Analysis
max time kernel: 61s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/04/2023, 12:09
Static task: static1
Behavioral task: behavioral1
  Sample: Archivo.EndesaFactur-A4-SIMPLEX-TLLK_B23032023E294942222422244454.MSI.msi
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Archivo.EndesaFactur-A4-SIMPLEX-TLLK_B23032023E294942222422244454.MSI.msi
  Resource: win10v2004-20230220-en
General
Target: Archivo.EndesaFactur-A4-SIMPLEX-TLLK_B23032023E294942222422244454.MSI.msi
Size: 3.0MB
MD5: f8e3482185e2c916fc032786e676d320
SHA1: f605b599179349ec50919c521191daf718a587c8
SHA256: 3e033ac5385c7a77ef87090674c19061d8fce08a48d451d78a03d32eda516243
SHA512: 1024136d4fbcfe68de382d22fb160b16ed9a95e54ccf240a0a09c27bf49bd0ec3e7f0ad15e35701698a0d49cf0bda7649a66cf81db19ec272fe501517db8987e
SSDEEP: 49152:LoYafBZfn6JDi5FQ5dtSdgIH/5roi5VzQ78r6F5mCmR+CYuNA:YfPf/BoEzMo6cYIA
Malware Config
Signatures
Loads dropped DLL (3 IoCs)
pid   Process
1844  MsiExec.exe
1844  MsiExec.exe
1844  MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
Drops file in Windows directory (10 IoCs)
description                   ioc                                                                Process
File created                  C:\Windows\Installer\e569f23.msi                                   msiexec.exe
File opened for modification  C:\Windows\Installer\e569f23.msi                                   msiexec.exe
File opened for modification  C:\Windows\Installer\                                              msiexec.exe
File opened for modification  C:\Windows\Installer\MSIA465.tmp                                   msiexec.exe
File opened for modification  C:\Windows\Installer\MSIA56F.tmp                                   msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log           msiexec.exe
File opened for modification  C:\Windows\Installer\MSI9FCF.tmp                                   msiexec.exe
File opened for modification  C:\Windows\Installer\MSIA2FC.tmp                                   msiexec.exe
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                     msiexec.exe
File created                  C:\Windows\Installer\SourceHash{F6F4774B-4CA1-41A3-84D8-A46269C2E457}  msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
4368  msiexec.exe
4368  msiexec.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description                           pid   Process
Token: SeShutdownPrivilege            452   msiexec.exe
Token: SeIncreaseQuotaPrivilege       452   msiexec.exe
Token: SeSecurityPrivilege            4368  msiexec.exe
Token: SeCreateTokenPrivilege         452   msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  452   msiexec.exe
Token: SeLockMemoryPrivilege          452   msiexec.exe
Token: SeIncreaseQuotaPrivilege       452   msiexec.exe
Token: SeMachineAccountPrivilege      452   msiexec.exe
Token: SeTcbPrivilege                 452   msiexec.exe
Token: SeSecurityPrivilege            452   msiexec.exe
Token: SeTakeOwnershipPrivilege       452   msiexec.exe
Token: SeLoadDriverPrivilege          452   msiexec.exe
Token: SeSystemProfilePrivilege       452   msiexec.exe
Token: SeSystemtimePrivilege          452   msiexec.exe
Token: SeProfSingleProcessPrivilege   452   msiexec.exe
Token: SeIncBasePriorityPrivilege     452   msiexec.exe
Token: SeCreatePagefilePrivilege      452   msiexec.exe
Token: SeCreatePermanentPrivilege     452   msiexec.exe
Token: SeBackupPrivilege              452   msiexec.exe
Token: SeRestorePrivilege             452   msiexec.exe
Token: SeShutdownPrivilege            452   msiexec.exe
Token: SeDebugPrivilege               452   msiexec.exe
Token: SeAuditPrivilege               452   msiexec.exe
Token: SeSystemEnvironmentPrivilege   452   msiexec.exe
Token: SeChangeNotifyPrivilege        452   msiexec.exe
Token: SeRemoteShutdownPrivilege      452   msiexec.exe
Token: SeUndockPrivilege              452   msiexec.exe
Token: SeSyncAgentPrivilege           452   msiexec.exe
Token: SeEnableDelegationPrivilege    452   msiexec.exe
Token: SeManageVolumePrivilege        452   msiexec.exe
Token: SeImpersonatePrivilege         452   msiexec.exe
Token: SeCreateGlobalPrivilege        452   msiexec.exe
Token: SeRestorePrivilege             4368  msiexec.exe
Token: SeTakeOwnershipPrivilege       4368  msiexec.exe
Token: SeRestorePrivilege             4368  msiexec.exe
Token: SeTakeOwnershipPrivilege       4368  msiexec.exe
Token: SeRestorePrivilege             4368  msiexec.exe
Token: SeTakeOwnershipPrivilege       4368  msiexec.exe
Token: SeRestorePrivilege             4368  msiexec.exe
Token: SeTakeOwnershipPrivilege       4368  msiexec.exe
Token: SeRestorePrivilege             4368  msiexec.exe
Token: SeTakeOwnershipPrivilege       4368  msiexec.exe
Token: SeRestorePrivilege             4368  msiexec.exe
Token: SeTakeOwnershipPrivilege       4368  msiexec.exe
Token: SeRestorePrivilege             4368  msiexec.exe
Token: SeTakeOwnershipPrivilege       4368  msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid  Process
452  msiexec.exe
452  msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process      procid_target
PID 4368 wrote to memory of 1844  4368  msiexec.exe  86
PID 4368 wrote to memory of 1844  4368  msiexec.exe  86
PID 4368 wrote to memory of 1844  4368  msiexec.exe  86
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Archivo.EndesaFactur-A4-SIMPLEX-TLLK_B23032023E294942222422244454.MSI.msi
  PID: 452
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4368
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (child of PID 4368)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9DA09CE3FBF7535DD097A7CA21631386
    PID: 1844
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads