5d12af1bcac2c14156deada92e22d0dc7872ab548d343d97e7f58d4e4f84a653

Analysis

max time kernel
98s
max time network
69s
platform
windows7_x64
resource
win7-20220812-es
resource tags

arch:x64arch:x86image:win7-20220812-eslocale:es-esos:windows7-x64systemwindows
submitted
13/02/2023, 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Processo 09-02-2023 dfyc.msi
Size

48.1MB
MD5

38da942ba4401ee52f663781ddded2ca
SHA1

b4ae66a99499dd02cc21cb6b3e22463db7fa67f0
SHA256

9e9dbb8ac378eaf561a1d2ceef411cc3bd0e225f649f9c2de5f7eff05bde54ef
SHA512

43624f63bcb83534c8f8fb8955dd1b88447ad3f218ce78751cb7863990b8407d9d2669e85354325f8621ede078f8d0cbd228df90a3431e030b25af5364d85e22
SSDEEP

786432:LVB9oDvwu7MpTmGXKq9QVgglClybzPnrQsdkJQBqm:LH9oDwuopTmGL9OgNyE6Ggqm

Score

8^/10

upx

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	1532	msiexec.exe
3	1164	msiexec.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000013a0e-66.dat	acprotect
behavioral1/files/0x0007000000013a0e-67.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
452	MsiExec.exe
452	MsiExec.exe
452	MsiExec.exe
452	MsiExec.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000013a0e-66.dat	upx
behavioral1/files/0x0007000000013a0e-67.dat	upx
behavioral1/memory/452-68-0x0000000002600000-0x00000000032B2000-memory.dmp	upx
behavioral1/memory/452-69-0x0000000002600000-0x00000000032B2000-memory.dmp	upx

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2F66.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c1ed7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI27F5.tmp	msiexec.exe
File created	C:\Windows\Installer\6c1ed9.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI30DE.tmp	msiexec.exe
File created	C:\Windows\Installer\6c1ed7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2536.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2873.tmp	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1164	msiexec.exe
1164	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
452	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1532	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1532	msiexec.exe
Token: SeRestorePrivilege	1164	msiexec.exe
Token: SeTakeOwnershipPrivilege	1164	msiexec.exe
Token: SeSecurityPrivilege	1164	msiexec.exe
Token: SeCreateTokenPrivilege	1532	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1532	msiexec.exe
Token: SeLockMemoryPrivilege	1532	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1532	msiexec.exe
Token: SeMachineAccountPrivilege	1532	msiexec.exe
Token: SeTcbPrivilege	1532	msiexec.exe
Token: SeSecurityPrivilege	1532	msiexec.exe
Token: SeTakeOwnershipPrivilege	1532	msiexec.exe
Token: SeLoadDriverPrivilege	1532	msiexec.exe
Token: SeSystemProfilePrivilege	1532	msiexec.exe
Token: SeSystemtimePrivilege	1532	msiexec.exe
Token: SeProfSingleProcessPrivilege	1532	msiexec.exe
Token: SeIncBasePriorityPrivilege	1532	msiexec.exe
Token: SeCreatePagefilePrivilege	1532	msiexec.exe
Token: SeCreatePermanentPrivilege	1532	msiexec.exe
Token: SeBackupPrivilege	1532	msiexec.exe
Token: SeRestorePrivilege	1532	msiexec.exe
Token: SeShutdownPrivilege	1532	msiexec.exe
Token: SeDebugPrivilege	1532	msiexec.exe
Token: SeAuditPrivilege	1532	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1532	msiexec.exe
Token: SeChangeNotifyPrivilege	1532	msiexec.exe
Token: SeRemoteShutdownPrivilege	1532	msiexec.exe
Token: SeUndockPrivilege	1532	msiexec.exe
Token: SeSyncAgentPrivilege	1532	msiexec.exe
Token: SeEnableDelegationPrivilege	1532	msiexec.exe
Token: SeManageVolumePrivilege	1532	msiexec.exe
Token: SeImpersonatePrivilege	1532	msiexec.exe
Token: SeCreateGlobalPrivilege	1532	msiexec.exe
Token: SeRestorePrivilege	1164	msiexec.exe
Token: SeTakeOwnershipPrivilege	1164	msiexec.exe
Token: SeRestorePrivilege	1164	msiexec.exe
Token: SeTakeOwnershipPrivilege	1164	msiexec.exe
Token: SeRestorePrivilege	1164	msiexec.exe
Token: SeTakeOwnershipPrivilege	1164	msiexec.exe
Token: SeRestorePrivilege	1164	msiexec.exe
Token: SeTakeOwnershipPrivilege	1164	msiexec.exe
Token: SeRestorePrivilege	1164	msiexec.exe
Token: SeTakeOwnershipPrivilege	1164	msiexec.exe
Token: SeRestorePrivilege	1164	msiexec.exe
Token: SeTakeOwnershipPrivilege	1164	msiexec.exe
Token: SeRestorePrivilege	1164	msiexec.exe
Token: SeTakeOwnershipPrivilege	1164	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1532	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 452	1164	msiexec.exe	29
PID 1164 wrote to memory of 452	1164	msiexec.exe	29
PID 1164 wrote to memory of 452	1164	msiexec.exe	29
PID 1164 wrote to memory of 452	1164	msiexec.exe	29
PID 1164 wrote to memory of 452	1164	msiexec.exe	29
PID 1164 wrote to memory of 452	1164	msiexec.exe	29
PID 1164 wrote to memory of 452	1164	msiexec.exe	29

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Processo 09-02-2023 dfyc.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1532

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FC29A5D4E9DDDF1585631781B2DB76F3
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d5a36a81e5302309ae19ceb580deb46

SHA1
3f04acf2f090dec3a001f07c0a9eab6d0c7fa9a5

SHA256
9441705df9c62ca771c6cba6b9d671f5e5d43bb673b6ab37ab4bbb49fa2008d8

SHA512
30f47f32407ddc89cdbc87f5ca14268a2f2d809333ae2fe278e0168b4b4d8fd1a16a089e47241d771913d6d32b076919a40986c48b84963f295702d3d1a03f94

Download Submit
C:\Windows\Installer\MSI2536.tmp

Filesize
381KB

MD5
e2b1df34e19a3ce763747b12ab33fdd2

SHA1
e9cc67780be7e148950870ee4a812349b6255f39

SHA256
14daaf1090e11ab1abb01c0bd48d5435c617da9bb5a4dd019df8a5813ed3b3e8

SHA512
a0301667b341a5806f7a6eccde40c22f48749d7002ea9d6a656df36088a6c5398466c259a5d1e6a8457f1468f56a220b1490f34c25859172cf8cf5e0d263eff0

Download Submit
C:\Windows\Installer\MSI27F5.tmp

Filesize
381KB

MD5
e2b1df34e19a3ce763747b12ab33fdd2

SHA1
e9cc67780be7e148950870ee4a812349b6255f39

SHA256
14daaf1090e11ab1abb01c0bd48d5435c617da9bb5a4dd019df8a5813ed3b3e8

SHA512
a0301667b341a5806f7a6eccde40c22f48749d7002ea9d6a656df36088a6c5398466c259a5d1e6a8457f1468f56a220b1490f34c25859172cf8cf5e0d263eff0

Download Submit
C:\Windows\Installer\MSI2873.tmp

Filesize
381KB

MD5
e2b1df34e19a3ce763747b12ab33fdd2

SHA1
e9cc67780be7e148950870ee4a812349b6255f39

SHA256
14daaf1090e11ab1abb01c0bd48d5435c617da9bb5a4dd019df8a5813ed3b3e8

SHA512
a0301667b341a5806f7a6eccde40c22f48749d7002ea9d6a656df36088a6c5398466c259a5d1e6a8457f1468f56a220b1490f34c25859172cf8cf5e0d263eff0

Download Submit
C:\Windows\Installer\MSI30DE.tmp

Filesize
26.5MB

MD5
dd735cf27f5e3d684e3112f15f442dfc

SHA1
17efa740cdb76b6c59cc90f16b7693d7b3742785

SHA256
65cdb22633adb79b4904e3e14e843c16a3f7c13546e93679f29f0c57a195a851

SHA512
5ef3ad3e488027c9261a15f167aded8ce45428b36b4040c4149d34a709a008a8baaa8b474f01b9a4fd5eeb9a92a5027d71560867909183a82751b7b6ae0fc944

Download Submit
\Windows\Installer\MSI2536.tmp

Filesize
381KB

MD5
e2b1df34e19a3ce763747b12ab33fdd2

SHA1
e9cc67780be7e148950870ee4a812349b6255f39

SHA256
14daaf1090e11ab1abb01c0bd48d5435c617da9bb5a4dd019df8a5813ed3b3e8

SHA512
a0301667b341a5806f7a6eccde40c22f48749d7002ea9d6a656df36088a6c5398466c259a5d1e6a8457f1468f56a220b1490f34c25859172cf8cf5e0d263eff0

Download Submit
\Windows\Installer\MSI27F5.tmp

Filesize
381KB

MD5
e2b1df34e19a3ce763747b12ab33fdd2

SHA1
e9cc67780be7e148950870ee4a812349b6255f39

SHA256
14daaf1090e11ab1abb01c0bd48d5435c617da9bb5a4dd019df8a5813ed3b3e8

SHA512
a0301667b341a5806f7a6eccde40c22f48749d7002ea9d6a656df36088a6c5398466c259a5d1e6a8457f1468f56a220b1490f34c25859172cf8cf5e0d263eff0

Download Submit
\Windows\Installer\MSI2873.tmp

Filesize
381KB

MD5
e2b1df34e19a3ce763747b12ab33fdd2

SHA1
e9cc67780be7e148950870ee4a812349b6255f39

SHA256
14daaf1090e11ab1abb01c0bd48d5435c617da9bb5a4dd019df8a5813ed3b3e8

SHA512
a0301667b341a5806f7a6eccde40c22f48749d7002ea9d6a656df36088a6c5398466c259a5d1e6a8457f1468f56a220b1490f34c25859172cf8cf5e0d263eff0

Download Submit
\Windows\Installer\MSI30DE.tmp

Filesize
26.5MB

MD5
dd735cf27f5e3d684e3112f15f442dfc

SHA1
17efa740cdb76b6c59cc90f16b7693d7b3742785

SHA256
65cdb22633adb79b4904e3e14e843c16a3f7c13546e93679f29f0c57a195a851

SHA512
5ef3ad3e488027c9261a15f167aded8ce45428b36b4040c4149d34a709a008a8baaa8b474f01b9a4fd5eeb9a92a5027d71560867909183a82751b7b6ae0fc944

Download Submit
memory/452-59-0x0000000075E71000-0x0000000075E73000-memory.dmp

Filesize
8KB

Download
memory/452-68-0x0000000002600000-0x00000000032B2000-memory.dmp

Filesize
12.7MB

Download
memory/452-69-0x0000000002600000-0x00000000032B2000-memory.dmp

Filesize
12.7MB

Download
memory/1532-54-0x000007FEFBC21000-0x000007FEFBC23000-memory.dmp

Filesize
8KB

Download