132b407090ee6245110b77bee17447e2c700a3b06deffa55a0fd1605691cd17b

Analysis

max time kernel
594s
max time network
451s
platform
windows10-2004_x64
resource
win10v2004-20240508-es
resource tags

arch:x64arch:x86image:win10v2004-20240508-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
31/05/2024, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DFC.530.msi
Size

21.6MB
MD5

29bd31f6b73955c2d4891c80b57cdc38
SHA1

dd5b1caa91025f847377bcbcd15e537649e605e4
SHA256

132b407090ee6245110b77bee17447e2c700a3b06deffa55a0fd1605691cd17b
SHA512

f2160db5ed7138de7b50dbc0e71b07741a443abb10f55213053fa3fa7c0b388065f064b6e78b179f38a1738c44a878df444c04da40c655977e4d307f73dd416b
SSDEEP

196608:Snv1sPXIIh4hez5nU65YEdrZU0n/34c2p1SFWZ+fMh5AQeF:SnvHIqhi5nd2Arj34fbCWZ+fMDze

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UruinaSts = "C:\\rieg2g4e\\STEAL.exe"	STEAL.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
6	1072	msiexec.exe
10	1072	msiexec.exe
20	1032	MsiExec.exe
36	1032	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI66F8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI67D5.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{XGK2KYVJ-2AZ1-CM7G-AUQ4-17QL4KH0VEWP}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI68FF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI697D.tmp	msiexec.exe
File created	C:\Windows\Installer\e576571.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e576571.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI663C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6776.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2616	STEAL.exe

Loads dropped DLL 8 IoCs

pid	Process
1032	MsiExec.exe
1032	MsiExec.exe
1032	MsiExec.exe
1032	MsiExec.exe
1032	MsiExec.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2136	msiexec.exe
2136	msiexec.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2616	STEAL.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1072	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1072	msiexec.exe
Token: SeSecurityPrivilege	2136	msiexec.exe
Token: SeCreateTokenPrivilege	1072	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1072	msiexec.exe
Token: SeLockMemoryPrivilege	1072	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1072	msiexec.exe
Token: SeMachineAccountPrivilege	1072	msiexec.exe
Token: SeTcbPrivilege	1072	msiexec.exe
Token: SeSecurityPrivilege	1072	msiexec.exe
Token: SeTakeOwnershipPrivilege	1072	msiexec.exe
Token: SeLoadDriverPrivilege	1072	msiexec.exe
Token: SeSystemProfilePrivilege	1072	msiexec.exe
Token: SeSystemtimePrivilege	1072	msiexec.exe
Token: SeProfSingleProcessPrivilege	1072	msiexec.exe
Token: SeIncBasePriorityPrivilege	1072	msiexec.exe
Token: SeCreatePagefilePrivilege	1072	msiexec.exe
Token: SeCreatePermanentPrivilege	1072	msiexec.exe
Token: SeBackupPrivilege	1072	msiexec.exe
Token: SeRestorePrivilege	1072	msiexec.exe
Token: SeShutdownPrivilege	1072	msiexec.exe
Token: SeDebugPrivilege	1072	msiexec.exe
Token: SeAuditPrivilege	1072	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1072	msiexec.exe
Token: SeChangeNotifyPrivilege	1072	msiexec.exe
Token: SeRemoteShutdownPrivilege	1072	msiexec.exe
Token: SeUndockPrivilege	1072	msiexec.exe
Token: SeSyncAgentPrivilege	1072	msiexec.exe
Token: SeEnableDelegationPrivilege	1072	msiexec.exe
Token: SeManageVolumePrivilege	1072	msiexec.exe
Token: SeImpersonatePrivilege	1072	msiexec.exe
Token: SeCreateGlobalPrivilege	1072	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1072	msiexec.exe
1072	msiexec.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1032	MsiExec.exe
1032	MsiExec.exe
1032	MsiExec.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe
2616	STEAL.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 1032	2136	msiexec.exe	88
PID 2136 wrote to memory of 1032	2136	msiexec.exe	88
PID 2136 wrote to memory of 1032	2136	msiexec.exe	88
PID 1032 wrote to memory of 2616	1032	MsiExec.exe	97
PID 1032 wrote to memory of 2616	1032	MsiExec.exe	97
PID 1032 wrote to memory of 2616	1032	MsiExec.exe	97

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\DFC.530.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1072

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 953A0D265EDF8D726EC7F66A7698B431
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\rieg2g4e\STEAL.exe
    "C:\rieg2g4e\STEAL.exe"
    3⤵
    - Adds Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_09B37B1D13D68619FD5280E35214FE13

Filesize
1KB

MD5
a63ccc56969df215c0be54ab9a06c413

SHA1
cac2af454324025d0c4d86814978e8e7d50a5a30

SHA256
d5db8956789150f7c3424d0271f1356600a91819453f8666b882a736190f1641

SHA512
30c2bd0414d673b98ebe35c0ac25281bdac206b7e528efe5f8446f5c93eaf4aadfa27c95a2f5494f876dd6ca3954c482a93b6431df98dcaa53113bc09d65ad38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
11c76a11be5d4ec1511e15632be0039e

SHA1
9fad5a136d3e69a72d287287617efecc36794b27

SHA256
0347669871aa1458839c5d2053df261ed75be9c04a72896b76e8e535339735f8

SHA512
60b6b1b6e8fa22af55824b44e6877d0fdf45d70dc8bb1e7edab0c664d61feb7c1710a59d76a01ebfb5474b1211525ce4727ee639f165bc6132466485f5c1c117

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_09B37B1D13D68619FD5280E35214FE13

Filesize
536B

MD5
59eae3b5581353a4a7c40d6846296292

SHA1
24fd99d8d97bb6803fb1b33d60148dc8f729de85

SHA256
4e6c3f7aaf0cf2bc31a2ed5b0b23c69fae99ac1f20a7d102ceed8acf545358e0

SHA512
7f446046d95bbbd59fd2db94845abea97f007e0b43f61e4b1defd0e6b07e78eae5baa45d6142de406a7b379d361f5f2a88be1a33ef0f91507eb71562b0ac68ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
5f3cf40f88232a4dec7b1987e3473d4b

SHA1
34cf6d57f568fc4819146357f6b3cfc05e7bb570

SHA256
a347410a804787fcaf99157fc7aa250b9a12c2c6f3bd7381df266d57a8df80b5

SHA512
31802ecbe899e5848e8703ba37e16edff9a1cb2d82c0a4fb9e2c8ed42481f670e4ce944200d42cb2d58f2f025fe7d3c4c8a2ddd37a2bf7f09c3b36f1c4672abe

Download Submit
C:\Windows\Installer\MSI663C.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI697D.tmp

Filesize
20.4MB

MD5
82ae9c41bde2721eeac6b6a945793bd6

SHA1
edc21041c456116c63074adc0ff35697a032e1b1

SHA256
a8e34860b9d3e0b66504616984a17e2a3bb125bc11bad04e148dead9577b9954

SHA512
e02793e2d7db73a9202690c8f6d66a75098c6fa2ca9c9a10fdb48d954f845882422d515161575e6c6005603ea736f00c2850b5cc4ec8d4d5dfcb58ecb2c010b1

Download Submit
C:\rieg2g4e\HumbillQT5.dll

Filesize
1.5MB

MD5
9e5aa15a31eb279cc89aa4aab29e5611

SHA1
8534d576fa9e9b1b5d4cfe697b71d0a87a379381

SHA256
d76c62368c4460ba683893adea061652900ba9cc923fe30585b8a169f58baa8a

SHA512
2c0fdd5170ba82a47884ceefa0c83d9cd9d740eb7fb18a7ec3baec76c8c6f890e2397dff65baf6197e1690e2e8765bb081c6a1d91bcc7f4ea2a34616832a9ea6

Download Submit
C:\rieg2g4e\STEAL.exe

Filesize
9.1MB

MD5
74d3f521a38b23cd25ed61e4f8d99f16

SHA1
c4cd0e519aeca41e94665f2c5ea60a322deb3680

SHA256
1d822b3faabb8f65fc30076d32a95757a2c369ccb64ae54572e9f562280ae845

SHA512
ec1c8b0eb895fd8947cad6126abc5bca3a712e42475228b9dcb3496098e720abb83d4cba4621edbd8d3ad7f306a5f57ced9c2c98fe2c2d0c8ebbbf99d7faf0f1

Download Submit
C:\rieg2g4e\unrar.dll

Filesize
174KB

MD5
4289541be75e95bcfff04857f7144d87

SHA1
5ec8085e30d75ec18b8b1e193b3d5aa1648b0d2e

SHA256
2631fcdf920610557736549e27939b9c760743a2cddec0b2c2254cfa40003fb0

SHA512
3137a7790de74a6413aca6c80fd57288bcc30a7df3a416f3c6e8666041cd47a9609136c91405eee23224c4ae67c9aebbba4dd9c4e5786b09b83318755b4a55fd

Download Submit
memory/1032-40-0x00000000732A0000-0x00000000747CA000-memory.dmp

Filesize
21.2MB

Download
memory/1032-56-0x00000000732A0000-0x00000000747CA000-memory.dmp

Filesize
21.2MB

Download
memory/2616-92-0x000000000A500000-0x000000000A684000-memory.dmp

Filesize
1.5MB

Download
memory/2616-110-0x0000000005490000-0x0000000007078000-memory.dmp

Filesize
27.9MB

Download
memory/2616-88-0x000000000A500000-0x000000000A684000-memory.dmp

Filesize
1.5MB

Download
memory/2616-89-0x000000000A500000-0x000000000A684000-memory.dmp

Filesize
1.5MB

Download
memory/2616-90-0x000000000A500000-0x000000000A684000-memory.dmp

Filesize
1.5MB

Download
memory/2616-94-0x000000000A500000-0x000000000A684000-memory.dmp

Filesize
1.5MB

Download
memory/2616-93-0x000000000A500000-0x000000000A684000-memory.dmp

Filesize
1.5MB

Download
memory/2616-85-0x0000000005490000-0x0000000007078000-memory.dmp

Filesize
27.9MB

Download
memory/2616-91-0x000000000A500000-0x000000000A684000-memory.dmp

Filesize
1.5MB

Download
memory/2616-95-0x0000000000400000-0x0000000000D36000-memory.dmp

Filesize
9.2MB

Download
memory/2616-96-0x0000000005490000-0x0000000007078000-memory.dmp

Filesize
27.9MB

Download
memory/2616-98-0x0000000005490000-0x0000000007078000-memory.dmp

Filesize
27.9MB

Download
memory/2616-103-0x0000000005490000-0x0000000007078000-memory.dmp

Filesize
27.9MB

Download
memory/2616-87-0x000000000A500000-0x000000000A684000-memory.dmp

Filesize
1.5MB

Download
memory/2616-114-0x0000000005490000-0x0000000007078000-memory.dmp

Filesize
27.9MB

Download
memory/2616-118-0x0000000005490000-0x0000000007078000-memory.dmp

Filesize
27.9MB

Download
memory/2616-120-0x0000000005490000-0x0000000007078000-memory.dmp

Filesize
27.9MB

Download
memory/2616-122-0x0000000005490000-0x0000000007078000-memory.dmp

Filesize
27.9MB

Download
memory/2616-124-0x0000000005490000-0x0000000007078000-memory.dmp

Filesize
27.9MB

Download
memory/2616-130-0x0000000005490000-0x0000000007078000-memory.dmp

Filesize
27.9MB

Download
memory/2616-134-0x0000000005490000-0x0000000007078000-memory.dmp

Filesize
27.9MB

Download
memory/2616-136-0x0000000005490000-0x0000000007078000-memory.dmp

Filesize
27.9MB

Download
memory/2616-140-0x0000000005490000-0x0000000007078000-memory.dmp

Filesize
27.9MB

Download
memory/2616-146-0x0000000005490000-0x0000000007078000-memory.dmp

Filesize
27.9MB

Download
memory/2616-148-0x0000000005490000-0x0000000007078000-memory.dmp

Filesize
27.9MB

Download