Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-06-2024 18:27

General

  • Target

    Estimado_1546359641.155196.msi

  • Size

    1.0MB

  • MD5

    e5a116f558c88e42bd617cc39cfe126c

  • SHA1

    c3741c01786cd4dd17aa07e3b4d28853d935e87d

  • SHA256

    7f08cc4588935ec23f8fd1cbfc64259b8ae6f5ecfe4ed333c0aad3f02c469ffd

  • SHA512

    11995ba7c5077a44824bb2a53f51a1284f557f7b44c18a55c3c654e291aeccb67f09ba698dc13e7565b468b8036b1640047de1b291721d6509c5e31e872ec97d

  • SSDEEP

    24576:SaGryDzAlr0ufTPh0lhSMXl0uN58NtvUZYwAl7:SaEkuqES58NtvUZYwAN

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Estimado_1546359641.155196.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2400
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C1522756A2B2DFF55EB2D0A7C724DF1B
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C mkdir C:\Users\Admin\FTAdmin20\
        3⤵
        PID:2436
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C mkdir C:\Users\Admin\FTAdmin20\FTAdmin20
        3⤵
        PID:2808

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\Installer\MSI648D.tmp

    Filesize

    816KB

    MD5

    aa88d8f40a286b6d40de0f3abc836cfa

    SHA1

    c24eab9e4b10b159b589f4c3b64ef3db111ea1c8

    SHA256

    8d633efeda1249356b11bf8f46583242356e4f903056b53bd25a99511d1790a1

    SHA512

    6c2f2f6a2d66015f30158962d653e381136f0f30023380a0ce95bd0944d856113fbde65db52dbb3b5de1c0e2edf2cd53184e721c64b916834be4198c61224519

  • memory/3028-1-0x0000000000560000-0x0000000000562000-memory.dmp

    Filesize

    8KB