959b5d70863cb4eea556651730399902dbe84a951b050dfcd598c542b70e589f

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2023, 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Instale_SAFOResumen_v2.0_JC.exe
Size

1.7MB
MD5

c14e952a9f505a7f780740d1e3f80b3c
SHA1

378585b6e9d9bba2c6ced479019162b096d4930f
SHA256

959b5d70863cb4eea556651730399902dbe84a951b050dfcd598c542b70e589f
SHA512

1f20f95ad72c2ebf866417c9c980dd2a45adf3ec6e3f47b8520b27e605073c44013fd63082bb6f5fc9c195620193e3016af2ee1fe52e6582af49fc5e609ba42b
SSDEEP

49152:pTSwr4H0J/6EBC4AEG8WOZKow8SJBj0uR4lpvYMiKoQ:pTSwr4yAWKow8GBj+lY9RQ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
3548	MsiExec.exe
3548	MsiExec.exe
3548	MsiExec.exe
3548	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1644	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1644	msiexec.exe
Token: SeSecurityPrivilege	2292	msiexec.exe
Token: SeCreateTokenPrivilege	1644	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1644	msiexec.exe
Token: SeLockMemoryPrivilege	1644	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1644	msiexec.exe
Token: SeMachineAccountPrivilege	1644	msiexec.exe
Token: SeTcbPrivilege	1644	msiexec.exe
Token: SeSecurityPrivilege	1644	msiexec.exe
Token: SeTakeOwnershipPrivilege	1644	msiexec.exe
Token: SeLoadDriverPrivilege	1644	msiexec.exe
Token: SeSystemProfilePrivilege	1644	msiexec.exe
Token: SeSystemtimePrivilege	1644	msiexec.exe
Token: SeProfSingleProcessPrivilege	1644	msiexec.exe
Token: SeIncBasePriorityPrivilege	1644	msiexec.exe
Token: SeCreatePagefilePrivilege	1644	msiexec.exe
Token: SeCreatePermanentPrivilege	1644	msiexec.exe
Token: SeBackupPrivilege	1644	msiexec.exe
Token: SeRestorePrivilege	1644	msiexec.exe
Token: SeShutdownPrivilege	1644	msiexec.exe
Token: SeDebugPrivilege	1644	msiexec.exe
Token: SeAuditPrivilege	1644	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1644	msiexec.exe
Token: SeChangeNotifyPrivilege	1644	msiexec.exe
Token: SeRemoteShutdownPrivilege	1644	msiexec.exe
Token: SeUndockPrivilege	1644	msiexec.exe
Token: SeSyncAgentPrivilege	1644	msiexec.exe
Token: SeEnableDelegationPrivilege	1644	msiexec.exe
Token: SeManageVolumePrivilege	1644	msiexec.exe
Token: SeImpersonatePrivilege	1644	msiexec.exe
Token: SeCreateGlobalPrivilege	1644	msiexec.exe
Token: SeCreateTokenPrivilege	1644	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1644	msiexec.exe
Token: SeLockMemoryPrivilege	1644	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1644	msiexec.exe
Token: SeMachineAccountPrivilege	1644	msiexec.exe
Token: SeTcbPrivilege	1644	msiexec.exe
Token: SeSecurityPrivilege	1644	msiexec.exe
Token: SeTakeOwnershipPrivilege	1644	msiexec.exe
Token: SeLoadDriverPrivilege	1644	msiexec.exe
Token: SeSystemProfilePrivilege	1644	msiexec.exe
Token: SeSystemtimePrivilege	1644	msiexec.exe
Token: SeProfSingleProcessPrivilege	1644	msiexec.exe
Token: SeIncBasePriorityPrivilege	1644	msiexec.exe
Token: SeCreatePagefilePrivilege	1644	msiexec.exe
Token: SeCreatePermanentPrivilege	1644	msiexec.exe
Token: SeBackupPrivilege	1644	msiexec.exe
Token: SeRestorePrivilege	1644	msiexec.exe
Token: SeShutdownPrivilege	1644	msiexec.exe
Token: SeDebugPrivilege	1644	msiexec.exe
Token: SeAuditPrivilege	1644	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1644	msiexec.exe
Token: SeChangeNotifyPrivilege	1644	msiexec.exe
Token: SeRemoteShutdownPrivilege	1644	msiexec.exe
Token: SeUndockPrivilege	1644	msiexec.exe
Token: SeSyncAgentPrivilege	1644	msiexec.exe
Token: SeEnableDelegationPrivilege	1644	msiexec.exe
Token: SeManageVolumePrivilege	1644	msiexec.exe
Token: SeImpersonatePrivilege	1644	msiexec.exe
Token: SeCreateGlobalPrivilege	1644	msiexec.exe
Token: SeCreateTokenPrivilege	1644	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1644	msiexec.exe
Token: SeLockMemoryPrivilege	1644	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1668	Instale_SAFOResumen_v2.0_JC.exe
1644	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1644	1668	Instale_SAFOResumen_v2.0_JC.exe	79
PID 1668 wrote to memory of 1644	1668	Instale_SAFOResumen_v2.0_JC.exe	79
PID 2292 wrote to memory of 3548	2292	msiexec.exe	82
PID 2292 wrote to memory of 3548	2292	msiexec.exe	82
PID 2292 wrote to memory of 3548	2292	msiexec.exe	82

C:\Users\Admin\AppData\Local\Temp\Instale_SAFOResumen_v2.0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\Instale_SAFOResumen_v2.0_JC.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\system32\msiexec.exe
  /i "C:\Users\Admin\AppData\Roaming\SICAD de Costa Rica\SAFOResumen 2.0.0\install\Instale_SAFOResumen_v2.0.msi" /L*V "C:\SAFOResumen_Install.log" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Instale_SAFOResumen_v2.0_JC.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1644

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B2EB3404D24FA4E874AE1D6CFCD06827 C
  2⤵
  - Loads dropped DLL
  PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIB3EE.tmp

Filesize
91KB

MD5
f16f35078bfb36d801f8c500ba5c1a40

SHA1
3b97e9a8daf7e2d6a9e656edede87314ee142a89

SHA256
583bf08b032b830d33cb34fd0a1d51361311592528d27881266e87a074b416ff

SHA512
84e3207d6399a314f533ea597e23759c618a16fc57493e8fdf2ee86a1daf776d4315612fd6ba23046d46e46a92b1b0b29a2d40bdd27baa9dc51feadb4af89230

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB3EE.tmp

Filesize
91KB

MD5
f16f35078bfb36d801f8c500ba5c1a40

SHA1
3b97e9a8daf7e2d6a9e656edede87314ee142a89

SHA256
583bf08b032b830d33cb34fd0a1d51361311592528d27881266e87a074b416ff

SHA512
84e3207d6399a314f533ea597e23759c618a16fc57493e8fdf2ee86a1daf776d4315612fd6ba23046d46e46a92b1b0b29a2d40bdd27baa9dc51feadb4af89230

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB5A5.tmp

Filesize
91KB

MD5
f16f35078bfb36d801f8c500ba5c1a40

SHA1
3b97e9a8daf7e2d6a9e656edede87314ee142a89

SHA256
583bf08b032b830d33cb34fd0a1d51361311592528d27881266e87a074b416ff

SHA512
84e3207d6399a314f533ea597e23759c618a16fc57493e8fdf2ee86a1daf776d4315612fd6ba23046d46e46a92b1b0b29a2d40bdd27baa9dc51feadb4af89230

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB5A5.tmp

Filesize
91KB

MD5
f16f35078bfb36d801f8c500ba5c1a40

SHA1
3b97e9a8daf7e2d6a9e656edede87314ee142a89

SHA256
583bf08b032b830d33cb34fd0a1d51361311592528d27881266e87a074b416ff

SHA512
84e3207d6399a314f533ea597e23759c618a16fc57493e8fdf2ee86a1daf776d4315612fd6ba23046d46e46a92b1b0b29a2d40bdd27baa9dc51feadb4af89230

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB5D5.tmp

Filesize
91KB

MD5
f16f35078bfb36d801f8c500ba5c1a40

SHA1
3b97e9a8daf7e2d6a9e656edede87314ee142a89

SHA256
583bf08b032b830d33cb34fd0a1d51361311592528d27881266e87a074b416ff

SHA512
84e3207d6399a314f533ea597e23759c618a16fc57493e8fdf2ee86a1daf776d4315612fd6ba23046d46e46a92b1b0b29a2d40bdd27baa9dc51feadb4af89230

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB5D5.tmp

Filesize
91KB

MD5
f16f35078bfb36d801f8c500ba5c1a40

SHA1
3b97e9a8daf7e2d6a9e656edede87314ee142a89

SHA256
583bf08b032b830d33cb34fd0a1d51361311592528d27881266e87a074b416ff

SHA512
84e3207d6399a314f533ea597e23759c618a16fc57493e8fdf2ee86a1daf776d4315612fd6ba23046d46e46a92b1b0b29a2d40bdd27baa9dc51feadb4af89230

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB5D5.tmp

Filesize
91KB

MD5
f16f35078bfb36d801f8c500ba5c1a40

SHA1
3b97e9a8daf7e2d6a9e656edede87314ee142a89

SHA256
583bf08b032b830d33cb34fd0a1d51361311592528d27881266e87a074b416ff

SHA512
84e3207d6399a314f533ea597e23759c618a16fc57493e8fdf2ee86a1daf776d4315612fd6ba23046d46e46a92b1b0b29a2d40bdd27baa9dc51feadb4af89230

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB78B.tmp

Filesize
91KB

MD5
f16f35078bfb36d801f8c500ba5c1a40

SHA1
3b97e9a8daf7e2d6a9e656edede87314ee142a89

SHA256
583bf08b032b830d33cb34fd0a1d51361311592528d27881266e87a074b416ff

SHA512
84e3207d6399a314f533ea597e23759c618a16fc57493e8fdf2ee86a1daf776d4315612fd6ba23046d46e46a92b1b0b29a2d40bdd27baa9dc51feadb4af89230

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB78B.tmp

Filesize
91KB

MD5
f16f35078bfb36d801f8c500ba5c1a40

SHA1
3b97e9a8daf7e2d6a9e656edede87314ee142a89

SHA256
583bf08b032b830d33cb34fd0a1d51361311592528d27881266e87a074b416ff

SHA512
84e3207d6399a314f533ea597e23759c618a16fc57493e8fdf2ee86a1daf776d4315612fd6ba23046d46e46a92b1b0b29a2d40bdd27baa9dc51feadb4af89230

Download Submit
C:\Users\Admin\AppData\Roaming\SICAD de Costa Rica\SAFOResumen 2.0.0\install\Instale_SAFOResumen_v2.0.msi

Filesize
1.1MB

MD5
13f45b58b4be1601445dcd4e66f71b4e

SHA1
617dd9b33ab0241746e37229ada5e5ab72941df2

SHA256
ff31554f3a2e20c32c0fb83127754a0be4d4fa4e20e50074e2bf5dac0c5a81c9

SHA512
27ecbe5e56ccfb7eac7593c1001393da9d2a466bbd5ac6e0bed59994abae497af617ca77eb49f39ce2b2a08d07bd969861b581546dffe95419344cda481a7221

Download Submit
memory/1668-0-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/1668-23-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download