Analysis

  • max time kernel
    151s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    22-07-2021 11:53

General

  • Target

    DCBR.msi

  • Size

    5.6MB

  • MD5

    3eb2ea9527590196759a92fdd24eaf8b

  • SHA1

    22cb16a1c4331efa0f228484578b54708dcc1f0b

  • SHA256

    0bd168703d2bb6a6d5fffe115c4834f4057bcb7f7877369a3230a82badce3d15

  • SHA512

    9c775c31e2148a2bd8a82b5be6527d2ccbd8d31df3afda7d5e4b6f35c7bceb4bee42c9933a5e5a38e9eacfd2b97b0ad6e3b896a6b5e1b4e043c83e265264bbbc

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 8 IoCs
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\DCBR.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2004
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 570053B627425E15A1A4295EDED032AB
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C start /MIN https://bit.ly/3hPv4Ay
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1564
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/3hPv4Ay
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1728
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1468
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v yAVgTC /t reg_sz /d "C:\Users\Admin\AppData\Local\yAVgTC\yAVgTC.Lavasoft.WCAssistant.WinService.EXE"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2224
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v yAVgTC /t reg_sz /d "C:\Users\Admin\AppData\Local\yAVgTC\yAVgTC.Lavasoft.WCAssistant.WinService.EXE"
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:2288
      • C:\Users\Admin\AppData\Local\yAVgTC\yAVgTC.Lavasoft.WCAssistant.WinService.EXE
        "C:\Users\Admin\AppData\Local\yAVgTC\yAVgTC.Lavasoft.WCAssistant.WinService.EXE"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:2248

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
    MD5

    32a913d8ecc4e44c129ec875773cf3dc

    SHA1

    480eca9ee43825262c9907383c96ecbfa594c55c

    SHA256

    c83a825a4359c833c9fab107e3355a0010f3516db6dfe137ce6b41251780d2dc

    SHA512

    37d57dd012d896f30554b30b1fed0403a27bc6bc8d8ae288d96efad0f87d6adbb128bad19672c24c6c66882a0bf04214ae6ccd16682b5d033898360050d3f170

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    MD5

    2902de11e30dcc620b184e3bb0f0c1cb

    SHA1

    5d11d14a2558801a2688dc2d6dfad39ac294f222

    SHA256

    e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

    SHA512

    efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
    MD5

    5f69b12a7e46f79ce23845f2722d6974

    SHA1

    39f247a2ba13e3d6a44b247a89753c90342ac4b0

    SHA256

    ed1c5ddaf51d8383d142e5ff5dd6319206fb1252c4d7fa1d2c36f26a7787ae74

    SHA512

    6ec57834a70b47e63a22ba51142e31dbf590ca13d9ad241610b45d6d30ca0899a36cde696ce033eacdeb1edc83de6f83ef0b772c0277a7d95b531e7d644a4174

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    f30ef1cfa2c426ca622f28e503e1e45f

    SHA1

    c42b62de14249a8f40af1b62f0e410eb3cb5e188

    SHA256

    8e0e37228162bc7f278c327238f285b9006fa121bb3d753f06287fac1d0ae279

    SHA512

    ff95ac8bf9734181bbb18856ec4b4ba8ded5ee4ed2a7979e5d549252a693d178e9170a6a3e88de0e9a735baf13dcbff588016189e64adb90d8fcb209d399d6ee

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bq3gxmw\imagestore.dat
    MD5

    c5338306d65f320814348bfea969d069

    SHA1

    cbf9ae30053fc48196d852ad712b66011a762c88

    SHA256

    a3d4a03e3b31842dcb0428fb89f1026b0babff5853b5a246e5f2d1fd981753b1

    SHA512

    09b5ed523d0cca1b296c3856b0656125d1ebc6e347e817e1c41d092d66cd721b2d3c664e23ae5699b7a310fadbbbe6b05bf982a375012f09eeee0e5f02c6cc43

  • C:\Users\Admin\AppData\Local\Temp\MSI501a6.LOG
    MD5

    e4caee508c909619d992d95e598db46e

    SHA1

    7a65d594503d3cf302b4839d86975b1df1cd116a

    SHA256

    fe573a52ff2d332dcfddf5abf3f5d05267264060d87bda38d62aa76629fd7dcd

    SHA512

    75c4e6b56f90ac05fe1462f1205a808f09f40ec002781a901e2d49d1512a896a5f37c8bd62e13ef7df9bdc2e1f4fe5efe245e3ba20d0d1d261622bbf2bc9d6a4

  • C:\Users\Admin\AppData\Local\yAVgTC\Avira.OE.NativeCore.dll
    MD5

    69956909dd2b7813338401ebd3774e8f

    SHA1

    6c49378f63505fd72a5ba53ab0ca2d25c47f13c3

    SHA256

    3a74e84facc9b7ff009c0fd38267db03286a61b8c53d53fe0fdc7a69e5d553a0

    SHA512

    3d8beeef5251117b3119df432eb5b29b25873bde716fdde8db931ceaa5b2e3305a9811e0c6b59cdf70855fec86f699d35595d8716027f0c9bb04031b64ddea88

  • C:\Users\Admin\AppData\Local\yAVgTC\MSVCP120.dll
    MD5

    fd5cabbe52272bd76007b68186ebaf00

    SHA1

    efd1e306c1092c17f6944cc6bf9a1bfad4d14613

    SHA256

    87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

    SHA512

    1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

  • C:\Users\Admin\AppData\Local\yAVgTC\MSVCR120.dll
    MD5

    034ccadc1c073e4216e9466b720f9849

    SHA1

    f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

    SHA256

    86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

    SHA512

    5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

  • C:\Users\Admin\AppData\Local\yAVgTC\yAVgTC.Lavasoft.WCAssistant.WinService.EXE
    MD5

    fefc447b17cf02a6fcb0abc7f5959450

    SHA1

    918360e2e07c9be49ef4d07406b37cea7dc3b924

    SHA256

    a74226654c5048cadb46d83b3778c554e0e02c6dc063f35b2721cb977f1285cf

    SHA512

    aa3b6d2418ff7ecc3696a757408cacf054090e8c4b520900a0c45f4f274af24174ad79b5413537be0fe01ee0363c70fa49c3cc59b0788ae1abce11249cea6588

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\29IZFM7O.txt
    MD5

    652891b1a446f971183242fb7250e7ca

    SHA1

    83e0182e2713820948c9cb2ecf82778aedf083e6

    SHA256

    896476d13a2ae9a821694f0aad256145357888a86538ce88aca35364f3248a28

    SHA512

    f316d6a47f5767dd7fdae66218c1adaf7eb6a20f89e53ec5d2c0f4cc0d539bd8a2bde1e3f80b076d3f383a349cebd09cf61e8ff829fb14920a9ae54c194c5415

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NMIGGAZE.txt
    MD5

    a99d22eb4d076228312023cff298df5d

    SHA1

    35d28cab3f2bdb2f9b9853e74f5397f69fdcfc86

    SHA256

    f1b67a739a16889856100bc7969527500af107c9d8c68cb6f9df3fa030a8c6de

    SHA512

    92c8d49c22e6c0d99194e73d66160161806d285c1726cbbafc809f383f2b8b8fb30aaa7d48585d27cc00a90b77cb89b3c639479e1c202e8ec20fe31e97627802

  • C:\Windows\Installer\MSI4F59.tmp
    MD5

    5c5bef05b6f3806106f8f3ce13401cc1

    SHA1

    6005fbe17f6e917ac45317552409d7a60976db14

    SHA256

    f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

    SHA512

    97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

  • C:\Windows\Installer\MSI5208.tmp
    MD5

    2782aebc4b0d64dbd33e66251e9ab371

    SHA1

    1606c90365554b205af444bfa534e094847d0a32

    SHA256

    e56039ccfb3d5a4fb35d415fd50d1eb8ad9da69bcff8e71bb1ed82306b535e1b

    SHA512

    96a46726882e3c75e3489bd33da7474e8f308b0c7455b0c4c989ea84487b8e1b69c82d4bdf0cd15648b6904251442ab748aa392dd6de17820daa7d8549f956ad

  • C:\Windows\Installer\MSI59C.tmp
    MD5

    5c5bef05b6f3806106f8f3ce13401cc1

    SHA1

    6005fbe17f6e917ac45317552409d7a60976db14

    SHA256

    f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

    SHA512

    97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

  • C:\Windows\Installer\MSI64D1.tmp
    MD5

    2782aebc4b0d64dbd33e66251e9ab371

    SHA1

    1606c90365554b205af444bfa534e094847d0a32

    SHA256

    e56039ccfb3d5a4fb35d415fd50d1eb8ad9da69bcff8e71bb1ed82306b535e1b

    SHA512

    96a46726882e3c75e3489bd33da7474e8f308b0c7455b0c4c989ea84487b8e1b69c82d4bdf0cd15648b6904251442ab748aa392dd6de17820daa7d8549f956ad

  • \Users\Admin\AppData\Local\yAVgTC\Avira.OE.NativeCore.dll
    MD5

    69956909dd2b7813338401ebd3774e8f

    SHA1

    6c49378f63505fd72a5ba53ab0ca2d25c47f13c3

    SHA256

    3a74e84facc9b7ff009c0fd38267db03286a61b8c53d53fe0fdc7a69e5d553a0

    SHA512

    3d8beeef5251117b3119df432eb5b29b25873bde716fdde8db931ceaa5b2e3305a9811e0c6b59cdf70855fec86f699d35595d8716027f0c9bb04031b64ddea88

  • \Users\Admin\AppData\Local\yAVgTC\msvcp120.dll
    MD5

    fd5cabbe52272bd76007b68186ebaf00

    SHA1

    efd1e306c1092c17f6944cc6bf9a1bfad4d14613

    SHA256

    87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

    SHA512

    1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

  • \Users\Admin\AppData\Local\yAVgTC\msvcr120.dll
    MD5

    034ccadc1c073e4216e9466b720f9849

    SHA1

    f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

    SHA256

    86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

    SHA512

    5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

  • \Users\Admin\AppData\Local\yAVgTC\yAVgTC.Lavasoft.WCAssistant.WinService.EXE
    MD5

    fefc447b17cf02a6fcb0abc7f5959450

    SHA1

    918360e2e07c9be49ef4d07406b37cea7dc3b924

    SHA256

    a74226654c5048cadb46d83b3778c554e0e02c6dc063f35b2721cb977f1285cf

    SHA512

    aa3b6d2418ff7ecc3696a757408cacf054090e8c4b520900a0c45f4f274af24174ad79b5413537be0fe01ee0363c70fa49c3cc59b0788ae1abce11249cea6588

  • \Windows\Installer\MSI4F59.tmp
    MD5

    5c5bef05b6f3806106f8f3ce13401cc1

    SHA1

    6005fbe17f6e917ac45317552409d7a60976db14

    SHA256

    f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

    SHA512

    97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

  • \Windows\Installer\MSI5208.tmp
    MD5

    2782aebc4b0d64dbd33e66251e9ab371

    SHA1

    1606c90365554b205af444bfa534e094847d0a32

    SHA256

    e56039ccfb3d5a4fb35d415fd50d1eb8ad9da69bcff8e71bb1ed82306b535e1b

    SHA512

    96a46726882e3c75e3489bd33da7474e8f308b0c7455b0c4c989ea84487b8e1b69c82d4bdf0cd15648b6904251442ab748aa392dd6de17820daa7d8549f956ad

  • \Windows\Installer\MSI59C.tmp
    MD5

    5c5bef05b6f3806106f8f3ce13401cc1

    SHA1

    6005fbe17f6e917ac45317552409d7a60976db14

    SHA256

    f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

    SHA512

    97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

  • \Windows\Installer\MSI64D1.tmp
    MD5

    2782aebc4b0d64dbd33e66251e9ab371

    SHA1

    1606c90365554b205af444bfa534e094847d0a32

    SHA256

    e56039ccfb3d5a4fb35d415fd50d1eb8ad9da69bcff8e71bb1ed82306b535e1b

    SHA512

    96a46726882e3c75e3489bd33da7474e8f308b0c7455b0c4c989ea84487b8e1b69c82d4bdf0cd15648b6904251442ab748aa392dd6de17820daa7d8549f956ad

  • memory/1468-70-0x0000000000000000-mapping.dmp
  • memory/1564-66-0x0000000000000000-mapping.dmp
  • memory/1728-68-0x0000000000000000-mapping.dmp
  • memory/1836-63-0x00000000754F1000-0x00000000754F3000-memory.dmp
    Filesize

    8KB

  • memory/1836-62-0x0000000000000000-mapping.dmp
  • memory/2004-59-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp
    Filesize

    8KB

  • memory/2224-73-0x0000000000000000-mapping.dmp
  • memory/2248-90-0x000000006ECF0000-0x0000000070A64000-memory.dmp
    Filesize

    29.5MB

  • memory/2248-91-0x000000006ECF1000-0x000000006F032000-memory.dmp
    Filesize

    3.3MB

  • memory/2248-92-0x00000000000A0000-0x00000000000A1000-memory.dmp
    Filesize

    4KB

  • memory/2248-75-0x0000000000000000-mapping.dmp
  • memory/2288-79-0x0000000000000000-mapping.dmp