9a014178ddd4a0f7ec8cb639dd27f695d8599cb224efded5cd706faec9fb1e11

Resubmissions

30/06/2023, 17:49

230630-wd8g5seb76 8

30/06/2023, 17:45

230630-wbqvbaeb69 8

29/06/2023, 17:53

230629-wgaqaaed89 8

Analysis

max time kernel
54s
max time network
118s
platform
windows7_x64
resource
win7-20230621-es
resource tags

arch:x64arch:x86image:win7-20230621-eslocale:es-esos:windows7-x64systemwindows
submitted
30/06/2023, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

formularioimprimibleCLE.msi
Size

6.3MB
MD5

043dfa1567871c033c9514b544c7fef2
SHA1

97c9f86276885dcecc0e8108ebe4feef0a231518
SHA256

55ec807f6f52f3145fc046e64bcf4fa42ed595f10214f22025c07f7c900f3e4b
SHA512

a86ec480977715b8969d0b11c354acb7694526615006af9e5b1946997905464f0657cca614698cebcc6d7f5b866d6cb1c2220c2385c1bbbd9284f92c9c03d72e
SSDEEP

196608:u29Ik7oVQ2CAmYcA13ikoGhE4qLSupNxfTC:u2SMJ25mVA1xvzuLM

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
4	1504	MsiExec.exe
6	1504	MsiExec.exe
8	1504	MsiExec.exe
10	1504	MsiExec.exe
12	1504	MsiExec.exe
13	1504	MsiExec.exe

Loads dropped DLL 5 IoCs

pid	Process
1504	MsiExec.exe
1504	MsiExec.exe
1504	MsiExec.exe
1504	MsiExec.exe
1504	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io
4	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1504	MsiExec.exe
1504	MsiExec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\6c3776.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D41.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3FC2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4485.tmp	msiexec.exe
File created	C:\Windows\Installer\6c3776.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B2D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3DDE.tmp	msiexec.exe
File created	C:\Windows\Installer\6c3778.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4455.tmp	msiexec.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1364	1504	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1220	msiexec.exe
1220	msiexec.exe
1504	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1324	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1324	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeSecurityPrivilege	1220	msiexec.exe
Token: SeCreateTokenPrivilege	1324	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1324	msiexec.exe
Token: SeLockMemoryPrivilege	1324	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1324	msiexec.exe
Token: SeMachineAccountPrivilege	1324	msiexec.exe
Token: SeTcbPrivilege	1324	msiexec.exe
Token: SeSecurityPrivilege	1324	msiexec.exe
Token: SeTakeOwnershipPrivilege	1324	msiexec.exe
Token: SeLoadDriverPrivilege	1324	msiexec.exe
Token: SeSystemProfilePrivilege	1324	msiexec.exe
Token: SeSystemtimePrivilege	1324	msiexec.exe
Token: SeProfSingleProcessPrivilege	1324	msiexec.exe
Token: SeIncBasePriorityPrivilege	1324	msiexec.exe
Token: SeCreatePagefilePrivilege	1324	msiexec.exe
Token: SeCreatePermanentPrivilege	1324	msiexec.exe
Token: SeBackupPrivilege	1324	msiexec.exe
Token: SeRestorePrivilege	1324	msiexec.exe
Token: SeShutdownPrivilege	1324	msiexec.exe
Token: SeDebugPrivilege	1324	msiexec.exe
Token: SeAuditPrivilege	1324	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1324	msiexec.exe
Token: SeChangeNotifyPrivilege	1324	msiexec.exe
Token: SeRemoteShutdownPrivilege	1324	msiexec.exe
Token: SeUndockPrivilege	1324	msiexec.exe
Token: SeSyncAgentPrivilege	1324	msiexec.exe
Token: SeEnableDelegationPrivilege	1324	msiexec.exe
Token: SeManageVolumePrivilege	1324	msiexec.exe
Token: SeImpersonatePrivilege	1324	msiexec.exe
Token: SeCreateGlobalPrivilege	1324	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1324	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1504	1220	msiexec.exe	29
PID 1220 wrote to memory of 1504	1220	msiexec.exe	29
PID 1220 wrote to memory of 1504	1220	msiexec.exe	29
PID 1220 wrote to memory of 1504	1220	msiexec.exe	29
PID 1220 wrote to memory of 1504	1220	msiexec.exe	29
PID 1220 wrote to memory of 1504	1220	msiexec.exe	29
PID 1220 wrote to memory of 1504	1220	msiexec.exe	29
PID 1504 wrote to memory of 1364	1504	MsiExec.exe	33
PID 1504 wrote to memory of 1364	1504	MsiExec.exe	33
PID 1504 wrote to memory of 1364	1504	MsiExec.exe	33
PID 1504 wrote to memory of 1364	1504	MsiExec.exe	33

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\formularioimprimibleCLE.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1324

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FC2903DB49D7A79F4A99F5A11889E9FC
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 576
    3⤵
    - Program crash
    PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3637e477bf2d96df16f46d6fe42ceb00

SHA1
7b0f1074aff9bdc5bef4ead764545d8910c5e2e1

SHA256
4f29dc34d0cc27a104af3a8e4d633c33db862a80ad379206e51ded7138966559

SHA512
8d582845e1039b4be0345092d050cec4a6b0c0d78d4718847e0d7ecc18ec0f90c9d2a0c28144b742cb75ae33ca631beaa72d248db6497ec8014cb89234bbd558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab820E.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8491.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Windows\Installer\MSI3B2D.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
C:\Windows\Installer\MSI3D41.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
C:\Windows\Installer\MSI3DDE.tmp

Filesize
860KB

MD5
71b541254864bd52f85e932e2040cbe8

SHA1
713766e1818f8d7ca814c86109c9cdd5d57914ef

SHA256
b29ab4744ff6c8c9c440e878abf6f76255c538e71564e6a6279513b543be0538

SHA512
4d2e0a30fd6729eb40fad358795db152327b0441da574052a371762f33c9f9e7b9a77c4a4762207bcb401a2d3ef6438730c245916f4a81cd20f748857d5170d2

Download Submit
C:\Windows\Installer\MSI3FC2.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
C:\Windows\Installer\MSI3FC2.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
C:\Windows\Installer\MSI4485.tmp

Filesize
4.9MB

MD5
092eca934d678084a26cd40a4d3c820e

SHA1
a3a3f338429b2621bf02dde24f931925b522cc9d

SHA256
d35e11b78d14db8c976c7a800f4c2caf092f63b1ea0c29742564317c28701cbf

SHA512
98002b475a798883263b0c2ae81cd893d77c8272dd16a9ecda99bd8d68f221a77950bf65e1322c665bbec6ed035639c2365f943d5f918a62c5ef7664ae1d70ba

Download Submit
\Windows\Installer\MSI3B2D.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
\Windows\Installer\MSI3D41.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
\Windows\Installer\MSI3DDE.tmp

Filesize
860KB

MD5
71b541254864bd52f85e932e2040cbe8

SHA1
713766e1818f8d7ca814c86109c9cdd5d57914ef

SHA256
b29ab4744ff6c8c9c440e878abf6f76255c538e71564e6a6279513b543be0538

SHA512
4d2e0a30fd6729eb40fad358795db152327b0441da574052a371762f33c9f9e7b9a77c4a4762207bcb401a2d3ef6438730c245916f4a81cd20f748857d5170d2

Download Submit
\Windows\Installer\MSI3FC2.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit
\Windows\Installer\MSI4485.tmp

Filesize
4.9MB

MD5
092eca934d678084a26cd40a4d3c820e

SHA1
a3a3f338429b2621bf02dde24f931925b522cc9d

SHA256
d35e11b78d14db8c976c7a800f4c2caf092f63b1ea0c29742564317c28701cbf

SHA512
98002b475a798883263b0c2ae81cd893d77c8272dd16a9ecda99bd8d68f221a77950bf65e1322c665bbec6ed035639c2365f943d5f918a62c5ef7664ae1d70ba

Download Submit
memory/1504-80-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1504-92-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1504-78-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1504-81-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1504-82-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1504-83-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1504-84-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1504-86-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1504-87-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1504-89-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1504-90-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1504-79-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1504-93-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1504-95-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1504-96-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1504-97-0x0000000002920000-0x00000000034AE000-memory.dmp

Filesize
11.6MB

Download
memory/1504-99-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1504-77-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1504-76-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1504-75-0x0000000002920000-0x00000000034AE000-memory.dmp

Filesize
11.6MB

Download
memory/1504-178-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download