Overview

overview

7

Static

static

1

Nota-LG-em...qt.msi

windows7-x64

7

Nota-LG-em...qt.msi

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/03/2023, 10:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nota-LG-emitida-13488mhqt.msi

  • Size

    9.0MB

  • MD5

    1a451514d9b14181632c245331206894

  • SHA1

    9a0d7e3bbe5d4730af5fde8db005a6c86956f6cf

  • SHA256

    271c7dc9cd5156fcd76a9fd705b4bf3120ea64c05e8d771549b3d445b044348b

  • SHA512

    cd8c3ce8ecbe706c7485e0aeae96ca2ca195582c3a62979ebcfe1ee76720eb64b15366de6288b1f0f1abc1cb87b40a3e788f3c659c4820fe1e79fba9bc905966

  • SSDEEP

    196608:l0ZlBE1BdPeMytDLOvoeneHR3EltRKOi/kVyuNGIwRbxn2eKCXd3/:lofsBFZ+SFeHNmgV/kAuNGIwRF2gd

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Nota-LG-emitida-13488mhqt.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4836
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 3F169414939C0395E19ABAD280A1CA63
      2⤵
      • Loads dropped DLL
      PID:4804
    • C:\Users\Admin\AppData\Roaming\abd1ª.exe
      "C:\Users\Admin\AppData\Roaming\abd1ª.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4584
    • C:\Users\Admin\AppData\Roaming\abd1ª.exe
      "C:\Users\Admin\AppData\Roaming\abd1ª.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4612

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e567c3b.rbs
    Filesize

    1KB

    MD5

    a06563b4c83485482e8858c71df84be3

    SHA1

    f19bce63bd2442d5a1a90ec1827cdbd8aff0bfc2

    SHA256

    93f5d5b4c85827ee3766b7c8b313a4b2cdace141ab9b7def55adb31681f873f9

    SHA512

    b3452162faacadb28b360e514f5f481c640073f323488297962d289767bf0a97a58f097a1e76f821d5a067a11d24e34195e791045d7798b4691085fc218c1a5a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI67a17.LOG
    Filesize

    20KB

    MD5

    1d19463226e2e06a9e2513ca1604c96d

    SHA1

    abc19753b468f1bdf08e6debe11f8c9ee017b831

    SHA256

    ab29c633bfb85a284dac3b4a41d52b2fa2a72e4975ae729766691f1c45d89ec5

    SHA512

    7621f6878c1131b667ec45e53106aa39843474ec522f237f52e8fea0e1244361ac602ff35639c3117ea3462621d1ccce6519ecec720cad307b9dc7c9a2f0321b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WebUI.dll
    Filesize

    7.1MB

    MD5

    415c575c70b7adafd6aac19a61b3b0b8

    SHA1

    17381a4ac3f19a7c5bf60f33e377e134b95e6948

    SHA256

    22f6b6629649c16daf79e61ba167a03039d8045765f3207352b82a7f252aa3aa

    SHA512

    9afd33668b101da84dae35824ffd2f59448066e780217d6fb1d461c06872e09ad74b31ebdadb8984a92f3932b1cba0aa76fd13adad90d39fa660c3e27c8352dc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WebUI.dll
    Filesize

    7.1MB

    MD5

    415c575c70b7adafd6aac19a61b3b0b8

    SHA1

    17381a4ac3f19a7c5bf60f33e377e134b95e6948

    SHA256

    22f6b6629649c16daf79e61ba167a03039d8045765f3207352b82a7f252aa3aa

    SHA512

    9afd33668b101da84dae35824ffd2f59448066e780217d6fb1d461c06872e09ad74b31ebdadb8984a92f3932b1cba0aa76fd13adad90d39fa660c3e27c8352dc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WebUI.dll
    Filesize

    7.1MB

    MD5

    415c575c70b7adafd6aac19a61b3b0b8

    SHA1

    17381a4ac3f19a7c5bf60f33e377e134b95e6948

    SHA256

    22f6b6629649c16daf79e61ba167a03039d8045765f3207352b82a7f252aa3aa

    SHA512

    9afd33668b101da84dae35824ffd2f59448066e780217d6fb1d461c06872e09ad74b31ebdadb8984a92f3932b1cba0aa76fd13adad90d39fa660c3e27c8352dc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\abd1ª.exe
    Filesize

    1.8MB

    MD5

    fefc27dc49a252727e5cdf333c5643b4

    SHA1

    260e9797baec142f764bcf35af7a0917805f0b98

    SHA256

    633d363baa5dd8b6353676843204ab91f899ab55b6e159cad39d24a459ff527b

    SHA512

    b37ac4fce06ea1bbd6400f46fa1af5c7d3e0c7da92242dd790d36d015ebc8121cdbbae739f52672bd8e5c5481ceb15f546fb48a2ca326f113cd34042fb56c5a3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\abd1ª.exe
    Filesize

    1.8MB

    MD5

    fefc27dc49a252727e5cdf333c5643b4

    SHA1

    260e9797baec142f764bcf35af7a0917805f0b98

    SHA256

    633d363baa5dd8b6353676843204ab91f899ab55b6e159cad39d24a459ff527b

    SHA512

    b37ac4fce06ea1bbd6400f46fa1af5c7d3e0c7da92242dd790d36d015ebc8121cdbbae739f52672bd8e5c5481ceb15f546fb48a2ca326f113cd34042fb56c5a3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\abd1ª.exe
    Filesize

    1.8MB

    MD5

    fefc27dc49a252727e5cdf333c5643b4

    SHA1

    260e9797baec142f764bcf35af7a0917805f0b98

    SHA256

    633d363baa5dd8b6353676843204ab91f899ab55b6e159cad39d24a459ff527b

    SHA512

    b37ac4fce06ea1bbd6400f46fa1af5c7d3e0c7da92242dd790d36d015ebc8121cdbbae739f52672bd8e5c5481ceb15f546fb48a2ca326f113cd34042fb56c5a3

    Download Submit

  • C:\Windows\Installer\MSI7CE5.tmp
    Filesize

    578KB

    MD5

    89afe34385ab2b63a7cb0121792be070

    SHA1

    56cdf3f32d03aa4a175fa69a33a21aaf5b42078d

    SHA256

    36e35eafc91451a38ad7e7958156841cd2f004d5791fd862d5afa4d5f9df9103

    SHA512

    14a851b3b4d3b8dbb9a2b3ea84d3c30fc9884a8924af0726a717c68db5e8f5e717dc78ca62e5f455010e46c1fecf294791b89f7426cc14ffdd4c84945518bb9c

    Download Submit

  • C:\Windows\Installer\MSI7CE5.tmp
    Filesize

    578KB

    MD5

    89afe34385ab2b63a7cb0121792be070

    SHA1

    56cdf3f32d03aa4a175fa69a33a21aaf5b42078d

    SHA256

    36e35eafc91451a38ad7e7958156841cd2f004d5791fd862d5afa4d5f9df9103

    SHA512

    14a851b3b4d3b8dbb9a2b3ea84d3c30fc9884a8924af0726a717c68db5e8f5e717dc78ca62e5f455010e46c1fecf294791b89f7426cc14ffdd4c84945518bb9c

    Download Submit

  • C:\Windows\Installer\MSI7F48.tmp
    Filesize

    578KB

    MD5

    89afe34385ab2b63a7cb0121792be070

    SHA1

    56cdf3f32d03aa4a175fa69a33a21aaf5b42078d

    SHA256

    36e35eafc91451a38ad7e7958156841cd2f004d5791fd862d5afa4d5f9df9103

    SHA512

    14a851b3b4d3b8dbb9a2b3ea84d3c30fc9884a8924af0726a717c68db5e8f5e717dc78ca62e5f455010e46c1fecf294791b89f7426cc14ffdd4c84945518bb9c

    Download Submit

  • C:\Windows\Installer\MSI7F48.tmp
    Filesize

    578KB

    MD5

    89afe34385ab2b63a7cb0121792be070

    SHA1

    56cdf3f32d03aa4a175fa69a33a21aaf5b42078d

    SHA256

    36e35eafc91451a38ad7e7958156841cd2f004d5791fd862d5afa4d5f9df9103

    SHA512

    14a851b3b4d3b8dbb9a2b3ea84d3c30fc9884a8924af0726a717c68db5e8f5e717dc78ca62e5f455010e46c1fecf294791b89f7426cc14ffdd4c84945518bb9c

    Download Submit

  • C:\Windows\Installer\MSI8023.tmp
    Filesize

    578KB

    MD5

    89afe34385ab2b63a7cb0121792be070

    SHA1

    56cdf3f32d03aa4a175fa69a33a21aaf5b42078d

    SHA256

    36e35eafc91451a38ad7e7958156841cd2f004d5791fd862d5afa4d5f9df9103

    SHA512

    14a851b3b4d3b8dbb9a2b3ea84d3c30fc9884a8924af0726a717c68db5e8f5e717dc78ca62e5f455010e46c1fecf294791b89f7426cc14ffdd4c84945518bb9c

    Download Submit

  • C:\Windows\Installer\MSI8023.tmp
    Filesize

    578KB

    MD5

    89afe34385ab2b63a7cb0121792be070

    SHA1

    56cdf3f32d03aa4a175fa69a33a21aaf5b42078d

    SHA256

    36e35eafc91451a38ad7e7958156841cd2f004d5791fd862d5afa4d5f9df9103

    SHA512

    14a851b3b4d3b8dbb9a2b3ea84d3c30fc9884a8924af0726a717c68db5e8f5e717dc78ca62e5f455010e46c1fecf294791b89f7426cc14ffdd4c84945518bb9c

    Download Submit

  • C:\Windows\Installer\MSI8023.tmp
    Filesize

    578KB

    MD5

    89afe34385ab2b63a7cb0121792be070

    SHA1

    56cdf3f32d03aa4a175fa69a33a21aaf5b42078d

    SHA256

    36e35eafc91451a38ad7e7958156841cd2f004d5791fd862d5afa4d5f9df9103

    SHA512

    14a851b3b4d3b8dbb9a2b3ea84d3c30fc9884a8924af0726a717c68db5e8f5e717dc78ca62e5f455010e46c1fecf294791b89f7426cc14ffdd4c84945518bb9c

    Download Submit

  • C:\Windows\Installer\MSI80D0.tmp
    Filesize

    578KB

    MD5

    89afe34385ab2b63a7cb0121792be070

    SHA1

    56cdf3f32d03aa4a175fa69a33a21aaf5b42078d

    SHA256

    36e35eafc91451a38ad7e7958156841cd2f004d5791fd862d5afa4d5f9df9103

    SHA512

    14a851b3b4d3b8dbb9a2b3ea84d3c30fc9884a8924af0726a717c68db5e8f5e717dc78ca62e5f455010e46c1fecf294791b89f7426cc14ffdd4c84945518bb9c

    Download Submit

  • C:\Windows\Installer\MSI80D0.tmp
    Filesize

    578KB

    MD5

    89afe34385ab2b63a7cb0121792be070

    SHA1

    56cdf3f32d03aa4a175fa69a33a21aaf5b42078d

    SHA256

    36e35eafc91451a38ad7e7958156841cd2f004d5791fd862d5afa4d5f9df9103

    SHA512

    14a851b3b4d3b8dbb9a2b3ea84d3c30fc9884a8924af0726a717c68db5e8f5e717dc78ca62e5f455010e46c1fecf294791b89f7426cc14ffdd4c84945518bb9c

    Download Submit

  • C:\Windows\Installer\MSI81DB.tmp
    Filesize

    578KB

    MD5

    89afe34385ab2b63a7cb0121792be070

    SHA1

    56cdf3f32d03aa4a175fa69a33a21aaf5b42078d

    SHA256

    36e35eafc91451a38ad7e7958156841cd2f004d5791fd862d5afa4d5f9df9103

    SHA512

    14a851b3b4d3b8dbb9a2b3ea84d3c30fc9884a8924af0726a717c68db5e8f5e717dc78ca62e5f455010e46c1fecf294791b89f7426cc14ffdd4c84945518bb9c

    Download Submit

  • C:\Windows\Installer\MSI81DB.tmp
    Filesize

    578KB

    MD5

    89afe34385ab2b63a7cb0121792be070

    SHA1

    56cdf3f32d03aa4a175fa69a33a21aaf5b42078d

    SHA256

    36e35eafc91451a38ad7e7958156841cd2f004d5791fd862d5afa4d5f9df9103

    SHA512

    14a851b3b4d3b8dbb9a2b3ea84d3c30fc9884a8924af0726a717c68db5e8f5e717dc78ca62e5f455010e46c1fecf294791b89f7426cc14ffdd4c84945518bb9c

    Download Submit

  • memory/4584-184-0x0000000000400000-0x000000000061B000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4584-188-0x0000000002590000-0x0000000002591000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4584-183-0x000000007FA70000-0x000000007FE41000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4584-182-0x00000000711B0000-0x0000000073D42000-memory.dmp

    Filesize

    43.6MB

    Download

  • memory/4584-185-0x0000000004670000-0x0000000004671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4584-186-0x00000000711B0000-0x0000000073D42000-memory.dmp

    Filesize

    43.6MB

    Download

  • memory/4612-195-0x00000000711B0000-0x0000000073D42000-memory.dmp

    Filesize

    43.6MB

    Download

  • memory/4612-199-0x00000000711B0000-0x0000000073D42000-memory.dmp

    Filesize

    43.6MB

    Download

  • memory/4612-189-0x000000007FA70000-0x000000007FE41000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4612-190-0x0000000002460000-0x0000000002461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4612-191-0x0000000000400000-0x000000000061B000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4612-192-0x00000000711B0000-0x0000000073D42000-memory.dmp

    Filesize

    43.6MB

    Download

  • memory/4612-193-0x00000000711B0000-0x0000000073D42000-memory.dmp

    Filesize

    43.6MB

    Download

  • memory/4612-181-0x00000000711B0000-0x0000000073D42000-memory.dmp

    Filesize

    43.6MB

    Download

  • memory/4612-197-0x00000000711B0000-0x0000000073D42000-memory.dmp

    Filesize

    43.6MB

    Download

  • memory/4612-187-0x0000000004670000-0x0000000004671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4612-201-0x00000000711B0000-0x0000000073D42000-memory.dmp

    Filesize

    43.6MB

    Download

  • memory/4612-204-0x00000000711B0000-0x0000000073D42000-memory.dmp

    Filesize

    43.6MB

    Download

  • memory/4612-207-0x00000000711B0000-0x0000000073D42000-memory.dmp

    Filesize

    43.6MB

    Download

  • memory/4612-209-0x00000000711B0000-0x0000000073D42000-memory.dmp

    Filesize

    43.6MB

    Download

  • memory/4612-211-0x00000000711B0000-0x0000000073D42000-memory.dmp

    Filesize

    43.6MB

    Download

  • memory/4612-213-0x00000000711B0000-0x0000000073D42000-memory.dmp

    Filesize

    43.6MB

    Download

  • memory/4612-215-0x00000000711B0000-0x0000000073D42000-memory.dmp

    Filesize

    43.6MB

    Download

  • memory/4612-217-0x00000000711B0000-0x0000000073D42000-memory.dmp

    Filesize

    43.6MB

    Download

  • memory/4612-219-0x00000000711B0000-0x0000000073D42000-memory.dmp

    Filesize

    43.6MB

    Download

  • memory/4612-221-0x00000000711B0000-0x0000000073D42000-memory.dmp

    Filesize

    43.6MB

    Download