Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-02-2024 21:18
Static task: static1
Behavioral task behavioral1: sample nopagadanueva.msi, resource win7-20240221-en
Behavioral task behavioral2: sample nopagadanueva.msi, resource win10v2004-20240226-en
General
Target: nopagadanueva.msi
Size: 19.5MB
MD5: c0f6066a362f1f0a6bc04e0d16119ff8
SHA1: b89ecfbadc421881b549dcbf87483784081c21a8
SHA256: 28b18c105c82cd23a71516cec81f6ffd6c2ea30ecbf3084cd7c54eb2f2a6a92e
SHA512: 41d92de4543767245658350c7fc9d4bbf2002a52194d72aafec98e621314b63727de146e20b68f48f29a25cb6ce2caf9ee9be6c823869dcc249d93141a309f64
SSDEEP: 393216:VLOTINI1t+huyjI7sMA8xdZ6F2W494kdw+re6pK7gpagVxtBqIRgF4MO0:NO0e1Qts7sMA8xdK/kvSP7gY6tBjBMO0
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
resource / yara_rule:
- behavioral2/files/0x0007000000023210-51.dat: acprotect
- behavioral2/files/0x0007000000023211-56.dat: acprotect
UPX packed file (yara rule upx, 6 IoCs)
resource / yara_rule:
- behavioral2/files/0x0007000000023210-51.dat: upx
- behavioral2/memory/3760-53-0x0000000010000000-0x0000000010149000-memory.dmp: upx
- behavioral2/files/0x0007000000023211-56.dat: upx
- behavioral2/memory/3760-57-0x00000000045E0000-0x000000000462C000-memory.dmp: upx
- behavioral2/memory/3760-65-0x0000000010000000-0x0000000010149000-memory.dmp: upx
- behavioral2/memory/3760-66-0x00000000045E0000-0x000000000462C000-memory.dmp: upx
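The acprotect and upx hits above are static packer signatures on the two dropped DLLs and on the memory regions of PID 3760 where those DLLs were mapped. As an added example (not from the report or from the sandbox's own rules), the Python below shows the two cheap checks that sit behind a UPX-style rule: known UPX section names in the PE section table, and near-maximal Shannon entropy of a section's raw data. The sample's DLLs are not reproduced here, so the image it inspects is constructed inline by a build_test_image helper of my own; it is not a real binary. ACProtect is not fingerprinted by this example.

```python
"""Added example: UPX-style packer indicators from a PE section table.
Not part of the sandbox report; the PE image inspected is constructed below."""
import math
import struct

PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".UPX0", ".UPX1"}


def section_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/uniform data, 8.0 for ideal random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Walk the COFF section table of a PE image, yielding (name, SizeOfRawData, raw_bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER (20 bytes)
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size               # section headers follow the optional header
    for i in range(num_sections):
        hdr = table + i * 40                   # IMAGE_SECTION_HEADER is 40 bytes
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        yield name, raw_size, image[raw_ptr:raw_ptr + raw_size]


def packer_indicators(image: bytes) -> dict:
    """Report known UPX section names and sections whose raw data exceeds 7.0 bits/byte."""
    names, high_entropy = [], []
    for name, raw_size, data in pe_sections(image):
        names.append(name)
        if raw_size and section_entropy(data) > 7.0:
            high_entropy.append(name)
    upx_names = sorted(set(names) & PACKER_SECTION_NAMES)
    return {
        "sections": names,
        "upx_names": upx_names,
        "high_entropy": high_entropy,
        "likely_packed": bool(upx_names or high_entropy),
    }


def build_test_image(sections) -> bytes:
    """Constructed minimal PE (assumption, not a real binary): DOS header, PE signature,
    file header with an empty optional header, then the section table and raw data."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE signature at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    table_off = 0x40 + 4 + 20
    data_off = table_off + 40 * len(sections)
    table, blobs = b"", b""
    for name, data in sections:
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIII", len(data), 0x1000, len(data), data_off + len(blobs))
        table += b"\0" * 16                             # relocs/linenumbers/characteristics unused
        blobs += data
    return bytes(dos) + b"PE\0\0" + file_hdr + table + blobs


if __name__ == "__main__":
    packed = build_test_image([("UPX0", b""), ("UPX1", bytes(range(256)) * 4)])
    plain = build_test_image([(".text", b"\x90" * 512), (".data", b"ABCD" * 64)])
    print(packer_indicators(packed))   # likely_packed True: UPX names plus an 8.0-bit section
    print(packer_indicators(plain))    # likely_packed False
```

Section names are the weaker of the two signals, since a packer's user can rename them after the fact; the entropy check is the backstop, and a real rule should also look at the memory dump of the process (as the upx hits on the 3760 dumps above do), because the unpacked code is only visible there.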
Blocklisted process makes network request (4 IoCs)
flow / pid / Process:
- flow 33: pid 3760 MsiExec.exe
- flow 35: pid 3760 MsiExec.exe
- flow 39: pid 3760 MsiExec.exe
- flow 43: pid 3760 MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process: File opened (read-only) by msiexec.exe for each of the 23 root paths \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (C:, D: and F: do not appear). Every letter is opened twice, giving the 46 IoCs; the Processes tree attributes this behaviour to both msiexec.exe instances (PIDs 2032 and 1124).
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
- flow 32: ipinfo.io
- flow 33: ipinfo.io
Drops file in System32 directory (2 IoCs)
description / ioc / Process:
- File opened for modification: C:\Windows\SysWOW64\LOG\MsiExec.exe.DEBUG.log (MsiExec.exe)
- File created: C:\Windows\SysWOW64\LOG\MsiExec.exe.DEBUG.log (MsiExec.exe)
Drops file in Windows directory (13 IoCs)
description / ioc / Process (all by msiexec.exe):
- File opened for modification: C:\Windows\Installer\MSI420E.tmp
- File created: C:\Windows\Installer\SourceHash{929AD129-8AD0-4EEC-A829-45BCE4A3D6A7}
- File opened for modification: C:\Windows\Installer\e573f5b.msi
- File opened for modification: C:\Windows\Installer\MSI41A0.tmp
- File opened for modification: C:\Windows\Installer\
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi
- File opened for modification: C:\Windows\Installer\MSI4491.tmp
- File created: C:\Windows\Installer\e573f5b.msi
- File opened for modification: C:\Windows\Installer\MSI3FB8.tmp
- File opened for modification: C:\Windows\Installer\MSI40E2.tmp
- File opened for modification: C:\Windows\Installer\MSI4151.tmp
- File opened for modification: C:\Windows\Installer\MSI42F9.tmp
Loads dropped DLL (10 IoCs)
pid / Process: 10 loads, all by pid 3760 MsiExec.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid / Process: pid 1124 msiexec.exe (2 entries), pid 3760 MsiExec.exe (6 entries)
Suspicious use of AdjustPrivilegeToken (48 IoCs)
description / pid / Process:
- pid 2032 msiexec.exe (31 entries, in order): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- pid 1124 msiexec.exe (17 entries): SeSecurityPrivilege once (interleaved early in the list), then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating, eight times each
Suspicious use of FindShellTrayWindow (1 IoC)
pid / Process: 2032 msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description / pid / Process / procid_target: PID 1124 (msiexec.exe) wrote to memory of PID 3760, procid_target 92; three occurrences.
Processes
1. C:\Windows\system32\msiexec.exe (depth 1)
   command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\nopagadanueva.msi
   PID: 2032
   - Enumerates connected drives
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
2. C:\Windows\system32\msiexec.exe (depth 1)
   command line: C:\Windows\system32\msiexec.exe /V
   PID: 1124
   - Enumerates connected drives
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2.1. C:\Windows\syswow64\MsiExec.exe (depth 2, child of PID 1124)
        command line: C:\Windows\syswow64\MsiExec.exe -Embedding A71334A7F1F94DEECCFE2AD28886FBEE
        PID: 3760
        - Blocklisted process makes network request
        - Drops file in System32 directory
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
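The tree above is the normal Windows Installer layout: PID 2032 is the user-launched msiexec.exe /I, PID 1124 is the Installer service instance (the /V switch), and PID 3760 is the 32-bit custom action server the service spawns as MsiExec.exe -Embedding <GUID> (the WriteProcessMemory entries from 1124 to 3760). What is not normal is that the custom action server loads the packed DLLs and then talks to ipinfo.io. As an added example that is not part of the report, the Python below is a correlation rule over Sysmon-style events that keys on exactly that combination. The event records are constructed to mirror the report (EventID 1 ProcessCreate, 3 NetworkConnect, 7 ImageLoad, with Sysmon's field names); the parent PIDs 600 and 700, the loaded-image paths and the list of IP-lookup hosts are assumptions of mine, not data from the sandbox.

```python
"""Added example: flag an MSI custom action server that makes network connections.
Not part of the sandbox report; all events below are constructed."""
from collections import defaultdict

# Constructed Sysmon-style events modelled on the report's process tree (assumption:
# parent PIDs 600/700 and the ImageLoaded paths are chosen to match the dropped files).
EVENTS = [
    {"EventID": 1, "ProcessId": 2032, "ParentProcessId": 700,
     "Image": "C:\\Windows\\system32\\msiexec.exe",
     "CommandLine": "msiexec.exe /I C:\\Users\\Admin\\AppData\\Local\\Temp\\nopagadanueva.msi"},
    {"EventID": 1, "ProcessId": 1124, "ParentProcessId": 600,
     "Image": "C:\\Windows\\system32\\msiexec.exe",
     "CommandLine": "C:\\Windows\\system32\\msiexec.exe /V"},
    {"EventID": 1, "ProcessId": 3760, "ParentProcessId": 1124,
     "Image": "C:\\Windows\\syswow64\\MsiExec.exe",
     "CommandLine": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding A71334A7F1F94DEECCFE2AD28886FBEE"},
    {"EventID": 7, "ProcessId": 3760, "ImageLoaded": "C:\\Windows\\SysWOW64\\msi.dll"},
    {"EventID": 7, "ProcessId": 3760, "ImageLoaded": "C:\\Windows\\Installer\\MSI41A0.tmp"},
    {"EventID": 3, "ProcessId": 3760, "DestinationHostname": "ipinfo.io", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 3760, "DestinationHostname": "ipinfo.io", "DestinationPort": 443},
]

# Assumed list of public IP-lookup services; extend to taste.
IP_LOOKUP_HOSTS = {"ipinfo.io", "api.ipify.org", "icanhazip.com", "checkip.amazonaws.com"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_msiexec(ev) -> bool:
    return ev["Image"].lower().endswith("\\msiexec.exe")


def is_installer_service(ev) -> bool:
    """The Windows Installer service instance is started with the /V switch."""
    return is_msiexec(ev) and " /v" in ev["CommandLine"].lower()


def is_custom_action_server(ev) -> bool:
    """The service spawns custom action servers as 'MsiExec.exe -Embedding <GUID>'."""
    return is_msiexec(ev) and "-embedding" in ev["CommandLine"].lower()


def correlate(events):
    """Return one finding per custom action server (child of msiexec.exe /V) that opened
    network connections. Loaded non-system DLLs are attached as triage context rather than
    used as the trigger: any MSI with a DLL custom action loads it from C:\\Windows\\Installer."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    loads, conns = defaultdict(list), defaultdict(list)
    for e in events:
        if e["EventID"] == 7:
            loads[e["ProcessId"]].append(e["ImageLoaded"])
        elif e["EventID"] == 3:
            conns[e["ProcessId"]].append(e["DestinationHostname"])
    findings = []
    for pid, ev in procs.items():
        if not is_custom_action_server(ev):
            continue
        parent = procs.get(ev["ParentProcessId"])
        if parent is None or not is_installer_service(parent) or not conns[pid]:
            continue
        lookup = sorted({h for h in conns[pid] if h.lower() in IP_LOOKUP_HOSTS})
        non_system = [p for p in loads[pid] if not p.lower().startswith(SYSTEM_DIRS)]
        findings.append({
            "pid": pid,
            "parent": parent["ProcessId"],
            "egress": conns[pid],
            "ip_lookup": lookup,
            "non_system_dlls": non_system,
            "severity": "high" if lookup else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Drive enumeration and the long list of privilege adjustments by PIDs 2032 and 1124 are what msiexec.exe does for any package, so the rule deliberately ignores them. It triggers only on the custom action server's own network egress, rates an IP-lookup destination higher, and lists the non-system DLLs that server loaded so the analyst knows which MSI*.tmp to pull for the packer check.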
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 106KB
  MD5: 931c97553b3319f21b9ef249aa3cd244
  SHA1: 42c6611da2154bb6e0911993cf97071908b48bf2
  SHA256: 7e643c188a1ee3b0251b7dfcab000b7c48fd840eff35189e8a45901852e3910a
  SHA512: 790141b758aa68c6384aaf6f85b09f9bc641a300a4e7fa05a74c3f89af090fbbfdcfe3dce24842a8d0c75b874839d505692c1951ed66f57e9840c559820514d3
- Filesize: 738KB
  MD5: 36cd2870d577ff917ba93c9f50f86374
  SHA1: e51baf257f5a3c3cd7b68690e36945fa3284e710
  SHA256: 8d3e94c47af3da706a9fe9e4428b2fefd5e9e6c7145e96927fffdf3dd5e472b8
  SHA512: 426fe493a25e99ca9630ad4706ca5ac062445391ab2087793637339f3742a5e1af2cedb4682babc0c4e7f9e06fed0b4ed543ddeb6f4e6f75c50349c0354aceda
- Filesize: 4.6MB
  MD5: 61e2225e318ba9a79ef9248d687b8deb
  SHA1: ad0a2e0710586ddf8ea9951991757bcd9d3466f3
  SHA256: 2fbb78692fc7a24ff2186c6efe122e2eadb52a2de4bd4bbc052bb4ad234e3352
  SHA512: d6332a1c5278b3b990853257b9a196ae5e6bfe49b012e4c90b97bc74d158b7175f3c908db75d22b66d751ca18afaee145d5db94648f624915ab563a80386b22a
- Filesize: 4.4MB
  MD5: 0e32706eb81154f857f3963e20541fca
  SHA1: 6289ed0c1e8137b1f7d92fe98daea5bad75c7e31
  SHA256: e8f3288da0c4f0982e74c41c68e103b9de91f6e2ae405bfed8d8596932e1e9d7
  SHA512: cbb6dda9be5021056e73973b9962866f0c830839551c5bdd4e19f9afb731e5be8e6f93e79b8301cb8b9af841e5bdc1545a6bb92b0ae979de667c352f08cbc987
- Filesize: 4.2MB
  MD5: 1b44f737cd85a2f460189b387d9a6455
  SHA1: 0ce5de35e95449b73495ed8da0838ea04fb6aac8
  SHA256: 26c86ea4d7e8f07e9126d3ec126c6adea911ea2955115ec4b097484daf4ed4fb
  SHA512: eaf8b12d51938f0f036dcf9187e75489156f888d194a2cfbc76abb0afbd71833fd099ef07e6e0a88862de940c3d78e27b4e4442add87a673b6d0d2ff17a127c3
- Filesize: 245B
  MD5: 574976fa40d6f84d28c60f4477a19753
  SHA1: 5863b6186dcb4d5e3d1aefe6b9a047f305396125
  SHA256: 15c642f26b955fee916dccf4ed4859b4d37709d15c05728ab105360e188a4372
  SHA512: 5bf2020bfe74461aaac51c68c2e111a826c17d60c8bce9a7db5686dafeb34f3b7b00597ab7df908044d7b65732e07139b30c176bab239d4d7f9cf314f2af25e0
- Filesize: 482KB
  MD5: c2703965b8ba0ecf8c5d8a043976facc
  SHA1: c578c694d4fe5c15acc3b7aa60e9874d0ded3d54
  SHA256: e28e34fbdaff077669586dcdb4e10f0ba2ca6c9973ed4d372a5c3ec3b8ad20e7
  SHA512: cb729665206594928a90b29e5c7592120345e92a605122ec6aea564250c4d5d48e1d39c8803820eccde7920aa4d9af99fb3748671de076476d833710b9491d61