Analysis
- max time kernel: 144s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/04/2024, 19:00
Static task: static1
Behavioral task: behavioral1
- Sample: z83Danfe-Pedido18042024.msi
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: z83Danfe-Pedido18042024.msi
- Resource: win10v2004-20240412-en
General
- Target: z83Danfe-Pedido18042024.msi
- Size: 19.0MB
- MD5: 7e0b0dd36d786a018dc9713dc16c7e7e
- SHA1: 1aedb6941c6b40332c6e596c35a78da77666d914
- SHA256: 58399bfc49dfa256e09fab1b2c561b1e48c04f1ddb43e55e95c80acf06583dab
- SHA512: 9466900b6d90fdbf04242c9fa5821fc710f8258ded700c84103611c7f443eb275e3273d068705159e2693cf83a48c20853d7b1c939e42f692e681b3945806758
- SSDEEP: 196608:ArYM+ICT2y3E0iQRA8ckyGebpJJZ7tFT5:AsXI82x0iQR8kyNbpJJltX
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
- Drops file in Windows directory (12 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\MSI3B4F.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI3C78.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI3CE7.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI3DF2.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI3E32.tmp | msiexec.exe
  File created | C:\Windows\Installer\e583b00.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI3D07.tmp | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{KP7N5DU3-YRB8-F3W0-6A9Y-PNZ8XOZV0G5A} | msiexec.exe
  File opened for modification | C:\Windows\Installer\e583b00.msi | msiexec.exe
- Loads dropped DLL (5 IoCs)
  pid | Process
  4388 | MsiExec.exe
  4388 | MsiExec.exe
  4388 | MsiExec.exe
  4388 | MsiExec.exe
  4388 | MsiExec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3620 | msiexec.exe
  3620 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 4412 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 4412 | msiexec.exe
  Token: SeSecurityPrivilege | 3620 | msiexec.exe
  Token: SeCreateTokenPrivilege | 4412 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 4412 | msiexec.exe
  Token: SeLockMemoryPrivilege | 4412 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 4412 | msiexec.exe
  Token: SeMachineAccountPrivilege | 4412 | msiexec.exe
  Token: SeTcbPrivilege | 4412 | msiexec.exe
  Token: SeSecurityPrivilege | 4412 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4412 | msiexec.exe
  Token: SeLoadDriverPrivilege | 4412 | msiexec.exe
  Token: SeSystemProfilePrivilege | 4412 | msiexec.exe
  Token: SeSystemtimePrivilege | 4412 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 4412 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 4412 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 4412 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 4412 | msiexec.exe
  Token: SeBackupPrivilege | 4412 | msiexec.exe
  Token: SeRestorePrivilege | 4412 | msiexec.exe
  Token: SeShutdownPrivilege | 4412 | msiexec.exe
  Token: SeDebugPrivilege | 4412 | msiexec.exe
  Token: SeAuditPrivilege | 4412 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 4412 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 4412 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 4412 | msiexec.exe
  Token: SeUndockPrivilege | 4412 | msiexec.exe
  Token: SeSyncAgentPrivilege | 4412 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 4412 | msiexec.exe
  Token: SeManageVolumePrivilege | 4412 | msiexec.exe
  Token: SeImpersonatePrivilege | 4412 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 4412 | msiexec.exe
  Token: SeRestorePrivilege | 3620 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3620 | msiexec.exe
  Token: SeRestorePrivilege | 3620 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3620 | msiexec.exe
  Token: SeRestorePrivilege | 3620 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3620 | msiexec.exe
  Token: SeRestorePrivilege | 3620 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3620 | msiexec.exe
  Token: SeRestorePrivilege | 3620 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3620 | msiexec.exe
  Token: SeRestorePrivilege | 3620 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3620 | msiexec.exe
  Token: SeRestorePrivilege | 3620 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3620 | msiexec.exe
  Token: SeRestorePrivilege | 3620 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3620 | msiexec.exe
  Token: SeRestorePrivilege | 3620 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3620 | msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  4412 | msiexec.exe
  4412 | msiexec.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  4388 | MsiExec.exe
  4388 | MsiExec.exe
  4388 | MsiExec.exe
  4388 | MsiExec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3620 wrote to memory of 4388 | 3620 | msiexec.exe | 89
  PID 3620 wrote to memory of 4388 | 3620 | msiexec.exe | 89
  PID 3620 wrote to memory of 4388 | 3620 | msiexec.exe | 89
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\z83Danfe-Pedido18042024.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 4412
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3620
  - C:\Windows\syswow64\MsiExec.exe (child of PID 3620)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7BDD2B71F840F582200262652904860F
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID: 4388
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 577B
  MD5: 7fdeb863f8b2bfa5ea369ea3b1739c74
  SHA1: 3fb4eaa01404b402511118e1a42e7f8a5ee3d725
  SHA256: c479d5b04a805ef1606fea540557ee5e35a77bd05185b5c35a42251a7a85298e
  SHA512: 676cecd7d5a0fa8f305d6e361ba7de9fde65f98055d6075161b30b749c5fa7f3498ff3ad1010af7caead8d90c3c48ee2619ef17c2770545ad1b97c03ca095710
- Filesize: 554KB
  MD5: 3b171ce087bb799aafcbbd93bab27f71
  SHA1: 7bd69efbc7797bdff5510830ca2cc817c8b86d08
  SHA256: bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
  SHA512: 7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38
- Filesize: 17.8MB
  MD5: b3c483cc215012e2f7da8d4bf2204143
  SHA1: 5fcfa023eb558178a74bd6d9433b43fdc50ec40a
  SHA256: a1ac46766f739eb5317a45047897bf20e0945611b30ea5a927e5181472f8dbc6
  SHA512: c4f59486801ff9dbf448d6efdb300cf52a7b1de7604c066eb776c35042135510a37f8ba6c5728188742898cc0c6e821d659c83601f1156646f8acfc99e7975d0