Analysis
- max time kernel: 150s
- max time network: 195s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 19/04/2023, 08:24
- Static task: static1
- Behavioral task: behavioral1
  - Sample: CFDI-418.msi
  - Resource: win10-20230220-en
General
- Target: CFDI-418.msi
- Size: 1.7MB
- MD5: 436ec5aea13f250c2cccb899b09c30fb
- SHA1: d34643db6cb8269bc1ef7472f76c0f7613e68768
- SHA256: d85571ef1ca53d5dcac1a99b06a64af069a20dca7e9d8b7706556b1317b4fb2f
- SHA512: b5d52b50544452dcd9b877c7f77a4f2fd4961bcab745d1666e6f2221bfd2c416873c8d88518f8471297873899125313c62d25885d7870eec04bbc3be11f502df
- SSDEEP: 49152:CgJZBYbX+lDiJ4H3fMUgmu1M88r6F5mCmR+iYVTA:lj8ulDHXDg/a8o6UYdA
Malware Config
Signatures
- YARA rule matches
  - resource: behavioral1/files/0x000700000001ae8b-141.dat, yara_rule: aspack_v212_v242
  - resource: behavioral1/files/0x000700000001ae8b-142.dat, yara_rule: aspack_v212_v242
- Loads dropped DLL (3 IoCs)
  - pid 2172, MsiExec.exe
  - pid 2172, MsiExec.exe
  - pid 2172, MsiExec.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Windows directory (10 IoCs)
  - File opened for modification: C:\Windows\Installer\MSI6170.tmp (msiexec.exe)
  - File created: C:\Windows\Installer\e565a88.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\e565a88.msi (msiexec.exe)
  - File created: C:\Windows\Installer\SourceHash{60E1AB79-B269-4CAB-8F2F-5D392FB01D15} (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI61DF.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI5B15.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI5E14.tmp (msiexec.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - pid 4272, msiexec.exe
  - pid 4272, msiexec.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  - pid 4264, msiexec.exe
  - pid 4264, msiexec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 4272 wrote to memory of 2172; pid 4272, msiexec.exe, procid_target 68
  - PID 4272 wrote to memory of 2172; pid 4272, msiexec.exe, procid_target 68
  - PID 4272 wrote to memory of 2172; pid 4272, msiexec.exe, procid_target 68
Processes
- C:\Windows\system32\msiexec.exe (PID: 4264)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\CFDI-418.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID: 4272)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID: 2172)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DB663E339D2136AFA00BF7CD936A6055
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads