Analysis

- max time kernel: 135s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-es
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-es, locale:es-es, os:windows10-2004-x64, system, windows
- submitted: 27/03/2024, 18:57
Static task: static1

Behavioral task: behavioral1
- Sample: Visualizar-PDF.38105.msi
- Resource: win7-20240221-es

Behavioral task: behavioral2
- Sample: Visualizar-PDF.38105.msi
- Resource: win10v2004-20240226-es
General

- Target: Visualizar-PDF.38105.msi
- Size: 732KB
- MD5: bf440e49375e237d109f66a7cee79fc1
- SHA1: 32ee9706c1d532867af3ded30dfd67aea596028c
- SHA256: 4e085dd4d721815f4757f125761fddbf42d7d672380eb6627efd138c21146e42
- SHA512: 88d503d2dc8cd9970eeb489e89b772c8a56abe831c6aebae1b39824e22b913bc61ec42c3715b60ee3ec51afdeb809ba039fc5a59a85343c328d9d9f06b50baaf
- SSDEEP: 12288:UvXCtQ6QsN5lNOsw6vAUnBU7qax0EzIVYgvfVYsAgkWZT:UmQxsNcswvEU7J8VlvfVYsAgvZT
Malware Config
Signatures
-
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MLWALTTDOB.lnk | MsiExec.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLWALTTDOB = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MLWALTTDOB.lnk" | MsiExec.exe

- Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  15 | 3404 | MsiExec.exe

- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe

- Drops file in Windows directory (12 IoCs)
  description | ioc | Process
  File created | C:\Windows\Installer\e575eba.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI60CF.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\e575ebe.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e575eba.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI5F08.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI6061.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI612E.tmp | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{CAF34CE6-3C74-4E8A-80F9-3F2B5341CA43} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI61CB.tmp | msiexec.exe

- Loads dropped DLL (4 IoCs)
  pid | Process
  3404 | MsiExec.exe
  3404 | MsiExec.exe
  3404 | MsiExec.exe
  3404 | MsiExec.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4492 | msiexec.exe
  4492 | msiexec.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 4660 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 4660 | msiexec.exe
  Token: SeSecurityPrivilege | 4492 | msiexec.exe
  Token: SeCreateTokenPrivilege | 4660 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 4660 | msiexec.exe
  Token: SeLockMemoryPrivilege | 4660 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 4660 | msiexec.exe
  Token: SeMachineAccountPrivilege | 4660 | msiexec.exe
  Token: SeTcbPrivilege | 4660 | msiexec.exe
  Token: SeSecurityPrivilege | 4660 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4660 | msiexec.exe
  Token: SeLoadDriverPrivilege | 4660 | msiexec.exe
  Token: SeSystemProfilePrivilege | 4660 | msiexec.exe
  Token: SeSystemtimePrivilege | 4660 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 4660 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 4660 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 4660 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 4660 | msiexec.exe
  Token: SeBackupPrivilege | 4660 | msiexec.exe
  Token: SeRestorePrivilege | 4660 | msiexec.exe
  Token: SeShutdownPrivilege | 4660 | msiexec.exe
  Token: SeDebugPrivilege | 4660 | msiexec.exe
  Token: SeAuditPrivilege | 4660 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 4660 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 4660 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 4660 | msiexec.exe
  Token: SeUndockPrivilege | 4660 | msiexec.exe
  Token: SeSyncAgentPrivilege | 4660 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 4660 | msiexec.exe
  Token: SeManageVolumePrivilege | 4660 | msiexec.exe
  Token: SeImpersonatePrivilege | 4660 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 4660 | msiexec.exe
  Token: SeRestorePrivilege | 4492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4492 | msiexec.exe
  Token: SeRestorePrivilege | 4492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4492 | msiexec.exe
  Token: SeRestorePrivilege | 4492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4492 | msiexec.exe
  Token: SeRestorePrivilege | 4492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4492 | msiexec.exe
  Token: SeRestorePrivilege | 4492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4492 | msiexec.exe
  Token: SeRestorePrivilege | 4492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4492 | msiexec.exe
  Token: SeRestorePrivilege | 4492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4492 | msiexec.exe
  Token: SeRestorePrivilege | 4492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4492 | msiexec.exe
  Token: SeRestorePrivilege | 4492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4492 | msiexec.exe
  Token: SeRestorePrivilege | 4492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4492 | msiexec.exe
  Token: SeRestorePrivilege | 4492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4492 | msiexec.exe
  Token: SeRestorePrivilege | 4492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4492 | msiexec.exe
  Token: SeRestorePrivilege | 4492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4492 | msiexec.exe
  Token: SeRestorePrivilege | 4492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4492 | msiexec.exe
  Token: SeRestorePrivilege | 4492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4492 | msiexec.exe
  Token: SeRestorePrivilege | 4492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4492 | msiexec.exe

- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  4660 | msiexec.exe
  3404 | MsiExec.exe
  4660 | msiexec.exe

- Suspicious use of SendNotifyMessage (1 IoC)
  pid | Process
  3404 | MsiExec.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4492 wrote to memory of 3404 | 4492 | msiexec.exe | 88
  PID 4492 wrote to memory of 3404 | 4492 | msiexec.exe | 88
  PID 4492 wrote to memory of 3404 | 4492 | msiexec.exe | 88
Processes

- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Visualizar-PDF.38105.msi
  PID: 4660
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4492
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\syswow64\MsiExec.exe (child of PID 4492)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C0EB06F9EAD5B633CE2ECBC18C0B3CF7
    PID: 3404
    - Drops startup file
    - Adds Run key to start application
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 9KB
  MD5: 93f74b110b761cfff4249193673ebbea
  SHA1: 7173337365e8c1139f380ed9b77b1ea914d707ab
  SHA256: 78061c914efd71cce30e4fda3bfffa71300709ab40d0285ff5c5a3074580ddd4
  SHA512: 6bb89e2f148c385a4934016d5f5018b7b40e5f5fae7309c57b5dc1a9f149d6f03d26a6a69f4e8df16f76cbc446702eb8afb6c2222059552b15082a9df0d557ed

- Filesize: 393KB
  MD5: 3d24a2af1fb93f9960a17d6394484802
  SHA1: ee74a6ceea0853c47e12802961a7a8869f7f0d69
  SHA256: 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
  SHA512: f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba