Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240221-es -
resource tags
-
submitted
21-05-2024 19:27
General
-
Target
2ba8759f5242caae300a97a0b39c89170b985db477e48b201d1c6747f586f0bd.msi
-
Size
7.5MB
-
MD5
2c1a16976c0ddf925ab45466dce7e03d
-
SHA1
5b260dd8aac2e881eed23053461223d5f0882b06
-
SHA256
2ba8759f5242caae300a97a0b39c89170b985db477e48b201d1c6747f586f0bd
-
SHA512
0f387930657043f23c97490a16d088f583b1d66440c833744ed84f1f5493d5bdd073e56e55ad11ada5c70305a7824868db78307e498520a45268514c7a4f9be7
-
SSDEEP
196608:SJB4ZesJ8uae1gnwpQOODlOt+lvToBwiIGMYioceaa1YqXpaU:SJWZesmX2xL+lFG5ser1la
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Windows directory 11 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 54 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2ba8759f5242caae300a97a0b39c89170b985db477e48b201d1c6747f586f0bd.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F8D0B227B7A40329A7913CA03389AA292⤵
- Loads dropped DLL
-
C:\Windows\Installer\MSI2330.tmp"C:\Windows\Installer\MSI2330.tmp" /DontWait /HideWindow "C:\Users\Admin\Pictures\MercadoEnvios\SuporteColeta\1.bat"2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\Pictures\MercadoEnvios\SuporteColeta\1.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c dDt.P.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\MercadoEnvios\SuporteColeta\dDt.P.exedDt.P.exe3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD5f9e09a671cbc81d15e118570612e0408
SHA1eb5300d757dde4618c180a7046173978fec230f4
SHA256f1ef207292bfe1019e243131d3da3a96f89ca293b578ef4e9071955b8c522cd2
SHA512f8c6e1b1bf3308899b74b4c269040038999fb78ba642e621a958b7aa8be2f4ed2228f5b105420ec85892b0ecd6396309e3f4384c7fcfff143a681f4263c93d3f
-
Filesize
62B
MD5a9feb7994d611a691e1fe7c64f1ddf70
SHA1226983163ce847ba4002cbc55913f0302510e289
SHA25623562dec086981d6eef1e7b40acf0fa62b153698f6e0b409de027997a2acd741
SHA512d05b52452e0968b696802a17e46fe6194c36e3045261729f0d4017700afb3db5a3d65bcd5a60aecd09db8ed8ed56e300204b9ac9bf09fe9593972e878c31cf7c
-
Filesize
3.5MB
MD57ca3e7c7feb597a6058be09008484829
SHA1b4b129f50dddb6800cfe2a90d1ae590d02298fd5
SHA2561f125ecf9c8b611e6857446895aaf6141b21d6c3147856b2526f9bbe590e222d
SHA51209ee2e51efd7c159179ce83fff35ed4536a2ed0a46f274e65c220a5dfe6fb57724356f179e6e67c133ef4c8cef8309ef2a76b29282d8a0d649f2c15f0d649ddf
-
Filesize
94B
MD506776cc1a37e98869a74e6f8759a143e
SHA1ef7dc871b60c5699ffffbb0213e7f69b98e20d29
SHA25630585de2dbe9b643e8562c6578a46da05b0a2b4a5d5b6291578e8610687068b3
SHA51209751f4831a3a3eeb6a9993018b94e38676aeb6dda76e0fced9af8039a2a5b6e271ff6cad59e7bbba28f0135dcef1cf7c3125dab8993e85cfff75f834441f688
-
Filesize
956KB
MD5e2bc50c3ae1ef4c82e72e5adb3bc8da2
SHA1b21a7250fba3f033f9f412a8272ee4d7e313862d
SHA2565909ab34354db1da3a6bd53febd59270e1866221c835c7abaae4885f39421278
SHA512e730a3ad558e3888c46dc45a34d15727ee9b2cfde4dfbad04a2c281aec01dfec07c68daa0fe314260c2a4fba546b82f43c39c06d74baff5e41d20fcf47de6861
-
Filesize
555KB
MD553ebdf6bc20011120b06e94de66adc51
SHA10c47a3be0ee2dce2e1ffd8c1b40d2ca52d0014f3
SHA256997b258b3f6dd1448fd4d135a56c138813f45f728e57be0eb1908df5b68f031b
SHA51216f2b1ec3e6628f49640afedcad302b0af1fe42b8a7a45b99a16fcec5ed68014ee5aa43672ecc92d7fbd83af18bdc3d1ae3efd0a7b7314ba6a4a156aaa5d37cd
-
Filesize
945KB
MD576c976999d9e47327db9ba24c7ea5269
SHA11568fd9a66ccc910f479f2120e774d5723872d3a
SHA25664acd55e74a3f81a636390e6cfa59930af104f3078c3ce6590a9017e821d6503
SHA512b6a2f2919a04c5b001c68e46f96057f580213c0981d5c45b28562694c6ae81f7624aad9532eda9a29c9503577c6cc392e4dfb969b8fa7d06b5e776f98601644f
-
Filesize
409KB
MD5a7286d5354ef27044c98aad51fc4468e
SHA1c553b71a417baa43758b241673496ee52579ad81
SHA256747479cf05918baf2fc3e9228778a1fc2aa7e6660c40bd6105519c52b4f28c67
SHA5127e0d200b9ba5d983234f8da372e9f683bf5f7bd029a0dea3acb725128be631fc2cf34e941b5eed0654d5101ea7dddf7e094248e4bd5f84351b850c5aec4b244f
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
284KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
6.5MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
8KB