Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-05-2024 02:56
Static task: static1
Behavioral task: behavioral1
  Sample: 134fc5f505bd60f454537f877ce5286cf705ce05449acccfb4e9cd53b1a6776d.msi
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 134fc5f505bd60f454537f877ce5286cf705ce05449acccfb4e9cd53b1a6776d.msi
  Resource: win10v2004-20240508-en
General
Target: 134fc5f505bd60f454537f877ce5286cf705ce05449acccfb4e9cd53b1a6776d.msi
Size: 19.5MB
MD5: 76e8f3a04274f429c181814deecdced5
SHA1: 054d2a928470874fad2bf1858f62b92e22bc3456
SHA256: 134fc5f505bd60f454537f877ce5286cf705ce05449acccfb4e9cd53b1a6776d
SHA512: 00768e51f00a11a00697a62367698b82c4c12984594eead5e2d58ea7ee978665c51c5c4d2df41aabfd5278b48df49358f5b627529c1ea6b887519b1e544c8494
SSDEEP: 393216:YdJcNzZWuVOj6P5ptgOGT1V12Hak5RoR9/mjHjAyw+YDJ46e:YKccE6jET1V1y5avQjAyw+YDm
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lightshot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Sua Companhia\\Processo\\Lightshot.exe" | Lightshot.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  1548 | Lightshot.exe
  1548 | Lightshot.exe
Drops file in Windows directory (12 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\MSI692C.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{D7C8AE79-55B9-4DEB-BBE6-01780E37E185} | msiexec.exe
  File opened for modification | C:\Windows\Installer\e5767b3.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI6820.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI68AE.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI6B42.tmp | msiexec.exe
  File created | C:\Windows\Installer\e5767b3.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI698A.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI6A47.tmp | msiexec.exe
Executes dropped EXE (1 IoC)
  pid | Process
  1548 | Lightshot.exe
Loads dropped DLL (6 IoCs)
  pid | Process
  1068 | MsiExec.exe
  1068 | MsiExec.exe
  1068 | MsiExec.exe
  1068 | MsiExec.exe
  1068 | MsiExec.exe
  1548 | Lightshot.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  5032 msiexec.exe 5032 msiexec.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe 1548 Lightshot.exe
Suspicious use of AdjustPrivilegeToken (50 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 2812 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2812 | msiexec.exe
  Token: SeSecurityPrivilege | 5032 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2812 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2812 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2812 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2812 | msiexec.exe
  Token: SeMachineAccountPrivilege | 2812 | msiexec.exe
  Token: SeTcbPrivilege | 2812 | msiexec.exe
  Token: SeSecurityPrivilege | 2812 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2812 | msiexec.exe
  Token: SeLoadDriverPrivilege | 2812 | msiexec.exe
  Token: SeSystemProfilePrivilege | 2812 | msiexec.exe
  Token: SeSystemtimePrivilege | 2812 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 2812 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 2812 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 2812 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 2812 | msiexec.exe
  Token: SeBackupPrivilege | 2812 | msiexec.exe
  Token: SeRestorePrivilege | 2812 | msiexec.exe
  Token: SeShutdownPrivilege | 2812 | msiexec.exe
  Token: SeDebugPrivilege | 2812 | msiexec.exe
  Token: SeAuditPrivilege | 2812 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 2812 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 2812 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 2812 | msiexec.exe
  Token: SeUndockPrivilege | 2812 | msiexec.exe
  Token: SeSyncAgentPrivilege | 2812 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 2812 | msiexec.exe
  Token: SeManageVolumePrivilege | 2812 | msiexec.exe
  Token: SeImpersonatePrivilege | 2812 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 2812 | msiexec.exe
  Token: SeRestorePrivilege | 5032 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5032 | msiexec.exe
  Token: SeRestorePrivilege | 5032 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5032 | msiexec.exe
  Token: SeRestorePrivilege | 5032 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5032 | msiexec.exe
  Token: SeRestorePrivilege | 5032 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5032 | msiexec.exe
  Token: SeRestorePrivilege | 5032 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5032 | msiexec.exe
  Token: SeRestorePrivilege | 5032 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5032 | msiexec.exe
  Token: SeRestorePrivilege | 5032 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5032 | msiexec.exe
  Token: SeRestorePrivilege | 5032 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5032 | msiexec.exe
  Token: SeRestorePrivilege | 5032 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5032 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  2812 | msiexec.exe
  2812 | msiexec.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1548 | Lightshot.exe
  1548 | Lightshot.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 5032 wrote to memory of 1068 | 5032 | msiexec.exe | 85
  PID 5032 wrote to memory of 1068 | 5032 | msiexec.exe | 85
  PID 5032 wrote to memory of 1068 | 5032 | msiexec.exe | 85
  PID 5032 wrote to memory of 1548 | 5032 | msiexec.exe | 88
  PID 5032 wrote to memory of 1548 | 5032 | msiexec.exe | 88
  PID 5032 wrote to memory of 1548 | 5032 | msiexec.exe | 88
Processes
C:\Windows\system32\msiexec.exe (depth 1)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\134fc5f505bd60f454537f877ce5286cf705ce05449acccfb4e9cd53b1a6776d.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2812

C:\Windows\system32\msiexec.exe (depth 1)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5032

  C:\Windows\syswow64\MsiExec.exe (depth 2)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2D606161C19875A4EFFD5537B12A02B8
    - Loads dropped DLL
    PID: 1068

  C:\Users\Admin\AppData\Roaming\Sua Companhia\Processo\Lightshot.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Roaming\Sua Companhia\Processo\Lightshot.exe"
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 1548
Network
MITRE ATT&CK Enterprise v15
Downloads