91eb973a8bafa8cb19d6adc7dae4e547314472bfb48869cceccb2fb926280d94

Analysis

max time kernel
54s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2023, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documento-@_Incidencia-Declaracion.msi
Size

9.4MB
MD5

769cf5c13907bdf8d8d0fefd5bf3fa3e
SHA1

6c70363ac061729605367296207b11f4be50ed82
SHA256

c095f9a7c38fe589cace06c6544c4c102ffdd6457cf5d404d1ac64722d44c9aa
SHA512

ba66d88647b313f0ba5b1b7c83b5f0609a1c274cb7cc3d855d7dab3f4717e346f659c71784602c2503a4c0c3efb9fe3fcf5efcd3fdd0df9d19462decbb59b348
SSDEEP

49152:d+fLE73I5WQNDf/9vBfl8Q+w3HjSMAO26DrWaEy3VwyPsm8IqTCVk6UfzwdMaofJ:D3I9zbCmPO+2I+2sic0

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
3352	MsiExec.exe
3352	MsiExec.exe
3352	MsiExec.exe
3352	MsiExec.exe
4736	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85C4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8311.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI839F.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3428HC9T-0XXB-T0UL-6PBP-ISZC8KM69U2V}	msiexec.exe
File created	C:\Windows\Installer\e567f27.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e567f27.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7FD3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8245.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8575.tmp	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1332	msiexec.exe
1332	msiexec.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1296	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1296	msiexec.exe
Token: SeSecurityPrivilege	1332	msiexec.exe
Token: SeCreateTokenPrivilege	1296	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1296	msiexec.exe
Token: SeLockMemoryPrivilege	1296	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1296	msiexec.exe
Token: SeMachineAccountPrivilege	1296	msiexec.exe
Token: SeTcbPrivilege	1296	msiexec.exe
Token: SeSecurityPrivilege	1296	msiexec.exe
Token: SeTakeOwnershipPrivilege	1296	msiexec.exe
Token: SeLoadDriverPrivilege	1296	msiexec.exe
Token: SeSystemProfilePrivilege	1296	msiexec.exe
Token: SeSystemtimePrivilege	1296	msiexec.exe
Token: SeProfSingleProcessPrivilege	1296	msiexec.exe
Token: SeIncBasePriorityPrivilege	1296	msiexec.exe
Token: SeCreatePagefilePrivilege	1296	msiexec.exe
Token: SeCreatePermanentPrivilege	1296	msiexec.exe
Token: SeBackupPrivilege	1296	msiexec.exe
Token: SeRestorePrivilege	1296	msiexec.exe
Token: SeShutdownPrivilege	1296	msiexec.exe
Token: SeDebugPrivilege	1296	msiexec.exe
Token: SeAuditPrivilege	1296	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1296	msiexec.exe
Token: SeChangeNotifyPrivilege	1296	msiexec.exe
Token: SeRemoteShutdownPrivilege	1296	msiexec.exe
Token: SeUndockPrivilege	1296	msiexec.exe
Token: SeSyncAgentPrivilege	1296	msiexec.exe
Token: SeEnableDelegationPrivilege	1296	msiexec.exe
Token: SeManageVolumePrivilege	1296	msiexec.exe
Token: SeImpersonatePrivilege	1296	msiexec.exe
Token: SeCreateGlobalPrivilege	1296	msiexec.exe
Token: SeRestorePrivilege	1332	msiexec.exe
Token: SeTakeOwnershipPrivilege	1332	msiexec.exe
Token: SeRestorePrivilege	1332	msiexec.exe
Token: SeTakeOwnershipPrivilege	1332	msiexec.exe
Token: SeRestorePrivilege	1332	msiexec.exe
Token: SeTakeOwnershipPrivilege	1332	msiexec.exe
Token: SeRestorePrivilege	1332	msiexec.exe
Token: SeTakeOwnershipPrivilege	1332	msiexec.exe
Token: SeRestorePrivilege	1332	msiexec.exe
Token: SeTakeOwnershipPrivilege	1332	msiexec.exe
Token: SeRestorePrivilege	1332	msiexec.exe
Token: SeTakeOwnershipPrivilege	1332	msiexec.exe
Token: SeRestorePrivilege	1332	msiexec.exe
Token: SeTakeOwnershipPrivilege	1332	msiexec.exe
Token: SeRestorePrivilege	1332	msiexec.exe
Token: SeTakeOwnershipPrivilege	1332	msiexec.exe
Token: SeRestorePrivilege	1332	msiexec.exe
Token: SeTakeOwnershipPrivilege	1332	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1296	msiexec.exe
1296	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 3352	1332	msiexec.exe	84
PID 1332 wrote to memory of 3352	1332	msiexec.exe	84
PID 1332 wrote to memory of 3352	1332	msiexec.exe	84
PID 1332 wrote to memory of 4736	1332	msiexec.exe	85
PID 1332 wrote to memory of 4736	1332	msiexec.exe	85

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Documento-@_Incidencia-Declaracion.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1296

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D34318E44FE7EF1AB485005125335763
  2⤵
  - Loads dropped DLL
  PID:3352
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 259644E6EC9AED0B2222A93CBD3AA646
  2⤵
  - Loads dropped DLL
  PID:4736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e567f2a.rbs

Filesize
592B

MD5
6debd1cc4e377ab1b944b5f85464aa6d

SHA1
48b2e79de902735ef58efc7e606dbb61735e07c1

SHA256
9079ccbee07e704b624a2349fe250f3641aec4c1eb90ced8716e63110af29f8f

SHA512
7b1d002851580c780ab73916d7754dc5f4793c4a8fb4d6ad5c7b76085aef1f483f587e6e089fd8c9a6177dc3dbb0ee376ebb132d9b292aff5562213b94effff2

Download Submit
C:\Windows\Installer\MSI7FD3.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI7FD3.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI8245.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI8245.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI8311.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI8311.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI8311.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI839F.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI839F.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI85C4.tmp

Filesize
8.3MB

MD5
b3c62e73148225d6edad740b0425cbd7

SHA1
090bc4f244b1237bd9626485a59eddf388575683

SHA256
a5e8843825dfdb9972b9a6334a33fb865adc39d351f9b301b23227c58a230d32

SHA512
a3d4d136b33e08e4ce2a8a6258c411d6c89ec85b9a2fa4974ff1a72ca7424b92da01bdff7a6a5b6be34c1b798ee518e38fc10a2dcb16dc34c785ef1a7bd8fd91

Download Submit
C:\Windows\Installer\MSI85C4.tmp

Filesize
8.3MB

MD5
b3c62e73148225d6edad740b0425cbd7

SHA1
090bc4f244b1237bd9626485a59eddf388575683

SHA256
a5e8843825dfdb9972b9a6334a33fb865adc39d351f9b301b23227c58a230d32

SHA512
a3d4d136b33e08e4ce2a8a6258c411d6c89ec85b9a2fa4974ff1a72ca7424b92da01bdff7a6a5b6be34c1b798ee518e38fc10a2dcb16dc34c785ef1a7bd8fd91

Download Submit
memory/4736-159-0x0000000070040000-0x00000000708A0000-memory.dmp

Filesize
8.4MB

Download