c63e4f6a5dfc81387f153cba1168a35c1d76d805ea4a1d72f3fb4bc578a6c029

Analysis

max time kernel
0s
max time network
137s
platform
windows7_x64
resource
win7-20231129-es
resource tags

arch:x64arch:x86image:win7-20231129-eslocale:es-esos:windows7-x64systemwindows
submitted
10/01/2024, 19:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ADVERTENCIA_23_01099.msi
Size

13.8MB
MD5

831c986dcadc28eef1fb843db00e6674
SHA1

233561089cb47d0f7753a869c55486db530b0c40
SHA256

1cd9b6a09b78ab7a7d2f71c80dd86a1098f7626cdcfdbb257e5325858c3b6451
SHA512

f2589762ef4faa4d4a1195d130a6ac08281e6e2503f722455ea70890435308e0ed1098c93de769415626c7bf62428b2a613590c0d8316a82cdc12fe40db90a73
SSDEEP

196608:GP7ftnVdbgz1X0K0IR2Ezsu7208vgHYtinivNuTAIhyHAsEjj:GT1Vdicju7208vgHYAnNM2iEjj

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00060000000160a7-68.dat	acprotect
behavioral1/files/0x00060000000160f5-70.dat	acprotect
behavioral1/files/0x00060000000160f5-69.dat	acprotect
behavioral1/files/0x00060000000160a7-67.dat	acprotect

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000160a7-68.dat	upx
behavioral1/memory/2824-72-0x0000000002040000-0x000000000208C000-memory.dmp	upx
behavioral1/memory/2824-71-0x0000000010000000-0x0000000010149000-memory.dmp	upx
behavioral1/files/0x00060000000160f5-70.dat	upx
behavioral1/files/0x00060000000160f5-69.dat	upx
behavioral1/files/0x00060000000160a7-67.dat	upx
behavioral1/memory/2824-75-0x0000000010000000-0x0000000010149000-memory.dmp	upx
behavioral1/memory/2824-184-0x0000000010000000-0x0000000010149000-memory.dmp	upx
behavioral1/memory/2824-187-0x0000000002040000-0x000000000208C000-memory.dmp	upx

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io
5	ipinfo.io

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f7618ce.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7618ce.msi	msiexec.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2204	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeSecurityPrivilege	2656	msiexec.exe
Token: SeCreateTokenPrivilege	2204	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2204	msiexec.exe
Token: SeLockMemoryPrivilege	2204	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2204	msiexec.exe
Token: SeMachineAccountPrivilege	2204	msiexec.exe
Token: SeTcbPrivilege	2204	msiexec.exe
Token: SeSecurityPrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeLoadDriverPrivilege	2204	msiexec.exe
Token: SeSystemProfilePrivilege	2204	msiexec.exe
Token: SeSystemtimePrivilege	2204	msiexec.exe
Token: SeProfSingleProcessPrivilege	2204	msiexec.exe
Token: SeIncBasePriorityPrivilege	2204	msiexec.exe
Token: SeCreatePagefilePrivilege	2204	msiexec.exe
Token: SeCreatePermanentPrivilege	2204	msiexec.exe
Token: SeBackupPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeShutdownPrivilege	2204	msiexec.exe
Token: SeDebugPrivilege	2204	msiexec.exe
Token: SeAuditPrivilege	2204	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2204	msiexec.exe
Token: SeChangeNotifyPrivilege	2204	msiexec.exe
Token: SeRemoteShutdownPrivilege	2204	msiexec.exe
Token: SeUndockPrivilege	2204	msiexec.exe
Token: SeSyncAgentPrivilege	2204	msiexec.exe
Token: SeEnableDelegationPrivilege	2204	msiexec.exe
Token: SeManageVolumePrivilege	2204	msiexec.exe
Token: SeImpersonatePrivilege	2204	msiexec.exe
Token: SeCreateGlobalPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2204	msiexec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ADVERTENCIA_23_01099.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2204

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2656
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DBC95F8E7D5971A8A51852228C24B600
  2⤵
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
14KB

MD5
823dc7b5d1dd3de45ab2c59b008fbb8c

SHA1
cae2a928b44a4e9f3980479c10675b4e65de1788

SHA256
0864ee138727841ce921ee971232db4e5584349d7807f8e92f5351f151800de6

SHA512
87e2bf3fabcb4e2ee4163761524678f63daf8a4cf974c7ef8e1b5592922467430c622061fc08ea8aa59cc051083773e38d290ae25975cacdf18bb9f4d8202877

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
69d126e43098eb0a4a1702dbbeac5c0d

SHA1
2a46be60e4c8fdd613314e968788c23d026dae33

SHA256
7d65c51a88d2d80d4be8c5e8bcf22491ec4408bc4c9851f3dbd73e323efb7e34

SHA512
91988eedc0eff37dfff35974c7f1a1f4da39fddc4be5e3433a8a2a503a86262a5b34d1b8012cca38e19aaf0b8b4d3dcbd5fbcf89906a3f642b27e5a06e0e124f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
db5a988eeea6adee3ea54453075c4336

SHA1
825868c50bcd4284e9e9dbeefc67b3cd9edad417

SHA256
0384974a5d4baf71d9454c6f459c9db178d3426b077531f9c18531d262a72abf

SHA512
26876177df34d0b2cfbd332313af8a36de0c418868d85acc6a8f34a984dcced8d75ecf753b3f50f9def7fbdec4991b40ad000d18f27fe703ba24ff6483c38de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5601.tmp

Filesize
45KB

MD5
22282d8394a0da9cd7828ed1bbc54fc0

SHA1
6226252c7bd443175bb5c24b2d897ca396d3a927

SHA256
3aceccc2cbf0496ffed3197bd32d200a0adfc6b431782c1f58470e806c7682da

SHA512
e1ec000e6be86fd6487860267b95ebde1d660d396829e5441e53c8d1f69f8a996039a110ff891d5ca7da2cbe2c774cb0bc0959782a7e799738ae877ae837a5ba

Download Submit
C:\Windows\Installer\MSI18ED.tmp

Filesize
133KB

MD5
58f83021f30a781f3b3736b4b98a108c

SHA1
1a0f76ea7fb600c58e89fd4a91f61df3da77d776

SHA256
8a058ef27d66fc2e0eb8e19eeadf907d3fcebeb51e04905f14c40fb79b0ebab8

SHA512
74ad9184a1b42028e29a874b73c0760be9a95f2e4814c8fe5199b3b79d93e99934d3b2f92f706c0003dccb8eaa325bc0da8680f060db7e192e2d22ed4dd59c54

Download Submit
C:\Windows\Installer\MSI19C9.tmp

Filesize
68KB

MD5
b67d97a681fd954a8d4ed023caca0226

SHA1
769947d54b0e8a2c2554cd2c5959d772d89f218b

SHA256
984b9f5ce1f667a105b75ef7ea914d26a5e14451d682f99638110febe0de507b

SHA512
9856e9491706dcca0df2c65bc4940a75ef25f6ddafd1dc127bac13b35f0c7c8e291c14135425919ead38a48c4bd8faa84555bf07030d4ed4b9b855f459b68f82

Download Submit
C:\Windows\Installer\MSI1A46.tmp

Filesize
60KB

MD5
cd045956d0cd393e6894108448403db4

SHA1
d71d2c312df8362f102745f857296ceddf3b6a32

SHA256
baef80677f8a79bbf4067af74307480348542cf95e0acf5113d8cc9db0e7b689

SHA512
3e41614fca7a16bcf2bd0c43722ab9c5c450e271f9e13ab580b302b75d93a1d195853243f7dd322482a1f54167f46a15b85dfc084bfe09ac6fd20f327d60563d

Download Submit
C:\Windows\Installer\MSI1AC4.tmp

Filesize
5KB

MD5
014f36121e951ae4e04ccdbc463ca36f

SHA1
1a73079a3b7ac7f864dee9efbd0c0192254d813b

SHA256
95ac010501ac77e3ed934e6a8df76b02e17393d5e1d1ab97958b37e2108c4f64

SHA512
b6eaa6cbb1844b35f01aeee14e3b474d2c21b18a597a718ad0f5198ed0d02677a99fd4721fbf5f520151e3d925503f013f3ac33f5de5f760774cf398bd55f0dc

Download Submit
C:\Windows\Installer\MSI1AC4.tmp

Filesize
24KB

MD5
02a7d12e310cbfdd286b99d55fca7893

SHA1
eda76cb501dd9a3a5a327c8605c4002f35b8286d

SHA256
add4ad88b29630117ac98fad96768f27011aaffec9ad8bc232e15c7e28dc9fbf

SHA512
6ec6fd391ebd7e62aaf60345f433e0ef124581283b8928a7492c8feebc43bebbe6d14dd741a7f52d81511feac36bd29067f4c78e1f690d881884c488dfef28ec

Download Submit
C:\Windows\Installer\MSI1CF9.tmp

Filesize
37KB

MD5
d9e0da36e97ec7bf16cfa1624c65fcd5

SHA1
0fb74fcebf3f1ee6fa850256794ac21e657477a1

SHA256
a29155bc63ccbb96e747424c8247b7496ea47ca9eca5a08eea29d408d37eda19

SHA512
f7e202b5a3af4ef2af314758802cf30dd179cf12d39128da769f2ac9521173b7925f735cc277f5bb7d5b17dcbf291cce14bbce887441bcb9fbfe4438507d99ce

Download Submit
\??\c:\programdata\ssleay32.dll

Filesize
50KB

MD5
07d8adf27a48a326bac15dee2d694de8

SHA1
f7549b9b6947c4a271d11d483b676bc7edd461b3

SHA256
550c89eea3f912fd2b8bd24da574f49206b9121a0ed5d34ede7f39d194e49596

SHA512
15ed426b14ca5575fb2373eef538a98a017ec60551188bc8ff5863f507c8af50c5ceb13e0c6d3e6fa3ffa293c4471d729c12e28dab555c3beca3baa6a004c929

Download Submit
\ProgramData\libeay32.dll

Filesize
27KB

MD5
72d57d742e213981613fbcbce271b06b

SHA1
2dccd05a7f422b7c1dd5b2d4f877ce968422d271

SHA256
1c1c12af51a109faccb590f9ba178e519e52b00cdfcacf87232473bca0ccac0d

SHA512
43bab3cab3d704fa2d037903c52aa9a1bf72983790b028ad58a0a60a4df19ccb88646984838049ad4c43a07d3c05e3fe74077c66d4c7aa9203c0b8a677f809e2

Download Submit
\ProgramData\ssleay32.dll

Filesize
7KB

MD5
10f9b74801a99a802f79c95c200be66a

SHA1
6289f61ee4355b4b84bab4228e9ac60949c3b404

SHA256
2ac7ee6eeb824bb2d7cf7cafb21bebdb941b8cd1d25ddde54afa963a5b6802f4

SHA512
5341fd5dbc922130eee0fd2caff9c0ae5cbdff9269b1621eb548c82bce1df2a97d36cf356260ffc59e2def7cfd4b0fd130164be01a45dcabde36c8b41b284d98

Download Submit
\Windows\Installer\MSI18ED.tmp

Filesize
93KB

MD5
a54dc7622e6e3ab258796a0fe8762922

SHA1
9cd99966a5c2f9c8133951ed839508f5cbaa10ad

SHA256
37801060bd67625b401ee215e78af15a10801487726e64e6c8fd205d0096bcfe

SHA512
69a734087310497fd567c145c4fb672fc2f9a591f7546c4f592f2fbe984b7d28abd86782a26294145b6c10d2b0254409d6a21acd3ef3ccb1e8112f7cadb9d6fe

Download Submit
\Windows\Installer\MSI19C9.tmp

Filesize
52KB

MD5
d10b28af3ce49e7f356c9dda78edaf58

SHA1
804eefed2c993fd4bd49f6f959f36a8946be1749

SHA256
bbb61817d7ccb477f6209637d6bcea5862776b0d28d18e11e61da7e729151d8f

SHA512
db4e5512dc77a4390755f9eb027dc3ad0a7437c9d4352654454373cab37f0b69347385e9e312704821d787288c3927e353e5a907e0cb95c4672e4f5e8430627b

Download Submit
\Windows\Installer\MSI1A46.tmp

Filesize
124KB

MD5
3d22761236dc436ac618d8c5ae16b368

SHA1
91aee6409e98f2477be3446ef675a8a8a8456bcc

SHA256
606bb0c8a2f9131a1150b5b543d9f4b305d44bf8020a6815c43f718306cc80af

SHA512
d87615e89c5627f02c6bdea7010886b422e5d4f003bbf4af511358c908ed75a8b90109459a9341a413e0114d779a492b36e3e2fdc7ec6ee9292e43adfee1c795

Download Submit
\Windows\Installer\MSI1AC4.tmp

Filesize
17KB

MD5
249fe6d1f3611bfb1ae7153062045d8f

SHA1
cc209945c816edb4f9fc4597f8d9369df16efa60

SHA256
76da2c5eb74cfbb8d0489cf935833c4da1accaa9a92ce5b98d02cff56a449552

SHA512
09d7c348fba67d9a6e3829627851230cb6c1a7665952828d5e2f3e3749ed713011c57df1095acc90a02efc739ca879b7ab6868e36f84f4aad32fbe2bcdd66646

Download Submit
\Windows\Installer\MSI1CF9.tmp

Filesize
36KB

MD5
c549a06cb2da9667923ff190ed886591

SHA1
c2725e45ffb3703f5c7be828b0387d86ad715069

SHA256
0bab8ee23f0fccbaca8115bb2d8d4f3bf74901b723b01c15420ec82bd07bd1d6

SHA512
8e0b7fb2c1d563a269225338072d96c23bfa58e06a74bfb078cbadb34c9482cfd814e3a2cd663b56c326ea9f2d9a5371dc05946f6b1599b8440bb36b83c6061b

Download Submit
memory/2824-29-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2824-71-0x0000000010000000-0x0000000010149000-memory.dmp

Filesize
1.3MB

Download
memory/2824-47-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2824-44-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2824-42-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2824-40-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2824-39-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2824-37-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2824-31-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2824-52-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2824-72-0x0000000002040000-0x000000000208C000-memory.dmp

Filesize
304KB

Download
memory/2824-49-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2824-54-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2824-57-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2824-59-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2824-75-0x0000000010000000-0x0000000010149000-memory.dmp

Filesize
1.3MB

Download
memory/2824-62-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2824-64-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2824-35-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2824-34-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2824-32-0x0000000002960000-0x0000000003CE2000-memory.dmp

Filesize
19.5MB

Download
memory/2824-183-0x0000000002960000-0x0000000003CE2000-memory.dmp

Filesize
19.5MB

Download
memory/2824-184-0x0000000010000000-0x0000000010149000-memory.dmp

Filesize
1.3MB

Download
memory/2824-187-0x0000000002040000-0x000000000208C000-memory.dmp

Filesize
304KB

Download