Analysis
max time kernel
122s
max time network
130s
platform
windows7_x64
resource
win7-20240221-es
resource tags
arch:x64, arch:x86, image:win7-20240221-es, locale:es-es, os:windows7-x64, system, windows
submitted
27-03-2024 18:57
Static task
static1
Behavioral task
behavioral1
Sample
Visualizar-PDF.38105.msi
Resource
win7-20240221-es
Behavioral task
behavioral2
Sample
Visualizar-PDF.38105.msi
Resource
win10v2004-20240226-es
General
Target
Visualizar-PDF.38105.msi
Size
732KB
MD5
bf440e49375e237d109f66a7cee79fc1
SHA1
32ee9706c1d532867af3ded30dfd67aea596028c
SHA256
4e085dd4d721815f4757f125761fddbf42d7d672380eb6627efd138c21146e42
SHA512
88d503d2dc8cd9970eeb489e89b772c8a56abe831c6aebae1b39824e22b913bc61ec42c3715b60ee3ec51afdeb809ba039fc5a59a85343c328d9d9f06b50baaf
SSDEEP
12288:UvXCtQ6QsN5lNOsw6vAUnBU7qax0EzIVYgvfVYsAgkWZT:UmQxsNcswvEU7J8VlvfVYsAgvZT
Malware Config
Signatures
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AOVBIJNJYT.lnk | MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\AOVBIJNJYT = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\AOVBIJNJYT.lnk" | MsiExec.exe

Blocklisted process makes network request 1 IoCs
flow | pid | Process
3 | 2704 | MsiExec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
Drops file in Windows directory 10 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSI9D7A.tmp | msiexec.exe
File created | C:\Windows\Installer\f768d18.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f768d16.ipi | msiexec.exe
File created | C:\Windows\Installer\f768d13.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f768d13.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI90FB.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8D71.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI907E.tmp | msiexec.exe
File created | C:\Windows\Installer\f768d16.ipi | msiexec.exe

Loads dropped DLL 3 IoCs
pid | Process
2704 | MsiExec.exe
2704 | MsiExec.exe
2704 | MsiExec.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3008 | msiexec.exe
3008 | msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2252 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2252 | msiexec.exe
Token: SeRestorePrivilege | 3008 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3008 | msiexec.exe
Token: SeSecurityPrivilege | 3008 | msiexec.exe
Token: SeCreateTokenPrivilege | 2252 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2252 | msiexec.exe
Token: SeLockMemoryPrivilege | 2252 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2252 | msiexec.exe
Token: SeMachineAccountPrivilege | 2252 | msiexec.exe
Token: SeTcbPrivilege | 2252 | msiexec.exe
Token: SeSecurityPrivilege | 2252 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2252 | msiexec.exe
Token: SeLoadDriverPrivilege | 2252 | msiexec.exe
Token: SeSystemProfilePrivilege | 2252 | msiexec.exe
Token: SeSystemtimePrivilege | 2252 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2252 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2252 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2252 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2252 | msiexec.exe
Token: SeBackupPrivilege | 2252 | msiexec.exe
Token: SeRestorePrivilege | 2252 | msiexec.exe
Token: SeShutdownPrivilege | 2252 | msiexec.exe
Token: SeDebugPrivilege | 2252 | msiexec.exe
Token: SeAuditPrivilege | 2252 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2252 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2252 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2252 | msiexec.exe
Token: SeUndockPrivilege | 2252 | msiexec.exe
Token: SeSyncAgentPrivilege | 2252 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2252 | msiexec.exe
Token: SeManageVolumePrivilege | 2252 | msiexec.exe
Token: SeImpersonatePrivilege | 2252 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2252 | msiexec.exe
Token: SeRestorePrivilege | 3008 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3008 | msiexec.exe
Token: SeRestorePrivilege | 3008 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3008 | msiexec.exe
Token: SeRestorePrivilege | 3008 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3008 | msiexec.exe
Token: SeRestorePrivilege | 3008 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3008 | msiexec.exe
Token: SeRestorePrivilege | 3008 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3008 | msiexec.exe
Token: SeRestorePrivilege | 3008 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3008 | msiexec.exe
Token: SeRestorePrivilege | 3008 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3008 | msiexec.exe
Token: SeRestorePrivilege | 3008 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3008 | msiexec.exe
Token: SeRestorePrivilege | 3008 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3008 | msiexec.exe
Token: SeRestorePrivilege | 3008 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3008 | msiexec.exe
Token: SeRestorePrivilege | 3008 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3008 | msiexec.exe
Token: SeRestorePrivilege | 3008 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3008 | msiexec.exe
Token: SeRestorePrivilege | 3008 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3008 | msiexec.exe
Token: SeRestorePrivilege | 3008 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3008 | msiexec.exe
Token: SeRestorePrivilege | 3008 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3008 | msiexec.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
2252 | msiexec.exe
2704 | MsiExec.exe
2252 | msiexec.exe

Suspicious use of SendNotifyMessage 1 IoCs
pid | Process
2704 | MsiExec.exe

Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 3008 wrote to memory of 2704 | 3008 | msiexec.exe | 29
PID 3008 wrote to memory of 2704 | 3008 | msiexec.exe | 29
PID 3008 wrote to memory of 2704 | 3008 | msiexec.exe | 29
PID 3008 wrote to memory of 2704 | 3008 | msiexec.exe | 29
PID 3008 wrote to memory of 2704 | 3008 | msiexec.exe | 29
PID 3008 wrote to memory of 2704 | 3008 | msiexec.exe | 29
PID 3008 wrote to memory of 2704 | 3008 | msiexec.exe | 29
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Visualizar-PDF.38105.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2252

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

    C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding 5CBA278189B7155E0EDF0359BBD75185
    - Drops startup file
    - Adds Run key to start application
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2704
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
8KB
MD5
ebd3bcd8899b05060dca3dbe7200fbb3
SHA1
4e90f8222352b702274a8cc1b90bc773138e1522
SHA256
367168309c5bf97005bac401008d2b61704722a91b0f1e1fd87555af52333e04
SHA512
49e47c2311d00c32b4203155bd0057c7fa6038ab9864e15d95754b4c8b11ec811de7ebde6bc9a313f26ec499ea75c593d276f94f8e6fa945c63727f5676a497f

Filesize
393KB
MD5
3d24a2af1fb93f9960a17d6394484802
SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69
SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Filesize
320KB
MD5
16203547b643cecb28b7294574dd56a8
SHA1
2c0e5cb16eb1228655f585bddae9bea45ac145aa
SHA256
3c5d0d154383fc71c78dcf0e6220b7e6388d8c50e9135227933ea5016e51c18f
SHA512
4b8d4cefd8ad821038267b18ab6f08238061b145f3bb6db8f7bd866266189f4f4333bfb61c5e0bd2d1a93fa6e05534e0b3339a37ad68e80eb01d8cc140d854a5

Filesize
128KB
MD5
2ca416d2c77464e249ab5fb10a300612
SHA1
d5a3dbaf21b593d46981f5bdf5db52d79ab41d31
SHA256
6ccee7d499ce5ac751d5be9dfe3774139b8add74ebe65904a922c612bd7fe04a
SHA512
cc612eec446219f36ac640ed0a958f07c2618666ba2e572323c68cb79819f6f01578dfff7b4400dfba89bbabd724bc2f205a05f0b7bfc90f579be09100a14d53