Analysis
max time kernel: 90s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 17:19
Static task: static1
Behavioral task: behavioral1
  Sample: formulario_citas.msi
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: formulario_citas.msi
  Resource: win10v2004-20231215-en
General
Target: formulario_citas.msi
Size: 572KB
MD5: 7a173cb2e914c865e290750ef112bc89
SHA1: 0a12476d27dd706b1f54279c7f50224f26e44ef9
SHA256: 6aa9111e91cd8c4f646f5d901d76884b0892228212ff0d071c2ce8f14ec917e1
SHA512: 82469d141017154d42895958e42d40a2365460fce9d7291c72fc7a5e73d9993be09b4176ba1d7285eb0de5e8f4e2f6a5e99bf48c78bc18cedfbd1e0f5ba08150
SSDEEP: 12288:5wEYq/qKIGlLJ9H7u8ugbYENLyVRq7HAyezI+2ctKBBQ:5jYq/qKIIDEVGHAyeC
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSI76C8.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{5FFB3B2D-C755-4528-A6E3-31DA24D66F1A} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI77D4.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e5774d2.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7520.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI764A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7736.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\e5774d6.msi | msiexec.exe
File created | C:\Windows\Installer\e5774d2.msi | msiexec.exe
Executes dropped EXE (1 IoC)
pid | Process
3064 | javaw.exe
Loads dropped DLL (4 IoCs)
pid | Process
4592 | MsiExec.exe
4592 | MsiExec.exe
4592 | MsiExec.exe
4592 | MsiExec.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not present on the page] | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3272 | msiexec.exe
3272 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3572 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3572 | msiexec.exe
Token: SeSecurityPrivilege | 3272 | msiexec.exe
Token: SeCreateTokenPrivilege | 3572 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 3572 | msiexec.exe
Token: SeLockMemoryPrivilege | 3572 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3572 | msiexec.exe
Token: SeMachineAccountPrivilege | 3572 | msiexec.exe
Token: SeTcbPrivilege | 3572 | msiexec.exe
Token: SeSecurityPrivilege | 3572 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3572 | msiexec.exe
Token: SeLoadDriverPrivilege | 3572 | msiexec.exe
Token: SeSystemProfilePrivilege | 3572 | msiexec.exe
Token: SeSystemtimePrivilege | 3572 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 3572 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 3572 | msiexec.exe
Token: SeCreatePagefilePrivilege | 3572 | msiexec.exe
Token: SeCreatePermanentPrivilege | 3572 | msiexec.exe
Token: SeBackupPrivilege | 3572 | msiexec.exe
Token: SeRestorePrivilege | 3572 | msiexec.exe
Token: SeShutdownPrivilege | 3572 | msiexec.exe
Token: SeDebugPrivilege | 3572 | msiexec.exe
Token: SeAuditPrivilege | 3572 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 3572 | msiexec.exe
Token: SeChangeNotifyPrivilege | 3572 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 3572 | msiexec.exe
Token: SeUndockPrivilege | 3572 | msiexec.exe
Token: SeSyncAgentPrivilege | 3572 | msiexec.exe
Token: SeEnableDelegationPrivilege | 3572 | msiexec.exe
Token: SeManageVolumePrivilege | 3572 | msiexec.exe
Token: SeImpersonatePrivilege | 3572 | msiexec.exe
Token: SeCreateGlobalPrivilege | 3572 | msiexec.exe
Token: SeBackupPrivilege | 2664 | vssvc.exe
Token: SeRestorePrivilege | 2664 | vssvc.exe
Token: SeAuditPrivilege | 2664 | vssvc.exe
Token: SeBackupPrivilege | 3272 | msiexec.exe
Token: SeRestorePrivilege | 3272 | msiexec.exe
Token: SeRestorePrivilege | 3272 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3272 | msiexec.exe
Token: SeRestorePrivilege | 3272 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3272 | msiexec.exe
Token: SeRestorePrivilege | 3272 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3272 | msiexec.exe
Token: SeRestorePrivilege | 3272 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3272 | msiexec.exe
Token: SeBackupPrivilege | 1460 | srtasks.exe
Token: SeRestorePrivilege | 1460 | srtasks.exe
Token: SeSecurityPrivilege | 1460 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 1460 | srtasks.exe
Token: SeRestorePrivilege | 3272 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3272 | msiexec.exe
Token: SeRestorePrivilege | 3272 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3272 | msiexec.exe
Token: SeRestorePrivilege | 3272 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3272 | msiexec.exe
Token: SeRestorePrivilege | 3272 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3272 | msiexec.exe
Token: SeRestorePrivilege | 3272 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3272 | msiexec.exe
Token: SeRestorePrivilege | 3272 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3272 | msiexec.exe
Token: SeRestorePrivilege | 3272 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3272 | msiexec.exe
Token: SeRestorePrivilege | 3272 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
3572 | msiexec.exe
3572 | msiexec.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 3272 wrote to memory of 1460 | 3272 | msiexec.exe | 95
PID 3272 wrote to memory of 1460 | 3272 | msiexec.exe | 95
PID 3272 wrote to memory of 4592 | 3272 | msiexec.exe | 97
PID 3272 wrote to memory of 4592 | 3272 | msiexec.exe | 97
PID 3272 wrote to memory of 4592 | 3272 | msiexec.exe | 97
PID 3272 wrote to memory of 3064 | 3272 | msiexec.exe | 99
PID 3272 wrote to memory of 3064 | 3272 | msiexec.exe | 99
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\formulario_citas.msi
  PID: 3572
  Signatures:
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3272
  Signatures:
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 1460
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9D99E258FB343A1A295F866047F7C454
    PID: 4592
    Signatures:
    - Loads dropped DLL
  - C:\Users\Admin\AppData\Roaming\Leatherette\javaw.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Leatherette\javaw.exe"
    PID: 3064
    Signatures:
    - Executes dropped EXE
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2664
  Signatures:
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 11KB
  MD5: a52d8c4f79404f9a42111a87d51da1f1
  SHA1: ebcc6a3573b3b9a076a1e0adcb726d1b47d5542f
  SHA256: 924710f477f4a673840e9ce72a7f99e37ce4e5cc990e439c475537dd55e04eaf
  SHA512: eb05ab5d8ad8d3b287aaae29d4d13fcb44b77effa7843ae39c72d0665f16d6dd2f2cff4fc215664c68ec819211caedcdeee8fbe1862b905e3892cdd0cdbdc273
- Filesize: 53KB
  MD5: e5ea5d841cb79942698c4e952a199a29
  SHA1: ebe0e313c26f87af8ddf4a5f0fad1a68fc5f59d5
  SHA256: 8e478da3eff27b1be19a893314927385156a62582d8ceffb5be2c8852aff19d7
  SHA512: f3aad0d51939184282327a0ed5544f4a9dc71e6b46409909a11dd440680301b5d5c160d58c9586f68800ac544b6573c8215a0a32c270acf0bc611ebbb219e0c0
- Filesize: 386KB
  MD5: 72b1c6699ddc2baab105d32761285df2
  SHA1: fc85e9fb190f205e6752624a5231515c4ee4e155
  SHA256: bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97
  SHA512: cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170
- Filesize: 572KB
  MD5: 7a173cb2e914c865e290750ef112bc89
  SHA1: 0a12476d27dd706b1f54279c7f50224f26e44ef9
  SHA256: 6aa9111e91cd8c4f646f5d901d76884b0892228212ff0d071c2ce8f14ec917e1
  SHA512: 82469d141017154d42895958e42d40a2365460fce9d7291c72fc7a5e73d9993be09b4176ba1d7285eb0de5e8f4e2f6a5e99bf48c78bc18cedfbd1e0f5ba08150
- Filesize: 23.0MB
  MD5: 2cd0583e1d931ed1be2bd5e9b535a006
  SHA1: 2b844d8609fe4801fafaa0c00cf9ba75c9773015
  SHA256: 4ca2a71cc9026298e2162dcf3e08465c40f8848114fea0be7aa4467d8d9b509e
  SHA512: fa01fc61ad126ef4b6d5f62c13dab309b6d796801ef6aaa0cd2c77d95ebd40a06a9113d9f9d7230f324961235aa431fe1ba2571b9a130bd29607a10941d6c428
- \??\Volume{14f6f45c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{7486648a-af7b-4ecd-b9e7-ba675f6d8258}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 0f960a3e97d7f8a8aed32b7aa7fb5ed6
  SHA1: 6776ae8351e9518fcb55aded7aaea1cfba0c0955
  SHA256: 52e320dae51f52d361f48eb44fc7b5face813bff5630eb983b5a0c4b92ec52de
  SHA512: 498966cb042d8ff2220faed52ce6ebf38dad8819adf8b75d90c083f34a2127692324ab3045ac063c1757170cefa93817e6584c68d0d5f80d3830292538e91ab9