0c85ad7c56d1675c13d1cdfdee4106fcd5ccf287829012004edcede8f1a80269

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-es
resource tags

arch:x64arch:x86image:win7-20240221-eslocale:es-esos:windows7-x64systemwindows
submitted
11/03/2024, 14:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

CFE.SERV.ELECTRICO.NFGCCأ.msi
Size

12.7MB
MD5

7873e07921ab6821c7aa6f265e0db19a
SHA1

fefe5273a04bb1c415c1e9c9219690276c329f74
SHA256

0c85ad7c56d1675c13d1cdfdee4106fcd5ccf287829012004edcede8f1a80269
SHA512

f5aabd7885c9a1a39144feadc93528c5af5dac6d814f8cd104e5333a81cf244c38b6171532eede5ad1e7729016774add9f5099556ed980552294272490b6a34f
SSDEEP

393216:dZ1NhvRhX8RV+Iyw9zR3UlHtxTvwKXIE5glciKXrfBkuumH/h8h:fBd8h

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	1956	msiexec.exe
5	1956	msiexec.exe
6	2836	msiexec.exe
7	2044	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f761f63.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI231C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2561.tmp	msiexec.exe
File created	C:\Windows\Installer\f761f63.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2260.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI234C.tmp	msiexec.exe
File created	C:\Windows\Installer\f761f66.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2540.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f761f66.ipi	msiexec.exe

Loads dropped DLL 4 IoCs

pid	Process
2044	MsiExec.exe
2044	MsiExec.exe
2044	MsiExec.exe
2044	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2836	msiexec.exe
2836	msiexec.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	2836	msiexec.exe
Token: SeTakeOwnershipPrivilege	2836	msiexec.exe
Token: SeSecurityPrivilege	2836	msiexec.exe
Token: SeCreateTokenPrivilege	1956	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1956	msiexec.exe
Token: SeLockMemoryPrivilege	1956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1956	msiexec.exe
Token: SeMachineAccountPrivilege	1956	msiexec.exe
Token: SeTcbPrivilege	1956	msiexec.exe
Token: SeSecurityPrivilege	1956	msiexec.exe
Token: SeTakeOwnershipPrivilege	1956	msiexec.exe
Token: SeLoadDriverPrivilege	1956	msiexec.exe
Token: SeSystemProfilePrivilege	1956	msiexec.exe
Token: SeSystemtimePrivilege	1956	msiexec.exe
Token: SeProfSingleProcessPrivilege	1956	msiexec.exe
Token: SeIncBasePriorityPrivilege	1956	msiexec.exe
Token: SeCreatePagefilePrivilege	1956	msiexec.exe
Token: SeCreatePermanentPrivilege	1956	msiexec.exe
Token: SeBackupPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	1956	msiexec.exe
Token: SeShutdownPrivilege	1956	msiexec.exe
Token: SeDebugPrivilege	1956	msiexec.exe
Token: SeAuditPrivilege	1956	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1956	msiexec.exe
Token: SeChangeNotifyPrivilege	1956	msiexec.exe
Token: SeRemoteShutdownPrivilege	1956	msiexec.exe
Token: SeUndockPrivilege	1956	msiexec.exe
Token: SeSyncAgentPrivilege	1956	msiexec.exe
Token: SeEnableDelegationPrivilege	1956	msiexec.exe
Token: SeManageVolumePrivilege	1956	msiexec.exe
Token: SeImpersonatePrivilege	1956	msiexec.exe
Token: SeCreateGlobalPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	2836	msiexec.exe
Token: SeTakeOwnershipPrivilege	2836	msiexec.exe
Token: SeRestorePrivilege	2836	msiexec.exe
Token: SeTakeOwnershipPrivilege	2836	msiexec.exe
Token: SeRestorePrivilege	2836	msiexec.exe
Token: SeTakeOwnershipPrivilege	2836	msiexec.exe
Token: SeRestorePrivilege	2836	msiexec.exe
Token: SeTakeOwnershipPrivilege	2836	msiexec.exe
Token: SeRestorePrivilege	2836	msiexec.exe
Token: SeTakeOwnershipPrivilege	2836	msiexec.exe
Token: SeRestorePrivilege	2836	msiexec.exe
Token: SeTakeOwnershipPrivilege	2836	msiexec.exe
Token: SeRestorePrivilege	2836	msiexec.exe
Token: SeTakeOwnershipPrivilege	2836	msiexec.exe
Token: SeRestorePrivilege	2836	msiexec.exe
Token: SeTakeOwnershipPrivilege	2836	msiexec.exe
Token: SeRestorePrivilege	2836	msiexec.exe
Token: SeTakeOwnershipPrivilege	2836	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1956	msiexec.exe
1956	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2044	MsiExec.exe
2044	MsiExec.exe
2044	MsiExec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2044	2836	msiexec.exe	29
PID 2836 wrote to memory of 2044	2836	msiexec.exe	29
PID 2836 wrote to memory of 2044	2836	msiexec.exe	29
PID 2836 wrote to memory of 2044	2836	msiexec.exe	29
PID 2836 wrote to memory of 2044	2836	msiexec.exe	29
PID 2836 wrote to memory of 2044	2836	msiexec.exe	29
PID 2836 wrote to memory of 2044	2836	msiexec.exe	29

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\CFE.SERV.ELECTRICO.NFGCCأ.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1956

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 159FB6178EDC4986D0BA51E186334E97
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d11ff636b981ee4dfda4bb92f2a4fa9c

SHA1
089f1cc1c7ca38dc9d63012164a7656990a518e6

SHA256
3343f252c03d3e4cb5c1b0e3079ece4c0c69c3fa7c1b5bef39afc250fd95f226

SHA512
f90256c2e3e0d792eded0892f7967cd1bad8973d9c7681637efb26586db0ae70f1d2fdb175d9cf2fa604673be149a301491362fa25d20846b16c88a3c80e9db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1D29.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Windows\Installer\MSI2260.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI2561.tmp

Filesize
6.7MB

MD5
8ba0f5e8946cacc39b00bc91c9ee75d4

SHA1
f17c60869a0762e13a6c9ecc9bd6b55bc75bb4e1

SHA256
9596a3b6fd3311b14b5588550c3f73a9f09a7a2683b4ab0e26e8ccbbab5edb6a

SHA512
3f5a2eea76bebb1689d97caa636ba2766b12f7b9f6147a8e18e4ffd16eca0a95971c69a1de24076bb8d249a1ad725ad2982b6237ecd4a85579fa26dd9b748635

Download Submit
\Windows\Installer\MSI2561.tmp

Filesize
5.4MB

MD5
74734d32816ed41108d51c4c72eeafe4

SHA1
57da5e8f12738e4e538ace6a56625dc1dcfd7421

SHA256
00828692e03bb2beff361d4a122c651b49944dc760936ccc4368d86a6c87ffa5

SHA512
b110102396ce113098d0a5388285e71a4f8da7c01a79d58c04139207077416167cfbdcdd0ee84e8130d2f1a60fed3b0a2b4684f8f84ffb9aae65c67c1ca557b6

Download Submit