0c85ad7c56d1675c13d1cdfdee4106fcd5ccf287829012004edcede8f1a80269

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-es
resource tags

arch:x64arch:x86image:win10v2004-20240226-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
11-03-2024 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CFE.SERV.ELECTRICO.NFGCCأ.msi
Size

12.7MB
MD5

7873e07921ab6821c7aa6f265e0db19a
SHA1

fefe5273a04bb1c415c1e9c9219690276c329f74
SHA256

0c85ad7c56d1675c13d1cdfdee4106fcd5ccf287829012004edcede8f1a80269
SHA512

f5aabd7885c9a1a39144feadc93528c5af5dac6d814f8cd104e5333a81cf244c38b6171532eede5ad1e7729016774add9f5099556ed980552294272490b6a34f
SSDEEP

393216:dZ1NhvRhX8RV+Iyw9zR3UlHtxTvwKXIE5glciKXrfBkuumH/h8h:fBd8h

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	3204	msiexec.exe
15	3204	msiexec.exe
21	1560	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57441d.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4651.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI46B0.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{X2CH5K04-TYBC-IF2Y-LEVE-7ACTFNIJXN9A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI47EA.tmp	msiexec.exe
File created	C:\Windows\Installer\e57441d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI482A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI46FF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4527.tmp	msiexec.exe

Loads dropped DLL 5 IoCs

pid	Process
1560	MsiExec.exe
1560	MsiExec.exe
1560	MsiExec.exe
1560	MsiExec.exe
1560	MsiExec.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1556	1560	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
544	msiexec.exe
544	msiexec.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3204	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3204	msiexec.exe
Token: SeSecurityPrivilege	544	msiexec.exe
Token: SeCreateTokenPrivilege	3204	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3204	msiexec.exe
Token: SeLockMemoryPrivilege	3204	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3204	msiexec.exe
Token: SeMachineAccountPrivilege	3204	msiexec.exe
Token: SeTcbPrivilege	3204	msiexec.exe
Token: SeSecurityPrivilege	3204	msiexec.exe
Token: SeTakeOwnershipPrivilege	3204	msiexec.exe
Token: SeLoadDriverPrivilege	3204	msiexec.exe
Token: SeSystemProfilePrivilege	3204	msiexec.exe
Token: SeSystemtimePrivilege	3204	msiexec.exe
Token: SeProfSingleProcessPrivilege	3204	msiexec.exe
Token: SeIncBasePriorityPrivilege	3204	msiexec.exe
Token: SeCreatePagefilePrivilege	3204	msiexec.exe
Token: SeCreatePermanentPrivilege	3204	msiexec.exe
Token: SeBackupPrivilege	3204	msiexec.exe
Token: SeRestorePrivilege	3204	msiexec.exe
Token: SeShutdownPrivilege	3204	msiexec.exe
Token: SeDebugPrivilege	3204	msiexec.exe
Token: SeAuditPrivilege	3204	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3204	msiexec.exe
Token: SeChangeNotifyPrivilege	3204	msiexec.exe
Token: SeRemoteShutdownPrivilege	3204	msiexec.exe
Token: SeUndockPrivilege	3204	msiexec.exe
Token: SeSyncAgentPrivilege	3204	msiexec.exe
Token: SeEnableDelegationPrivilege	3204	msiexec.exe
Token: SeManageVolumePrivilege	3204	msiexec.exe
Token: SeImpersonatePrivilege	3204	msiexec.exe
Token: SeCreateGlobalPrivilege	3204	msiexec.exe
Token: SeRestorePrivilege	544	msiexec.exe
Token: SeTakeOwnershipPrivilege	544	msiexec.exe
Token: SeRestorePrivilege	544	msiexec.exe
Token: SeTakeOwnershipPrivilege	544	msiexec.exe
Token: SeRestorePrivilege	544	msiexec.exe
Token: SeTakeOwnershipPrivilege	544	msiexec.exe
Token: SeRestorePrivilege	544	msiexec.exe
Token: SeTakeOwnershipPrivilege	544	msiexec.exe
Token: SeRestorePrivilege	544	msiexec.exe
Token: SeTakeOwnershipPrivilege	544	msiexec.exe
Token: SeRestorePrivilege	544	msiexec.exe
Token: SeTakeOwnershipPrivilege	544	msiexec.exe
Token: SeRestorePrivilege	544	msiexec.exe
Token: SeTakeOwnershipPrivilege	544	msiexec.exe
Token: SeRestorePrivilege	544	msiexec.exe
Token: SeTakeOwnershipPrivilege	544	msiexec.exe
Token: SeRestorePrivilege	544	msiexec.exe
Token: SeTakeOwnershipPrivilege	544	msiexec.exe
Token: SeRestorePrivilege	544	msiexec.exe
Token: SeTakeOwnershipPrivilege	544	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3204	msiexec.exe
3204	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1560	MsiExec.exe
1560	MsiExec.exe
1560	MsiExec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 1560	544	msiexec.exe	92
PID 544 wrote to memory of 1560	544	msiexec.exe	92
PID 544 wrote to memory of 1560	544	msiexec.exe	92

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\CFE.SERV.ELECTRICO.NFGCCأ.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3204

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A3A008734AAE5940EA8B4228BD7154F4
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 1092
    3⤵
    - Program crash
    PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 1560 -ip 1560
1⤵
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_A1B4C7267E6BDB03502A89087B70156B

Filesize
1KB

MD5
8d884a34fe91afb63e92eb4bb2e830cc

SHA1
d4e4491f813b83a54d432ac6595430b541c38148

SHA256
926fbfb09bff296f1ad6ab943ed2043bb30f9b477739aba029e571a33b52154f

SHA512
e3ebde061c76059203ea08591f62b247b965f41b17fcb4bf891961fa42784d785f50652ed266f6f5adde0eab3d8bbe31b32f09585c26cbc07d1cf79fac96035b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
d9a5e1d0b37e1617b4d2c768c8cce56b

SHA1
001980984b063355dd4844304623859075c3f439

SHA256
bd7d614b004749bcd61df4ba82950c244005d91055e1797b7307a2bf37b5e2fe

SHA512
0635730aeab8d1dfd686316167b2d9325563a80248e9956799aac28c64d1d71e1ec400e93f17429043f8188eb277e6e78f55dc4da57b699ef07e488555f19050

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_A1B4C7267E6BDB03502A89087B70156B

Filesize
536B

MD5
35650ebcd53f70ef617b505181e428c6

SHA1
d0fdb1e29b8bf7d73ae93272f02050e5d483a643

SHA256
3602002a03af50b5a5d268159083de02cbd4e1bd60a3047e867fa38d66c4e2d2

SHA512
1ff9cee27005eec70df9cb99917eeb0f2862e2b6df97d5d047714c69be33658c740e8bf00f9fcf2d1f78c7d3455f34a3bd9e89cd6af3ea9b317cb5b22512d02e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
540b5420c96b634825295c7d5a3f2db6

SHA1
9d387b7677eb236b803841e968cf7a1f1fada786

SHA256
eda350981e382b97660ded5401cca21cad315dcbf7e21c2d41e3bd9efaa8ba70

SHA512
aded230470598aebd5423933348b10a4b5b326fa03d7e73a976fae40c320a1536f2306c540436ad3ce075a927b0ddef410b93139b24043922b2ba274ef46b82f

Download Submit
C:\Windows\Installer\MSI4527.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI482A.tmp

Filesize
7.5MB

MD5
f4a0c219fc699120aa0b089676294273

SHA1
ec9028d49091b624be212d92651aeecee1567d69

SHA256
aae6970b2f924541e3baff2654e34da0b5ca344f5785bdd3a8c5ee7eb7cd2a93

SHA512
4c6332c8af9ef6ceb1afcc65089cdce56ce9fb601f67cd71d612264de3f7160a021f1973cc2f34bfd5543792f5cf54b6744ef4e247f2854476aa039ac2aa8ee5

Download Submit
C:\Windows\Installer\MSI482A.tmp

Filesize
8.1MB

MD5
f0bd7f1c1ba2552cf5c41a5d17369f07

SHA1
24824c9d3704ac639cf8880ebaa87d3c8612a34d

SHA256
371111929dc85689457e7dc7d16ecba327b0bcb95a3c78123cffbe8915e269b7

SHA512
dd756e41de91430f49a71f615aee4c7b722041d07f13bb6667b4183df8e4f2dd6ca14bd8e8cdd99c07fea51e608f7fd21c477754c3b3f9afbbee013c5ebcf55d

Download Submit