB

    Download