4ad88b6a825af9e1eba56356bc13c02c4e49e3af64ff0eb2d09c7aeefe17e1ed

Analysis

max time kernel
100s
max time network
79s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/01/2023, 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SAT-20220411-89287719adm-Reporte_Estado_Planilla_PDF.msi
Size

6.6MB
MD5

6d22f7d0d542224ba270aee85ed8b8d4
SHA1

97d45fe9391164cf6cee64c5a3c93632c491eb07
SHA256

4ad88b6a825af9e1eba56356bc13c02c4e49e3af64ff0eb2d09c7aeefe17e1ed
SHA512

b019cdef7118a13097b22efdb8e316bc1107b7288c63415a4a173b85f7e2b28b98cf73a3df8f6058131fa9db3be341ed11ca56bf4db02e26300fd0c98f27c6ad
SSDEEP

196608:V60PcuP3qU02+cr7J2F9J7htUZnb1H6d/:VF13qo+W2rtenb56Z

Score

9^/10

collection evasion persistence spyware stealer themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GEm.k.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	956	MsiExec.exe
6	956	MsiExec.exe
7	956	MsiExec.exe

Executes dropped EXE 1 IoCs

pid	Process
1548	GEm.k.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GEm.k.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GEm.k.exe

Loads dropped DLL 7 IoCs

pid	Process
956	MsiExec.exe
956	MsiExec.exe
956	MsiExec.exe
956	MsiExec.exe
956	MsiExec.exe
1548	GEm.k.exe
1548	GEm.k.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0006000000014463-77.dat	themida
behavioral1/files/0x0006000000014463-78.dat	themida
behavioral1/memory/1548-80-0x0000000003220000-0x0000000004F2E000-memory.dmp	themida
behavioral1/memory/1548-81-0x0000000003220000-0x0000000004F2E000-memory.dmp	themida
behavioral1/memory/1548-82-0x0000000003220000-0x0000000004F2E000-memory.dmp	themida
behavioral1/memory/1548-83-0x0000000003220000-0x0000000004F2E000-memory.dmp	themida
behavioral1/memory/1548-84-0x0000000003220000-0x0000000004F2E000-memory.dmp	themida
behavioral1/memory/1548-85-0x0000000003220000-0x0000000004F2E000-memory.dmp	themida
behavioral1/memory/1548-86-0x0000000003220000-0x0000000004F2E000-memory.dmp	themida
behavioral1/memory/1548-87-0x0000000003220000-0x0000000004F2E000-memory.dmp	themida
behavioral1/memory/1548-88-0x0000000003220000-0x0000000004F2E000-memory.dmp	themida
behavioral1/memory/1548-89-0x0000000003220000-0x0000000004F2E000-memory.dmp	themida

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\qQJMcol = "\"C:\\Users\\Admin\\AppData\\Roaming\\gDux7Pu9s\\GEm.k.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\gDux7Pu9s\\GEm.k.ahk\" "	MsiExec.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GEm.k.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io
4	ipinfo.io
9	ipinfo.io

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
956	MsiExec.exe
1548	GEm.k.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI7BB6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E84.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85F7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c7afd.ipi	msiexec.exe
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File created	C:\Windows\Installer\6c7afb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F12.tmp	msiexec.exe
File created	C:\Windows\Installer\6c7afd.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85C7.tmp	msiexec.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\Installer\6c7afb.msi	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask = "No"	GEm.k.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "No"	GEm.k.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords = "No"	GEm.k.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063062-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063071-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E5-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D4-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DF-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F6-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304A-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\ = "_ViewField"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303E-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046}\ = "MAPIFolder"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C7-0000-0000-C000-000000000046}\ = "_Store"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E5-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\ = "Selection"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063041-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A7-0000-0000-C000-000000000046}\ = "ItemProperty"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063078-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\ = "_OlkOptionButton"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303F-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EE-0000-0000-C000-000000000046}\ = "_NotesModule"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E3-0000-0000-C000-000000000046}\ = "_Category"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063086-0000-0000-C000-000000000046}\ = "SyncObjects"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303D-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FB-0000-0000-C000-000000000046}\ = "_FromRssFeedRuleCondition"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CA-0000-0000-C000-000000000046}\ = "_ExchangeDistributionList"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063102-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C8-0000-0000-C000-000000000046}\ = "_SelectNamesDialog"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DB-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E3-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307F-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063001-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F4-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063096-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C5-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046}\ = "_AttachmentSelection"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063095-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302A-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EF-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1548	GEm.k.exe
1924	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1256	msiexec.exe
1256	msiexec.exe
956	MsiExec.exe
956	MsiExec.exe
1548	GEm.k.exe
956	MsiExec.exe
956	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1268	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1256	msiexec.exe
Token: SeTakeOwnershipPrivilege	1256	msiexec.exe
Token: SeSecurityPrivilege	1256	msiexec.exe
Token: SeCreateTokenPrivilege	1268	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1268	msiexec.exe
Token: SeLockMemoryPrivilege	1268	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1268	msiexec.exe
Token: SeMachineAccountPrivilege	1268	msiexec.exe
Token: SeTcbPrivilege	1268	msiexec.exe
Token: SeSecurityPrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeLoadDriverPrivilege	1268	msiexec.exe
Token: SeSystemProfilePrivilege	1268	msiexec.exe
Token: SeSystemtimePrivilege	1268	msiexec.exe
Token: SeProfSingleProcessPrivilege	1268	msiexec.exe
Token: SeIncBasePriorityPrivilege	1268	msiexec.exe
Token: SeCreatePagefilePrivilege	1268	msiexec.exe
Token: SeCreatePermanentPrivilege	1268	msiexec.exe
Token: SeBackupPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeShutdownPrivilege	1268	msiexec.exe
Token: SeDebugPrivilege	1268	msiexec.exe
Token: SeAuditPrivilege	1268	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1268	msiexec.exe
Token: SeChangeNotifyPrivilege	1268	msiexec.exe
Token: SeRemoteShutdownPrivilege	1268	msiexec.exe
Token: SeUndockPrivilege	1268	msiexec.exe
Token: SeSyncAgentPrivilege	1268	msiexec.exe
Token: SeEnableDelegationPrivilege	1268	msiexec.exe
Token: SeManageVolumePrivilege	1268	msiexec.exe
Token: SeImpersonatePrivilege	1268	msiexec.exe
Token: SeCreateGlobalPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1256	msiexec.exe
Token: SeTakeOwnershipPrivilege	1256	msiexec.exe
Token: SeRestorePrivilege	1256	msiexec.exe
Token: SeTakeOwnershipPrivilege	1256	msiexec.exe
Token: SeRestorePrivilege	1256	msiexec.exe
Token: SeTakeOwnershipPrivilege	1256	msiexec.exe
Token: SeRestorePrivilege	1256	msiexec.exe
Token: SeTakeOwnershipPrivilege	1256	msiexec.exe
Token: SeRestorePrivilege	1256	msiexec.exe
Token: SeTakeOwnershipPrivilege	1256	msiexec.exe
Token: SeRestorePrivilege	1256	msiexec.exe
Token: SeTakeOwnershipPrivilege	1256	msiexec.exe
Token: SeRestorePrivilege	1256	msiexec.exe
Token: SeTakeOwnershipPrivilege	1256	msiexec.exe
Token: SeRestorePrivilege	1256	msiexec.exe
Token: SeTakeOwnershipPrivilege	1256	msiexec.exe
Token: SeRestorePrivilege	1256	msiexec.exe
Token: SeTakeOwnershipPrivilege	1256	msiexec.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1268	msiexec.exe
1548	GEm.k.exe
1548	GEm.k.exe
1548	GEm.k.exe
1268	msiexec.exe
1924	OUTLOOK.EXE
1924	OUTLOOK.EXE
1924	OUTLOOK.EXE

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1548	GEm.k.exe
1548	GEm.k.exe
1548	GEm.k.exe
1924	OUTLOOK.EXE
1924	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1924	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 956	1256	msiexec.exe	27
PID 1256 wrote to memory of 956	1256	msiexec.exe	27
PID 1256 wrote to memory of 956	1256	msiexec.exe	27
PID 1256 wrote to memory of 956	1256	msiexec.exe	27
PID 1256 wrote to memory of 956	1256	msiexec.exe	27
PID 1256 wrote to memory of 956	1256	msiexec.exe	27
PID 1256 wrote to memory of 956	1256	msiexec.exe	27
PID 956 wrote to memory of 1548	956	MsiExec.exe	30
PID 956 wrote to memory of 1548	956	MsiExec.exe	30
PID 956 wrote to memory of 1548	956	MsiExec.exe	30
PID 956 wrote to memory of 1548	956	MsiExec.exe	30

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SAT-20220411-89287719adm-Reporte_Estado_Planilla_PDF.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1268

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5FA73C4929B2B20E597DD92E4DC48C56
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Users\Admin\AppData\Roaming\gDux7Pu9s\GEm.k.exe
    "C:\Users\Admin\AppData\Roaming\gDux7Pu9s\GEm.k.exe" "C:\Users\Admin\AppData\Roaming\gDux7Pu9s\GEm.k.ahk"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1548

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- outlook_win_path
PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gDux7Pu9s\GEm.k.ahk

Filesize
182B

MD5
bbe2cf287e5645afb48101ab432e3cb4

SHA1
319741df7e197063380ed39d20313983b7602401

SHA256
02a66373eca0d21ffce822a61929e335af7ad545f005415119b746f24303d9fe

SHA512
ea5d9b40fc04a48e0740406202c02a4ef02a89c187203af88697b12f680391d32fdac499dbab7829aa74409e12c7aef95fa7f901aae51edccc9092da7e6657b7

Download Submit
C:\Users\Admin\AppData\Roaming\gDux7Pu9s\GEm.k.exe

Filesize
889KB

MD5
03c469798bf1827d989f09f346ce95f7

SHA1
05e491bc1b8fbfbfdca24b565f2464137f30691e

SHA256
de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

SHA512
d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

Download Submit
C:\Users\Admin\AppData\Roaming\gDux7Pu9s\tolsarycdy.bps

Filesize
11.2MB

MD5
76a05e82eae0755d7bf13d86725b639c

SHA1
cd25473556a098f889c378a615e014add1dc6849

SHA256
f9ef5a1498e4dc47df50b7540feac5337d8681283e33fb8531ae61a3c5669b14

SHA512
57b7b81daff29cf3fb72b05f4d6f5e1bbc9ad8ea585cff3cc18aba39ab83c296c96ae5c69b69f9ae4b9ea550ca131376f4ea0bdad86a84f3b812b364e7945f82

Download Submit
C:\Windows\Installer\MSI7BB6.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
C:\Windows\Installer\MSI7E84.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
C:\Windows\Installer\MSI7F12.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
C:\Windows\Installer\MSI85F7.tmp

Filesize
6.0MB

MD5
e73eae750b0e4a6a1eddb34440003f9b

SHA1
1b7f516bb5a5f0e7f62ff500eb7df3bb0c0b85ca

SHA256
c22ffa6263aae474c6af450b33793a40adda5eec2b66fd307917c4b650c2d9e1

SHA512
9591dbe78ab58232a9ee9b16267fc238dde74a40a3898dc7adf228fda9242e7630922afeb953e7820bf842b46d3529e218482df597f9d63f9b75bd48c187f84a

Download Submit
\Users\Admin\AppData\Local\Temp\7ae358a8.dll

Filesize
8KB

MD5
d8f4ab8284f0fda871d6834e24bc6f37

SHA1
641948e44a1dcfd0ef68910768eb4b1ea6b49d10

SHA256
c09d0790e550694350b94ca6b077c54f983c135fab8990df5a75462804150912

SHA512
f65a916041846718306567d33273c3d0f41e0b26589cf6db46ec6c788ba0d87a708c94979d3bd0609142badca9e7129690b92169a07dcf7cd8c66698827d2fa0

Download Submit
\Users\Admin\AppData\Roaming\gDux7Pu9s\GEm.k.exe

Filesize
889KB

MD5
03c469798bf1827d989f09f346ce95f7

SHA1
05e491bc1b8fbfbfdca24b565f2464137f30691e

SHA256
de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

SHA512
d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

Download Submit
\Users\Admin\AppData\Roaming\gDux7Pu9s\tolsarycdy.bps

Filesize
11.2MB

MD5
76a05e82eae0755d7bf13d86725b639c

SHA1
cd25473556a098f889c378a615e014add1dc6849

SHA256
f9ef5a1498e4dc47df50b7540feac5337d8681283e33fb8531ae61a3c5669b14

SHA512
57b7b81daff29cf3fb72b05f4d6f5e1bbc9ad8ea585cff3cc18aba39ab83c296c96ae5c69b69f9ae4b9ea550ca131376f4ea0bdad86a84f3b812b364e7945f82

Download Submit
\Windows\Installer\MSI7BB6.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
\Windows\Installer\MSI7E84.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
\Windows\Installer\MSI7F12.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
\Windows\Installer\MSI85F7.tmp

Filesize
6.0MB

MD5
e73eae750b0e4a6a1eddb34440003f9b

SHA1
1b7f516bb5a5f0e7f62ff500eb7df3bb0c0b85ca

SHA256
c22ffa6263aae474c6af450b33793a40adda5eec2b66fd307917c4b650c2d9e1

SHA512
9591dbe78ab58232a9ee9b16267fc238dde74a40a3898dc7adf228fda9242e7630922afeb953e7820bf842b46d3529e218482df597f9d63f9b75bd48c187f84a

Download Submit
memory/956-70-0x0000000002640000-0x000000000328A000-memory.dmp

Filesize
12.3MB

Download
memory/956-71-0x0000000002640000-0x000000000328A000-memory.dmp

Filesize
12.3MB

Download
memory/956-69-0x0000000002640000-0x000000000328A000-memory.dmp

Filesize
12.3MB

Download
memory/956-111-0x0000000002640000-0x000000000328A000-memory.dmp

Filesize
12.3MB

Download
memory/956-67-0x0000000002640000-0x000000000328A000-memory.dmp

Filesize
12.3MB

Download
memory/956-66-0x0000000002E1F000-0x0000000003423000-memory.dmp

Filesize
6.0MB

Download
memory/956-57-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1268-54-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

Filesize
8KB

Download
memory/1548-85-0x0000000003220000-0x0000000004F2E000-memory.dmp

Filesize
29.1MB

Download
memory/1548-89-0x0000000003220000-0x0000000004F2E000-memory.dmp

Filesize
29.1MB

Download
memory/1548-82-0x0000000003220000-0x0000000004F2E000-memory.dmp

Filesize
29.1MB

Download
memory/1548-83-0x0000000003220000-0x0000000004F2E000-memory.dmp

Filesize
29.1MB

Download
memory/1548-84-0x0000000003220000-0x0000000004F2E000-memory.dmp

Filesize
29.1MB

Download
memory/1548-80-0x0000000003220000-0x0000000004F2E000-memory.dmp

Filesize
29.1MB

Download
memory/1548-86-0x0000000003220000-0x0000000004F2E000-memory.dmp

Filesize
29.1MB

Download
memory/1548-87-0x0000000003220000-0x0000000004F2E000-memory.dmp

Filesize
29.1MB

Download
memory/1548-88-0x0000000003220000-0x0000000004F2E000-memory.dmp

Filesize
29.1MB

Download
memory/1548-81-0x0000000003220000-0x0000000004F2E000-memory.dmp

Filesize
29.1MB

Download
memory/1548-91-0x0000000061E00000-0x0000000061EC1000-memory.dmp

Filesize
772KB

Download
memory/1548-79-0x0000000077440000-0x00000000775C0000-memory.dmp

Filesize
1.5MB

Download
memory/1548-110-0x0000000077440000-0x00000000775C0000-memory.dmp

Filesize
1.5MB

Download
memory/1924-112-0x0000000072671000-0x0000000072673000-memory.dmp

Filesize
8KB

Download
memory/1924-113-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1924-115-0x000000007365D000-0x0000000073668000-memory.dmp

Filesize
44KB

Download
memory/1924-116-0x000000006CE91000-0x000000006CE93000-memory.dmp

Filesize
8KB

Download
memory/1924-117-0x000000006C751000-0x000000006C753000-memory.dmp

Filesize
8KB

Download
memory/1924-118-0x000000007365D000-0x0000000073668000-memory.dmp

Filesize
44KB

Download