Analysis
- max time kernel: 31s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-es
- resource tags: arch:x64, arch:x86, image:win7-20230220-es, locale:es-es, os:windows7-x64, system:windows
- submitted: 12/04/2023, 15:38
Static task: static1
Behavioral task: behavioral1
- Sample: CFDI-418.msi
- Resource: win7-20230220-es
Behavioral task: behavioral2
- Sample: CFDI-418.msi
- Resource: win10v2004-20230220-es
General
- Target: CFDI-418.msi
- Size: 1.7MB
- MD5: 436ec5aea13f250c2cccb899b09c30fb
- SHA1: d34643db6cb8269bc1ef7472f76c0f7613e68768
- SHA256: d85571ef1ca53d5dcac1a99b06a64af069a20dca7e9d8b7706556b1317b4fb2f
- SHA512: b5d52b50544452dcd9b877c7f77a4f2fd4961bcab745d1666e6f2221bfd2c416873c8d88518f8471297873899125313c62d25885d7870eec04bbc3be11f502df
- SSDEEP: 49152:CgJZBYbX+lDiJ4H3fMUgmu1M88r6F5mCmR+iYVTA:lj8ulDHXDg/a8o6UYdA
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  flow  pid  Process
  3     476  MsiExec.exe
- resource                                     yara_rule
  behavioral1/files/0x00070000000139f9-69.dat  aspack_v212_v242
  behavioral1/files/0x00070000000139f9-70.dat  aspack_v212_v242
- Loads dropped DLL (3 IoCs)
  pid  Process
  476  MsiExec.exe
  476  MsiExec.exe
  476  MsiExec.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); Process: msiexec.exe (all 48 entries)
  ioc, in order of appearance: \??\J:, \??\Q:, \??\W:, \??\H:, \??\I:, \??\K:, \??\T:, \??\G:, \??\I:, \??\R:, \??\A:, \??\E:, \??\B:, \??\F:, \??\M:, \??\Y:, \??\B:, \??\O:, \??\U:, \??\V:, \??\H:, \??\K:, \??\O:, \??\P:, \??\F:, \??\X:, \??\Z:, \??\U:, \??\N:, \??\T:, \??\V:, \??\J:, \??\G:, \??\N:, \??\R:, \??\X:, \??\Y:, \??\Z:, \??\S:, \??\L:, \??\P:, \??\S:, \??\W:, \??\A:, \??\E:, \??\L:, \??\Q:, \??\M:
- Drops file in Windows directory (9 IoCs)
  description                   ioc                                 Process
  File opened for modification  C:\Windows\Installer\MSI6212.tmp    msiexec.exe
  File created                  C:\Windows\Installer\6c5783.msi     msiexec.exe
  File opened for modification  C:\Windows\Installer\6c5783.msi     msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI57F1.tmp    msiexec.exe
  File opened for modification  C:\Windows\Installer\               msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI5C93.tmp    msiexec.exe
  File created                  C:\Windows\Installer\6c5785.ipi     msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI6193.tmp    msiexec.exe
  File opened for modification  C:\Windows\Installer\6c5785.ipi     msiexec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  Process
  872  msiexec.exe
  872  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  pid 1084 msiexec.exe, tokens in order of appearance (31): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 872 msiexec.exe, tokens in order of appearance (19): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  1084  msiexec.exe
  1084  msiexec.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                      pid  Process      procid_target
  PID 872 wrote to memory of 476   872  msiexec.exe  28
  PID 872 wrote to memory of 476   872  msiexec.exe  28
  PID 872 wrote to memory of 476   872  msiexec.exe  28
  PID 872 wrote to memory of 476   872  msiexec.exe  28
  PID 872 wrote to memory of 476   872  msiexec.exe  28
  PID 872 wrote to memory of 476   872  msiexec.exe  28
  PID 872 wrote to memory of 476   872  msiexec.exe  28
Processes
- C:\Windows\system32\msiexec.exe (PID 1084, depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\CFDI-418.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 872, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 476, depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding CEDB53DE228E858903A4B232244EDCC0
    - Blocklisted process makes network request
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads