1d60758bf6e27842dc66287dd19665c877522da2eeb7e87e0919c68f52b4e339

Analysis

max time kernel
93s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240226-es
resource tags

arch:x64arch:x86image:win10v2004-20240226-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
27/02/2024, 15:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

CFE.CUENTA.MMEYFQNH裆.msi
Size

12.6MB
MD5

46272a5b9fe90d4ff02fa9574f074579
SHA1

905e60e4b443988537f47caed95b3477f1c30df2
SHA256

458bcd7fe2aab017fc3ce09eb91b7e7563c8336158eaff58bbf237b6f5d38e55
SHA512

ab21c8aedbd73f50a9e020074add714a61684dd83d1c2fb524c7ba7e5517e9e4fd836e71075b68ef326291d827e743266c42441d45732aac8ff5f9d5705287e2
SSDEEP

98304:52I9bl7uRbAUMHyIzu89NJ0h3NkQn8NzZ8DpzXMG3dK4I67WPkX0:53l7bHm89TeNkh8DNXMGtK4GS

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	5064	msiexec.exe
10	1556	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI31D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI323E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI332B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3057.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3161.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6B9LT0YF-UA8K-VXOG-30JO-C9OAZXS92H70}	msiexec.exe
File created	C:\Windows\Installer\e572f8c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e572f8c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI32FB.tmp	msiexec.exe

Loads dropped DLL 5 IoCs

pid	Process
1556	MsiExec.exe
1556	MsiExec.exe
1556	MsiExec.exe
1556	MsiExec.exe
1556	MsiExec.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3712	1556	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3880	msiexec.exe
3880	msiexec.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5064	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5064	msiexec.exe
Token: SeSecurityPrivilege	3880	msiexec.exe
Token: SeCreateTokenPrivilege	5064	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5064	msiexec.exe
Token: SeLockMemoryPrivilege	5064	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5064	msiexec.exe
Token: SeMachineAccountPrivilege	5064	msiexec.exe
Token: SeTcbPrivilege	5064	msiexec.exe
Token: SeSecurityPrivilege	5064	msiexec.exe
Token: SeTakeOwnershipPrivilege	5064	msiexec.exe
Token: SeLoadDriverPrivilege	5064	msiexec.exe
Token: SeSystemProfilePrivilege	5064	msiexec.exe
Token: SeSystemtimePrivilege	5064	msiexec.exe
Token: SeProfSingleProcessPrivilege	5064	msiexec.exe
Token: SeIncBasePriorityPrivilege	5064	msiexec.exe
Token: SeCreatePagefilePrivilege	5064	msiexec.exe
Token: SeCreatePermanentPrivilege	5064	msiexec.exe
Token: SeBackupPrivilege	5064	msiexec.exe
Token: SeRestorePrivilege	5064	msiexec.exe
Token: SeShutdownPrivilege	5064	msiexec.exe
Token: SeDebugPrivilege	5064	msiexec.exe
Token: SeAuditPrivilege	5064	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5064	msiexec.exe
Token: SeChangeNotifyPrivilege	5064	msiexec.exe
Token: SeRemoteShutdownPrivilege	5064	msiexec.exe
Token: SeUndockPrivilege	5064	msiexec.exe
Token: SeSyncAgentPrivilege	5064	msiexec.exe
Token: SeEnableDelegationPrivilege	5064	msiexec.exe
Token: SeManageVolumePrivilege	5064	msiexec.exe
Token: SeImpersonatePrivilege	5064	msiexec.exe
Token: SeCreateGlobalPrivilege	5064	msiexec.exe
Token: SeRestorePrivilege	3880	msiexec.exe
Token: SeTakeOwnershipPrivilege	3880	msiexec.exe
Token: SeRestorePrivilege	3880	msiexec.exe
Token: SeTakeOwnershipPrivilege	3880	msiexec.exe
Token: SeRestorePrivilege	3880	msiexec.exe
Token: SeTakeOwnershipPrivilege	3880	msiexec.exe
Token: SeRestorePrivilege	3880	msiexec.exe
Token: SeTakeOwnershipPrivilege	3880	msiexec.exe
Token: SeRestorePrivilege	3880	msiexec.exe
Token: SeTakeOwnershipPrivilege	3880	msiexec.exe
Token: SeRestorePrivilege	3880	msiexec.exe
Token: SeTakeOwnershipPrivilege	3880	msiexec.exe
Token: SeRestorePrivilege	3880	msiexec.exe
Token: SeTakeOwnershipPrivilege	3880	msiexec.exe
Token: SeRestorePrivilege	3880	msiexec.exe
Token: SeTakeOwnershipPrivilege	3880	msiexec.exe
Token: SeRestorePrivilege	3880	msiexec.exe
Token: SeTakeOwnershipPrivilege	3880	msiexec.exe
Token: SeRestorePrivilege	3880	msiexec.exe
Token: SeTakeOwnershipPrivilege	3880	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5064	msiexec.exe
5064	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1556	MsiExec.exe
1556	MsiExec.exe
1556	MsiExec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 1556	3880	msiexec.exe	94
PID 3880 wrote to memory of 1556	3880	msiexec.exe	94
PID 3880 wrote to memory of 1556	3880	msiexec.exe	94

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\CFE.CUENTA.MMEYFQNH裆.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5064

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DFFB5DCB05D66B095143576E881674D6
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1076
    3⤵
    - Program crash
    PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1556 -ip 1556
1⤵
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_A1B4C7267E6BDB03502A89087B70156B

Filesize
1KB

MD5
c6d430394ac11467c50e3ed742b0f71f

SHA1
6445873a91dc63242c4da3862d4f14d4e9374bbb

SHA256
3f3f269f04ac7605a8d30765c2ab84917ec6d7854711aa444cacfb5e8efd44b3

SHA512
7e04d89af42bd4075cdec0ff1c7d508fa7ca5e4d643328e0488db7ca97ab6190ddc45be9dedb87f2e1136925acc65c9c84ae2e2f6a3bdb1fb32a5c5be11b343e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
6871bc553b607625eaf0c524b1b646f9

SHA1
1f676aedb4d20c8efd10736343006a39aaa6064d

SHA256
1a87806a901c4e1895b4c54ecb5eee8837f6d3c315d97448a809f7fc2335ad83

SHA512
a17eb4f09b43f64528b817d9678e913238f183954c2761aacaee8a0d9e4752b84e289a4dd987dd53ce2c9d5946207db625594e7b61d4fd24d4cfbe8e26387e47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_A1B4C7267E6BDB03502A89087B70156B

Filesize
536B

MD5
197235ab1b06351f1d59b6449a05a9a8

SHA1
05a94cb10d33706081cc2f63fa2beb76d5491dd3

SHA256
c005881a26521326799f6686682e2a5313580d2d6e6527dfc5209c2150a3a5e3

SHA512
fe05a2673ec27d5dcf180971b790f9b2ed555e88786e9ed8f66730c947b374ed05ebe1538914e1157fa61971b174534487e0ef6e93a5386f94c176c8067dfa3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
79d90d120063370adaa7dd3a3cfcedad

SHA1
70b3b36609e14653effb0f5d8ffa659cee5a2aec

SHA256
f3a9cba7abd6b6ef5b0d1999b26ecef92d68ed0df24768a36060eff3f8f9bafe

SHA512
bf59ca87368483b1a0e4427ce634e930a4956b26b98846ba4b901799ede9d33fa75731cdb5641d600d8eab843cdbb45211715fb229ca7eb24c5d7ce098e8cd93

Download Submit
C:\Windows\Installer\MSI3057.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI332B.tmp

Filesize
10.7MB

MD5
184a42fa2a3df087d85db574bc70e97e

SHA1
390996409920d43cbc5f1cef27aecb1b3351faf2

SHA256
f1e875d96a562a45a564c615cfeb89ee0ba28016742bac59541d27d2f59e8ffb

SHA512
8174bcf0d67eab5e776923fefafa5a7ac6f2afe9865aac816e9b3635249a2e6e205c189747978fb0bd40881024fca7ac86131621e12f78c1411189d117e6ecae

Download Submit
C:\Windows\Installer\MSI332B.tmp

Filesize
11.5MB

MD5
9fc29dd27037f20c3ca54c3a986af1c8

SHA1
f39029dd50fd9888e419c784e0abd4bd1317f488

SHA256
28bcafc33e0804e031183be9c4a91cc727dfea83c5b0cddb0d5e372385a42d17

SHA512
27f1d2398c23dd519f0c3fba1c07634db84f41aa9e51f590cb731aed50f37dc248360b1c24f4fe64b67278370e1eb92897e9eccbee6f27f2e86befd69f1b84bc

Download Submit
memory/1556-36-0x00000000737C0000-0x00000000743E6000-memory.dmp

Filesize
12.1MB

Download
memory/1556-37-0x00000000737C0000-0x00000000743E6000-memory.dmp

Filesize
12.1MB

Download