Overview

overview

9

Static

static

1

TRG_AQ2X51...43.msi

windows7-x64

8

TRG_AQ2X51...43.msi

windows10-2004-x64

9

Analysis

  • max time kernel
    148s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/04/2023, 18:52

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    TRG_AQ2X510F3SSA7V0325430059543.msi

  • Size

    5.6MB

  • MD5

    75543cefc62c66dad840bec9a80f2919

  • SHA1

    d2863ad0aa4084d160e61598cf7fe5417db90b09

  • SHA256

    f1b1e0e27582995da9cf2c9545a41b18a3d4397b9e24cfc981f50ab0e20461e2

  • SHA512

    c8c0ed71923dc9369bb89266a9ed5a273c7f24046f7d5fdc6b5cecf2aa7e3fe3e0d504e8b5827a23ba61a5eb906cc89c38119080d72576ecfe8dd553a0a29124

  • SSDEEP

    98304:tYQtMvANKLzKaujwjlR/pHNR2si4CbChm+nOC5oQsduwBxnfkCf7XEvEksH1f:FFKLehg6sZg+nOC5oQsnBBf7TXE2

Score
9/10
discoveryevasionpersistencethemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Blocklisted process makes network request 4 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Themida packer 22 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 12 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TRG_AQ2X510F3SSA7V0325430059543.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4352
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 22A888D3A4A5276292EB842CCC220485
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Users\Admin\AppData\Local\0iITPskby\E2i.A.exe
        "C:\Users\Admin\AppData\Local\0iITPskby\E2i.A.exe" "C:\Users\Admin\AppData\Local\0iITPskby\E2i.A.ahk"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Modifies Internet Explorer settings
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4308

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Config.Msi\e56a138.rbs
          Filesize

          1KB

          MD5

          250a38c24871c4ba665de801ebccff2c

          SHA1

          81040ca7ba4b85c2a8e4a49df876f993869b98f6

          SHA256

          e4645d00bf1ff0d09c4d407e0536bedbc3a539122c817dab56dd35c2e46dd411

          SHA512

          b83cd5ad81a763e0d39a0d7ca7f104adf6eb22223b4241aba800cacc3696f9bc00ed97198146a4c34f7b73ed2ce0309d2b69fbc96da6be793ea1707cd93762a2

          Download Submit

        • C:\Users\Admin\AppData\Local\0iITPskby\E2i.A.ahk
          Filesize

          192B

          MD5

          7d81c8480554b41ab493d228b6a57a56

          SHA1

          5f40c218326a4fe442a13682e5bb6875bc93a7bf

          SHA256

          d7969235ac7544074974df1d8d38b19498f1cbcfc5b6adf9b7c47822c96bed9b

          SHA512

          fd4e13fcdf2120f84466eddcbc42a7074e4d535508d5fe92a5e395cb3fef1d8f8c1d65a6f73b9b80097fa0777b4abd75043040fcf25498c2b9a8ec6ee37de257

          Download Submit

        • C:\Users\Admin\AppData\Local\0iITPskby\E2i.A.exe
          Filesize

          889KB

          MD5

          03c469798bf1827d989f09f346ce95f7

          SHA1

          05e491bc1b8fbfbfdca24b565f2464137f30691e

          SHA256

          de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

          SHA512

          d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

          Download Submit

        • C:\Users\Admin\AppData\Local\0iITPskby\E2i.A.exe
          Filesize

          889KB

          MD5

          03c469798bf1827d989f09f346ce95f7

          SHA1

          05e491bc1b8fbfbfdca24b565f2464137f30691e

          SHA256

          de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

          SHA512

          d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

          Download Submit

        • C:\Users\Admin\AppData\Local\0iITPskby\POYWQESZCC.HFp
          Filesize

          11.5MB

          MD5

          59af2a9dae54dd2b604a2a45658a0a5f

          SHA1

          4d83e707e520aa308a9fea70d9243652f65dde29

          SHA256

          fe2b187f223d323379ff82e2f561ec3b559e6422166800debf2d192d5cd8cb56

          SHA512

          66ad982ca26eff36254057f3a59895ab0435c9154cfd6c65a44802b429662c599e0873d4215997e15d7d3564ffbb216e08c660faddcc676ea25a7d52c7ba2f95

          Download Submit

        • C:\Users\Admin\AppData\Local\0iITPskby\POYWQESZCC.HFp
          Filesize

          11.5MB

          MD5

          59af2a9dae54dd2b604a2a45658a0a5f

          SHA1

          4d83e707e520aa308a9fea70d9243652f65dde29

          SHA256

          fe2b187f223d323379ff82e2f561ec3b559e6422166800debf2d192d5cd8cb56

          SHA512

          66ad982ca26eff36254057f3a59895ab0435c9154cfd6c65a44802b429662c599e0873d4215997e15d7d3564ffbb216e08c660faddcc676ea25a7d52c7ba2f95

          Download Submit

        • C:\Users\Admin\AppData\Local\0iITPskby\POYWQESZCC.HFp
          Filesize

          11.5MB

          MD5

          59af2a9dae54dd2b604a2a45658a0a5f

          SHA1

          4d83e707e520aa308a9fea70d9243652f65dde29

          SHA256

          fe2b187f223d323379ff82e2f561ec3b559e6422166800debf2d192d5cd8cb56

          SHA512

          66ad982ca26eff36254057f3a59895ab0435c9154cfd6c65a44802b429662c599e0873d4215997e15d7d3564ffbb216e08c660faddcc676ea25a7d52c7ba2f95

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\58ffa968.dll
          Filesize

          8KB

          MD5

          d8f4ab8284f0fda871d6834e24bc6f37

          SHA1

          641948e44a1dcfd0ef68910768eb4b1ea6b49d10

          SHA256

          c09d0790e550694350b94ca6b077c54f983c135fab8990df5a75462804150912

          SHA512

          f65a916041846718306567d33273c3d0f41e0b26589cf6db46ec6c788ba0d87a708c94979d3bd0609142badca9e7129690b92169a07dcf7cd8c66698827d2fa0

          Download Submit

        • C:\Windows\Installer\MSIA1E2.tmp
          Filesize

          376KB

          MD5

          e12c5bcc254c953b1a46d1434804f4d2

          SHA1

          99f67acf34af1294f3c6e5eb521c862e1c772397

          SHA256

          5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

          SHA512

          9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

          Download Submit

        • C:\Windows\Installer\MSIA1E2.tmp
          Filesize

          376KB

          MD5

          e12c5bcc254c953b1a46d1434804f4d2

          SHA1

          99f67acf34af1294f3c6e5eb521c862e1c772397

          SHA256

          5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

          SHA512

          9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

          Download Submit

        • C:\Windows\Installer\MSIA4C1.tmp
          Filesize

          376KB

          MD5

          e12c5bcc254c953b1a46d1434804f4d2

          SHA1

          99f67acf34af1294f3c6e5eb521c862e1c772397

          SHA256

          5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

          SHA512

          9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

          Download Submit

        • C:\Windows\Installer\MSIA4C1.tmp
          Filesize

          376KB

          MD5

          e12c5bcc254c953b1a46d1434804f4d2

          SHA1

          99f67acf34af1294f3c6e5eb521c862e1c772397

          SHA256

          5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

          SHA512

          9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

          Download Submit

        • C:\Windows\Installer\MSIA57E.tmp
          Filesize

          376KB

          MD5

          e12c5bcc254c953b1a46d1434804f4d2

          SHA1

          99f67acf34af1294f3c6e5eb521c862e1c772397

          SHA256

          5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

          SHA512

          9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

          Download Submit

        • C:\Windows\Installer\MSIA57E.tmp
          Filesize

          376KB

          MD5

          e12c5bcc254c953b1a46d1434804f4d2

          SHA1

          99f67acf34af1294f3c6e5eb521c862e1c772397

          SHA256

          5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

          SHA512

          9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

          Download Submit

        • C:\Windows\Installer\MSIA57E.tmp
          Filesize

          376KB

          MD5

          e12c5bcc254c953b1a46d1434804f4d2

          SHA1

          99f67acf34af1294f3c6e5eb521c862e1c772397

          SHA256

          5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

          SHA512

          9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

          Download Submit

        • C:\Windows\Installer\MSIA5AE.tmp
          Filesize

          376KB

          MD5

          e12c5bcc254c953b1a46d1434804f4d2

          SHA1

          99f67acf34af1294f3c6e5eb521c862e1c772397

          SHA256

          5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

          SHA512

          9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

          Download Submit

        • C:\Windows\Installer\MSIA5AE.tmp
          Filesize

          376KB

          MD5

          e12c5bcc254c953b1a46d1434804f4d2

          SHA1

          99f67acf34af1294f3c6e5eb521c862e1c772397

          SHA256

          5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

          SHA512

          9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

          Download Submit

        • C:\Windows\Installer\MSIA8BD.tmp
          Filesize

          5.1MB

          MD5

          4449d1aacfd59fd8f1372d87c69f3fb1

          SHA1

          0dbc5851f021d291659574d08be106d5b73d0476

          SHA256

          fce3e3fdfe205e6a8765aa002b48185e5855e585d0b26f2db59a2086c6b8e9f5

          SHA512

          be9c5ec72935e61a0c63b03dfa0f9254a2c09a9e7014d76ec7516a922ce679208685c578163bc1993e67f2b375450f89f65bfed0563e0105917265a467e416ef

          Download Submit

        • C:\Windows\Installer\MSIA8BD.tmp
          Filesize

          5.1MB

          MD5

          4449d1aacfd59fd8f1372d87c69f3fb1

          SHA1

          0dbc5851f021d291659574d08be106d5b73d0476

          SHA256

          fce3e3fdfe205e6a8765aa002b48185e5855e585d0b26f2db59a2086c6b8e9f5

          SHA512

          be9c5ec72935e61a0c63b03dfa0f9254a2c09a9e7014d76ec7516a922ce679208685c578163bc1993e67f2b375450f89f65bfed0563e0105917265a467e416ef

          Download Submit

        • C:\Windows\Installer\MSIA8BD.tmp
          Filesize

          5.1MB

          MD5

          4449d1aacfd59fd8f1372d87c69f3fb1

          SHA1

          0dbc5851f021d291659574d08be106d5b73d0476

          SHA256

          fce3e3fdfe205e6a8765aa002b48185e5855e585d0b26f2db59a2086c6b8e9f5

          SHA512

          be9c5ec72935e61a0c63b03dfa0f9254a2c09a9e7014d76ec7516a922ce679208685c578163bc1993e67f2b375450f89f65bfed0563e0105917265a467e416ef

          Download Submit

        • memory/3404-156-0x0000000002660000-0x0000000002661000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3404-173-0x0000000003380000-0x0000000003381000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3404-165-0x0000000003380000-0x0000000003381000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3404-163-0x0000000002680000-0x00000000030AD000-memory.dmp

          Filesize

          10.2MB

          Download

        • memory/3404-162-0x0000000003210000-0x0000000003211000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3404-161-0x0000000003200000-0x0000000003201000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3404-160-0x00000000031F0000-0x00000000031F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3404-159-0x00000000031E0000-0x00000000031E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3404-158-0x00000000031C0000-0x00000000031C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3404-157-0x00000000031B0000-0x00000000031B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4308-191-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download

        • memory/4308-193-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download

        • memory/4308-194-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download

        • memory/4308-195-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download

        • memory/4308-197-0x0000000061E00000-0x0000000061EC1000-memory.dmp

          Filesize

          772KB

          Download

        • memory/4308-192-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download

        • memory/4308-219-0x0000000000A50000-0x0000000000A51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4308-222-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download

        • memory/4308-190-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download

        • memory/4308-189-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download

        • memory/4308-238-0x0000000000A50000-0x0000000000A51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4308-240-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download

        • memory/4308-241-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download

        • memory/4308-243-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download

        • memory/4308-244-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download

        • memory/4308-245-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download

        • memory/4308-246-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download

        • memory/4308-247-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download

        • memory/4308-248-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download

        • memory/4308-249-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download

        • memory/4308-250-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download

        • memory/4308-251-0x0000000004B60000-0x00000000068CB000-memory.dmp

          Filesize

          29.4MB

          Download