50bd7f3b019578963e911efbfe28213c17e343a4abc75c7215fd9822b6c26e8f

Analysis

max time kernel
201s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fin.746.msi
Size

14.3MB
MD5

0c155413d590719567a350fd96a57a56
SHA1

ef08e339f207f36dac3fb276e3d431d96ef9fed1
SHA256

f75c52684ec2fe9479f4ceb28c3cec36885e304003f02308b5be11cdd08187f3
SHA512

5a5dd5fd54069486a67d6d498ad5bb623ceb1891106192d470024c2496d3d3182793456ed48e0d6bca0b13d42f52870725586b06df548f98fd9dfbb80dd5f046
SSDEEP

393216:7Ong80sutL0BoGgDijgbDCF1IugHfqV7LMvZLI5bnFxylXzSFVcMy65Qz:7mg80sW4vNjgbWzFWfqZLEmbOSy6M

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4844.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4893.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI48A4.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4AC9.tmp	msiexec.exe
File created	C:\Windows\Installer\e574805.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e574805.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI48B4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A4B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8D165FE7-9800-4EBE-9B21-7A0BAFBD125B}	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

Sqgigashiftо.exe

pid process

4572 Sqgigashiftо.exe

pid	process
4572	Sqgigashiftо.exe

Loads dropped DLL 12 IoCs

Processes:

MsiExec.exeMsiExec.exeSqgigashiftо.exe

pid	process
752	MsiExec.exe
752	MsiExec.exe
752	MsiExec.exe
752	MsiExec.exe
752	MsiExec.exe
4504	MsiExec.exe
4572	Sqgigashiftо.exe
4572	Sqgigashiftо.exe
4572	Sqgigashiftо.exe
4572	Sqgigashiftо.exe
4572	Sqgigashiftо.exe
4572	Sqgigashiftо.exe

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Processes:

msiexec.exe

pid process

3280 msiexec.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

3180 msiexec.exe
3180 msiexec.exe

pid	process
3280	msiexec.exe

pid	process
3180	msiexec.exe
3180	msiexec.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3280	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3280	msiexec.exe
Token: SeSecurityPrivilege	3180	msiexec.exe
Token: SeCreateTokenPrivilege	3280	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3280	msiexec.exe
Token: SeLockMemoryPrivilege	3280	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3280	msiexec.exe
Token: SeMachineAccountPrivilege	3280	msiexec.exe
Token: SeTcbPrivilege	3280	msiexec.exe
Token: SeSecurityPrivilege	3280	msiexec.exe
Token: SeTakeOwnershipPrivilege	3280	msiexec.exe
Token: SeLoadDriverPrivilege	3280	msiexec.exe
Token: SeSystemProfilePrivilege	3280	msiexec.exe
Token: SeSystemtimePrivilege	3280	msiexec.exe
Token: SeProfSingleProcessPrivilege	3280	msiexec.exe
Token: SeIncBasePriorityPrivilege	3280	msiexec.exe
Token: SeCreatePagefilePrivilege	3280	msiexec.exe
Token: SeCreatePermanentPrivilege	3280	msiexec.exe
Token: SeBackupPrivilege	3280	msiexec.exe
Token: SeRestorePrivilege	3280	msiexec.exe
Token: SeShutdownPrivilege	3280	msiexec.exe
Token: SeDebugPrivilege	3280	msiexec.exe
Token: SeAuditPrivilege	3280	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3280	msiexec.exe
Token: SeChangeNotifyPrivilege	3280	msiexec.exe
Token: SeRemoteShutdownPrivilege	3280	msiexec.exe
Token: SeUndockPrivilege	3280	msiexec.exe
Token: SeSyncAgentPrivilege	3280	msiexec.exe
Token: SeEnableDelegationPrivilege	3280	msiexec.exe
Token: SeManageVolumePrivilege	3280	msiexec.exe
Token: SeImpersonatePrivilege	3280	msiexec.exe
Token: SeCreateGlobalPrivilege	3280	msiexec.exe
Token: SeRestorePrivilege	3180	msiexec.exe
Token: SeTakeOwnershipPrivilege	3180	msiexec.exe
Token: SeRestorePrivilege	3180	msiexec.exe
Token: SeTakeOwnershipPrivilege	3180	msiexec.exe
Token: SeRestorePrivilege	3180	msiexec.exe
Token: SeTakeOwnershipPrivilege	3180	msiexec.exe
Token: SeRestorePrivilege	3180	msiexec.exe
Token: SeTakeOwnershipPrivilege	3180	msiexec.exe
Token: SeRestorePrivilege	3180	msiexec.exe
Token: SeTakeOwnershipPrivilege	3180	msiexec.exe
Token: SeRestorePrivilege	3180	msiexec.exe
Token: SeTakeOwnershipPrivilege	3180	msiexec.exe
Token: SeRestorePrivilege	3180	msiexec.exe
Token: SeTakeOwnershipPrivilege	3180	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

3280 msiexec.exe

pid	process
3280	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

msiexec.exeMsiExec.exe

description	pid	process	target process
PID 3180 wrote to memory of 752	3180	msiexec.exe	MsiExec.exe
PID 3180 wrote to memory of 752	3180	msiexec.exe	MsiExec.exe
PID 3180 wrote to memory of 752	3180	msiexec.exe	MsiExec.exe
PID 3180 wrote to memory of 4504	3180	msiexec.exe	MsiExec.exe
PID 3180 wrote to memory of 4504	3180	msiexec.exe	MsiExec.exe
PID 4504 wrote to memory of 4572	4504	MsiExec.exe	Sqgigashiftо.exe
PID 4504 wrote to memory of 4572	4504	MsiExec.exe	Sqgigashiftо.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fin.746.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3280

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C064A70863F447C88E04000DF08C3DFB
2⤵
- Loads dropped DLL
PID:752

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding DD1FE486B433DA08272D75829F768E06
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4504

C:\ProgramData\nmzsopgwyw\Sqgigashiftо.exe
"C:\ProgramData\nmzsopgwyw\Sqgigashiftо.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4572

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nmzsopgwyw\Enscape.dll
Filesize
467KB

MD5
d5ede5c4bb07cba541d5c5c3ddb0d948

SHA1
494ce99566b6c66548ec0e0449ed7ef7575965ea

SHA256
e2f8d1a0f30f74a462733a047458091a470a49bff430507fc6be329b5f0efdc2

SHA512
b58af6a161da26a0831402fdb64cfa3c44e1f1c8006902488c51ef924630c60654b172ef9025f0d3695fedfc344e557d58d12b94ea60368a4d53a38a5c6edae7

Download Submit
C:\ProgramData\nmzsopgwyw\Sqgigashiftо.exe
Filesize
80KB

MD5
058eef946157b69ed5e51ada7575afb6

SHA1
45aaa639e7391a74f697265b4126a062981d866f

SHA256
040f24915ec39f1e978f325a9190a7e9c4521ee6faf860acf6eee13d796d6306

SHA512
5528eef32e2c3480eece4836fc98274dc4bb2f11b56a1b5f9c13e3fa70e8a2515bf2536b10f15672f648ae2ef9f750a161c014ae2f3e9fe452ef1439d6389c73

Download Submit
C:\ProgramData\nmzsopgwyw\WrKvOnYuAR
Filesize
39KB

MD5
6a267e556566812a3d05544961c7ab96

SHA1
1887f55f238f2c30c1844a77a03372c825d36586

SHA256
90aec840acdc014f7ff89149f96bf9097504c86ff13910553c33e9c0293c09d4

SHA512
d917ee93cea17caa144aa27adecfd5cd2ef92fec722918bff34cd052b4cbbeeb304e7dd012185a5e3f8abdb6c8169ee1251668c005d343bec70665e919861e5b

Download Submit
C:\ProgramData\nmzsopgwyw\msvcp140.dll
Filesize
580KB

MD5
e5943129c2b18a25cf77cf888844e5a1

SHA1
f3f5e32e33639b7b34c86759efe7fe15b08cb630

SHA256
0310893c2958a285382ddb19b94e7e654600acf94a75f5a363c844c52f2c5375

SHA512
71b894d7a4ffdb66af97c2453b99356f4ff306775428299c47a2af84023d994f1fd20af2950bc6aeaad5e2394b1b3b51905fbe82d800a2346b25a9d455a5ff5b

Download Submit
C:\ProgramData\nmzsopgwyw\vcruntime140.dll
Filesize
101KB

MD5
4ffd50749cbbb87a400136bdb9d33334

SHA1
7711709d3cc2baf47f53a13effc1f25077e293e9

SHA256
a99be0c3e3abea781aba0ac6a3e075db2fbd60f58e94a322055cad4ef4d9ea31

SHA512
3cb98a1e2b1c43f9bc7901b5b72cc964cced02f881e5c8c73f33fa6d90ea8c4e6135c4a8d30c898dfafae761bf8e18012c2ccc0c2aba157cf70430ce186b1008

Download Submit
C:\ProgramData\nmzsopgwyw\vcruntime140_1.dll
Filesize
45KB

MD5
48297142fd46e8c31176806ad5f9694b

SHA1
ec193380cd3bbf03e5c530e971dbab85acf13e1b

SHA256
01730a0f7bf179ef419d2d29e5e906583fd0c9f94905aa61b74eb8d82ed70eb8

SHA512
ee54bff14980473776f6103f51e2196fdfe4ca898ae19b47be44dd692e78f524ef01e036cc153924d9c58989ba720ed2a3deb6b6d1a2eeeab7baa8d612b870c7

Download Submit
C:\Users\Admin\AppData\Roaming\SantosAlbuquerqueandOliveira\PrticoGranitoLuvas\JesVZlATqjU5WUP.bnd
Filesize
30.2MB

MD5
78380bfbd549d2888c402546da7ab003

SHA1
28c72e3cf49c26128d65d3d297daec45d5bb214c

SHA256
4d84fea8e515483dcf7a8679dcf726e76d2aa340aef3edcd1e359857ba57fd44

SHA512
63494b4354e6665c202b95e65b5948541536811b0dd7499f962b03a365422b805f02246e936cf260a3997b6144fe7dd4b54043147b36cf18788f262129ab08f1

Download Submit
C:\Users\Admin\AppData\Roaming\SantosAlbuquerqueandOliveira\PrticoGranitoLuvas\KMaFhNlDwp
Filesize
76KB

MD5
2071ffb6872fdb50c5f471cfea1562e4

SHA1
424e99240b96bc5de1ff51100f70cc5ea94e9379

SHA256
14d47644b80184ef60918730e70c59b6d0b69d2404e3f642818c75be53491552

SHA512
cd0e098204ea02ff2395f823b94569532b5df99cf45066f78b04c5e56abb706601e92b5caf87cf5c637a6e968c473f2617d2103684369e61ff2800439b35f5ff

Download Submit
C:\Users\Admin\AppData\Roaming\SantosAlbuquerqueandOliveira\PrticoGranitoLuvas\NZqrD0KT7vG4vrJEd9gPRt9w.dll
Filesize
467KB

MD5
59ead9bf3d7e51139877d99ab92da2ac

SHA1
10835b70bde8ce36137e6e51cd2af0624714199d

SHA256
de2c499d846a3c47bc90af39f13f2fa3b6237115f2be64d69e54411bccc00556

SHA512
19f797bb8409209cd3beabe658490575637ceb1fb541592d19b9dc78cb30bd7d15df25a82e7f0a47a3c445151eae2277e3d21b1e0710d3296396bcc27011109a

Download Submit
C:\Windows\Installer\MSI4844.tmp
Filesize
738KB

MD5
ee45c6dffaf86ed2a76d8f969c390c08

SHA1
ff5b2942ffa7d28ed3f72208e8e76391b2991b5a

SHA256
118a551eef23bf842ed470316aa1a50bf17b6d656652879802d4acc0184608ca

SHA512
a92bc7aff5da3dc33263ea3d43cf617d47a2a6c589118f7ee3c5f293d63171778a7a37815ec23cb426558546cf0a1e694c67c7cbc36cca92677de566d1d71664

Download Submit
memory/4504-37-0x000002F2FDCB0000-0x000002F2FDCBE000-memory.dmp

Filesize
56KB

Download
memory/4572-71-0x0000014516450000-0x000001451645A000-memory.dmp

Filesize
40KB

Download