Analysis
- max time kernel: 150s
- max time network: 114s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/05/2024, 06:19
Static task: static1
Behavioral task: behavioral1
- Sample: z21Pedido_Faturado-1505.msi
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: z21Pedido_Faturado-1505.msi
- Resource: win10v2004-20240426-en
General
- Target: z21Pedido_Faturado-1505.msi
- Size: 4.4MB
- MD5: 36da2b2974f33f1a599720d404e01039
- SHA1: 3769e6eb59991d6a8ac42110cd0538e4162e9dc2
- SHA256: a5fff2dd84c04da572de9fac37b5d4e30db2e2e81cf41955de340c70f776d611
- SHA512: 65cf7b99d68016db9bede860372432cdd8daccb53d47415c7c02c1cba89d611ce30299944f5e89169532be95f9401aa3d8ad98544e548311c41c33a0d5370c34
- SSDEEP: 98304:1e9RY3ue9SPuzxM8tprVmAcpmWqEzKy9+W:oXt3SxM8vrVmAcpmJHe+W
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  IoCs: msiexec.exe opened (read-only) the volume roots \??\A:, \??\B:, \??\E: and \??\G: through \??\Z:, i.e. every letter except C:, D: and F:. Each of the 23 letters appears twice, once for each msiexec.exe process that carries this signature (PID 1848 and PID 548).
  Caveat: Windows Installer enumerates volumes while costing an install, so this signature fires on practically any MSI and carries little weight on its own.
- Drops file in Windows directory (12 IoCs)
  Opened for modification by msiexec.exe: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log; C:\Windows\Installer\; C:\Windows\Installer\MSI37E8.tmp, MSI3876.tmp, MSI38C5.tmp, MSI3924.tmp, MSI39C1.tmp, MSI3A5E.tmp; C:\Windows\Installer\e57378b.msi
  Created by msiexec.exe: C:\Windows\Installer\inprogressinstallinfo.ipi; C:\Windows\Installer\SourceHash{7CF68476-6C14-470A-B502-0AF87529D6C4}; C:\Windows\Installer\e57378b.msi
  Notes: e57378b.msi is the Installer's cached copy of the package and is where to recover it from an affected host; the GUID in the SourceHash file name is the package's ProductCode; the MSI*.tmp files are extracted custom-action binaries, and the write to the .NET Native Image Generator log (ngen.log) is worth checking against the package's custom actions.
- Executes dropped EXE (1 IoC)
  PID 2976 FomsTudioª.exe
- Loads dropped DLL (6 IoCs)
  PID 516 MsiExec.exe (5 loads); PID 2976 FomsTudioª.exe (1 load)
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, flow 16: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  This is the default User-Agent of the WinHttp.WinHttpRequest COM object, which is normally driven from VBScript, JScript or PowerShell rather than from a browser, so it is a usable proxy-log pivot.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 548 msiexec.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  PID 1848 msiexec.exe (31 events) enabled: SeShutdownPrivilege (twice), SeIncreaseQuotaPrivilege (twice), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 548 msiexec.exe (19 events) enabled: SeSecurityPrivilege once, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternately, 9 times each
  Caveat: PID 1848 is the Installer client and PID 548 is the Windows Installer service; both adjust privileges like this during ordinary installs, so this signature is baseline noise here and the dropped executable is the stronger signal.
- Suspicious use of FindShellTrayWindow (4 IoCs)
  PID 1848 msiexec.exe (2 events); PID 2976 FomsTudioª.exe (2 events)
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 548 msiexec.exe wrote to the memory of PID 516 (3 events, target index 85) and of PID 2976 (2 events, target index 89): the Installer service writing into the two children it created, the custom-action server and the dropped executable.
Processes
- C:\Windows\system32\msiexec.exe (PID 1848, depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\z21Pedido_Faturado-1505.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 548, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 516, depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1E46E199C094624ECCBBFB4E4A3DF94F
    - Loads dropped DLL
  - C:\Users\Admin\AppData\Roaming\FomsTudioª.exe (PID 2976, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\FomsTudioª.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow

Reading the tree: PID 1848 is the per-user Installer client started on the sample; PID 548 is the Windows Installer service (/V), which the sandbox records as the parent of both the 32-bit custom-action server (PID 516, -Embedding, under syswow64, so the package's custom actions are 32-bit) and the dropped FomsTudioª.exe (PID 2976) in the user's AppData\Roaming. An installer service spawning an executable out of a user-writable profile directory, with a non-ASCII character (ª) in its name, is the behaviour to key a detection on.
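The chain the process tree shows (Installer service starting an executable in AppData\Roaming under a non-ASCII file name, plus the WinHttpRequest User-Agent from the Script User-Agent signature above) is what a detection should key on. The following Python is an added example for this page, not sandbox output or code from the sample; the event records are constructed to mirror the tree, and the parents of PIDs 1848 and 548 (explorer.exe, services.exe) are assumed because the report does not show them.

```python
"""Detection logic for the process chain in the report above: the Windows
Installer service (msiexec.exe /V) launching an executable out of a user's
AppData directory, an image name containing non-ASCII characters, and the
default WinHttp.WinHttpRequest User-Agent that the sandbox flagged as
"Script User-Agent". Added example; the records below are constructed."""
import re
from dataclasses import dataclass
from typing import Any, Dict, List

# Default User-Agent of the WinHttp.WinHttpRequest COM object (report: flow 16).
SCRIPT_HOST_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

# Executables under a user profile's AppData are user-writable; a packaged
# installer has no reason to run something it dropped there via the service.
USER_APPDATA = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str
    parent_cmdline: str


def is_installer_service(cmdline: str) -> bool:
    """msiexec.exe /V is the command line the Windows Installer service runs under."""
    return cmdline.strip().lower().endswith("msiexec.exe /v")


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of the detections that fire for one process-creation event."""
    findings: List[str] = []
    parent_is_msiexec = ev.parent_image.lower().endswith("\\msiexec.exe")
    image_lower = ev.image.lower()

    if parent_is_msiexec and USER_APPDATA.match(image_lower):
        findings.append("msiexec_child_in_user_appdata")
    # The service normally only spawns the custom-action server
    # (MsiExec.exe -Embedding ...) from C:\Windows; anything else is notable.
    if (parent_is_msiexec and is_installer_service(ev.parent_cmdline)
            and not image_lower.startswith("c:\\windows\\")):
        findings.append("installer_service_child_outside_windows")
    # Names like FomsTudioª.exe: any byte above 0x7F in the file name.
    basename = ev.image.rsplit("\\", 1)[-1]
    if any(ord(ch) > 0x7F for ch in basename):
        findings.append("non_ascii_image_name")
    return findings


def flag_script_user_agent(flows: List[Dict[str, Any]]) -> List[int]:
    """Return the ids of flows whose User-Agent is the WinHttpRequest default."""
    return [int(f["flow"]) for f in flows if f.get("user_agent") == SCRIPT_HOST_UA]


# Constructed events mirroring the report's process tree; the parents of
# 1848 and 548 are assumptions, the report does not show them.
EVENTS = [
    ProcEvent(1848, r"C:\Windows\system32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\z21Pedido_Faturado-1505.msi",
              4000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(548, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V",
              700, r"C:\Windows\system32\services.exe", "services.exe"),
    ProcEvent(516, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding 1E46E199C094624ECCBBFB4E4A3DF94F",
              548, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(2976, "C:\\Users\\Admin\\AppData\\Roaming\\FomsTudioª.exe",
              '"C:\\Users\\Admin\\AppData\\Roaming\\FomsTudioª.exe"',
              548, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
]

# Constructed HTTP flows: flow 16 carries the User-Agent from the report,
# flow 17 is a browser request added for contrast.
FLOWS = [
    {"flow": 16, "user_agent": SCRIPT_HOST_UA},
    {"flow": 17, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/124.0"},
]


def run_hunt() -> Dict[int, List[str]]:
    """Map each PID to the detections that fire on it (empty list = nothing fired)."""
    return {ev.pid: classify(ev) for ev in EVENTS}


if __name__ == "__main__":
    for pid, hits in run_hunt().items():
        print(pid, hits or "-")
    print("script UA flows:", flag_script_user_agent(FLOWS))
```

Only PID 2976 trips the process rules; the custom-action server (PID 516) is whitelisted by its C:\Windows path, and the two msiexec.exe instances do not fire because their parents are not msiexec. On real telemetry (Sysmon event 1 or 4688 with parent command line) the same three checks apply unchanged; the User-Agent check is meant for proxy logs and should be tuned against legitimate scripted WinHttp users in the environment.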
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: e03f7d5ba1b938cf224bb51b0b420367
  SHA1: 92698e36d11e37f22b23be57eedd84543b88b49f
  SHA256: 1e60e23b32cb782264d3869a13f68110e72705984c046f4eafa52240c9ba56f5
  SHA512: 951faa08f3408d4c67ae56164c3411cdf04a87052c79a31274e8d3350cdf0687176e948e526af082f68aaded454dbca71ea41fa3fedd3e382ee687965ae59c72
- Filesize: 4.8MB
  MD5: 04eedb1cbf0026ca6731975c54645f85
  SHA1: c784243eea6c8b968f79319ed1b84ca1db86155b
  SHA256: 282fc28644db919fee960f1d09c94076eb5cc57c266e25d47dc1c13e38eac27a
  SHA512: 2aa145c9204491dee9e24a215e8443ed64cb080829fe7548994cf3e876ac9503f9cbff91de20282e91f561aa326a3898397ade7846190635737f96683ee581f5
- Filesize: 3.9MB
  MD5: 8a242aeba83c7da62dff095417cccd31
  SHA1: 2f93e5c9e75e4de7d9a82826ace4dfaa763e6db7
  SHA256: 51915ee49701927a930a033ac2b84c3303b8cf7ac88869b0d2ba6aabc5fa66f8
  SHA512: b91742f74367f7bcbb4f3956fdbbb27edf1589c7badb9a835391c6c003f7ddd52c73632c92d272aca0a056b54801a9f9e0b5faead7242170c5c7d2c261fe614b
- Filesize: 721KB
  MD5: 5a1f2196056c0a06b79a77ae981c7761
  SHA1: a880ae54395658f129e24732800e207ecd0b5603
  SHA256: 52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e
  SHA512: 9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a