Analysis
- max time kernel: 109s
- max time network: 103s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 30-09-2021 15:24
- Static task: static1
- Behavioral task: behavioral1
  Sample: 73f1227353bf94e9e829088b81cd25fa.msi
  Resource: win7v20210408
- Behavioral task: behavioral2
  Sample: 73f1227353bf94e9e829088b81cd25fa.msi
  Resource: win10-en-20210920
General
- Target: 73f1227353bf94e9e829088b81cd25fa.msi
- Size: 263KB
- MD5: 73f1227353bf94e9e829088b81cd25fa
- SHA1: 3d7412f2aae4e578712a19fedd5994aab0afee52
- SHA256: 36417eb2ecdbb537b9679f959a8ab356e954f1a1ae200a360f7fed963c8d04e2
- SHA512: 604be82de36114922a62d1661a537a2a8023fb354ff41a682a843106f622a688063e78deffda52f0de1a76fc115ccab954fdf6a4250ff43aaa654e13c1b844b1
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes:
  flow 3, PID 328, MsiExec.exe
  flow 5, PID 328, MsiExec.exe
  flow 7, PID 328, MsiExec.exe
- Executes dropped EXE (1 IoC)
  Processes:
  PID 372, UizWC.exe
- Loads dropped DLL (4 IoCs)
  Processes:
  PID 328, MsiExec.exe
  PID 328, MsiExec.exe
  PID 372, UizWC.exe
  PID 1984, iexplore.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run (iexplore.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin-_6JdWP6Jal = "\"C:\\Users\\Admin\\Saved Games\\Admin TONMm\\UizWC.exe\"" (iexplore.exe)
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  msiexec.exe, File opened (read-only), 48 events in this order:
  \??\I:, \??\P:, \??\L:, \??\N:, \??\F:, \??\Q:, \??\V:, \??\O:, \??\S:, \??\T:,
  \??\U:, \??\A:, \??\A:, \??\E:, \??\J:, \??\G:, \??\J:, \??\R:, \??\S:, \??\W:,
  \??\Y:, \??\K:, \??\X:, \??\M:, \??\Y:, \??\B:, \??\H:, \??\L:, \??\M:, \??\E:,
  \??\H:, \??\K:, \??\Q:, \??\N:, \??\R:, \??\W:, \??\O:, \??\T:, \??\U:, \??\V:,
  \??\Z:, \??\P:, \??\F:, \??\I:, \??\X:, \??\B:, \??\G:, \??\Z:
- Drops file in Windows directory (8 IoCs)
  Processes (all msiexec.exe):
  File created: C:\Windows\Installer\2562a.msi
  File opened for modification: C:\Windows\Installer\2562a.msi
  File opened for modification: C:\Windows\Installer\MSI56B6.tmp
  File opened for modification: C:\Windows\Installer\MSI5947.tmp
  File created: C:\Windows\Installer\2562c.ipi
  File opened for modification: C:\Windows\Installer\
  File opened for modification: C:\Windows\Installer\MSID865.tmp
  File opened for modification: C:\Windows\Installer\2562c.ipi
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (all iexplore.exe):
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- Enumerates system info in registry (2 TTPs, 4 IoCs)
  Processes (all iexplore.exe):
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Modifies Control Panel (2 IoCs)
  Processes (all UizWC.exe):
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\(Padrão) 2 = "UizWC"
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\(Padrão) 3 = "C:\\Users\\Admin\\Saved Games\\Admin TONMm\\"
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, flow 3: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  Processes:
  PID 1108, msiexec.exe (2 events)
  PID 1984, iexplore.exe (30 events)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  PID 336, msiexec.exe (31 events), tokens in order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 1108, msiexec.exe (13 events): SeRestorePrivilege and SeTakeOwnershipPrivilege, requested as a pair six times, plus one SeSecurityPrivilege
  PID 1544, WMIC.exe (20 events), tokens in order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
  PID 336, msiexec.exe
  PID 328, MsiExec.exe
  PID 336, msiexec.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (source PID, source process -> target PID, target process):
  PID 1108 msiexec.exe wrote to memory of PID 328 MsiExec.exe (7 events)
  PID 328 MsiExec.exe wrote to memory of PID 1544 WMIC.exe (4 events)
  PID 372 UizWC.exe wrote to memory of PID 1984 iexplore.exe (5 events)
Processes
- C:\Windows\system32\msiexec.exe (PID 336)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\73f1227353bf94e9e829088b81cd25fa.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 1108)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 328, child of PID 1108)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5257C74EC2B627BAA5DC5986E9FCC9D0
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1544, child of PID 328)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin TONMm\UizWC.exe'
      - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Saved Games\Admin TONMm\UizWC.exe (PID 372)
  Command line: "C:\Users\Admin\Saved Games\Admin TONMm\UizWC.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet explorer\iexplore.exe (PID 1984, child of PID 372)
    Command line: "C:\Program Files (x86)\Internet explorer\iexplore.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6