Overview

overview

7

Static

static

1

AfipInstal...12.msi

windows10-2004-x64

7

AfipInstal...12.msi

windows11-21h2-x64

7

Analysis

  • max time kernel
    77s
  • max time network
    80s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-06-2024 04:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AfipInstal 3491467912.msi

  • Size

    28.7MB

  • MD5

    90a8aeea10139c563654d6fca6bf2e50

  • SHA1

    c3bd41d576175e0ee0fe8c06b94720370e1f79f8

  • SHA256

    1f76c709241f0fb8624e10ef2f969894af1de4b22b057fcd7e9064dba760a182

  • SHA512

    3f3d3268711f2e8c355411967048a2c84b8b1f6b12b74d6c345c2e6ede27a3648a69e41855f19f2a201dcc102c723ba8a917a1c94946bda72d0c63ab98a7e01c

  • SSDEEP

    786432:bG59Ebw+dsspncz4vvS1iP6KfHCp3N3QMVvF:bS9EXdL3CsP6wrGvF

Score
7/10
persistencevmprotect

Malware Config

Signatures

  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 12 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\AfipInstal 3491467912.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2960
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 46564ED777B0986C2A5CD3B11311D021
      2⤵
      • Loads dropped DLL
      PID:5092
    • C:\Users\Admin\AppData\Roaming\Afip\Factura\adobe.exe
      "C:\Users\Admin\AppData\Roaming\Afip\Factura\adobe.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:4764
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3528
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4572

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\e57ead0.rbs
        Filesize

        2KB

        MD5

        bab18d8467b688d437c72780104a500c

        SHA1

        9571bbc732223ef2481709b53e3d1398e8d878fe

        SHA256

        e83187d2930fc8358c9659eda9165eb9f3db6baf487bf2e7f73632d5941aa9ae

        SHA512

        148b3c43db111643e1f43a6368c1d430c1be4e70256a1f68e7621fafe375e29e16c0491249d1c0d7542d81875783f5496daed7e4cdc4e487c90570bfe2e2842e

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Afip\Factura\adobe.exe
        Filesize

        26.3MB

        MD5

        57232fa398ec29f0cd79a95ed0361e46

        SHA1

        31720d0fd9c80ab016503194f0a7722339b187c9

        SHA256

        3f60ab3822d5152fb4aee997803fcc98a55b2e7d615b9652289496a561ef6d7e

        SHA512

        4c548fffa2e8f59b79ce1264a97e75dbcb8285214ccb916b337c1e794025042a521fbc8a4630ee39507fdf7e46c86a2693e4c725c404d55c52e07f8891948806

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Afip\Factura\avutil.dll
        Filesize

        15.5MB

        MD5

        749e623bfab8722fce171f034dbf2168

        SHA1

        bc2f428b93329a2c8389cc8f487c1bf313951fca

        SHA256

        13205d0363188c15ec881753a14150284f72c47204bfcc0fc92db847a16bf00e

        SHA512

        79b9432f6f44a85e5d2819ddf35d0f94d3606f46a5fb49099674535c5f984c0ba2795e4abfedcc62f04150cca5ce29c8e084e21c1f9292fa07ac8c92e7f689f2

        Download Submit
      • C:\Windows\Installer\MSIECD1.tmp
        Filesize

        819KB

        MD5

        3604517a3e6e69ba339239cf82fc94a5

        SHA1

        c4757e31f9c8a90ee5de233792da71c8915050c5

        SHA256

        bdd1d14c9cb54b19f6a7f37adbc7537ce8fd2f6fa59a74a4a90b08c7979708d2

        SHA512

        c22ffc410886fae221dfee6ab469e44694f87cecce14d505a059f5fe01c1b4e1ad93c15b78c7623e821a37737491e89c627ddae5d03c407a877835ab6d611619

        Download Submit
      • memory/4764-49-0x0000000005FD0000-0x0000000005FD1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-56-0x0000000005F60000-0x0000000005F61000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-48-0x0000000005FC0000-0x0000000005FC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-44-0x0000000005F60000-0x0000000005F61000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-46-0x0000000005FA0000-0x0000000005FA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-45-0x0000000005F70000-0x0000000005F71000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-43-0x0000000005F50000-0x0000000005F51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-50-0x0000000005FE0000-0x0000000005FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-42-0x0000000000400000-0x0000000001F23000-memory.dmp
        Filesize

        27.1MB

        Download
      • memory/4764-51-0x0000000018000000-0x000000001CECC000-memory.dmp
        Filesize

        78.8MB

        Download
      • memory/4764-54-0x0000000000400000-0x0000000001F23000-memory.dmp
        Filesize

        27.1MB

        Download
      • memory/4764-47-0x0000000005FB0000-0x0000000005FB1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-57-0x0000000005F70000-0x0000000005F71000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-58-0x0000000005F80000-0x0000000005F81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-59-0x0000000005FB0000-0x0000000005FB1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-60-0x0000000005FC0000-0x0000000005FC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-61-0x0000000005FD0000-0x0000000005FD1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-62-0x0000000005FE0000-0x0000000005FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-63-0x0000000005FF0000-0x0000000005FF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-64-0x0000000018000000-0x000000001CECC000-memory.dmp
        Filesize

        78.8MB

        Download
      • memory/4764-72-0x0000000000400000-0x0000000001F23000-memory.dmp
        Filesize

        27.1MB

        Download
      • memory/4764-73-0x0000000000400000-0x0000000001F23000-memory.dmp
        Filesize

        27.1MB

        Download