Overview

overview

8

Static

static

10

73f1227353...fa.msi

windows7_x64

8

73f1227353...fa.msi

windows10_x64

8

Analysis

  • max time kernel
    109s
  • max time network
    103s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    30-09-2021 15:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73f1227353bf94e9e829088b81cd25fa.msi

  • Size

    263KB

  • MD5

    73f1227353bf94e9e829088b81cd25fa

  • SHA1

    3d7412f2aae4e578712a19fedd5994aab0afee52

  • SHA256

    36417eb2ecdbb537b9679f959a8ab356e954f1a1ae200a360f7fed963c8d04e2

  • SHA512

    604be82de36114922a62d1661a537a2a8023fb354ff41a682a843106f622a688063e78deffda52f0de1a76fc115ccab954fdf6a4250ff43aaa654e13c1b844b1

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 8 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\73f1227353bf94e9e829088b81cd25fa.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:336
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5257C74EC2B627BAA5DC5986E9FCC9D0
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:328
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin TONMm\UizWC.exe'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1544
  • C:\Users\Admin\Saved Games\Admin TONMm\UizWC.exe
    "C:\Users\Admin\Saved Games\Admin TONMm\UizWC.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Program Files (x86)\Internet explorer\iexplore.exe
      "C:\Program Files (x86)\Internet explorer\iexplore.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1984

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Saved Games\Admin TONMm\NvSmartMax.dll
    MD5

    35ae120ad12ad9e41568d8c824be10c5

    SHA1

    e964f72f23f812dd2d5bf709f1f1cec457788ddf

    SHA256

    a0d7cdd57187dd31014f4a7ab5efa86cefba30ea6dee34f2bcdbefd66679b11b

    SHA512

    0255cb6bab6d1895d8b38fb79a4ff950a3e16d5acb0b4af3418ad6a97aec5cf7f2fec92d9228a6044836b2181325a32cc5695ba5d1f517c270bb3692b9ef72f7

    Download Submit
  • C:\Users\Admin\Saved Games\Admin TONMm\UizWC.exe
    MD5

    1f26da52aea0b3dfe2e829665bd2474f

    SHA1

    a852a99e2982df75842ccfc274ea3f9c54d22859

    SHA256

    33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32

    SHA512

    dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d

    Download Submit
  • C:\Users\Admin\Saved Games\Admin TONMm\UizWC.~tmp
    MD5

    0519a28c682da434cbdaa065a39e441c

    SHA1

    0d83694de423e9098b5b61167a3706956d3384e1

    SHA256

    bcbf8a2d8c26c318c3203f206df2565a33a7272f9f25616c64c7943d4e469144

    SHA512

    7d2c93329679c5705ac13e2888123cd1b9ac4e59958e729cbf90ecd971bf7864806f1a8cda6a7badd8cbbc25bb6b2a263d0d756a8fdd4a7cde171608190464e5

    Download Submit
  • C:\Windows\Installer\MSI56B6.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSI5947.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Users\Admin\Saved Games\Admin TONMm\NvSmartMax.dll
    MD5

    bc12dd46c538170fe700f2c62f66eac1

    SHA1

    f7ccb388d786293472469e1300296a25029ccc6f

    SHA256

    479c9557510075571699123741fe0b55cf463206d56f3d0397e55d996db84d61

    SHA512

    b4ff3687d387794034d8bf0d8f9325626a3244a36650b90bcfb5a74db85e3af7d4ee1b9669dd52a958161171c7c10133bf64e36c210c88297d1a5dc9dac0df83

    Download Submit
  • \Users\Admin\Saved Games\Admin TONMm\NvSmartMax.dll
    MD5

    dcb6e901c264cec1d67204047f5b7bc8

    SHA1

    b5a7194ac09c899840f4894c78aa86c0ef8cc3c5

    SHA256

    13166c2e4bb9e9ad55322db7d20ae9fbf89d3aae388203028f4f99198593a7d6

    SHA512

    e4ea93c364c5a98d21615950ce3cda142d539371a1cd46a792f15a2766edbca45049ae31b0701cb13ccd01d8f64d5df10c100dad42cfab085b335e6f8f151754

    Download Submit
  • \Windows\Installer\MSI56B6.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSI5947.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • memory/328-67-0x00000000009F0000-0x00000000009F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/328-62-0x0000000075D11000-0x0000000075D13000-memory.dmp
    Filesize

    8KB

    Download
  • memory/328-61-0x0000000000000000-mapping.dmp
    Download
  • memory/336-59-0x000007FEFC251000-0x000007FEFC253000-memory.dmp
    Filesize

    8KB

    Download
  • memory/372-72-0x0000000000580000-0x0000000000DB2000-memory.dmp
    Filesize

    8.2MB

    Download
  • memory/1544-68-0x0000000000000000-mapping.dmp
    Download
  • memory/1984-74-0x0000000000000000-mapping.dmp
    Download
  • memory/1984-76-0x00000000022E0000-0x0000000002B12000-memory.dmp
    Filesize

    8.2MB

    Download