Analysis

max time kernel: 897s
max time network: 923s
platform: windows7_x64
resource: win7-20220812-es
resource tags: arch:x64, arch:x86, image:win7-20220812-es, locale:es-es, os:windows7-x64, system:windows
submitted: 11/02/2023, 02:11
Static task: static1

Behavioral task: behavioral1
  Sample: correioseletronicoHXLKWUGYEZDZ.msi
  Resource: win10-20220812-es

Behavioral task: behavioral2
  Sample: correioseletronicoHXLKWUGYEZDZ.msi
  Resource: win7-20220812-es
General

Target: correioseletronicoHXLKWUGYEZDZ.msi
Size: 21.2MB
MD5: bf8e278fdcb2510822c07b45281eb7c1
SHA1: c937f2370260ff90367bb52c90db783eb112899b
SHA256: cb704305afe6f0f5869d8cabc63437fae2ec58293661d3ad486d3d77f83d7bca
SHA512: 68bea78f6270ce245ca9429d9bb60ed7e0d455870d53f243f72b0581a082724bb1f4dc6e4a54a6acd46cd1db6c1de1835caf83f3fe1b88dd41f3b078b5b7872f
SSDEEP: 393216:qZe+/s2bE9uf7bQRLbiKn0M3bhVKQnYjNJdRkDEmtHg:+bE91biCoQr4me
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid | Process
  1176 | g2mupload.exe

Loads dropped DLL (4 IoCs)
  pid | Process
  960 | MsiExec.exe
  960 | MsiExec.exe
  960 | MsiExec.exe
  1176 | g2mupload.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Users\\Admin\\AppData\\Roaming\\gerando liberacao\\gerando liberacao\\g2mupload.exe" | g2mupload.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgffgddd = "C:\\Users\\Admin\\AppData\\Roaming\\gerando liberacao\\gerando liberacao\\g2mupload.exe" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | g2mupload.exe

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (every drive letter except C: and D:, two entries per letter) | msiexec.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  1176 | g2mupload.exe
  1176 | g2mupload.exe

Drops file in Windows directory (9 IoCs)
  description | ioc | Process
  File created | C:\Windows\Installer\6c4647.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File opened for modification | C:\Windows\Installer\6c4645.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI50A1.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI5478.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI5573.tmp | msiexec.exe
  File created | C:\Windows\Installer\6c4645.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI5E0C.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\6c4647.ipi | msiexec.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
  description | flow | ioc
  HTTP User-Agent header | 3 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  1696 | msiexec.exe
  1696 | msiexec.exe
  1176 | g2mupload.exe
  1176 | g2mupload.exe
  1176 | g2mupload.exe
  1176 | g2mupload.exe
  1176 | g2mupload.exe
  1176 | g2mupload.exe

Suspicious use of AdjustPrivilegeToken (50 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 1312 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 1312 | msiexec.exe
  Token: SeCreateTokenPrivilege | 1312 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 1312 | msiexec.exe
  Token: SeLockMemoryPrivilege | 1312 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 1312 | msiexec.exe
  Token: SeMachineAccountPrivilege | 1312 | msiexec.exe
  Token: SeTcbPrivilege | 1312 | msiexec.exe
  Token: SeSecurityPrivilege | 1312 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1312 | msiexec.exe
  Token: SeLoadDriverPrivilege | 1312 | msiexec.exe
  Token: SeSystemProfilePrivilege | 1312 | msiexec.exe
  Token: SeSystemtimePrivilege | 1312 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 1312 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 1312 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 1312 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 1312 | msiexec.exe
  Token: SeBackupPrivilege | 1312 | msiexec.exe
  Token: SeRestorePrivilege | 1312 | msiexec.exe
  Token: SeShutdownPrivilege | 1312 | msiexec.exe
  Token: SeDebugPrivilege | 1312 | msiexec.exe
  Token: SeAuditPrivilege | 1312 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 1312 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 1312 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 1312 | msiexec.exe
  Token: SeUndockPrivilege | 1312 | msiexec.exe
  Token: SeSyncAgentPrivilege | 1312 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 1312 | msiexec.exe
  Token: SeManageVolumePrivilege | 1312 | msiexec.exe
  Token: SeImpersonatePrivilege | 1312 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 1312 | msiexec.exe
  Token: SeSecurityPrivilege | 1696 | msiexec.exe
  Token: SeRestorePrivilege | 1696 | msiexec.exe (9 entries)
  Token: SeTakeOwnershipPrivilege | 1696 | msiexec.exe (9 entries)

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  1312 | msiexec.exe
  1312 | msiexec.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 1696 wrote to memory of 960 | 1696 | msiexec.exe | 29 (7 entries)
  PID 1696 wrote to memory of 1176 | 1696 | msiexec.exe | 30 (4 entries)
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\correioseletronicoHXLKWUGYEZDZ.msi
  PID: 1312
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1696
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Child: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 03DFA733F1C9275474FCDB2457296AE9
    PID: 960
    - Loads dropped DLL

  Child: C:\Users\Admin\AppData\Roaming\gerando liberacao\gerando liberacao\g2mupload.exe
    Command line: "C:\Users\Admin\AppData\Roaming\gerando liberacao\gerando liberacao\g2mupload.exe"
    PID: 1176
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1147.5MB
MD5: be81e3359b843ef8912ac56f8005eada
SHA1: 86ef5591fa00f256294540a3693ef5b090ce8bba
SHA256: bb4c852286b9e19038d7dc29b232aa5299bfd2562ba9b12398a986b13498818a
SHA512: f645079c8c2d100d264ea2d77ed6934c5813b0dc80fda336e60765345763c97ddc4b1c48c8211be3c49db02243b9d7aab6412f89d9374339594281539d600b9a
Filesize: 30KB
MD5: 2bd61ee91994b3e9f9ebc002498d02ea
SHA1: 5a85836809782f06a6cdf8bcff5fa86f1b2cb315
SHA256: 07762231da2a8ce1dd2a211c49a27a2f06d7d2b7d5426fc5b6b114f845f1eca6
SHA512: 6e52884592c364a42f1acf2bbd7b867004f232e323e7673bce99e1ddaf39b32986d44120ab26d943e40105a2d2d870d003493154b46b9230921665a4719dd9f5
Filesize: 557KB
MD5: 2c9c51ac508570303c6d46c0571ea3a1
SHA1: e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256: ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512: df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127