Overview

overview

9

Static

static

1

Multa_0125...in.msi

windows7-x64

9

Multa_0125...in.msi

windows10-2004-x64

9

Analysis

  • max time kernel
    185s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-05-2023 19:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Multa_012544502.msi.bin.msi

  • Size

    6.4MB

  • MD5

    34b4652577806731f50e489999b5b800

  • SHA1

    2ea6202b8ceb7b839964ebc2f8db1d7ccad6d3a7

  • SHA256

    8774ab405a35ab53a2254ca8f52250ad7f98d9c65c7dcd45632de15e5c447b49

  • SHA512

    399dbec0062ef57f2bc5223bb5a55ad47a7bdecd25b8cceca4054bab6aa1f42aa278e4b630ac373e53313825b429888f1f7af6d2755d1999b75a83f119e61781

  • SSDEEP

    98304:x+hZETGO7pWl9qZgBkMCMo6f93ncyk7jqNpG1K/hTOz/xFYptMHA:x+bed7pZM26Vsyks5u/xs

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Blocklisted process makes network request 4 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Themida packer 8 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Multa_012544502.msi.bin.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1804
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3804
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 76731A504CAD3F1EECF3153BC2732407
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Users\Admin\AppData\Local\nuynLLDB0\EtQ.l.exe
        "C:\Users\Admin\AppData\Local\nuynLLDB0\EtQ.l.exe" "C:\Users\Admin\AppData\Local\nuynLLDB0\EtQ.l.ahk"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:3252

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\nuynLLDB0\EtQ.l.ahk
    Filesize

    202B

    MD5

    74067f2cb49ff17b2b393a4a6ba1b1e5

    SHA1

    5be7656c71bbb4450df4e5c5a1d02ad2a6e2ce48

    SHA256

    0ce75ec5575b544f6e9130182e58fea81ff573c9262c28fe125c91877f3cec3a

    SHA512

    7c7ee8c1471a693faa83973d7bfc68b248dd97875169f94eb275aedefe0e026ab3ae93a996181018bcc155e7f3e183b5b15463c7e0901bec0585627ac2bd0b3a

    Download Submit

  • C:\Users\Admin\AppData\Local\nuynLLDB0\EtQ.l.exe
    Filesize

    889KB

    MD5

    03c469798bf1827d989f09f346ce95f7

    SHA1

    05e491bc1b8fbfbfdca24b565f2464137f30691e

    SHA256

    de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

    SHA512

    d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

    Download Submit

  • C:\Users\Admin\AppData\Local\nuynLLDB0\TEBXHEJAON.OXo
    Filesize

    13.6MB

    MD5

    f89ac2e29ffd616ed6abb0d1ae5d8cc9

    SHA1

    7a326a05e116ac575f40ee18bffd00854780a2d8

    SHA256

    004186b6246c2a2f021c9c4c7d5da2fea29eae23e6a2068fe8ab666ced9b3867

    SHA512

    c7160a5fcdd36847ed646a5ca7b22d7d7d162de220a73b806277cdf66ca872193d8f870d7fd0e987375e91b15f104733efe33f562b48d00ff2750be94dcf3697

    Download Submit

  • C:\Users\Admin\AppData\Local\nuynLLDB0\TEBXHEJAON.OXo
    Filesize

    13.6MB

    MD5

    f89ac2e29ffd616ed6abb0d1ae5d8cc9

    SHA1

    7a326a05e116ac575f40ee18bffd00854780a2d8

    SHA256

    004186b6246c2a2f021c9c4c7d5da2fea29eae23e6a2068fe8ab666ced9b3867

    SHA512

    c7160a5fcdd36847ed646a5ca7b22d7d7d162de220a73b806277cdf66ca872193d8f870d7fd0e987375e91b15f104733efe33f562b48d00ff2750be94dcf3697

    Download Submit

  • C:\Users\Admin\AppData\Local\nuynLLDB0\TEBXHEJAON.OXo
    Filesize

    13.6MB

    MD5

    f89ac2e29ffd616ed6abb0d1ae5d8cc9

    SHA1

    7a326a05e116ac575f40ee18bffd00854780a2d8

    SHA256

    004186b6246c2a2f021c9c4c7d5da2fea29eae23e6a2068fe8ab666ced9b3867

    SHA512

    c7160a5fcdd36847ed646a5ca7b22d7d7d162de220a73b806277cdf66ca872193d8f870d7fd0e987375e91b15f104733efe33f562b48d00ff2750be94dcf3697

    Download Submit

  • C:\Windows\Installer\MSI2163.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI2163.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI2490.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSI2490.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSIA615.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSIA615.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSIA615.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSIA6F1.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSIA6F1.tmp
    Filesize

    376KB

    MD5

    e12c5bcc254c953b1a46d1434804f4d2

    SHA1

    99f67acf34af1294f3c6e5eb521c862e1c772397

    SHA256

    5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

    SHA512

    9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

    Download Submit

  • C:\Windows\Installer\MSIAD8B.tmp
    Filesize

    5.8MB

    MD5

    a5094c4e30ad9cb9774ecf8d5ad880bb

    SHA1

    e866b5f356a60696a93a35aec1d4ef6b99b8da49

    SHA256

    55773203d973222565c520b50cd2dd83c1be0067e70dd6369ec9dc0c9e903286

    SHA512

    be1908623f82ee0a54e7fa9057f38ec8dd60cebeaddd30f0a382cdd4162294ed80d51656a1ef3923e79852755ba5cdc6b274d305547aac2eb9178dd41194c205

    Download Submit

  • C:\Windows\Installer\MSIAD8B.tmp
    Filesize

    5.8MB

    MD5

    a5094c4e30ad9cb9774ecf8d5ad880bb

    SHA1

    e866b5f356a60696a93a35aec1d4ef6b99b8da49

    SHA256

    55773203d973222565c520b50cd2dd83c1be0067e70dd6369ec9dc0c9e903286

    SHA512

    be1908623f82ee0a54e7fa9057f38ec8dd60cebeaddd30f0a382cdd4162294ed80d51656a1ef3923e79852755ba5cdc6b274d305547aac2eb9178dd41194c205

    Download Submit

  • C:\Windows\Installer\MSIAD8B.tmp
    Filesize

    5.8MB

    MD5

    a5094c4e30ad9cb9774ecf8d5ad880bb

    SHA1

    e866b5f356a60696a93a35aec1d4ef6b99b8da49

    SHA256

    55773203d973222565c520b50cd2dd83c1be0067e70dd6369ec9dc0c9e903286

    SHA512

    be1908623f82ee0a54e7fa9057f38ec8dd60cebeaddd30f0a382cdd4162294ed80d51656a1ef3923e79852755ba5cdc6b274d305547aac2eb9178dd41194c205

    Download Submit

  • memory/1812-162-0x0000000003880000-0x0000000003881000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1812-161-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1812-163-0x0000000002A30000-0x000000000373B000-memory.dmp

    Filesize

    13.0MB

    Download

  • memory/1812-165-0x00000000038A0000-0x00000000038A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1812-166-0x00000000038A0000-0x00000000038A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1812-157-0x0000000002A00000-0x0000000002A01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1812-156-0x00000000029F0000-0x00000000029F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1812-158-0x0000000002A10000-0x0000000002A11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1812-160-0x0000000003860000-0x0000000003861000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1812-159-0x0000000003850000-0x0000000003851000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3252-191-0x0000000004C70000-0x000000000701D000-memory.dmp

    Filesize

    35.7MB

    Download

  • memory/3252-192-0x0000000004C70000-0x000000000701D000-memory.dmp

    Filesize

    35.7MB

    Download

  • memory/3252-193-0x0000000004C70000-0x000000000701D000-memory.dmp

    Filesize

    35.7MB

    Download

  • memory/3252-194-0x0000000004C70000-0x000000000701D000-memory.dmp

    Filesize

    35.7MB

    Download

  • memory/3252-195-0x0000000004C70000-0x000000000701D000-memory.dmp

    Filesize

    35.7MB

    Download