Analysis
- max time kernel: 201s
- max time network: 50s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-07-2024 16:08
Static task: static1
Behavioral task: behavioral1
- Sample: fin.746.msi
- Resource: win10v2004-20240508-en
Behavioral task: behavioral2
- Sample: fin.746.msi
- Resource: ubuntu1804-amd64-20240611-en
General
- Target: fin.746.msi
- Size: 14.3MB
- MD5: 0c155413d590719567a350fd96a57a56
- SHA1: ef08e339f207f36dac3fb276e3d431d96ef9fed1
- SHA256: f75c52684ec2fe9479f4ceb28c3cec36885e304003f02308b5be11cdd08187f3
- SHA512: 5a5dd5fd54069486a67d6d498ad5bb623ceb1891106192d470024c2496d3d3182793456ed48e0d6bca0b13d42f52870725586b06df548f98fd9dfbb80dd5f046
- SSDEEP: 393216:7Ong80sutL0BoGgDijgbDCF1IugHfqV7LMvZLI5bnFxylXzSFVcMy65Qz:7mg80sW4vNjgbWzFWfqZLEmbOSy6M
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
File opened (read-only) by msiexec.exe, in the order reported (46 IoCs):
\??\X: \??\E: \??\N: \??\W: \??\T: \??\W: \??\Y: \??\G: \??\A: \??\B: \??\M: \??\S: \??\T: \??\V: \??\Y: \??\E: \??\J: \??\O: \??\X: \??\Q: \??\U: \??\L: \??\P: \??\U: \??\Z: \??\B: \??\I: \??\M: \??\Z: \??\V: \??\A: \??\J: \??\S: \??\L: \??\P: \??\O: \??\R: \??\G: \??\H: \??\I: \??\K: \??\Q: \??\N: \??\R: \??\H: \??\K:
Every letter from A: to Z: except C:, D: and F: appears twice in the list, and both msiexec.exe processes in the process tree (the /I client and the /V service) carry this signature. Probing every volume root is also what Windows Installer does during costing (free-space checks) for a benign package, so on an MSI sample this signature carries little weight on its own.
Drops file in Windows directory 12 IoCs
Processes: msiexec.exe
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI4844.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI4893.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI48A4.tmp (msiexec.exe)
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI4AC9.tmp (msiexec.exe)
- File created: C:\Windows\Installer\e574805.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\e574805.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI48B4.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI4A4B.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File created: C:\Windows\Installer\SourceHash{8D165FE7-9800-4EBE-9B21-7A0BAFBD125B} (msiexec.exe)
The MSI*.tmp files under C:\Windows\Installer are where Windows Installer extracts binary custom actions before running them (MSI4844.tmp, 738KB, is listed under Downloads), e574805.msi is the installer's cached copy of the package, and the GUID in the SourceHash file name is the package's ProductCode, a useful pivot when hunting for other hosts that ran the same installer.
Executes dropped EXE 1 IoCs
Processes: Sqgigashiftо.exe
- pid 4572 Sqgigashiftо.exe
-
Loads dropped DLL 12 IoCs
Processes: MsiExec.exe, MsiExec.exe, Sqgigashiftо.exe
- pid 752 MsiExec.exe (5 loads)
- pid 4504 MsiExec.exe (1 load)
- pid 4572 Sqgigashiftо.exe (6 loads)
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: msiexec.exe
- pid 3180 msiexec.exe (2 IoCs)
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes: msiexec.exe, msiexec.exe
- pid 3280 msiexec.exe (31 IoCs), tokens in the order reported: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- pid 3180 msiexec.exe (15 IoCs): SeSecurityPrivilege, followed by seven SeRestorePrivilege / SeTakeOwnershipPrivilege pairs
Pid 3280 is the interactive client (msiexec.exe /I ...; it is the only process with the FindShellTrayWindow IoC below, and only the /I entry in the process tree carries that signature), and pid 3180 is the msiexec.exe /V service that performs the install. The repeated SeRestorePrivilege / SeTakeOwnershipPrivilege pairs come from the service while it writes under C:\Windows\Installer.
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: msiexec.exe
- pid 3280 msiexec.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes: msiexec.exe, MsiExec.exe
- PID 3180 (msiexec.exe) wrote to memory of 752 (MsiExec.exe), 3 times
- PID 3180 (msiexec.exe) wrote to memory of 4504 (MsiExec.exe), 2 times
- PID 4504 (MsiExec.exe) wrote to memory of 4572 (Sqgigashiftо.exe), 2 times
Each of these writes goes from a parent into a child it has just created, the pattern every process launch produces, so their value here is the parent/child chain they establish (3180 -> 752, 3180 -> 4504, 4504 -> 4572) rather than any sign of injection.
Processes
-
C:\Windows\system32\msiexec.exe (depth 1)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fin.746.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe (depth 1)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\syswow64\MsiExec.exe (depth 2)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding C064A70863F447C88E04000DF08C3DFB
    - Loads dropped DLL
  -
  C:\Windows\System32\MsiExec.exe (depth 2)
    command line: C:\Windows\System32\MsiExec.exe -Embedding DD1FE486B433DA08272D75829F768E06
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    -
    C:\ProgramData\nmzsopgwyw\Sqgigashiftо.exe (depth 3)
      command line: "C:\ProgramData\nmzsopgwyw\Sqgigashiftо.exe"
      - Executes dropped EXE
      - Loads dropped DLL
Read together with the WriteProcessMemory IoCs, the chain is: the msiexec.exe /I client hands fin.746.msi to the msiexec.exe /V service (pid 3180), which starts two MsiExec.exe -Embedding custom-action servers, a 32-bit one under syswow64 (pid 752, which loads five dropped DLLs) and a 64-bit one under System32 (pid 4504); the 64-bit server then launches the dropped Sqgigashiftо.exe (pid 4572) from C:\ProgramData\nmzsopgwyw. -Embedding servers appear for any MSI that carries binary custom actions, so the detection-worthy step is a custom-action server spawning something other than MsiExec.exe from a user-writable directory.
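The chain above reduces to a small rule over process-creation records: a child of an MsiExec.exe -Embedding server that is not itself MsiExec.exe, especially when its image sits under ProgramData, AppData or Temp. The following is an added example written for this page, not code from the sandbox or from the sample; the records are constructed from the process tree, the parent PIDs are taken from the WriteProcessMemory pairs, and the parent PIDs of the two top-level msiexec.exe processes are not on the page and are set to 0 as an assumption. The non-ASCII check is a general one for look-alike names and is exercised in a usage line with a deliberately substituted Cyrillic letter; it makes no claim about the bytes of the name as printed in this report.

```python
"""Flag MSI custom-action servers that spawn non-Installer children."""
from __future__ import annotations

import ntpath
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # 0 = parent unknown (assumption for the top-level entries)
    image: str     # full image path
    cmdline: str


# Constructed from the report's process tree and WriteProcessMemory IoCs.
SAMPLE = [
    Proc(3280, 0, r"C:\Windows\system32\msiexec.exe",
         r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fin.746.msi"),
    Proc(3180, 0, r"C:\Windows\system32\msiexec.exe",
         r"C:\Windows\system32\msiexec.exe /V"),
    Proc(752, 3180, r"C:\Windows\syswow64\MsiExec.exe",
         r"C:\Windows\syswow64\MsiExec.exe -Embedding C064A70863F447C88E04000DF08C3DFB"),
    Proc(4504, 3180, r"C:\Windows\System32\MsiExec.exe",
         r"C:\Windows\System32\MsiExec.exe -Embedding DD1FE486B433DA08272D75829F768E06"),
    Proc(4572, 4504, r"C:\ProgramData\nmzsopgwyw\Sqgigashiftо.exe",
         r'"C:\ProgramData\nmzsopgwyw\Sqgigashiftо.exe"'),
]

# Directories a standard user can write to; a dropped payload usually lives here.
USER_WRITABLE_MARKERS = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")


def basename(path: str) -> str:
    """Image file name from a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path.strip('"'))


def in_user_writable_dir(path: str) -> bool:
    p = path.strip('"').lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def is_msi_custom_action_server(p: Proc) -> bool:
    """MsiExec.exe started with -Embedding is a Windows Installer custom-action server."""
    return basename(p.image).lower() == "msiexec.exe" and "-embedding" in p.cmdline.lower()


def non_ascii_chars(name: str) -> list[tuple[str, str]]:
    """Characters outside ASCII in a file name, with their Unicode names (look-alike check)."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in name if ord(c) > 0x7F]


def flag_custom_action_children(procs: list[Proc]) -> list[tuple[int, list[str]]]:
    """Return (pid, reasons) for every non-MsiExec child of a custom-action server."""
    by_pid = {p.pid: p for p in procs}
    findings: list[tuple[int, list[str]]] = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None or not is_msi_custom_action_server(parent):
            continue
        if basename(p.image).lower() == "msiexec.exe":
            continue  # a custom-action server starting another MsiExec.exe is routine
        reasons = [f"spawned by MSI custom-action server pid {parent.pid}"]
        if in_user_writable_dir(p.image):
            reasons.append("image in user-writable directory")
        odd = non_ascii_chars(basename(p.image))
        if odd:
            reasons.append("non-ASCII characters in image name: " + ", ".join(n for _, n in odd))
        findings.append((p.pid, reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in flag_custom_action_children(SAMPLE):
        print(pid, "; ".join(reasons))
    # Constructed look-alike name: ASCII 'o' replaced by U+043E to show the check.
    print(non_ascii_chars("Sqgigashift\u043e.exe"))
```

A benign installer with binary custom actions produces the same msiexec /I, msiexec /V and MsiExec -Embedding entries; only the last step of the chain distinguishes this sample, which is why the rule keys on the child rather than on the servers.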
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\ProgramData\nmzsopgwyw\Enscape.dll
- Filesize: 467KB
- MD5: d5ede5c4bb07cba541d5c5c3ddb0d948
- SHA1: 494ce99566b6c66548ec0e0449ed7ef7575965ea
- SHA256: e2f8d1a0f30f74a462733a047458091a470a49bff430507fc6be329b5f0efdc2
- SHA512: b58af6a161da26a0831402fdb64cfa3c44e1f1c8006902488c51ef924630c60654b172ef9025f0d3695fedfc344e557d58d12b94ea60368a4d53a38a5c6edae7
-
C:\ProgramData\nmzsopgwyw\Sqgigashiftо.exe
- Filesize: 80KB
- MD5: 058eef946157b69ed5e51ada7575afb6
- SHA1: 45aaa639e7391a74f697265b4126a062981d866f
- SHA256: 040f24915ec39f1e978f325a9190a7e9c4521ee6faf860acf6eee13d796d6306
- SHA512: 5528eef32e2c3480eece4836fc98274dc4bb2f11b56a1b5f9c13e3fa70e8a2515bf2536b10f15672f648ae2ef9f750a161c014ae2f3e9fe452ef1439d6389c73
-
C:\ProgramData\nmzsopgwyw\WrKvOnYuAR
- Filesize: 39KB
- MD5: 6a267e556566812a3d05544961c7ab96
- SHA1: 1887f55f238f2c30c1844a77a03372c825d36586
- SHA256: 90aec840acdc014f7ff89149f96bf9097504c86ff13910553c33e9c0293c09d4
- SHA512: d917ee93cea17caa144aa27adecfd5cd2ef92fec722918bff34cd052b4cbbeeb304e7dd012185a5e3f8abdb6c8169ee1251668c005d343bec70665e919861e5b
-
C:\ProgramData\nmzsopgwyw\msvcp140.dll
- Filesize: 580KB
- MD5: e5943129c2b18a25cf77cf888844e5a1
- SHA1: f3f5e32e33639b7b34c86759efe7fe15b08cb630
- SHA256: 0310893c2958a285382ddb19b94e7e654600acf94a75f5a363c844c52f2c5375
- SHA512: 71b894d7a4ffdb66af97c2453b99356f4ff306775428299c47a2af84023d994f1fd20af2950bc6aeaad5e2394b1b3b51905fbe82d800a2346b25a9d455a5ff5b
-
C:\ProgramData\nmzsopgwyw\vcruntime140.dll
- Filesize: 101KB
- MD5: 4ffd50749cbbb87a400136bdb9d33334
- SHA1: 7711709d3cc2baf47f53a13effc1f25077e293e9
- SHA256: a99be0c3e3abea781aba0ac6a3e075db2fbd60f58e94a322055cad4ef4d9ea31
- SHA512: 3cb98a1e2b1c43f9bc7901b5b72cc964cced02f881e5c8c73f33fa6d90ea8c4e6135c4a8d30c898dfafae761bf8e18012c2ccc0c2aba157cf70430ce186b1008
-
C:\ProgramData\nmzsopgwyw\vcruntime140_1.dll
- Filesize: 45KB
- MD5: 48297142fd46e8c31176806ad5f9694b
- SHA1: ec193380cd3bbf03e5c530e971dbab85acf13e1b
- SHA256: 01730a0f7bf179ef419d2d29e5e906583fd0c9f94905aa61b74eb8d82ed70eb8
- SHA512: ee54bff14980473776f6103f51e2196fdfe4ca898ae19b47be44dd692e78f524ef01e036cc153924d9c58989ba720ed2a3deb6b6d1a2eeeab7baa8d612b870c7
-
C:\Users\Admin\AppData\Roaming\SantosAlbuquerqueandOliveira\PrticoGranitoLuvas\JesVZlATqjU5WUP.bnd
- Filesize: 30.2MB
- MD5: 78380bfbd549d2888c402546da7ab003
- SHA1: 28c72e3cf49c26128d65d3d297daec45d5bb214c
- SHA256: 4d84fea8e515483dcf7a8679dcf726e76d2aa340aef3edcd1e359857ba57fd44
- SHA512: 63494b4354e6665c202b95e65b5948541536811b0dd7499f962b03a365422b805f02246e936cf260a3997b6144fe7dd4b54043147b36cf18788f262129ab08f1
-
C:\Users\Admin\AppData\Roaming\SantosAlbuquerqueandOliveira\PrticoGranitoLuvas\KMaFhNlDwp
- Filesize: 76KB
- MD5: 2071ffb6872fdb50c5f471cfea1562e4
- SHA1: 424e99240b96bc5de1ff51100f70cc5ea94e9379
- SHA256: 14d47644b80184ef60918730e70c59b6d0b69d2404e3f642818c75be53491552
- SHA512: cd0e098204ea02ff2395f823b94569532b5df99cf45066f78b04c5e56abb706601e92b5caf87cf5c637a6e968c473f2617d2103684369e61ff2800439b35f5ff
-
C:\Users\Admin\AppData\Roaming\SantosAlbuquerqueandOliveira\PrticoGranitoLuvas\NZqrD0KT7vG4vrJEd9gPRt9w.dll
- Filesize: 467KB
- MD5: 59ead9bf3d7e51139877d99ab92da2ac
- SHA1: 10835b70bde8ce36137e6e51cd2af0624714199d
- SHA256: de2c499d846a3c47bc90af39f13f2fa3b6237115f2be64d69e54411bccc00556
- SHA512: 19f797bb8409209cd3beabe658490575637ceb1fb541592d19b9dc78cb30bd7d15df25a82e7f0a47a3c445151eae2277e3d21b1e0710d3296396bcc27011109a
-
C:\Windows\Installer\MSI4844.tmp
- Filesize: 738KB
- MD5: ee45c6dffaf86ed2a76d8f969c390c08
- SHA1: ff5b2942ffa7d28ed3f72208e8e76391b2991b5a
- SHA256: 118a551eef23bf842ed470316aa1a50bf17b6d656652879802d4acc0184608ca
- SHA512: a92bc7aff5da3dc33263ea3d43cf617d47a2a6c589118f7ee3c5f293d63171778a7a37815ec23cb426558546cf0a1e694c67c7cbc36cca92677de566d1d71664
-
memory/4504-37-0x000002F2FDCB0000-0x000002F2FDCBE000-memory.dmp
- Filesize: 56KB
-
memory/4572-71-0x0000014516450000-0x000001451645A000-memory.dmp
- Filesize: 40KB
The C:\ProgramData\nmzsopgwyw drop consists of an 80KB executable beside a 467KB Enscape.dll and the Visual C++ runtime (msvcp140.dll, vcruntime140.dll, vcruntime140_1.dll), and the Loads dropped DLL signature records six DLL loads by that executable (pid 4572); this layout is consistent with the EXE side-loading the DLL placed next to it, although the report does not name which DLLs were loaded. A second 467KB DLL with a different hash, NZqrD0KT7vG4vrJEd9gPRt9w.dll, sits under AppData\Roaming with a 30.2MB .bnd file and a 76KB file with no extension; none of these are tied to a process in the signatures above. For hunting, the SHA256 values of Sqgigashiftо.exe, Enscape.dll and MSI4844.tmp are the most specific indicators here, since the runtime DLLs are shipped with many legitimate installers.