Overview

overview

8

Static

static

10

73f1227353...fa.msi

windows7_x64

8

73f1227353...fa.msi

windows10_x64

8

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    30-09-2021 15:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73f1227353bf94e9e829088b81cd25fa.msi

  • Size

    263KB

  • MD5

    73f1227353bf94e9e829088b81cd25fa

  • SHA1

    3d7412f2aae4e578712a19fedd5994aab0afee52

  • SHA256

    36417eb2ecdbb537b9679f959a8ab356e954f1a1ae200a360f7fed963c8d04e2

  • SHA512

    604be82de36114922a62d1661a537a2a8023fb354ff41a682a843106f622a688063e78deffda52f0de1a76fc115ccab954fdf6a4250ff43aaa654e13c1b844b1

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\73f1227353bf94e9e829088b81cd25fa.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2468
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 780B32C81BE9777677024AFBBCBD229E
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3364
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin HVIQm\zRTnn.exe'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1332
  • C:\Users\Admin\Saved Games\Admin HVIQm\zRTnn.exe
    "C:\Users\Admin\Saved Games\Admin HVIQm\zRTnn.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:3640
    • C:\Program Files (x86)\Internet explorer\iexplore.exe
      "C:\Program Files (x86)\Internet explorer\iexplore.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:3636

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Saved Games\Admin HVIQm\NvSmartMax.dll
    MD5

    474861604ca122abbe451a2b5e69d0a5

    SHA1

    713cf7b0031c8630c9117ad2d3ad1ccfe6b43201

    SHA256

    c4dcb5c00ddb62a193329fc65fc4f3844ca76d8cfd91847baac5af866d6395b8

    SHA512

    a01faf28197bc2576d68f8a976ee980d373cc8b8310a320ca80493933ced8f0028e446d4f738655b3c1d727bd8b9d407f2e8c54b90438532e0f622626dbcb71c

    Download Submit
  • C:\Users\Admin\Saved Games\Admin HVIQm\zRTnn.exe
    MD5

    1f26da52aea0b3dfe2e829665bd2474f

    SHA1

    a852a99e2982df75842ccfc274ea3f9c54d22859

    SHA256

    33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32

    SHA512

    dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d

    Download Submit
  • C:\Users\Admin\Saved Games\Admin HVIQm\zRTnn.exe
    MD5

    1f26da52aea0b3dfe2e829665bd2474f

    SHA1

    a852a99e2982df75842ccfc274ea3f9c54d22859

    SHA256

    33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32

    SHA512

    dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d

    Download Submit
  • C:\Users\Admin\Saved Games\Admin HVIQm\zRTnn.~tmp
    MD5

    0519a28c682da434cbdaa065a39e441c

    SHA1

    0d83694de423e9098b5b61167a3706956d3384e1

    SHA256

    bcbf8a2d8c26c318c3203f206df2565a33a7272f9f25616c64c7943d4e469144

    SHA512

    7d2c93329679c5705ac13e2888123cd1b9ac4e59958e729cbf90ecd971bf7864806f1a8cda6a7badd8cbbc25bb6b2a263d0d756a8fdd4a7cde171608190464e5

    Download Submit
  • C:\Windows\Installer\MSI8DEE.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSI9179.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Users\Admin\Saved Games\Admin HVIQm\NvSmartMax.dll
    MD5

    a935b1bb1a7c507de9b87c74e06f7fa2

    SHA1

    b242e33025a21f41dd09262a988502ad50bc85dc

    SHA256

    66400407ed76155a0ca4de28c77e6e6092c7f7a8763914948ecb830fa842eca6

    SHA512

    b6180c0b864866d06982b9480f043b97fccd058aa937e03c11821ab87bf871c05dc69d056a81d91b4bead695dd4903ee7a279c402fdf5749b0398f3bf90dbba6

    Download Submit
  • \Users\Admin\Saved Games\Admin HVIQm\NvSmartMax.dll
    MD5

    deacf06239f75f77c183626508f1ae64

    SHA1

    d613b372d71af40a4495a98ba190ce0b2e024a2c

    SHA256

    cfd763e85065a8b3cf8dc85715b8a3b3f61f6b193ca17061c5f3a797cc7dbe8b

    SHA512

    2fe1e28a8eccbd9edc6616c5eed3b9bbc4840f310b3e158edfe6b42fae5d76384edbe12223ee6fb2b8289eb2dabee4a7cc46e1856b70e58322a69c9e50e0792b

    Download Submit
  • \Users\Admin\Saved Games\Admin HVIQm\NvSmartMax.dll
    MD5

    dd415258ec959e0e5033a8a01e1af894

    SHA1

    51ea8c4e59168ce26810a6d1ba8d0b789f348251

    SHA256

    481975eb40ba4591a44ed5de4745bdaa583569128c014efdf1c39ea4d950242a

    SHA512

    9e13481c2ca08bf51397a5cba95aec91fc017f99c227fb6f1f6a1cfa3e5c6200f1d24240f0233388f1b0ae3570b70bd756bec2ba528fe7229494819700412284

    Download Submit
  • \Users\Admin\Saved Games\Admin HVIQm\NvSmartMax.dll
    MD5

    da30e79f96dcd285edbe78edaf790085

    SHA1

    cdfef38e7a05dd3a549094a3d29ac2de844755a3

    SHA256

    ac64cf476f9985aace1d0934437e751570f57264b1eaca7ab89d7dc9fd01f402

    SHA512

    c9bd426a9bed49f1a6e271da9d47b5b03cdc2edae6cfd29c7199c5a9bc139451490b20a3cb81de3b679259886edb96fe8821616738522e86546eedf5b923e5be

    Download Submit
  • \Windows\Installer\MSI8DEE.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSI9179.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • memory/1332-126-0x0000000000000000-mapping.dmp
    Download
  • memory/3364-119-0x0000000000000000-mapping.dmp
    Download
  • memory/3636-133-0x0000000000000000-mapping.dmp
    Download
  • memory/3636-136-0x0000000004BA0000-0x00000000053D2000-memory.dmp
    Filesize

    8.2MB

    Download
  • memory/3640-132-0x0000000000CE0000-0x0000000001512000-memory.dmp
    Filesize

    8.2MB

    Download