Overview

overview

8

Static

static

1

z1Mb_NFEmitida1.msi

windows7-x64

z1Mb_NFEmitida1.msi

windows10-2004-x64

Analysis

  • max time kernel
    59s
  • max time network
    63s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/04/2023, 12:21

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    z1Mb_NFEmitida1.msi

  • Size

    1.4MB

  • MD5

    f390d567bfebaecba7eb5a792ff6249b

  • SHA1

    02aa56247d63b6037e7adc4492d3f494fcbdf003

  • SHA256

    ac8ba32c27d3dc8fa0eef48f3d3de5032df74dd476cf0669f92fecd617c4e10d

  • SHA512

    69b0ac8dd55f84ebb38d9f9dbac95df55c5c173c924ebd394683f35a9517284721a4d97e57aaef5dcd3ec76aa775e46ac15e83feb87947b4b2909fada8268a17

  • SSDEEP

    24576:/DA+gxxN9Y5OcW7LIJ1MXCOJ05YbswFbT52d7xLZrudIAL8wiUYT:/DHW9YDqbCOJ05Yb59QzLZrudIAITUI

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\z1Mb_NFEmitida1.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4360
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4320
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding EF7A2D8BD58F7A571E51D41BDB1D274F
      2⤵
      • Loads dropped DLL
      PID:1892
    • C:\Windows\Installer\MSID21F.tmp
      "C:\Windows\Installer\MSID21F.tmp" /DontWait /HideWindow "C:\Users\Admin\AppData\Roaming\MB_NFEXpressLTD05CrDhWbZS2Qpftwu785iNdm17Za5b®xrttlsb\MB_NFEXpressLTD05CrDhWbZS2Qpftwu785iNdm17Za5b\ba0Bmg.cmd"
      2⤵
      • Executes dropped EXE
      PID:4980
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\MB_NFEXpressLTD05CrDhWbZS2Qpftwu785iNdm17Za5b®xrttlsb\MB_NFEXpressLTD05CrDhWbZS2Qpftwu785iNdm17Za5b\ba0Bmg.cmd" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:872
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo %uMalVYMxLtga??l▀% "
      2⤵
        PID:5012
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -NoProfile -windowstyle hidden -ExecutionPolicy Bypass -nop -NoExit -Command -
        2⤵
        • Blocklisted process makes network request
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\system32\shutdown.exe
          "C:\Windows\system32\shutdown.exe" -r -f -t 10 -c "Windows Updated Successfully"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3636
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39f7055 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:744

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e56c829.rbs
      Filesize

      3KB

      MD5

      d4736a6400a3066f330f0580d6bafc49

      SHA1

      3f887c8cdc39953a567356e6d0fa05b3420f15b1

      SHA256

      7d42ce21466fc5fd83b5ea18c3289e35c021bde60f907c735aec4bbd23935db0

      SHA512

      5f4a5a3dd1e2bdbd2e1e8f05c5ef6b8927f7ae2a593587dadae7a5fc1b085ffdd5966983c18ea54048b779821931823d683696785647c540f7e4137b86e150d4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5it0r43f.cyr.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\MB_NFEXpressLTD05CrDhWbZS2Qpftwu785iNdm17Za5b®xrttlsb\MB_NFEXpressLTD05CrDhWbZS2Qpftwu785iNdm17Za5b\MB_NFEXpressLTD05CrDhWbZS2Qpftwu785iNdm17Za5b.ini
      Filesize

      397B

      MD5

      53b81f14f0df5036499ce157d0967e5e

      SHA1

      1c702e2b7c0fd6ea78a9707f07b5812626e16ede

      SHA256

      70acc54d123663d153a2ddf74a768e077672046e8171cb625cdef3e8e0729c9b

      SHA512

      ec3b42f29ec75698d5bb63fb60f9a2cb4ccaab42d1e232f755b4e14196df8388ba0abe5b9890082529cd73cdc758ace42bcceba5a709f5984122443bc3f2999e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\MB_NFEXpressLTD05CrDhWbZS2Qpftwu785iNdm17Za5b®xrttlsb\MB_NFEXpressLTD05CrDhWbZS2Qpftwu785iNdm17Za5b\ba0Bmg.cmd
      Filesize

      32KB

      MD5

      1a327c9254766fe95996782ac580cbe4

      SHA1

      b31a227c0b1d2562c2796b4ffc1add6df75ee59e

      SHA256

      21ba6a3b45b8bc8ea1ddc1215f34c4c0384770f534329cc268d5324e426d2954

      SHA512

      2138e72ae47040620e5c99e1a962b34af1c4421451b058aefe952ca1b2d086bdab00123b8620e18a844488856338261a633c71f58c211b105b6831b5ef51bf01

      Download Submit

    • C:\Users\Admin\Pictures\AMD64_\D81MyDoct83264D6\4975A7AD66B.zip
      Filesize

      9.9MB

      MD5

      78c2a7a030a4773891a7f3b85ca3dee4

      SHA1

      3497c8c61795cd547860308a07b63f6abd56329a

      SHA256

      1d9aa7661d666c59de6eaec6d59b0dc8929ddfd734c0de7694c653e1521786ec

      SHA512

      cd5cd506a0a93148ee2b35d35cf59ed166e891d7f3d36bcebe8a9e739bedcea26cc36549dd96cc75cd9fb2923b6eb2bda59daee3e598be6b340c9f55b9bc8337

      Download Submit

    • C:\Windows\Installer\MSIC8F2.tmp
      Filesize

      540KB

      MD5

      dfc682d9f93d6dcd39524f1afcd0e00d

      SHA1

      adb81b1077d14dbe76d9ececfc3e027303075705

      SHA256

      f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

      SHA512

      52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

      Download Submit

    • C:\Windows\Installer\MSIC8F2.tmp
      Filesize

      540KB

      MD5

      dfc682d9f93d6dcd39524f1afcd0e00d

      SHA1

      adb81b1077d14dbe76d9ececfc3e027303075705

      SHA256

      f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

      SHA512

      52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

      Download Submit

    • C:\Windows\Installer\MSICC3F.tmp
      Filesize

      540KB

      MD5

      dfc682d9f93d6dcd39524f1afcd0e00d

      SHA1

      adb81b1077d14dbe76d9ececfc3e027303075705

      SHA256

      f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

      SHA512

      52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

      Download Submit

    • C:\Windows\Installer\MSICC3F.tmp
      Filesize

      540KB

      MD5

      dfc682d9f93d6dcd39524f1afcd0e00d

      SHA1

      adb81b1077d14dbe76d9ececfc3e027303075705

      SHA256

      f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

      SHA512

      52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

      Download Submit

    • C:\Windows\Installer\MSICD59.tmp
      Filesize

      540KB

      MD5

      dfc682d9f93d6dcd39524f1afcd0e00d

      SHA1

      adb81b1077d14dbe76d9ececfc3e027303075705

      SHA256

      f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

      SHA512

      52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

      Download Submit

    • C:\Windows\Installer\MSICD59.tmp
      Filesize

      540KB

      MD5

      dfc682d9f93d6dcd39524f1afcd0e00d

      SHA1

      adb81b1077d14dbe76d9ececfc3e027303075705

      SHA256

      f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

      SHA512

      52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

      Download Submit

    • C:\Windows\Installer\MSICD59.tmp
      Filesize

      540KB

      MD5

      dfc682d9f93d6dcd39524f1afcd0e00d

      SHA1

      adb81b1077d14dbe76d9ececfc3e027303075705

      SHA256

      f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

      SHA512

      52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

      Download Submit

    • C:\Windows\Installer\MSICE16.tmp
      Filesize

      540KB

      MD5

      dfc682d9f93d6dcd39524f1afcd0e00d

      SHA1

      adb81b1077d14dbe76d9ececfc3e027303075705

      SHA256

      f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

      SHA512

      52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

      Download Submit

    • C:\Windows\Installer\MSICE16.tmp
      Filesize

      540KB

      MD5

      dfc682d9f93d6dcd39524f1afcd0e00d

      SHA1

      adb81b1077d14dbe76d9ececfc3e027303075705

      SHA256

      f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

      SHA512

      52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

      Download Submit

    • C:\Windows\Installer\MSID21F.tmp
      Filesize

      410KB

      MD5

      20010f9d322a1260ee0953852264a7cd

      SHA1

      6ac58fdf5e414bd6396443a420da99b87ee0e0a2

      SHA256

      d6973be60891c55e0e97d218347dcb2009e2fe687b7df5cfd43536d2af6ea165

      SHA512

      2f62cb4269d929f8bc97c103156de3588b38e9f4c2776d7441db270b8427c2b47bc8e57d786c06da37455b105b077b789e161b21a145a33e420522864d1f913a

      Download Submit

    • C:\Windows\Installer\MSID21F.tmp
      Filesize

      410KB

      MD5

      20010f9d322a1260ee0953852264a7cd

      SHA1

      6ac58fdf5e414bd6396443a420da99b87ee0e0a2

      SHA256

      d6973be60891c55e0e97d218347dcb2009e2fe687b7df5cfd43536d2af6ea165

      SHA512

      2f62cb4269d929f8bc97c103156de3588b38e9f4c2776d7441db270b8427c2b47bc8e57d786c06da37455b105b077b789e161b21a145a33e420522864d1f913a

      Download Submit

    • memory/2636-206-0x000001DDF65B0000-0x000001DDF65D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2636-207-0x000001DDF9560000-0x000001DDF95A4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2636-208-0x000001DDF99D0000-0x000001DDF9A46000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2636-209-0x000001DDF65E0000-0x000001DDF65F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2636-210-0x000001DDF65E0000-0x000001DDF65F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2636-211-0x000001DDF65E0000-0x000001DDF65F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2636-282-0x000001DDF65E0000-0x000001DDF65F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2636-283-0x000001DDF65E0000-0x000001DDF65F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2636-284-0x000001DDF65E0000-0x000001DDF65F0000-memory.dmp

      Filesize

      64KB

      Download