Analysis
max time kernel: 150s
max time network: 149s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30-06-2024 04:54

Static task: static1
Behavioral task: behavioral1
  Sample: AfipInstal 3491467912.msi
  Resource: win10v2004-20240226-en
Behavioral task: behavioral2
  Sample: AfipInstal 3491467912.msi
  Resource: win11-20240419-en

General
Target: AfipInstal 3491467912.msi
Size: 28.7MB
MD5: 90a8aeea10139c563654d6fca6bf2e50
SHA1: c3bd41d576175e0ee0fe8c06b94720370e1f79f8
SHA256: 1f76c709241f0fb8624e10ef2f969894af1de4b22b057fcd7e9064dba760a182
SHA512: 3f3d3268711f2e8c355411967048a2c84b8b1f6b12b74d6c345c2e6ede27a3648a69e41855f19f2a201dcc102c723ba8a917a1c94946bda72d0c63ab98a7e01c
SSDEEP: 786432:bG59Ebw+dsspncz4vvS1iP6KfHCp3N3QMVvF:bS9EXdL3CsP6wrGvF
Malware Config
Signatures
-
YARA rule match: vmprotect (3 IoCs)
Resources:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\Afip\Factura\avutil.dll | vmprotect
  behavioral2/memory/1276-50-0x0000000018000000-0x000000001CECC000-memory.dmp | vmprotect
  behavioral2/memory/1276-61-0x0000000018000000-0x000000001CECC000-memory.dmp | vmprotect
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\new = "C:\\Users\\Admin\\AppData\\Roaming\\Afip\\Factura\\adobe.exe" | msiexec.exe
-
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (two msiexec.exe processes):
  description | ioc | process
  File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: | msiexec.exe
  (each of the 23 letters is opened twice, once per msiexec.exe process, 46 opens in total; C:, D: and F: do not appear in the list)
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
  pid | process
  1276 | adobe.exe (2 calls)
-
Drops file in Windows directory (16 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\SystemTemp\~DFE475642D97D2ED07.TMP | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{8AA6BD2E-CFA5-4AC5-9C6B-281990EECCF2} | msiexec.exe
  File created | C:\Windows\SystemTemp\~DF9D03684728CAC5C1.TMP | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI5563.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI55F1.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI566F.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI56DE.tmp | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI567F.tmp | msiexec.exe
  File created | C:\Windows\SystemTemp\~DF3F12B9720870F06E.TMP | msiexec.exe
  File created | C:\Windows\SystemTemp\~DF2AA29BAC51715F43.TMP | msiexec.exe
  File created | C:\Windows\Installer\e5754d7.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e5754d7.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI579B.tmp | msiexec.exe
-
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  1276 | adobe.exe
-
Loads dropped DLL (7 IoCs)
Processes:
  pid | process
  4432 | MsiExec.exe (5 loads)
  1276 | adobe.exe (2 loads)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process
  2804 | msiexec.exe (2 occurrences)
  1276 | adobe.exe (62 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid | process
  1276 | adobe.exe
-
Suspicious use of AdjustPrivilegeToken (50 IoCs)
Processes:
  description | pid | process
  PID 5100 msiexec.exe (31 tokens, in the order recorded): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 2804 msiexec.exe (19 tokens): SeSecurityPrivilege once, then SeRestorePrivilege / SeTakeOwnershipPrivilege alternating, 9 times each
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid | process
  5100 | msiexec.exe (2 calls)
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid | process
  1276 | adobe.exe (2 calls)
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description | pid | process | target process
  PID 2804 wrote to memory of 4432 | 2804 | msiexec.exe | MsiExec.exe (3 writes)
  PID 2804 wrote to memory of 1276 | 2804 | msiexec.exe | adobe.exe (3 writes)
Processes
(PIDs are taken from the signature tables above; the two level-1 entries are separate msiexec.exe processes)
-
msiexec.exe (PID 5100)
  Image: C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\AfipInstal 3491467912.msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
-
msiexec.exe (PID 2804)
  Image: C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  MsiExec.exe (PID 4432), child of PID 2804
    Image: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E571E432540DB3FA86B08C0F9FB9FD31
    - Loads dropped DLL
  -
  adobe.exe (PID 1276), child of PID 2804
    Image: C:\Users\Admin\AppData\Roaming\Afip\Factura\adobe.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Afip\Factura\adobe.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
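The process tree above is the whole chain a detection needs: the Windows Installer service process (msiexec.exe /V, PID 2804) writes a Run value in the user's hive pointing at %APPDATA%\Afip\Factura\adobe.exe, launches that executable, and adobe.exe then loads avutil.dll from the same directory, the file the vmprotect YARA rule matched. The script below is an added example, not part of this report and not the sandbox vendor's detection logic; it expresses those three steps as rules over Sysmon-style events and correlates them into one persistence finding. The records in SAMPLE_EVENTS are constructed to mirror the report's PIDs, paths and Run value; the parents of the two msiexec.exe roots (explorer.exe, services.exe) and the Sysmon field layout (Image, ParentImage, TargetObject, Details, ImageLoaded) are assumptions, not facts from the report.

```python
"""Behaviour-chain detection for the msiexec -> %APPDATA% persistence pattern.

Added example: not part of the sandbox report and not the vendor's logic.
SAMPLE_EVENTS are CONSTRUCTED Sysmon-style records mirroring the report
(msiexec.exe /V, PID 2804, sets HKCU ...\Run\new, spawns adobe.exe PID 1276
from %APPDATA%\Afip\Factura, which loads the dropped avutil.dll).
Parent images of the two msiexec.exe roots are assumptions.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List

# Sysmon EventIDs used below.
PROCESS_CREATE, IMAGE_LOAD, REG_SET_VALUE = 1, 7, 13

# Anything under <profile>\AppData\ is writable by a standard user.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# HKCU/HKU ...\CurrentVersion\Run and RunOnce autostart values.
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed, not real Sysmon output
    {"EventID": 1, "ProcessId": 5100, "ParentProcessId": 4000,
     "Image": r"C:\Windows\system32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",  # assumed parent
     "CommandLine": r'msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\AfipInstal 3491467912.msi"'},
    {"EventID": 1, "ProcessId": 2804, "ParentProcessId": 700,
     "Image": r"C:\Windows\system32\msiexec.exe",
     "ParentImage": r"C:\Windows\system32\services.exe",  # assumed parent
     "CommandLine": r"C:\Windows\system32\msiexec.exe /V"},
    {"EventID": 1, "ProcessId": 4432, "ParentProcessId": 2804,
     "Image": r"C:\Windows\syswow64\MsiExec.exe",
     "ParentImage": r"C:\Windows\system32\msiexec.exe",
     "CommandLine": r"C:\Windows\syswow64\MsiExec.exe -Embedding E571E432540DB3FA86B08C0F9FB9FD31"},
    {"EventID": 13, "ProcessId": 2804,
     "Image": r"C:\Windows\system32\msiexec.exe",
     "TargetObject": r"HKU\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\new",
     "Details": r"C:\Users\Admin\AppData\Roaming\Afip\Factura\adobe.exe"},
    {"EventID": 1, "ProcessId": 1276, "ParentProcessId": 2804,
     "Image": r"C:\Users\Admin\AppData\Roaming\Afip\Factura\adobe.exe",
     "ParentImage": r"C:\Windows\system32\msiexec.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\Afip\Factura\adobe.exe"'},
    {"EventID": 7, "ProcessId": 1276,
     "Image": r"C:\Users\Admin\AppData\Roaming\Afip\Factura\adobe.exe",
     "ImageLoaded": r"C:\Users\Admin\AppData\Roaming\Afip\Factura\avutil.dll"},
]
# Same events as one JSON object per line, the shape most log forwarders emit.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    evidence: str


def _base(path: str) -> str:
    """Lower-cased file-name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def load_jsonl(lines: Iterable[str]) -> List[dict]:
    return [json.loads(ln) for ln in lines if ln.strip()]


def detect(events: Iterable[dict]) -> List[Finding]:
    findings: List[Finding] = []
    spawned_from_appdata = {}  # pid -> image, msiexec children living in AppData
    run_targets = set()        # lower-cased paths written into Run values

    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == PROCESS_CREATE:
            # MsiExec.exe -Embedding under C:\Windows is the normal custom-action
            # host and is deliberately NOT flagged; a child in AppData is.
            if _base(ev.get("ParentImage", "")) == "msiexec.exe" and USER_WRITABLE.search(image):
                spawned_from_appdata[ev["ProcessId"]] = image
                findings.append(Finding("msiexec_spawned_appdata_exe", ev["ProcessId"], image))
        elif eid == REG_SET_VALUE:
            target, details = ev.get("TargetObject", ""), ev.get("Details", "")
            if RUN_KEY.search(target) and USER_WRITABLE.search(details):
                run_targets.add(details.strip('"').lower())
                findings.append(Finding("run_key_to_appdata", ev["ProcessId"], f"{target} = {details}"))
        elif eid == IMAGE_LOAD:
            loaded = ev.get("ImageLoaded", "")
            if USER_WRITABLE.search(image) and USER_WRITABLE.search(loaded) and loaded.lower().endswith(".dll"):
                findings.append(Finding("appdata_exe_loads_appdata_dll", ev["ProcessId"], loaded))

    # Correlation: the binary the installer dropped and launched is also the autostart target.
    for pid, image in spawned_from_appdata.items():
        if image.lower() in run_targets:
            findings.append(Finding("installer_persistence_chain", pid, image))
    return findings


if __name__ == "__main__":
    for f in detect(load_jsonl(SAMPLE_JSONL.splitlines())):
        print(f"{f.rule:32} pid={f.pid:<5} {f.evidence}")
```

On real data, pass exported Sysmon JSON lines to load_jsonl. The syswow64 MsiExec.exe -Embedding child is left unflagged on purpose: that is how every MSI custom action runs, and alerting on it alone would fire on every legitimate install. The signal here is the user-writable child plus the Run value written by the installer service, which is why the chain rule exists.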
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Config.Msi\e5754da.rbs
  Filesize: 2KB
  MD5: 639b1d238e63b83f8cc8c3cc9046f1fe
  SHA1: 47f16050b614ab5a02085a37546a2e9d8eebcfd1
  SHA256: 772f7b4a15b19b5200ca223b9d33ec1dc01213465f8e7c0cabce785976845205
  SHA512: a5d5544483d22e02362799b620102c1b970ec8b5cb16e559d15d7b80f26fc57a0aaaade96a715b5db86b789b8400c68a7003b689772a6b33dd6e94130b389b96
-
C:\Users\Admin\AppData\Roaming\Afip\Factura\adobe.exe
  Filesize: 26.3MB
  MD5: 57232fa398ec29f0cd79a95ed0361e46
  SHA1: 31720d0fd9c80ab016503194f0a7722339b187c9
  SHA256: 3f60ab3822d5152fb4aee997803fcc98a55b2e7d615b9652289496a561ef6d7e
  SHA512: 4c548fffa2e8f59b79ce1264a97e75dbcb8285214ccb916b337c1e794025042a521fbc8a4630ee39507fdf7e46c86a2693e4c725c404d55c52e07f8891948806
-
C:\Users\Admin\AppData\Roaming\Afip\Factura\avutil.dll
  Filesize: 15.5MB
  MD5: 749e623bfab8722fce171f034dbf2168
  SHA1: bc2f428b93329a2c8389cc8f487c1bf313951fca
  SHA256: 13205d0363188c15ec881753a14150284f72c47204bfcc0fc92db847a16bf00e
  SHA512: 79b9432f6f44a85e5d2819ddf35d0f94d3606f46a5fb49099674535c5f984c0ba2795e4abfedcc62f04150cca5ce29c8e084e21c1f9292fa07ac8c92e7f689f2
-
C:\Windows\Installer\MSI5563.tmp
  Filesize: 819KB
  MD5: 3604517a3e6e69ba339239cf82fc94a5
  SHA1: c4757e31f9c8a90ee5de233792da71c8915050c5
  SHA256: bdd1d14c9cb54b19f6a7f37adbc7537ce8fd2f6fa59a74a4a90b08c7979708d2
  SHA512: c22ffc410886fae221dfee6ab469e44694f87cecce14d505a059f5fe01c1b4e1ad93c15b78c7623e821a37737491e89c627ddae5d03c407a877835ab6d611619
-
Memory dumps (PID 1276, adobe.exe)
  memory/1276-48-0x0000000007930000-0x0000000007931000-memory.dmp | 4KB
  memory/1276-53-0x00000000078C0000-0x00000000078C1000-memory.dmp | 4KB
  memory/1276-44-0x00000000078D0000-0x00000000078D1000-memory.dmp | 4KB
  memory/1276-45-0x0000000007900000-0x0000000007901000-memory.dmp | 4KB
  memory/1276-46-0x0000000007910000-0x0000000007911000-memory.dmp | 4KB
  memory/1276-47-0x0000000007920000-0x0000000007921000-memory.dmp | 4KB
  memory/1276-42-0x00000000078B0000-0x00000000078B1000-memory.dmp | 4KB
  memory/1276-49-0x0000000007940000-0x0000000007941000-memory.dmp | 4KB
  memory/1276-50-0x0000000018000000-0x000000001CECC000-memory.dmp | 78.8MB
  memory/1276-43-0x00000000078C0000-0x00000000078C1000-memory.dmp | 4KB
  memory/1276-54-0x00000000078D0000-0x00000000078D1000-memory.dmp | 4KB
  memory/1276-55-0x00000000078E0000-0x00000000078E1000-memory.dmp | 4KB
  memory/1276-56-0x0000000007910000-0x0000000007911000-memory.dmp | 4KB
  memory/1276-57-0x0000000007920000-0x0000000007921000-memory.dmp | 4KB
  memory/1276-58-0x0000000007930000-0x0000000007931000-memory.dmp | 4KB
  memory/1276-59-0x0000000007940000-0x0000000007941000-memory.dmp | 4KB
  memory/1276-60-0x0000000007950000-0x0000000007951000-memory.dmp | 4KB
  memory/1276-61-0x0000000018000000-0x000000001CECC000-memory.dmp | 78.8MB
  memory/1276-71-0x0000000000400000-0x0000000001F23000-memory.dmp | 27.1MB
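The file list above gives MD5, SHA1 and SHA256 for the submitted MSI and the files it dropped, which is what an incident responder needs to confirm whether a quarantined binary or a collected %APPDATA%\Afip\Factura directory is the same build. The script below is an added example, not part of the report and not a sandbox feature; REPORT_IOCS copies the report's digests verbatim and nothing else is taken from it. The sweep function, chunked one-pass hashing and the treatment of unreadable files are this example's own design choices.

```python
"""Hash-based IoC sweep for the artifacts listed in this sandbox report.

Added example, not part of the report. REPORT_IOCS holds the MD5/SHA1/SHA256
values the report lists for the sample and its dropped files; the code around
them is illustrative and not the sandbox vendor's.
"""
import hashlib
import os
from typing import Dict, List, Tuple

HashSet = Dict[str, str]  # algorithm name -> hex digest

REPORT_IOCS: Dict[str, HashSet] = {
    "AfipInstal 3491467912.msi (submitted sample)": {
        "md5": "90a8aeea10139c563654d6fca6bf2e50",
        "sha1": "c3bd41d576175e0ee0fe8c06b94720370e1f79f8",
        "sha256": "1f76c709241f0fb8624e10ef2f969894af1de4b22b057fcd7e9064dba760a182",
    },
    r"C:\Users\Admin\AppData\Roaming\Afip\Factura\adobe.exe": {
        "md5": "57232fa398ec29f0cd79a95ed0361e46",
        "sha1": "31720d0fd9c80ab016503194f0a7722339b187c9",
        "sha256": "3f60ab3822d5152fb4aee997803fcc98a55b2e7d615b9652289496a561ef6d7e",
    },
    r"C:\Users\Admin\AppData\Roaming\Afip\Factura\avutil.dll": {
        "md5": "749e623bfab8722fce171f034dbf2168",
        "sha1": "bc2f428b93329a2c8389cc8f487c1bf313951fca",
        "sha256": "13205d0363188c15ec881753a14150284f72c47204bfcc0fc92db847a16bf00e",
    },
    r"C:\Windows\Installer\MSI5563.tmp": {
        "md5": "3604517a3e6e69ba339239cf82fc94a5",
        "sha1": "c4757e31f9c8a90ee5de233792da71c8915050c5",
        "sha256": "bdd1d14c9cb54b19f6a7f37adbc7537ce8fd2f6fa59a74a4a90b08c7979708d2",
    },
    # Installer rollback script: generated per install, so its digest is unlikely
    # to reproduce on another host. Kept only because the report lists it.
    r"C:\Config.Msi\e5754da.rbs": {
        "md5": "639b1d238e63b83f8cc8c3cc9046f1fe",
        "sha1": "47f16050b614ab5a02085a37546a2e9d8eebcfd1",
        "sha256": "772f7b4a15b19b5200ca223b9d33ec1dc01213465f8e7c0cabce785976845205",
    },
}

ALGOS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> HashSet:
    """Digests of an in-memory blob (handy for carved or extracted payloads)."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def hash_file(path: str, chunk: int = 1 << 20) -> HashSet:
    """All three digests in a single pass; the dropped EXE here is 26MB, so read in chunks."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def match_hashes(hashes: HashSet, iocs: Dict[str, HashSet]) -> List[Tuple[str, str]]:
    """Return (artifact, algorithm) for every IoC digest equal to a computed one."""
    hits = []
    for artifact, known in iocs.items():
        for algo, digest in known.items():
            if hashes.get(algo, "").lower() == digest.lower():
                hits.append((artifact, algo))
    return hits


def sweep(root: str, iocs: Dict[str, HashSet] = REPORT_IOCS) -> Dict[str, List[Tuple[str, str]]]:
    """Walk a directory tree and report every file whose digests match the IoC set."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                hits = match_hashes(hash_file(path), iocs)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    import sys
    for path, hits in sweep(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "->", "; ".join(f"{artifact} [{algo}]" for artifact, algo in hits))
```

A hash match is a strong positive but a weak negative: any rebuild of adobe.exe or avutil.dll changes every digest while the behaviour (installer-written Run value, executable under %APPDATA%\Afip\Factura, dropped DLL loaded from the same directory) stays the same, so a sweep like this belongs next to behavioural rules, not in place of them.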