Overview

overview

8

Static

static

8

d13d644d11...69.msi

windows7_x64

8

d13d644d11...69.msi

windows10_x64

8

Analysis

  • max time kernel
    153s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    13-10-2021 16:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d13d644d111ba1ad4a95d7c6dfd9b669.msi

  • Size

    264KB

  • MD5

    d13d644d111ba1ad4a95d7c6dfd9b669

  • SHA1

    3c9871a124d2eebeb68ebbfd49fe9b05320a4972

  • SHA256

    630793d812d85e763f5042ec21cfa2d5da436ee535fdd1ccd00b52c45f82ccb9

  • SHA512

    4f03ce84adfb108da2245914949a6a133b479d05fbde75ced318ad4142d34aebea0d318bdbfd66fd876e3fa146e9cd8379a32b4ebed3a5e37dd9624cf63a7ddb

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 8 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d13d644d111ba1ad4a95d7c6dfd9b669.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1080
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DCADB751D7A3CFD91CB6CE15A75138C7
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin nOMen\dacbP.exe'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1140
  • C:\Users\Admin\Saved Games\Admin nOMen\dacbP.exe
    "C:\Users\Admin\Saved Games\Admin nOMen\dacbP.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Program Files (x86)\Internet explorer\iexplore.exe
      "C:\Program Files (x86)\Internet explorer\iexplore.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Saved Games\Admin nOMen\NvSmartMax.dll
    MD5

    1b587fb1603937d7d9f916cbe4ea778f

    SHA1

    5dfc53d151a71f36396a17df1bb0dcdda8074190

    SHA256

    8dfb35279242848faef62b35ca5720c21eecf2af1efc9f1830c5828b9609f292

    SHA512

    6f2992d30fdcca9b4171805348b3073b1393577c6ebb0e6f82b3282df9d2834542c536bd337bc85e5f2ed167000f0ca33600a2f37e88b3f0bfada1bb1e826de5

    Download Submit
  • C:\Users\Admin\Saved Games\Admin nOMen\dacbP.exe
    MD5

    1f26da52aea0b3dfe2e829665bd2474f

    SHA1

    a852a99e2982df75842ccfc274ea3f9c54d22859

    SHA256

    33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32

    SHA512

    dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d

    Download Submit
  • C:\Users\Admin\Saved Games\Admin nOMen\dacbP.~tmp
    MD5

    3f0f24b43f992f70f0e2decff7350dfd

    SHA1

    be52b7c076a5fae4b495dc9bfa14ae90b94895d4

    SHA256

    968f32f311da3934c6de7aea33d3e7b769f060a6d56bfd34939cc1a0e221df92

    SHA512

    454e88722d5c515ec08a0d436434cdfd618d0dabb89559dcd065d071e293b0c370f96a964c4d4c30a17528267960c52f7eba7b5894468b6f9f0464bef55442b8

    Download Submit
  • C:\Windows\Installer\MSI9C30.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSI9EEF.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Users\Admin\Saved Games\Admin nOMen\NvSmartMax.dll
    MD5

    88a09ec796a0df79e7be3a7d423e6edb

    SHA1

    e04349ccc68474fde98dbbea01658cb3dcbde640

    SHA256

    c0dbd6b944e2592368d55e8a24c593295c4b7fd377e56be2dee44f137f98254f

    SHA512

    a021c2acc50c160c6e6789d3ac88802341f58ba106fe5003354c07e8b29fe3fe99925d36648c7cb803fcce2af9720cabedfe5058597dd423e09b050e0c377ac8

    Download Submit
  • \Users\Admin\Saved Games\Admin nOMen\NvSmartMax.dll
    MD5

    c7bc4fc6042cfcab5a1b86f8ddd7b64a

    SHA1

    376cb8e9aa47705e4ce358f230e959663c0f9fc7

    SHA256

    17a614ec473f3fa03f1a40125f937778aa15880d5cb7b7fb7609a9b66f42b5cf

    SHA512

    b7d6e7f712aee77547993eaf91e0361734ceb371fa3af651a2dfeab434a09b2c78af92ed0a0ed5c7ebf256660d30f7285fe75b63354117fe715a838fcdecfb22

    Download Submit
  • \Windows\Installer\MSI9C30.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSI9EEF.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • memory/900-73-0x0000000001190000-0x0000000002254000-memory.dmp
    Filesize

    16.8MB

    Download
  • memory/1080-60-0x000007FEFB631000-0x000007FEFB633000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1140-69-0x0000000000000000-mapping.dmp
    Download
  • memory/1340-75-0x0000000000000000-mapping.dmp
    Download
  • memory/1980-68-0x0000000000D90000-0x0000000000D91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1980-63-0x0000000075801000-0x0000000075803000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1980-62-0x0000000000000000-mapping.dmp
    Download