010062f8e7a7a3346769daee4766b2294ab6a6fc03b84e22d57130b87fe90fd2

Analysis

max time kernel
299s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fin.869.msi
Size

14.3MB
MD5

cd3e308933ee055061195cb298312262
SHA1

851f2af2e194af6ca2f45e50d8fc96c82b8b0a10
SHA256

010062f8e7a7a3346769daee4766b2294ab6a6fc03b84e22d57130b87fe90fd2
SHA512

5208c9eda9bf0b0b23cf784393055036b975e21e019047b43dca6efd9d50af657711f772924b17316d82fcf7e6f02fa6bda71912071fd7e8cbffe6a2a4c81f94
SSDEEP

393216:CBCbzzMM/oXWclh4gEWJoOl4Uj54cYqQHHlG2ihWxxmawoG/:C0bHMMTpgrbbtNT4HlGSTwoG/

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI3526.tmp	msiexec.exe
File created	C:\Windows\Installer\f7633ff.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI36AD.tmp	msiexec.exe
File created	C:\Windows\Installer\f7633fc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7633fc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI342A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI34D7.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2672	Hqnexasyncг.exe

Loads dropped DLL 9 IoCs

pid	Process
1332	MsiExec.exe
1332	MsiExec.exe
1332	MsiExec.exe
2820	MsiExec.exe
2820	MsiExec.exe
2672	Hqnexasyncг.exe
2672	Hqnexasyncг.exe
2672	Hqnexasyncг.exe
2672	Hqnexasyncг.exe

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

pid	Process
2080	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2884	msiexec.exe
2884	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2080	msiexec.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2080	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2080	msiexec.exe
Token: SeRestorePrivilege	2884	msiexec.exe
Token: SeTakeOwnershipPrivilege	2884	msiexec.exe
Token: SeSecurityPrivilege	2884	msiexec.exe
Token: SeCreateTokenPrivilege	2080	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2080	msiexec.exe
Token: SeLockMemoryPrivilege	2080	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2080	msiexec.exe
Token: SeMachineAccountPrivilege	2080	msiexec.exe
Token: SeTcbPrivilege	2080	msiexec.exe
Token: SeSecurityPrivilege	2080	msiexec.exe
Token: SeTakeOwnershipPrivilege	2080	msiexec.exe
Token: SeLoadDriverPrivilege	2080	msiexec.exe
Token: SeSystemProfilePrivilege	2080	msiexec.exe
Token: SeSystemtimePrivilege	2080	msiexec.exe
Token: SeProfSingleProcessPrivilege	2080	msiexec.exe
Token: SeIncBasePriorityPrivilege	2080	msiexec.exe
Token: SeCreatePagefilePrivilege	2080	msiexec.exe
Token: SeCreatePermanentPrivilege	2080	msiexec.exe
Token: SeBackupPrivilege	2080	msiexec.exe
Token: SeRestorePrivilege	2080	msiexec.exe
Token: SeShutdownPrivilege	2080	msiexec.exe
Token: SeDebugPrivilege	2080	msiexec.exe
Token: SeAuditPrivilege	2080	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2080	msiexec.exe
Token: SeChangeNotifyPrivilege	2080	msiexec.exe
Token: SeRemoteShutdownPrivilege	2080	msiexec.exe
Token: SeUndockPrivilege	2080	msiexec.exe
Token: SeSyncAgentPrivilege	2080	msiexec.exe
Token: SeEnableDelegationPrivilege	2080	msiexec.exe
Token: SeManageVolumePrivilege	2080	msiexec.exe
Token: SeImpersonatePrivilege	2080	msiexec.exe
Token: SeCreateGlobalPrivilege	2080	msiexec.exe
Token: SeRestorePrivilege	2884	msiexec.exe
Token: SeTakeOwnershipPrivilege	2884	msiexec.exe
Token: SeRestorePrivilege	2884	msiexec.exe
Token: SeTakeOwnershipPrivilege	2884	msiexec.exe
Token: SeRestorePrivilege	2884	msiexec.exe
Token: SeTakeOwnershipPrivilege	2884	msiexec.exe
Token: SeRestorePrivilege	2884	msiexec.exe
Token: SeTakeOwnershipPrivilege	2884	msiexec.exe
Token: SeRestorePrivilege	2884	msiexec.exe
Token: SeTakeOwnershipPrivilege	2884	msiexec.exe
Token: SeRestorePrivilege	2884	msiexec.exe
Token: SeTakeOwnershipPrivilege	2884	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2080	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 1332	2884	msiexec.exe	29
PID 2884 wrote to memory of 1332	2884	msiexec.exe	29
PID 2884 wrote to memory of 1332	2884	msiexec.exe	29
PID 2884 wrote to memory of 1332	2884	msiexec.exe	29
PID 2884 wrote to memory of 1332	2884	msiexec.exe	29
PID 2884 wrote to memory of 1332	2884	msiexec.exe	29
PID 2884 wrote to memory of 1332	2884	msiexec.exe	29
PID 2884 wrote to memory of 2820	2884	msiexec.exe	30
PID 2884 wrote to memory of 2820	2884	msiexec.exe	30
PID 2884 wrote to memory of 2820	2884	msiexec.exe	30
PID 2884 wrote to memory of 2820	2884	msiexec.exe	30
PID 2884 wrote to memory of 2820	2884	msiexec.exe	30
PID 2820 wrote to memory of 2672	2820	MsiExec.exe	31
PID 2820 wrote to memory of 2672	2820	MsiExec.exe	31
PID 2820 wrote to memory of 2672	2820	MsiExec.exe	31

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fin.869.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2080

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C1528996F871D4A4DC47B118C28554DC
  2⤵
  - Loads dropped DLL
  PID:1332
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding EDD063BB12AD316EDC00050EA8C91553
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\ProgramData\esgzf3jfxq\Hqnexasyncг.exe
    "C:\ProgramData\esgzf3jfxq\Hqnexasyncг.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\esgzf3jfxq\Hqnexasyncг.exe

Filesize
80KB

MD5
058eef946157b69ed5e51ada7575afb6

SHA1
45aaa639e7391a74f697265b4126a062981d866f

SHA256
040f24915ec39f1e978f325a9190a7e9c4521ee6faf860acf6eee13d796d6306

SHA512
5528eef32e2c3480eece4836fc98274dc4bb2f11b56a1b5f9c13e3fa70e8a2515bf2536b10f15672f648ae2ef9f750a161c014ae2f3e9fe452ef1439d6389c73

Download Submit
C:\ProgramData\esgzf3jfxq\VCRUNTIME140.dll

Filesize
101KB

MD5
4ffd50749cbbb87a400136bdb9d33334

SHA1
7711709d3cc2baf47f53a13effc1f25077e293e9

SHA256
a99be0c3e3abea781aba0ac6a3e075db2fbd60f58e94a322055cad4ef4d9ea31

SHA512
3cb98a1e2b1c43f9bc7901b5b72cc964cced02f881e5c8c73f33fa6d90ea8c4e6135c4a8d30c898dfafae761bf8e18012c2ccc0c2aba157cf70430ce186b1008

Download Submit
C:\ProgramData\esgzf3jfxq\hdykmVDMLA

Filesize
38KB

MD5
f1a0c9f749a3414b00867e5e2f2e4c75

SHA1
19f2aad3027dedce91eb143c4e1c313ba36bcddb

SHA256
6d444b2f757e3ba41fd5dcd1a676ed8a8642d331657eb84386a8e1015be02890

SHA512
d203f13b3406637ce7699dacae96ae2f7dde6ab7a737acc77d808b828322dd6eddb644812fb82d1ca45af73c22a45c4f1898d548b362319271f5aa822c50bac6

Download Submit
C:\Users\Admin\AppData\Roaming\AlbuquerqueSaraiva\GostosoBorrachaSabonete\BpfkVcLaW6Dye4hU7NW.dll

Filesize
467KB

MD5
98ddafe626df49c03e3ec12b9b6470e8

SHA1
e584e39bac9dfab017dd020003513b549ba197bf

SHA256
09659caa31a8459fa530fe5f8aeb26603ea77dfad5049b706b4e36e9a428d8e7

SHA512
14cbf3fe66251a10ca2abaac23309fc0db931120b54a7c0aa4c32649ee27b679c39cd887281a151ee17217f67a112d698aa4620269cb51b3c73bfe09fec38033

Download Submit
C:\Users\Admin\AppData\Roaming\AlbuquerqueSaraiva\GostosoBorrachaSabonete\TjxwC4NXT9paDXxebU55.bnd

Filesize
30.2MB

MD5
b7504fcc98ad9c09a958defa091d87e3

SHA1
b6cab9e3c112571ce4d73448f21b4b6a41cf6cd4

SHA256
f1721d6d4708ed066650aa59b9fb7ed8d99bb03732e1383b7c145980aee2589a

SHA512
4f6b2ffec6ea93900fe75cf8154a069121f22fbe852c26e02d731c60bfcf8958925437dd6ab7b8172fe263c2094b8d2f3ac68a0ffc363c04e27daca21513f246

Download Submit
C:\Users\Admin\AppData\Roaming\AlbuquerqueSaraiva\GostosoBorrachaSabonete\zGZaBDyUdk

Filesize
75KB

MD5
af7c1c4e5cc8de0734624e1f042d2bfe

SHA1
20a8a2a77a1989b71ecdc561bcd00eaa6c04ded0

SHA256
6275bfa449c92ac51a9cecf5b14f137ca5733b12bed4536e1b659d73ef3f0126

SHA512
f3188ec7af360e60b1be190427a86d2d3233d7f2aead20d0074a23fa3e1ae2ca77c832ec23a563f8de455acc73e74965d905ad2af0ac19fcaeba469fd7b53eb7

Download Submit
C:\Windows\Installer\MSI342A.tmp

Filesize
738KB

MD5
ee45c6dffaf86ed2a76d8f969c390c08

SHA1
ff5b2942ffa7d28ed3f72208e8e76391b2991b5a

SHA256
118a551eef23bf842ed470316aa1a50bf17b6d656652879802d4acc0184608ca

SHA512
a92bc7aff5da3dc33263ea3d43cf617d47a2a6c589118f7ee3c5f293d63171778a7a37815ec23cb426558546cf0a1e694c67c7cbc36cca92677de566d1d71664

Download Submit
\ProgramData\esgzf3jfxq\Enscape.dll

Filesize
467KB

MD5
87d5925f36fcc0e79c7ce171c8f0ae9c

SHA1
4b4ba30542515baa441d034d7796d991d0624e3a

SHA256
6b897f02025b8ac9299c07a304a15bc5dacf6d8a266e6deac8fe9e2fd483d6e2

SHA512
4bb2be9be5c3837e80ee0fc2e88e32522ba577b2d44b353c63b1e3afeb97b50342f9cac236b721940526aeb417534494b2e3f6d9dcb612148674d5b3f8992f0c

Download Submit
\ProgramData\esgzf3jfxq\msvcp140.dll

Filesize
580KB

MD5
e5943129c2b18a25cf77cf888844e5a1

SHA1
f3f5e32e33639b7b34c86759efe7fe15b08cb630

SHA256
0310893c2958a285382ddb19b94e7e654600acf94a75f5a363c844c52f2c5375

SHA512
71b894d7a4ffdb66af97c2453b99356f4ff306775428299c47a2af84023d994f1fd20af2950bc6aeaad5e2394b1b3b51905fbe82d800a2346b25a9d455a5ff5b

Download Submit
\ProgramData\esgzf3jfxq\vcruntime140_1.dll

Filesize
45KB

MD5
48297142fd46e8c31176806ad5f9694b

SHA1
ec193380cd3bbf03e5c530e971dbab85acf13e1b

SHA256
01730a0f7bf179ef419d2d29e5e906583fd0c9f94905aa61b74eb8d82ed70eb8

SHA512
ee54bff14980473776f6103f51e2196fdfe4ca898ae19b47be44dd692e78f524ef01e036cc153924d9c58989ba720ed2a3deb6b6d1a2eeeab7baa8d612b870c7

Download Submit
memory/2672-57-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/2820-28-0x0000000000450000-0x000000000045E000-memory.dmp

Filesize
56KB

Download