Analysis
max time kernel: 153s
max time network: 137s
platform: windows7_x64
resource: win7v20210408
submitted: 13-10-2021 16:43

Behavioral task behavioral1
Sample: d13d644d111ba1ad4a95d7c6dfd9b669.msi
Resource: win7v20210408

Behavioral task behavioral2
Sample: d13d644d111ba1ad4a95d7c6dfd9b669.msi
Resource: win10-en-20210920

General
Target: d13d644d111ba1ad4a95d7c6dfd9b669.msi
Size: 264KB
MD5: d13d644d111ba1ad4a95d7c6dfd9b669
SHA1: 3c9871a124d2eebeb68ebbfd49fe9b05320a4972
SHA256: 630793d812d85e763f5042ec21cfa2d5da436ee535fdd1ccd00b52c45f82ccb9
SHA512: 4f03ce84adfb108da2245914949a6a133b479d05fbde75ced318ad4142d34aebea0d318bdbfd66fd876e3fa146e9cd8379a32b4ebed3a5e37dd9624cf63a7ddb
The results below are from behavioral1 (windows7_x64, win7v20210408).
Malware Config
Signatures

Blocklisted process makes network request (3 IoCs)
Processes:
  flow 4  pid 1980  MsiExec.exe
  flow 6  pid 1980  MsiExec.exe
  flow 8  pid 1980  MsiExec.exe
Pid 1980 is the 32-bit custom action server (MsiExec.exe -Embedding, see the process tree) started by the Windows Installer service, so these requests come from code carried in the package's custom actions rather than from the installer itself. Flow 4 is the one tagged further down with the WinHttp.WinHttpRequest.5 user agent.
Executes dropped EXE (1 IoC)
Processes:
  pid 900  dacbP.exe
Loads dropped DLL (4 IoCs)
Processes:
  pid 1980  MsiExec.exe
  pid 1980  MsiExec.exe
  pid 900   dacbP.exe
  pid 1340  iexplore.exe
The two loads by pid 1980 line up with the two identical C:\Windows\Installer\MSI*.tmp files in the Downloads section, i.e. a custom action DLL extracted from the package. The load by dacbP.exe is consistent with NvSmartMax.dll, which is dropped beside it in the same directory; the load by iexplore.exe happens after dacbP.exe has written into that process.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  iexplore.exe  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run
  iexplore.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin-_6JPWD6J651 = "\"C:\\Users\\Admin\\Saved Games\\Admin nOMen\\dacbP.exe\""
The persistence entry is written by iexplore.exe (pid 1340), the process dacbP.exe (pid 900) has just written memory into. Internet Explorer has no reason to register a Run value pointing at a binary under Saved Games, so the registry write is attributable to injected code, not to the browser. The value name Admin-_6JPWD6J651 and the Saved Games path are both usable as host indicators.
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  msiexec.exe  File opened (read-only)  \??\A:, \??\B: and \??\E: through \??\Z: (24 drive letters, each opened once by each of the two msiexec.exe instances, pids 1080 and 1224)
Probing every drive letter is normal Windows Installer behaviour during costing, when it checks free space on every volume, so for an .msi sample this signature carries little weight on its own.
Drops file in Windows directory (8 IoCs)
Processes:
  msiexec.exe  File opened for modification  C:\Windows\Installer\
  msiexec.exe  File opened for modification  C:\Windows\Installer\MSI1D14.tmp
  msiexec.exe  File created                  C:\Windows\Installer\f749b77.ipi
  msiexec.exe  File opened for modification  C:\Windows\Installer\f749b77.ipi
  msiexec.exe  File created                  C:\Windows\Installer\f749b75.msi
  msiexec.exe  File opened for modification  C:\Windows\Installer\f749b75.msi
  msiexec.exe  File opened for modification  C:\Windows\Installer\MSI9C30.tmp
  msiexec.exe  File opened for modification  C:\Windows\Installer\MSI9EEF.tmp
All of these are written by the Installer service (pid 1224): f749b75.msi is the cached copy of the package, f749b77.ipi its in-progress installation state, and the MSI*.tmp files are custom action binaries extracted from the package's Binary table. The cached .msi survives the run; collecting it and dumping its CustomAction and Binary tables (Orca, or the msitools utilities) is the quickest way to recover the script and DLL behind the network activity.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  iexplore.exe  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  iexplore.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry (2 TTPs, 4 IoCs)
Processes:
  iexplore.exe  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  iexplore.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  iexplore.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  iexplore.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion
Together with the ProcessorNameString read above, these BIOS strings are the usual registry fields checked for hypervisor vendor names. The reader is again iexplore.exe (pid 1340), i.e. the injected payload rather than the browser.
Modifies Control Panel (2 IoCs)
Processes:
  dacbP.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\(Padrão) 2 = "dacbP"
  dacbP.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\(Padrão) 3 = "C:\\Users\\Admin\\Saved Games\\Admin nOMen\\"
"Padrão" is Portuguese for "Default": on a Portuguese-locale Windows, regedit labels a key's unnamed default value "(Padrão)". The sample creates ordinary named values called "(Padrão) 2" and "(Padrão) 3" under HKCU\Control Panel and stores its own file name and install directory in them. On this English-locale sandbox the literal string stands out, and HKCU\Control Panel values whose names contain "Padrão" are a cheap host indicator.
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
Processes:
  flow 4  HTTP User-Agent header  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
This is the default user agent of the WinHttp.WinHttpRequest.5.1 COM object, the HTTP client that VBScript, JScript, VBA and PowerShell code reaches through COM. Seen on flow 4 from pid 1980, it is consistent with a script custom action that fetches content at install time rather than installing files carried in the package.
Suspicious behavior: EnumeratesProcesses (33 IoCs)
Processes:
  pid 1224  msiexec.exe   (2)
  pid 1340  iexplore.exe  (31)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  pid 1080  msiexec.exe (client, /I)   31 calls: SeShutdownPrivilege (x2), SeIncreaseQuotaPrivilege (x2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 1224  msiexec.exe (service, /V)  13 calls: SeRestorePrivilege (x6), SeTakeOwnershipPrivilege (x6), SeSecurityPrivilege
  pid 1140  WMIC.exe                   20 calls: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privilege LUIDs 33, 34 and 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege)
The msiexec.exe client and WMIC.exe both try to enable every privilege present in their token at start-up, so those rows are noise for this sample; the service's repeated SeRestore/SeTakeOwnership enables are the standard ones it uses for file operations under C:\Windows\Installer.
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
  pid 1080  msiexec.exe  (2)
  pid 1980  MsiExec.exe  (1)
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  pid 1224 msiexec.exe  -> pid 1980 MsiExec.exe   (7 writes)
  pid 1980 MsiExec.exe  -> pid 1140 WMIC.exe      (4 writes)
  pid 900  dacbP.exe    -> pid 1340 iexplore.exe  (5 writes)
The first two pairs are the usual writes a parent makes into a child it has just created and show up for benign launches as well. The third is not: dacbP.exe starts Internet Explorer and writes into it, and every host-recon and persistence action in this report (registry Run key, CPU and BIOS queries, process enumeration) is then carried out by that iexplore.exe. That is the pattern of code injected into a freshly created legitimate process, and iexplore.exe is the process whose memory should be dumped for the payload.
Processes
Depth numbers are the report's; PIDs are taken from the signature tables above.

[1] C:\Windows\system32\msiexec.exe  (pid 1080)
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d13d644d111ba1ad4a95d7c6dfd9b669.msi
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] C:\Windows\system32\msiexec.exe  (pid 1224)
    C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\syswow64\MsiExec.exe  (pid 1980)
        C:\Windows\syswow64\MsiExec.exe -Embedding DCADB751D7A3CFD91CB6CE15A75138C7
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\Wbem\WMIC.exe  (pid 1140)
            "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin nOMen\dacbP.exe'
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\Saved Games\Admin nOMen\dacbP.exe  (pid 900)
    "C:\Users\Admin\Saved Games\Admin nOMen\dacbP.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Control Panel
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files (x86)\Internet explorer\iexplore.exe  (pid 1340)
        "C:\Program Files (x86)\Internet explorer\iexplore.exe"
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses

How the chain fits together: the user-facing msiexec.exe (pid 1080) hands the package to the Windows Installer service (msiexec.exe /V, pid 1224), which caches it under C:\Windows\Installer and starts a 32-bit custom action server (MsiExec.exe -Embedding, pid 1980, under syswow64). That custom action server, not the installer, is the process that makes the network requests and runs WMIC.exe with "process call create" to start the dropped dacbP.exe. Because WMI creates the requested process on the caller's behalf, dacbP.exe is parented by WmiPrvSE.exe rather than by WMIC.exe; that is why it appears at depth 1 here and why a detection that only follows parent-child links loses the trail at this point (ATT&CK T1047, Windows Management Instrumentation). The WMIC command line and the file path are what tie it back. dacbP.exe then starts Internet Explorer and writes into its memory, and everything after that (Run key persistence, CPU and BIOS checks, process enumeration) is done from inside iexplore.exe.
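The chain above is what a detection should be able to reconstruct from endpoint telemetry. The following is an added example, not sandbox output and not the sample's code: it replays constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set) built from this report's process tree, reconnects the WMI-created dacbP.exe to the WMIC.exe that requested it by matching the command line, and flags the two behaviours worth alerting on: an Installer custom action server spawning WMIC.exe "process call create", and a Run value that points into the user profile and is written by a descendant of the very binary it persists. The parent PIDs 480 and 600, the WmiPrvSE.exe record and its PID 2300 are assumptions; every other PID, image and command line is taken from the report.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events mirroring the report's process tree.
# Event 1 = process create, event 13 = registry value set.  PIDs, images and
# command lines are the report's; the parent PIDs 480/600 and the WmiPrvSE.exe
# record (pid 2300) are assumptions for illustration.
WMIC_CMD = (r'"C:\Windows\System32\Wbem\WMIC.exe" process call create '
            r"'C:\Users\Admin\Saved Games\Admin nOMen\dacbP.exe'")
EVENTS = [
    (1, {"pid": 1080, "ppid": 600, "image": r"C:\Windows\system32\msiexec.exe",
         "cmd": r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d13d644d111ba1ad4a95d7c6dfd9b669.msi"}),
    (1, {"pid": 1224, "ppid": 480, "image": r"C:\Windows\system32\msiexec.exe",
         "cmd": r"C:\Windows\system32\msiexec.exe /V"}),
    (1, {"pid": 1980, "ppid": 1224, "image": r"C:\Windows\syswow64\MsiExec.exe",
         "cmd": r"C:\Windows\syswow64\MsiExec.exe -Embedding DCADB751D7A3CFD91CB6CE15A75138C7"}),
    (1, {"pid": 1140, "ppid": 1980, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "cmd": WMIC_CMD}),
    (1, {"pid": 2300, "ppid": 480, "image": r"C:\Windows\system32\wbem\WmiPrvSE.exe",
         "cmd": "WmiPrvSE.exe"}),  # assumed: WMI process host that actually creates the child
    (1, {"pid": 900, "ppid": 2300, "image": r"C:\Users\Admin\Saved Games\Admin nOMen\dacbP.exe",
         "cmd": r'"C:\Users\Admin\Saved Games\Admin nOMen\dacbP.exe"'}),
    (1, {"pid": 1340, "ppid": 900, "image": r"C:\Program Files (x86)\Internet explorer\iexplore.exe",
         "cmd": r'"C:\Program Files (x86)\Internet explorer\iexplore.exe"'}),
    (13, {"pid": 1340, "image": r"C:\Program Files (x86)\Internet explorer\iexplore.exe",
          "target": r"HKU\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin-_6JPWD6J651",
          "details": r'"C:\Users\Admin\Saved Games\Admin nOMen\dacbP.exe"'}),
]

WMIC_CREATE = re.compile(r"""process\s+call\s+create\s+["']?([^"']+)""", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)


def build_tree(events):
    """Index process-create events by pid and by parent pid."""
    procs, children = {}, defaultdict(list)
    for eid, f in events:
        if eid == 1:
            procs[f["pid"]] = f
            children[f["ppid"]].append(f["pid"])
    return procs, children


def wmi_launch_links(procs):
    """Map pid -> the WMIC.exe pid whose 'process call create' named its image.

    WMI starts the requested process under WmiPrvSE.exe, so the ppid chain
    alone never connects dacbP.exe back to the installer; the command line does.
    """
    links = {}
    for pid, p in procs.items():
        m = WMIC_CREATE.search(p["cmd"]) if p["image"].lower().endswith(r"\wmic.exe") else None
        if not m:
            continue
        target = m.group(1).strip().lower()
        for cpid, c in procs.items():
            if c["image"].lower() == target:
                links[cpid] = pid
    return links


def ancestors(pid, procs, links):
    """Ancestor pids nearest-first, crossing the WMI boundary via links."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        parent = procs[pid]["ppid"]
        if pid in links and procs.get(parent, {}).get("image", "").lower().endswith(r"\wmiprvse.exe"):
            parent = links[pid]  # logical parent is the requester, not WmiPrvSE.exe
        pid = parent
        if pid in procs:
            chain.append(pid)
    return chain


def findings(events):
    """Return (rule, pid, related_pid) tuples for the chain this report shows."""
    procs, children = build_tree(events)
    links = wmi_launch_links(procs)
    out = []
    # Rule 1: an Installer custom action server (MsiExec.exe -Embedding) asking WMI
    # to create a process.  Legitimate packages rarely need WMI to start what they install.
    for pid, p in procs.items():
        if p["image"].lower().endswith(r"\msiexec.exe") and "-embedding" in p["cmd"].lower():
            for cpid in children[pid]:
                if WMIC_CREATE.search(procs[cpid]["cmd"]):
                    out.append(("msi_customaction_wmi_launch", pid, cpid))
    # Rule 2: a Run value pointing into the user profile; stronger when the writer
    # descends (WMI link included) from the binary being persisted, which is the
    # injected-code pattern, since a browser has no business persisting it.
    for eid, f in events:
        if eid != 13 or not RUN_KEY.search(f["target"]):
            continue
        data = f["details"].strip('"').lower()
        if "\\users\\" not in data:
            continue
        persisted = [a for a in ancestors(f["pid"], procs, links)
                     if procs[a]["image"].lower() == data]
        if persisted:
            out.append(("run_key_written_by_child_of_persisted_binary", f["pid"], persisted[0]))
        else:
            out.append(("run_key_user_profile_path", f["pid"], None))
    return out


if __name__ == "__main__":
    for rule, pid, other in findings(EVENTS):
        print(f"{rule}: pid {pid} (related pid {other})")
```

The WMI link is the part worth carrying into a real rule set: without it, `ancestors(1340, ...)` stops at WmiPrvSE.exe and the Run key write looks like a browser with an odd autorun entry rather than the tail of an MSI-delivered chain.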
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\Saved Games\Admin nOMen\NvSmartMax.dll
  MD5:    1b587fb1603937d7d9f916cbe4ea778f
  SHA1:   5dfc53d151a71f36396a17df1bb0dcdda8074190
  SHA256: 8dfb35279242848faef62b35ca5720c21eecf2af1efc9f1830c5828b9609f292
  SHA512: 6f2992d30fdcca9b4171805348b3073b1393577c6ebb0e6f82b3282df9d2834542c536bd337bc85e5f2ed167000f0ca33600a2f37e88b3f0bfada1bb1e826de5

C:\Users\Admin\Saved Games\Admin nOMen\dacbP.exe
  MD5:    1f26da52aea0b3dfe2e829665bd2474f
  SHA1:   a852a99e2982df75842ccfc274ea3f9c54d22859
  SHA256: 33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32
  SHA512: dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d

C:\Users\Admin\Saved Games\Admin nOMen\dacbP.~tmp
  MD5:    3f0f24b43f992f70f0e2decff7350dfd
  SHA1:   be52b7c076a5fae4b495dc9bfa14ae90b94895d4
  SHA256: 968f32f311da3934c6de7aea33d3e7b769f060a6d56bfd34939cc1a0e221df92
  SHA512: 454e88722d5c515ec08a0d436434cdfd618d0dabb89559dcd065d071e293b0c370f96a964c4d4c30a17528267960c52f7eba7b5894468b6f9f0464bef55442b8

C:\Windows\Installer\MSI9C30.tmp
  MD5:    9f1e5d66c2889018daef4aef604eebc4
  SHA1:   b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

C:\Windows\Installer\MSI9EEF.tmp
  MD5:    9f1e5d66c2889018daef4aef604eebc4
  SHA1:   b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

\Users\Admin\Saved Games\Admin nOMen\NvSmartMax.dll
  MD5:    88a09ec796a0df79e7be3a7d423e6edb
  SHA1:   e04349ccc68474fde98dbbea01658cb3dcbde640
  SHA256: c0dbd6b944e2592368d55e8a24c593295c4b7fd377e56be2dee44f137f98254f
  SHA512: a021c2acc50c160c6e6789d3ac88802341f58ba106fe5003354c07e8b29fe3fe99925d36648c7cb803fcce2af9720cabedfe5058597dd423e09b050e0c377ac8

\Users\Admin\Saved Games\Admin nOMen\NvSmartMax.dll
  MD5:    c7bc4fc6042cfcab5a1b86f8ddd7b64a
  SHA1:   376cb8e9aa47705e4ce358f230e959663c0f9fc7
  SHA256: 17a614ec473f3fa03f1a40125f937778aa15880d5cb7b7fb7609a9b66f42b5cf
  SHA512: b7d6e7f712aee77547993eaf91e0361734ceb371fa3af651a2dfeab434a09b2c78af92ed0a0ed5c7ebf256660d30f7285fe75b63354117fe715a838fcdecfb22

\Windows\Installer\MSI9C30.tmp
  MD5, SHA1, SHA256, SHA512: identical to C:\Windows\Installer\MSI9C30.tmp above

\Windows\Installer\MSI9EEF.tmp
  MD5, SHA1, SHA256, SHA512: identical to C:\Windows\Installer\MSI9EEF.tmp above

Two things in this list matter for triage. MSI9C30.tmp and MSI9EEF.tmp are the same content (identical hashes), so there is one custom action DLL, extracted twice. NvSmartMax.dll is recorded three times at the same path with three different hash sets, so the file at that path was rewritten during the run; all three SHA256 values are valid indicators. NvSmartMax.dll is the file name of an NVIDIA library, and a DLL with that name dropped beside a renamed executable in a user-writable directory is the layout of DLL side-loading; the report does not identify dacbP.exe, so treat that as a hypothesis and confirm it by checking the executable's signer and original file name.

Memory dumps
memory/900-73   0x0000000001190000-0x0000000002254000  memory.dmp   Filesize 16.8MB  (dacbP.exe; the largest dump, start here for the dropped executable)
memory/1080-60  0x000007FEFB631000-0x000007FEFB633000  memory.dmp   Filesize 8KB     (msiexec.exe client)
memory/1140-69  mapping.dmp  (WMIC.exe)
memory/1340-75  mapping.dmp  (iexplore.exe)
memory/1980-68  0x0000000000D90000-0x0000000000D91000  memory.dmp   Filesize 4KB     (MsiExec.exe custom action server)
memory/1980-63  0x0000000075801000-0x0000000075803000  memory.dmp   Filesize 8KB     (MsiExec.exe custom action server)
memory/1980-62  mapping.dmp  (MsiExec.exe custom action server)
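The hashes above are directly usable as host indicators. The following is an added example, not part of the sandbox report: it normalizes the report's paths (the list mixes "C:\..." and "\..." forms), shows which entries are the same content under different names and which path was recorded with several different contents, and sweeps a directory tree for files whose SHA256 matches the indicator set. The directory it sweeps, and the stand-in file named dacbP.exe inside it, are constructed in a temporary folder; the names mirror the report only so the output reads naturally.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# (path as listed in the report, SHA256) copied from the Downloads section.
DROPPED = [
    (r"C:\Users\Admin\Saved Games\Admin nOMen\NvSmartMax.dll",
     "8dfb35279242848faef62b35ca5720c21eecf2af1efc9f1830c5828b9609f292"),
    (r"C:\Users\Admin\Saved Games\Admin nOMen\dacbP.exe",
     "33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32"),
    (r"C:\Users\Admin\Saved Games\Admin nOMen\dacbP.~tmp",
     "968f32f311da3934c6de7aea33d3e7b769f060a6d56bfd34939cc1a0e221df92"),
    (r"C:\Windows\Installer\MSI9C30.tmp",
     "02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222"),
    (r"C:\Windows\Installer\MSI9EEF.tmp",
     "02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222"),
    (r"\Users\Admin\Saved Games\Admin nOMen\NvSmartMax.dll",
     "c0dbd6b944e2592368d55e8a24c593295c4b7fd377e56be2dee44f137f98254f"),
    (r"\Users\Admin\Saved Games\Admin nOMen\NvSmartMax.dll",
     "17a614ec473f3fa03f1a40125f937778aa15880d5cb7b7fb7609a9b66f42b5cf"),
    (r"\Windows\Installer\MSI9C30.tmp",
     "02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222"),
    (r"\Windows\Installer\MSI9EEF.tmp",
     "02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222"),
]

# Constructed content for the stand-in file written by demo(); not a real sample.
CONSTRUCTED_CONTENT = b"constructed stand-in, not the real dropped binary\n"


def normalize(path):
    """Case-fold and drop the drive letter so 'C:\\X' and '\\X' compare equal."""
    p = path.replace("/", "\\").lower()
    return p[2:] if len(p) > 1 and p[1] == ":" else p


def versions_by_path(dropped):
    """Distinct hashes recorded for each path: more than one means the file was rewritten."""
    out = defaultdict(set)
    for path, sha in dropped:
        out[normalize(path)].add(sha.lower())
    return dict(out)


def duplicates_by_hash(dropped):
    """Hashes shared by more than one path (same content under several names)."""
    by_hash = defaultdict(set)
    for path, sha in dropped:
        by_hash[sha.lower()].add(normalize(path))
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large dumps do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hashes):
    """Hash every file under root and return (path, sha256) for indicator matches."""
    wanted = {h.lower() for h in hashes}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:  # unreadable or vanished file: skip, do not abort the sweep
                continue
            if digest in wanted:
                hits.append((full, digest))
    return hits


def demo():
    """Sweep a constructed directory: nothing matches the report's hashes until the
    constructed file's own hash is added to the indicator set."""
    report_hashes = {sha for _, sha in DROPPED}
    with tempfile.TemporaryDirectory() as tmp:
        sub = os.path.join(tmp, "Saved Games", "Admin nOMen")
        os.makedirs(sub)
        with open(os.path.join(sub, "dacbP.exe"), "wb") as fh:
            fh.write(CONSTRUCTED_CONTENT)
        before = sweep(tmp, report_hashes)
        after = sweep(tmp, report_hashes | {sha256_bytes(CONSTRUCTED_CONTENT)})
    return before, [(os.path.basename(p), h) for p, h in after]


if __name__ == "__main__":
    for path, shas in versions_by_path(DROPPED).items():
        if len(shas) > 1:
            print(f"{path}: {len(shas)} distinct versions")
    for sha, paths in duplicates_by_hash(DROPPED).items():
        print(f"{sha[:12]}... shared by {paths}")
    print(demo())
```

Matching on SHA256 alone is deliberate: MD5 and SHA1 collisions are cheap enough that a hash-only sweep should key on the strongest digest the report gives, and the report supplies SHA256 for every dropped file.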