Analysis
max time kernel: 77s
max time network: 80s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-06-2024 04:54
Static task: static1
Behavioral task: behavioral1
  Sample: AfipInstal 3491467912.msi
  Resource: win10v2004-20240226-en
Behavioral task: behavioral2
  Sample: AfipInstal 3491467912.msi
  Resource: win11-20240419-en
General
Target: AfipInstal 3491467912.msi
Size: 28.7MB
MD5: 90a8aeea10139c563654d6fca6bf2e50
SHA1: c3bd41d576175e0ee0fe8c06b94720370e1f79f8
SHA256: 1f76c709241f0fb8624e10ef2f969894af1de4b22b057fcd7e9064dba760a182
SHA512: 3f3d3268711f2e8c355411967048a2c84b8b1f6b12b74d6c345c2e6ede27a3648a69e41855f19f2a201dcc102c723ba8a917a1c94946bda72d0c63ab98a7e01c
SSDEEP: 786432:bG59Ebw+dsspncz4vvS1iP6KfHCp3N3QMVvF:bS9EXdL3CsP6wrGvF
Malware Config
Signatures
-
Processes:
resource                                                                      yara_rule
C:\Users\Admin\AppData\Roaming\Afip\Factura\avutil.dll                        vmprotect
behavioral1/memory/4764-51-0x0000000018000000-0x000000001CECC000-memory.dmp   vmprotect
behavioral1/memory/4764-64-0x0000000018000000-0x000000001CECC000-memory.dmp   vmprotect
Adds Run key to start application 2 TTPs 1 IoCs
Processes: msiexec.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\new = "C:\\Users\\Admin\\AppData\\Roaming\\Afip\\Factura\\adobe.exe"
process: msiexec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description              ioc     process
File opened (read-only)  \??\A:  msiexec.exe (x2)
File opened (read-only)  \??\B:  msiexec.exe (x2)
File opened (read-only)  \??\E:  msiexec.exe (x2)
File opened (read-only)  \??\G:  msiexec.exe (x2)
File opened (read-only)  \??\H:  msiexec.exe (x2)
File opened (read-only)  \??\I:  msiexec.exe (x2)
File opened (read-only)  \??\J:  msiexec.exe (x2)
File opened (read-only)  \??\K:  msiexec.exe (x2)
File opened (read-only)  \??\L:  msiexec.exe (x2)
File opened (read-only)  \??\M:  msiexec.exe (x2)
File opened (read-only)  \??\N:  msiexec.exe (x2)
File opened (read-only)  \??\O:  msiexec.exe (x2)
File opened (read-only)  \??\P:  msiexec.exe (x2)
File opened (read-only)  \??\Q:  msiexec.exe (x2)
File opened (read-only)  \??\R:  msiexec.exe (x2)
File opened (read-only)  \??\S:  msiexec.exe (x2)
File opened (read-only)  \??\T:  msiexec.exe (x2)
File opened (read-only)  \??\U:  msiexec.exe (x2)
File opened (read-only)  \??\V:  msiexec.exe (x2)
File opened (read-only)  \??\W:  msiexec.exe (x2)
File opened (read-only)  \??\X:  msiexec.exe (x2)
File opened (read-only)  \??\Y:  msiexec.exe (x2)
File opened (read-only)  \??\Z:  msiexec.exe (x2)
(46 entries: each of the 23 drive letters above appears twice, once per msiexec.exe process; there are no entries for C:, D: or F:.)
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: adobe.exe
pid   process
4764  adobe.exe
4764  adobe.exe
Drops file in Windows directory 12 IoCs
Processes: msiexec.exe
description                  ioc                                                             process
File created                 C:\Windows\Installer\SourceHash{8AA6BD2E-CFA5-4AC5-9C6B-281990EECCF2}  msiexec.exe
File opened for modification C:\Windows\Installer\MSIFF25.tmp                                msiexec.exe
File opened for modification C:\Windows\Installer\e57eacd.msi                                msiexec.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log        msiexec.exe
File opened for modification C:\Windows\Installer\MSIF780.tmp                                msiexec.exe
File opened for modification C:\Windows\Installer\MSIFA12.tmp                                msiexec.exe
File opened for modification C:\Windows\Installer\MSIFC27.tmp                                msiexec.exe
File created                 C:\Windows\Installer\inprogressinstallinfo.ipi                  msiexec.exe
File created                 C:\Windows\Installer\e57eacd.msi                                msiexec.exe
File opened for modification C:\Windows\Installer\MSIECD1.tmp                                msiexec.exe
File opened for modification C:\Windows\Installer\MSIF975.tmp                                msiexec.exe
File opened for modification C:\Windows\Installer\                                           msiexec.exe
Executes dropped EXE 1 IoCs
Processes: adobe.exe
pid   process
4764  adobe.exe
Loads dropped DLL 7 IoCs
Processes: MsiExec.exe, adobe.exe
pid   process
5092  MsiExec.exe (x5)
4764  adobe.exe (x2)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: msiexec.exe, adobe.exe
pid   process
3520  msiexec.exe (x2)
4764  adobe.exe (x62)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: adobe.exe
pid   process
4764  adobe.exe
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes: msiexec.exe, msiexec.exe
description                               pid   process
Token: SeShutdownPrivilege                2960  msiexec.exe
Token: SeIncreaseQuotaPrivilege           2960  msiexec.exe
Token: SeSecurityPrivilege                3520  msiexec.exe
Token: SeCreateTokenPrivilege             2960  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege      2960  msiexec.exe
Token: SeLockMemoryPrivilege              2960  msiexec.exe
Token: SeIncreaseQuotaPrivilege           2960  msiexec.exe
Token: SeMachineAccountPrivilege          2960  msiexec.exe
Token: SeTcbPrivilege                     2960  msiexec.exe
Token: SeSecurityPrivilege                2960  msiexec.exe
Token: SeTakeOwnershipPrivilege           2960  msiexec.exe
Token: SeLoadDriverPrivilege              2960  msiexec.exe
Token: SeSystemProfilePrivilege           2960  msiexec.exe
Token: SeSystemtimePrivilege              2960  msiexec.exe
Token: SeProfSingleProcessPrivilege       2960  msiexec.exe
Token: SeIncBasePriorityPrivilege         2960  msiexec.exe
Token: SeCreatePagefilePrivilege          2960  msiexec.exe
Token: SeCreatePermanentPrivilege         2960  msiexec.exe
Token: SeBackupPrivilege                  2960  msiexec.exe
Token: SeRestorePrivilege                 2960  msiexec.exe
Token: SeShutdownPrivilege                2960  msiexec.exe
Token: SeDebugPrivilege                   2960  msiexec.exe
Token: SeAuditPrivilege                   2960  msiexec.exe
Token: SeSystemEnvironmentPrivilege       2960  msiexec.exe
Token: SeChangeNotifyPrivilege            2960  msiexec.exe
Token: SeRemoteShutdownPrivilege          2960  msiexec.exe
Token: SeUndockPrivilege                  2960  msiexec.exe
Token: SeSyncAgentPrivilege               2960  msiexec.exe
Token: SeEnableDelegationPrivilege        2960  msiexec.exe
Token: SeManageVolumePrivilege            2960  msiexec.exe
Token: SeImpersonatePrivilege             2960  msiexec.exe
Token: SeCreateGlobalPrivilege            2960  msiexec.exe
Token: SeRestorePrivilege                 3520  msiexec.exe  (this pair repeated 9 times, 18 entries)
Token: SeTakeOwnershipPrivilege           3520  msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: msiexec.exe
pid   process
2960  msiexec.exe
2960  msiexec.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: adobe.exe
pid   process
4764  adobe.exe
4764  adobe.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes: msiexec.exe
description                     pid   process      target process
PID 3520 wrote to memory of 5092  3520  msiexec.exe  MsiExec.exe
PID 3520 wrote to memory of 5092  3520  msiexec.exe  MsiExec.exe
PID 3520 wrote to memory of 5092  3520  msiexec.exe  MsiExec.exe
PID 3520 wrote to memory of 4764  3520  msiexec.exe  adobe.exe
PID 3520 wrote to memory of 4764  3520  msiexec.exe  adobe.exe
PID 3520 wrote to memory of 4764  3520  msiexec.exe  adobe.exe
Processes
-
[depth 1] C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\AfipInstal 3491467912.msi"
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
-
[depth 1] C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    [depth 2] C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 46564ED777B0986C2A5CD3B11311D021
        - Loads dropped DLL
    -
    [depth 2] C:\Users\Admin\AppData\Roaming\Afip\Factura\adobe.exe
        "C:\Users\Admin\AppData\Roaming\Afip\Factura\adobe.exe"
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
-
[depth 1] C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Config.Msi\e57ead0.rbs
  Filesize: 2KB
  MD5: bab18d8467b688d437c72780104a500c
  SHA1: 9571bbc732223ef2481709b53e3d1398e8d878fe
  SHA256: e83187d2930fc8358c9659eda9165eb9f3db6baf487bf2e7f73632d5941aa9ae
  SHA512: 148b3c43db111643e1f43a6368c1d430c1be4e70256a1f68e7621fafe375e29e16c0491249d1c0d7542d81875783f5496daed7e4cdc4e487c90570bfe2e2842e
-
C:\Users\Admin\AppData\Roaming\Afip\Factura\adobe.exe
  Filesize: 26.3MB
  MD5: 57232fa398ec29f0cd79a95ed0361e46
  SHA1: 31720d0fd9c80ab016503194f0a7722339b187c9
  SHA256: 3f60ab3822d5152fb4aee997803fcc98a55b2e7d615b9652289496a561ef6d7e
  SHA512: 4c548fffa2e8f59b79ce1264a97e75dbcb8285214ccb916b337c1e794025042a521fbc8a4630ee39507fdf7e46c86a2693e4c725c404d55c52e07f8891948806
-
C:\Users\Admin\AppData\Roaming\Afip\Factura\avutil.dll
  Filesize: 15.5MB
  MD5: 749e623bfab8722fce171f034dbf2168
  SHA1: bc2f428b93329a2c8389cc8f487c1bf313951fca
  SHA256: 13205d0363188c15ec881753a14150284f72c47204bfcc0fc92db847a16bf00e
  SHA512: 79b9432f6f44a85e5d2819ddf35d0f94d3606f46a5fb49099674535c5f984c0ba2795e4abfedcc62f04150cca5ce29c8e084e21c1f9292fa07ac8c92e7f689f2
-
C:\Windows\Installer\MSIECD1.tmp
  Filesize: 819KB
  MD5: 3604517a3e6e69ba339239cf82fc94a5
  SHA1: c4757e31f9c8a90ee5de233792da71c8915050c5
  SHA256: bdd1d14c9cb54b19f6a7f37adbc7537ce8fd2f6fa59a74a4a90b08c7979708d2
  SHA512: c22ffc410886fae221dfee6ab469e44694f87cecce14d505a059f5fe01c1b4e1ad93c15b78c7623e821a37737491e89c627ddae5d03c407a877835ab6d611619
-
memory/4764-49-0x0000000005FD0000-0x0000000005FD1000-memory.dmp  Filesize: 4KB
memory/4764-56-0x0000000005F60000-0x0000000005F61000-memory.dmp  Filesize: 4KB
memory/4764-48-0x0000000005FC0000-0x0000000005FC1000-memory.dmp  Filesize: 4KB
memory/4764-44-0x0000000005F60000-0x0000000005F61000-memory.dmp  Filesize: 4KB
memory/4764-46-0x0000000005FA0000-0x0000000005FA1000-memory.dmp  Filesize: 4KB
memory/4764-45-0x0000000005F70000-0x0000000005F71000-memory.dmp  Filesize: 4KB
memory/4764-43-0x0000000005F50000-0x0000000005F51000-memory.dmp  Filesize: 4KB
memory/4764-50-0x0000000005FE0000-0x0000000005FE1000-memory.dmp  Filesize: 4KB
memory/4764-42-0x0000000000400000-0x0000000001F23000-memory.dmp  Filesize: 27.1MB
memory/4764-51-0x0000000018000000-0x000000001CECC000-memory.dmp  Filesize: 78.8MB
memory/4764-54-0x0000000000400000-0x0000000001F23000-memory.dmp  Filesize: 27.1MB
memory/4764-47-0x0000000005FB0000-0x0000000005FB1000-memory.dmp  Filesize: 4KB
memory/4764-57-0x0000000005F70000-0x0000000005F71000-memory.dmp  Filesize: 4KB
memory/4764-58-0x0000000005F80000-0x0000000005F81000-memory.dmp  Filesize: 4KB
memory/4764-59-0x0000000005FB0000-0x0000000005FB1000-memory.dmp  Filesize: 4KB
memory/4764-60-0x0000000005FC0000-0x0000000005FC1000-memory.dmp  Filesize: 4KB
memory/4764-61-0x0000000005FD0000-0x0000000005FD1000-memory.dmp  Filesize: 4KB
memory/4764-62-0x0000000005FE0000-0x0000000005FE1000-memory.dmp  Filesize: 4KB
memory/4764-63-0x0000000005FF0000-0x0000000005FF1000-memory.dmp  Filesize: 4KB
memory/4764-64-0x0000000018000000-0x000000001CECC000-memory.dmp  Filesize: 78.8MB
memory/4764-72-0x0000000000400000-0x0000000001F23000-memory.dmp  Filesize: 27.1MB
memory/4764-73-0x0000000000400000-0x0000000001F23000-memory.dmp  Filesize: 27.1MB