Analysis
- max time kernel: 146s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-es
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-es, locale:es-es, os:windows10-2004-x64, system:windows
- submitted: 13/03/2024, 15:34
Static task
- static1
Behavioral tasks
- behavioral1: sample BVGQVFC-92845Ref-UVLDD9259338142.msi, resource win7-20240221-es
- behavioral2: sample BVGQVFC-92845Ref-UVLDD9259338142.msi, resource win10v2004-20240226-es
- behavioral3: sample _________________________________________________________________________24144ULJRY06378DTAIJ.dll, resource win7-20240221-es
- behavioral4: sample _________________________________________________________________________24144ULJRY06378DTAIJ.dll, resource win10v2004-20240226-es
General
- Target: BVGQVFC-92845Ref-UVLDD9259338142.msi
- Size: 12.5MB
- MD5: 395f6fb782949263cd15e0a1ed131d65
- SHA1: 67bd4dea0da0d667464be026a710b92a25531c5a
- SHA256: 47eee2815a27c49b230bdf661f938068c5d3347c37ada6bf5940b1f6fc98288c
- SHA512: 1251ac9278d87f4e2d97635787a0d3ff5c7f105692a73ecc39e8890e6f488473ad8c96464baf530719f446fe5a6923518b4ec52de0755475044a9b734d07f659
- SSDEEP: 98304:8O+IroUnDAN1baX4brxnmDQXNAdXKIX04WDXkK++F8fVPkPf0:8crdGaeADQXcX0bkSyGX
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
- flow 18, PID 2468, MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by msiexec.exe, in event order: \??\B:, \??\E:, \??\V:, \??\N:, \??\L:, \??\N:, \??\W:, \??\I:, \??\T:, \??\R:, \??\U:, \??\W:, \??\P:, \??\Q:, \??\X:, \??\B:, \??\E:, \??\H:, \??\L:, \??\M:, \??\S:, \??\V:, \??\X:, \??\H:, \??\J:, \??\K:, \??\O:, \??\U:, \??\A:, \??\K:, \??\O:, \??\Q:, \??\Y:, \??\Z:, \??\G:, \??\R:, \??\A:, \??\M:, \??\G:, \??\P:, \??\I:, \??\S:, \??\T:, \??\Y:, \??\Z:, \??\J:
Drops file in Windows directory (12 IoCs, all by msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI7822.tmp
- File opened for modification: C:\Windows\Installer\MSI78A0.tmp
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- File opened for modification: C:\Windows\Installer\MSI764C.tmp
- File opened for modification: C:\Windows\Installer\
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi
- File opened for modification: C:\Windows\Installer\MSI75DE.tmp
- File created: C:\Windows\Installer\SourceHash{S9V97PZW-S0PQ-ICUF-1VPL-5PKMN3S31IWQ}
- File created: C:\Windows\Installer\e576f83.msi
- File opened for modification: C:\Windows\Installer\e576f83.msi
- File opened for modification: C:\Windows\Installer\MSI709C.tmp
- File opened for modification: C:\Windows\Installer\MSI7502.tmp
Loads dropped DLL (5 IoCs)
- PID 2468, MsiExec.exe (five events)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3332, msiexec.exe (two events)
Suspicious use of AdjustPrivilegeToken (46 IoCs)
- PID 2276, msiexec.exe, tokens in event order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- PID 3332, msiexec.exe, tokens in event order: SeSecurityPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 2276, msiexec.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 2468, MsiExec.exe (three events)
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 3332 (msiexec.exe) wrote to memory of PID 2468, procid_target 90 (three events)
Processes
- C:\Windows\system32\msiexec.exe (PID 2276)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\BVGQVFC-92845Ref-UVLDD9259338142.msi
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 3332)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 2468, child of PID 3332)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 79846D528ED759055FAFAC1B3FAC5C17
    Signatures: Blocklisted process makes network request; Loads dropped DLL; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 554KB
  MD5: 3b171ce087bb799aafcbbd93bab27f71
  SHA1: 7bd69efbc7797bdff5510830ca2cc817c8b86d08
  SHA256: bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
  SHA512: 7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38
- Filesize: 1.9MB
  MD5: 18e9c51e49fcf3cc7abe6999017ce6ed
  SHA1: bcb50d358bdd02b16a2f8ad2dfbdace6f7fa80f7
  SHA256: 432fa604b95b02ebd1dcdaa452f1dc05d1ffa46ecf89d66beedc41c3c55ea7ae
  SHA512: 01d79ced58ac3979d4424dfb43763b94333c2c9faec95091295fa86451bad0602b7eacc14c8723d0d2b1b5366077afcdc97fc8dfe53367c5eb1dd8846b0336f0
- Filesize: 841KB
  MD5: b7c7d1cba40b27eaf39f2076bfa3c8c0
  SHA1: fab19b261ae9893277f9dc52d9229cdc8cdbd781
  SHA256: a47c3497e9bc9291aead4f18a16bbe11050979a88ef1e9491b393a76f4a81012
  SHA512: b44a261e5527b568149503fed9d502e74e066715bddf028d6a63672cc6c94e69a8728f39ceee4cb5985d21ff56a14cd271a0d1112baf21496e84b2a7f189558e