Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system -
submitted
12/05/2024, 02:56
Static task
static1
Behavioral task
behavioral1
Sample
134fc5f505bd60f454537f877ce5286cf705ce05449acccfb4e9cd53b1a6776d.msi
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
134fc5f505bd60f454537f877ce5286cf705ce05449acccfb4e9cd53b1a6776d.msi
Resource
win10v2004-20240508-en
General
-
Target
134fc5f505bd60f454537f877ce5286cf705ce05449acccfb4e9cd53b1a6776d.msi
-
Size
19.5MB
-
MD5
76e8f3a04274f429c181814deecdced5
-
SHA1
054d2a928470874fad2bf1858f62b92e22bc3456
-
SHA256
134fc5f505bd60f454537f877ce5286cf705ce05449acccfb4e9cd53b1a6776d
-
SHA512
00768e51f00a11a00697a62367698b82c4c12984594eead5e2d58ea7ee978665c51c5c4d2df41aabfd5278b48df49358f5b627529c1ea6b887519b1e544c8494
-
SSDEEP
393216:YdJcNzZWuVOj6P5ptgOGT1V12Hak5RoR9/mjHjAyw+YDJ46e:YKccE6jET1V1y5avQjAyw+YDm
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lightshot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Sua Companhia\\Processo\\Lightshot.exe" Lightshot.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: 
msiexec.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2768 Lightshot.exe 2768 Lightshot.exe -
Drops file in Windows directory 9 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI19DA.tmp msiexec.exe File opened for modification C:\Windows\Installer\f761642.ipi msiexec.exe File created C:\Windows\Installer\f76163f.msi msiexec.exe File opened for modification C:\Windows\Installer\f76163f.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI169C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1815.tmp msiexec.exe File created C:\Windows\Installer\f761642.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI1797.tmp msiexec.exe -
Executes dropped EXE 1 IoCs
pid Process 2768 Lightshot.exe -
Loads dropped DLL 4 IoCs
pid Process 2652 MsiExec.exe 2652 MsiExec.exe 2652 MsiExec.exe 2768 Lightshot.exe -
Modifies Internet Explorer settings 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main Lightshot.exe -
Modifies system certificate store 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Lightshot.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [value omitted] Lightshot.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2584 msiexec.exe 2584 msiexec.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe 2768 Lightshot.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeShutdownPrivilege 2860 msiexec.exe Token: SeIncreaseQuotaPrivilege 2860 msiexec.exe Token: SeRestorePrivilege 2584 msiexec.exe Token: SeTakeOwnershipPrivilege 2584 msiexec.exe Token: SeSecurityPrivilege 2584 msiexec.exe Token: SeCreateTokenPrivilege 2860 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2860 msiexec.exe Token: SeLockMemoryPrivilege 2860 msiexec.exe Token: SeIncreaseQuotaPrivilege 2860 msiexec.exe Token: SeMachineAccountPrivilege 2860 msiexec.exe Token: SeTcbPrivilege 2860 msiexec.exe Token: SeSecurityPrivilege 2860 msiexec.exe Token: SeTakeOwnershipPrivilege 2860 msiexec.exe Token: SeLoadDriverPrivilege 2860 msiexec.exe Token: SeSystemProfilePrivilege 2860 msiexec.exe Token: SeSystemtimePrivilege 2860 msiexec.exe Token: SeProfSingleProcessPrivilege 2860 msiexec.exe Token: SeIncBasePriorityPrivilege 2860 msiexec.exe Token: SeCreatePagefilePrivilege 2860 msiexec.exe Token: SeCreatePermanentPrivilege 2860 msiexec.exe Token: SeBackupPrivilege 2860 msiexec.exe Token: SeRestorePrivilege 2860 msiexec.exe Token: SeShutdownPrivilege 2860 msiexec.exe Token: SeDebugPrivilege 2860 msiexec.exe Token: SeAuditPrivilege 2860 msiexec.exe Token: SeSystemEnvironmentPrivilege 2860 msiexec.exe Token: SeChangeNotifyPrivilege 2860 msiexec.exe Token: SeRemoteShutdownPrivilege 2860 msiexec.exe Token: SeUndockPrivilege 2860 msiexec.exe Token: SeSyncAgentPrivilege 2860 msiexec.exe Token: SeEnableDelegationPrivilege 2860 msiexec.exe Token: SeManageVolumePrivilege 2860 msiexec.exe Token: SeImpersonatePrivilege 2860 msiexec.exe Token: SeCreateGlobalPrivilege 2860 msiexec.exe Token: SeRestorePrivilege 2584 msiexec.exe Token: SeTakeOwnershipPrivilege 2584 msiexec.exe Token: SeRestorePrivilege 2584 msiexec.exe Token: SeTakeOwnershipPrivilege 2584 msiexec.exe Token: SeRestorePrivilege 2584 msiexec.exe Token: SeTakeOwnershipPrivilege 2584 msiexec.exe Token: SeRestorePrivilege 2584 msiexec.exe Token: SeTakeOwnershipPrivilege 2584 msiexec.exe Token: 
SeRestorePrivilege 2584 msiexec.exe Token: SeTakeOwnershipPrivilege 2584 msiexec.exe Token: SeRestorePrivilege 2584 msiexec.exe Token: SeTakeOwnershipPrivilege 2584 msiexec.exe Token: SeRestorePrivilege 2584 msiexec.exe Token: SeTakeOwnershipPrivilege 2584 msiexec.exe Token: SeRestorePrivilege 2584 msiexec.exe Token: SeTakeOwnershipPrivilege 2584 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2860 msiexec.exe 2860 msiexec.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2768 Lightshot.exe 2768 Lightshot.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2584 wrote to memory of 2652 2584 msiexec.exe 29 PID 2584 wrote to memory of 2652 2584 msiexec.exe 29 PID 2584 wrote to memory of 2652 2584 msiexec.exe 29 PID 2584 wrote to memory of 2652 2584 msiexec.exe 29 PID 2584 wrote to memory of 2652 2584 msiexec.exe 29 PID 2584 wrote to memory of 2652 2584 msiexec.exe 29 PID 2584 wrote to memory of 2652 2584 msiexec.exe 29 PID 2584 wrote to memory of 2768 2584 msiexec.exe 30 PID 2584 wrote to memory of 2768 2584 msiexec.exe 30 PID 2584 wrote to memory of 2768 2584 msiexec.exe 30 PID 2584 wrote to memory of 2768 2584 msiexec.exe 30
Processes
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\134fc5f505bd60f454537f877ce5286cf705ce05449acccfb4e9cd53b1a6776d.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2860
- C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584
  - C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding 56D0850E81A5AA128ED9F3E9C1DFFCFC
    - Loads dropped DLL
    PID:2652
  - C:\Users\Admin\AppData\Roaming\Sua Companhia\Processo\Lightshot.exe
    "C:\Users\Admin\AppData\Roaming\Sua Companhia\Processo\Lightshot.exe"
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2768
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Defense Evasion
Modify Registry 3
Subvert Trust Controls 1
Install Root Certificate 1
Downloads
-
Filesize
1KB
MD5 c8cebc2fc153fdff1aba8d1a5b912872
SHA1 4a9d930f2fc9458b10ab401f0247634637038205
SHA256 150fcb13fdfe3155cec25a5fae562ca19084051244abea78d55f6f8c517af3f4
SHA512 65d16d72a0b2e3bb46ce678d2cc496285ef932b9d796331de1021ed791d65f9d829160ff52a2dc200690122b5a9cfd25a42a77d091991719752ea4a05561d44c
-
Filesize
21KB
MD5 993f0a75785a0336ef53d08297db018f
SHA1 058292b70ab7d509693eb487100edcc78469f585
SHA256 0809fbb1cbfe881dd4266366daa566ab8b7ff80b96faab4b4236925fb58da5e1
SHA512 97f4a02269b015fa93c7aa81fbe0ae96ad19d24290ddbdac7fb5aae686bacafbbf13651ac77bcafb7bd328e4bdb190d17247d79e913e3117e6932ff31cd7e317
-
Filesize
18.5MB
MD5 56a8bcf76421c3b697e1f0ac7c0982b4
SHA1 d1be3855a9a2a2503fd7f9bc063b7fa50f6b9ca0
SHA256 72c4c7d10e70418147b2bb379555c527b7309601317b734120c8c7a469a22e44
SHA512 861ccad2fc5eb686def00a2824f25247d4c2f9793d437686b18697ed305f0e5d607c58a3de32849a12ebe27c7efd6cfd225963db5ccb5b6a96dd71e0ab9fc0c9
-
Filesize
487KB
MD5 1e1c83b9680029ad4a9f8d3b3ac93197
SHA1 fa7b69793454131a5b21b32867533305651e2dd4
SHA256 0b899508777d7ed5159e2a99a5eff60c54d0724493df3d630525b837fa43aa51
SHA512 fe6f8df3dbbcc7535ead60028ec3e45801a33ccc81c9137b2288bc0d18be42379564c907eb406ce9491f46930690efa9a86a9f6506414992b5dba75adb3d1136
-
Filesize
721KB
MD5 5a1f2196056c0a06b79a77ae981c7761
SHA1 a880ae54395658f129e24732800e207ecd0b5603
SHA256 52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e
SHA512 9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a