65fe86ed5b3edf17a891ba83d85c279f9e2675d22c99ff109480136ff9321358

Analysis

max time kernel
12s
max time network
9s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2023 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOCPS_SIST_JUS.msi
Size

15.6MB
MD5

da3ce34b8e2211e34296d7823f23fbc6
SHA1

f4192e0ef8e44604479a298f46dd1eaf3f563cc4
SHA256

65fe86ed5b3edf17a891ba83d85c279f9e2675d22c99ff109480136ff9321358
SHA512

b0cfbb3c01511e88b31f5fc5761c5f2711bc62a370755928a1f2c3f21478991c3045fd51ee6cb69c7b4942f97dd48cf26d80ce00c05d707d609e564638ec795e
SSDEEP

196608:VHropyCEIPC0McvquK/EupKffBjJtfOLs1TbsDUD43aacMyehJIR/xrkUlUMghz2:9rLC35PK9pKfp7bUWRMy9x4NFo95wRG

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2668	Bulking.exe

Loads dropped DLL 10 IoCs

pid	Process
3464	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe
2668	Bulking.exe
2668	Bulking.exe
2668	Bulking.exe
2668	Bulking.exe
2668	Bulking.exe
2668	Bulking.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Plsayers = "C:\\Users\\Admin\\AppData\\Roaming\\Relatorios\\Urgency Communits\\Bulking.exe"	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI3381.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI33DF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e582eeb.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2FB6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI32A5.tmp	msiexec.exe
File created	C:\Windows\Installer\e582eeb.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E0F4D968-BD3F-4417-9565-D730145B75F2}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI35C5.tmp	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
220	msiexec.exe
220	msiexec.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2500	msiexec.exe
Token: SeSecurityPrivilege	220	msiexec.exe
Token: SeCreateTokenPrivilege	2500	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2500	msiexec.exe
Token: SeLockMemoryPrivilege	2500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2500	msiexec.exe
Token: SeMachineAccountPrivilege	2500	msiexec.exe
Token: SeTcbPrivilege	2500	msiexec.exe
Token: SeSecurityPrivilege	2500	msiexec.exe
Token: SeTakeOwnershipPrivilege	2500	msiexec.exe
Token: SeLoadDriverPrivilege	2500	msiexec.exe
Token: SeSystemProfilePrivilege	2500	msiexec.exe
Token: SeSystemtimePrivilege	2500	msiexec.exe
Token: SeProfSingleProcessPrivilege	2500	msiexec.exe
Token: SeIncBasePriorityPrivilege	2500	msiexec.exe
Token: SeCreatePagefilePrivilege	2500	msiexec.exe
Token: SeCreatePermanentPrivilege	2500	msiexec.exe
Token: SeBackupPrivilege	2500	msiexec.exe
Token: SeRestorePrivilege	2500	msiexec.exe
Token: SeShutdownPrivilege	2500	msiexec.exe
Token: SeDebugPrivilege	2500	msiexec.exe
Token: SeAuditPrivilege	2500	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2500	msiexec.exe
Token: SeChangeNotifyPrivilege	2500	msiexec.exe
Token: SeRemoteShutdownPrivilege	2500	msiexec.exe
Token: SeUndockPrivilege	2500	msiexec.exe
Token: SeSyncAgentPrivilege	2500	msiexec.exe
Token: SeEnableDelegationPrivilege	2500	msiexec.exe
Token: SeManageVolumePrivilege	2500	msiexec.exe
Token: SeImpersonatePrivilege	2500	msiexec.exe
Token: SeCreateGlobalPrivilege	2500	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2500	msiexec.exe
2500	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 3464	220	msiexec.exe	89
PID 220 wrote to memory of 3464	220	msiexec.exe	89
PID 220 wrote to memory of 3464	220	msiexec.exe	89
PID 220 wrote to memory of 2668	220	msiexec.exe	91
PID 220 wrote to memory of 2668	220	msiexec.exe	91
PID 220 wrote to memory of 2668	220	msiexec.exe	91

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\DOCPS_SIST_JUS.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2500

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DB733054C19B2026532F4B9BA8AA044C
  2⤵
  - Loads dropped DLL
  PID:3464
- C:\Users\Admin\AppData\Roaming\Relatorios\Urgency Communits\Bulking.exe
  "C:\Users\Admin\AppData\Roaming\Relatorios\Urgency Communits\Bulking.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e582eee.rbs

Filesize
3KB

MD5
f88aaf40624cb64b61d1fe1b3d0eea38

SHA1
6fc1a815cd1f7a214c9d2eecbe78f638abbeb7bc

SHA256
8b1101cb30fdfabef7187132143455ee07c2a937a0b45bb5f50367e8403d0e92

SHA512
d2855417e3012fa00021775625140f0dbdc104c08ad6515549be7d4940c4e24b4a773ca1c3383225428d2ce12ddbdabb244de961cc7eb3da17fdaaaa91dae9f2

Download Submit
C:\Users\Admin\AppData\Roaming\Relatorios\Urgency Communits\Bulking.exe

Filesize
2.0MB

MD5
fe84f125c65b81039acc9ea54b887ea8

SHA1
8d68d1fdd365f9fa40ef25d0ab1ead4361c7f9be

SHA256
546dbcc7a073099096a027efba2598b8242476a0ee20d7026ddee2251b0edf57

SHA512
188f81c6fe7d8839cf9b35e38512cec7ef63c1cf6a630ca5ed836023e2c1fc333a9f5dbd2446d9fa4d72f1044edbae981358062eec1951badf9626c8c7f518d8

Download Submit
C:\Users\Admin\AppData\Roaming\Relatorios\Urgency Communits\Bulking.exe

Filesize
2.0MB

MD5
fe84f125c65b81039acc9ea54b887ea8

SHA1
8d68d1fdd365f9fa40ef25d0ab1ead4361c7f9be

SHA256
546dbcc7a073099096a027efba2598b8242476a0ee20d7026ddee2251b0edf57

SHA512
188f81c6fe7d8839cf9b35e38512cec7ef63c1cf6a630ca5ed836023e2c1fc333a9f5dbd2446d9fa4d72f1044edbae981358062eec1951badf9626c8c7f518d8

Download Submit
C:\Users\Admin\AppData\Roaming\Relatorios\Urgency Communits\CBSCreateVC.dll

Filesize
40.1MB

MD5
3a1c578c1b2679e276a7bb10dae4f7ab

SHA1
92e4ee2cb568f5b36a32a8e60b63feb90dcaaf12

SHA256
30c6054ac5bf9f7a4f34acb0ff9a9f680a995aa4e0a7240f735f1ecc70eccb13

SHA512
550481a87224b56bb0eb9accab0b965be9bb54bc315db0ea5d9437dca2bc6830d214933192b0e5197f925e3f67382c6327e82ce5aff4a05529c5bc5d8d74f961

Download Submit
C:\Users\Admin\AppData\Roaming\Relatorios\Urgency Communits\CBSCreateVC.dll

Filesize
40.1MB

MD5
3a1c578c1b2679e276a7bb10dae4f7ab

SHA1
92e4ee2cb568f5b36a32a8e60b63feb90dcaaf12

SHA256
30c6054ac5bf9f7a4f34acb0ff9a9f680a995aa4e0a7240f735f1ecc70eccb13

SHA512
550481a87224b56bb0eb9accab0b965be9bb54bc315db0ea5d9437dca2bc6830d214933192b0e5197f925e3f67382c6327e82ce5aff4a05529c5bc5d8d74f961

Download Submit
C:\Users\Admin\AppData\Roaming\Relatorios\Urgency Communits\CBSCreateVC.dll

Filesize
40.1MB

MD5
3a1c578c1b2679e276a7bb10dae4f7ab

SHA1
92e4ee2cb568f5b36a32a8e60b63feb90dcaaf12

SHA256
30c6054ac5bf9f7a4f34acb0ff9a9f680a995aa4e0a7240f735f1ecc70eccb13

SHA512
550481a87224b56bb0eb9accab0b965be9bb54bc315db0ea5d9437dca2bc6830d214933192b0e5197f925e3f67382c6327e82ce5aff4a05529c5bc5d8d74f961

Download Submit
C:\Users\Admin\AppData\Roaming\Relatorios\Urgency Communits\CBSProducstInfo.dll

Filesize
692KB

MD5
e867ab7faf5462d37969565962275e3a

SHA1
6e33c444f016183dbf24117931130eebb02bc763

SHA256
c22d5cdca62e16567f8c130a5e9ddf7e77212904af5ae34c7888f3aac89e1bb1

SHA512
58710340fe2285179332bb34df544f49b54db3bf898557231c71c940b4427242f0d06e430ed25f71ced643d52d4586258830b3ed1cfc3a94eab4d9c9802c6cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Relatorios\Urgency Communits\CBSProducstInfo.dll

Filesize
692KB

MD5
e867ab7faf5462d37969565962275e3a

SHA1
6e33c444f016183dbf24117931130eebb02bc763

SHA256
c22d5cdca62e16567f8c130a5e9ddf7e77212904af5ae34c7888f3aac89e1bb1

SHA512
58710340fe2285179332bb34df544f49b54db3bf898557231c71c940b4427242f0d06e430ed25f71ced643d52d4586258830b3ed1cfc3a94eab4d9c9802c6cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Relatorios\Urgency Communits\CBSProducstInfo.dll

Filesize
692KB

MD5
e867ab7faf5462d37969565962275e3a

SHA1
6e33c444f016183dbf24117931130eebb02bc763

SHA256
c22d5cdca62e16567f8c130a5e9ddf7e77212904af5ae34c7888f3aac89e1bb1

SHA512
58710340fe2285179332bb34df544f49b54db3bf898557231c71c940b4427242f0d06e430ed25f71ced643d52d4586258830b3ed1cfc3a94eab4d9c9802c6cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Relatorios\Urgency Communits\CBSProducstInfo.dll

Filesize
692KB

MD5
e867ab7faf5462d37969565962275e3a

SHA1
6e33c444f016183dbf24117931130eebb02bc763

SHA256
c22d5cdca62e16567f8c130a5e9ddf7e77212904af5ae34c7888f3aac89e1bb1

SHA512
58710340fe2285179332bb34df544f49b54db3bf898557231c71c940b4427242f0d06e430ed25f71ced643d52d4586258830b3ed1cfc3a94eab4d9c9802c6cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Relatorios\Urgency Communits\DAQExp.dll

Filesize
1.4MB

MD5
ead517fe26df369aa13cf9aa620b935e

SHA1
0797d65e0e90f9f2c9e6ae4a673261389aa8b2e5

SHA256
e57e457c56447640011298bf85d589964eacdfe8125b36d6ad0f12d2ec053efd

SHA512
61f3cda3fc26da9b6a98c1912c3df9fce056a7cd553ca365f6992d8ee91c4be18dc50d84f2c42c498326b76f36eb7ac406d0e566b30ba1b4e3f14004e9373cbe

Download Submit
C:\Users\Admin\AppData\Roaming\Relatorios\Urgency Communits\DAQExp.dll

Filesize
1.4MB

MD5
ead517fe26df369aa13cf9aa620b935e

SHA1
0797d65e0e90f9f2c9e6ae4a673261389aa8b2e5

SHA256
e57e457c56447640011298bf85d589964eacdfe8125b36d6ad0f12d2ec053efd

SHA512
61f3cda3fc26da9b6a98c1912c3df9fce056a7cd553ca365f6992d8ee91c4be18dc50d84f2c42c498326b76f36eb7ac406d0e566b30ba1b4e3f14004e9373cbe

Download Submit
C:\Windows\Installer\MSI2FB6.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI2FB6.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI32A5.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI32A5.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI3381.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI3381.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI3381.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI33DF.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI33DF.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
memory/2668-177-0x0000000000C40000-0x0000000000CF8000-memory.dmp

Filesize
736KB

Download