Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 30-09-2021 15:24
- Static task: static1
- Behavioral task: behavioral1 (Sample: 73f1227353bf94e9e829088b81cd25fa.msi, Resource: win7v20210408)
- Behavioral task: behavioral2 (Sample: 73f1227353bf94e9e829088b81cd25fa.msi, Resource: win10-en-20210920)

General
- Target: 73f1227353bf94e9e829088b81cd25fa.msi
- Size: 263KB
- MD5: 73f1227353bf94e9e829088b81cd25fa
- SHA1: 3d7412f2aae4e578712a19fedd5994aab0afee52
- SHA256: 36417eb2ecdbb537b9679f959a8ab356e954f1a1ae200a360f7fed963c8d04e2
- SHA512: 604be82de36114922a62d1661a537a2a8023fb354ff41a682a843106f622a688063e78deffda52f0de1a76fc115ccab954fdf6a4250ff43aaa654e13c1b844b1
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: MsiExec.exe (PID 3364), network flow 4
- Executes dropped EXE (1 IoC)
  Processes: zRTnn.exe (PID 3640)
- Loads dropped DLL (6 IoCs)
  Processes: MsiExec.exe (PID 3364, 2 loads), zRTnn.exe (PID 3640, 2 loads), iexplore.exe (PID 3636, 2 loads)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: iexplore.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin-_P9o3G = "\"C:\\Users\\Admin\\Saved Games\\Admin HVIQm\\zRTnn.exe\""
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe
  - File opened (read-only) \??\A: through \??\Z:, every drive letter except C: and D: (24 letters), each opened twice (48 events)
- Drops file in Windows directory (9 IoCs)
  Processes: msiexec.exe
  - File created: C:\Windows\Installer\SourceHash{EA8B109E-A485-48B9-BC42-07AA6875ACCC}
  - File opened for modification: C:\Windows\Installer\MSI310.tmp
  - File opened for modification: C:\Windows\Installer\28d52.msi
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  - File opened for modification: C:\Windows\Installer\MSI8DEE.tmp
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi
  - File created: C:\Windows\Installer\28d52.msi
  - File opened for modification: C:\Windows\Installer\MSI9179.tmp
  - File opened for modification: C:\Windows\Installer\
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: iexplore.exe
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 4 IoCs)
  Processes: iexplore.exe
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion
- Modifies Control Panel (2 IoCs)
  Processes: zRTnn.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\(Padrão) 3 = "C:\\Users\\Admin\\Saved Games\\Admin HVIQm\\"
  - Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\(Padrão) 2 = "zRTnn"
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  - HTTP User-Agent header (network flow 4): Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: msiexec.exe (PID 2756, 2 events), iexplore.exe (PID 3636, 62 events)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  - msiexec.exe (PID 2468), 31 events: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (SeShutdownPrivilege and SeIncreaseQuotaPrivilege each adjusted twice)
  - msiexec.exe (PID 2756), 9 events: SeSecurityPrivilege once; SeRestorePrivilege and SeTakeOwnershipPrivilege alternately, four times each
  - WMIC.exe (PID 1332), 24 events: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (SeIncreaseQuotaPrivilege, SeSecurityPrivilege and SeTakeOwnershipPrivilege each adjusted twice)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: msiexec.exe (PID 2468, 2 events), MsiExec.exe (PID 3364, 1 event)
- Suspicious use of WriteProcessMemory (10 IoCs)
  - PID 2756 msiexec.exe wrote to memory of PID 3364 MsiExec.exe (3 times)
  - PID 3364 MsiExec.exe wrote to memory of PID 1332 WMIC.exe (3 times)
  - PID 3640 zRTnn.exe wrote to memory of PID 3636 iexplore.exe (4 times)
Processes
- C:\Windows\system32\msiexec.exe (PID 2468)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\73f1227353bf94e9e829088b81cd25fa.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2756)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 3364, child of PID 2756)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 780B32C81BE9777677024AFBBCBD229E
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1332, child of PID 3364)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin HVIQm\zRTnn.exe'
      - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Saved Games\Admin HVIQm\zRTnn.exe (PID 3640)
  Command line: "C:\Users\Admin\Saved Games\Admin HVIQm\zRTnn.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet explorer\iexplore.exe (PID 3636, child of PID 3640)
    Command line: "C:\Program Files (x86)\Internet explorer\iexplore.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses