Overview

overview

8

Static

static

8

d13d644d11...69.msi

windows7_x64

8

d13d644d11...69.msi

windows10_x64

8

Analysis

  • max time kernel
    138s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    14-10-2021 14:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d13d644d111ba1ad4a95d7c6dfd9b669.msi

  • Size

    264KB

  • MD5

    d13d644d111ba1ad4a95d7c6dfd9b669

  • SHA1

    3c9871a124d2eebeb68ebbfd49fe9b05320a4972

  • SHA256

    630793d812d85e763f5042ec21cfa2d5da436ee535fdd1ccd00b52c45f82ccb9

  • SHA512

    4f03ce84adfb108da2245914949a6a133b479d05fbde75ced318ad4142d34aebea0d318bdbfd66fd876e3fa146e9cd8379a32b4ebed3a5e37dd9624cf63a7ddb

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 8 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 57 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d13d644d111ba1ad4a95d7c6dfd9b669.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1588
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A7C96EA8C7E1A1E9DC512ED9DB1585BA
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:860
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin iulLz\feSeq.exe'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1960
  • C:\Users\Admin\Saved Games\Admin iulLz\feSeq.exe
    "C:\Users\Admin\Saved Games\Admin iulLz\feSeq.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Program Files (x86)\Internet explorer\iexplore.exe
      "C:\Program Files (x86)\Internet explorer\iexplore.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Saved Games\Admin iulLz\NvSmartMax.dll
    MD5

    db2d42f1be9b25f220355f470f33b6b5

    SHA1

    3f7b58d78883db095d4d487c53f37eafbcb7a211

    SHA256

    12bb9c01ea9251e2e941b11a270a2ebd047ee99a2cb2e2abba0354352b0399f5

    SHA512

    adebb936a1b11a2e71de84d17f4d832c03d8fdfd566ecfc2e5c960d186eea25760472a10d1e55db04fad668951b3ad50172844cc772692e7fc97f3ab4a5b213a

    Download Submit
  • C:\Users\Admin\Saved Games\Admin iulLz\feSeq.exe
    MD5

    1f26da52aea0b3dfe2e829665bd2474f

    SHA1

    a852a99e2982df75842ccfc274ea3f9c54d22859

    SHA256

    33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32

    SHA512

    dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d

    Download Submit
  • C:\Users\Admin\Saved Games\Admin iulLz\feSeq.~tmp
    MD5

    3f0f24b43f992f70f0e2decff7350dfd

    SHA1

    be52b7c076a5fae4b495dc9bfa14ae90b94895d4

    SHA256

    968f32f311da3934c6de7aea33d3e7b769f060a6d56bfd34939cc1a0e221df92

    SHA512

    454e88722d5c515ec08a0d436434cdfd618d0dabb89559dcd065d071e293b0c370f96a964c4d4c30a17528267960c52f7eba7b5894468b6f9f0464bef55442b8

    Download Submit
  • C:\Windows\Installer\MSI535E.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSI5810.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Users\Admin\Saved Games\Admin iulLz\NvSmartMax.dll
    MD5

    fa4ee7906b441d0222dd490b13aefaaf

    SHA1

    2cf9ad0e7782c308fe6a2c39af013f0e5f65c268

    SHA256

    21cff70a2a7022bc3d3474ca2e0be87a541131a58125e363a6db4d514d13fbf7

    SHA512

    9f367b1a6ee2916d1a94bf212ad6ca6e0eabb0396dd89d97ba3098fab381401bf515d95cd00347d163f6d5f63427fd02771a36757b051a40a04d72d541b98f3d

    Download Submit
  • \Users\Admin\Saved Games\Admin iulLz\NvSmartMax.dll
    MD5

    e6f03f83092708a6bc5b6b0f09aefcfd

    SHA1

    8933ba09d1f2451a768ab2c41063418d3ce0072c

    SHA256

    7a3fe8550e8c0df375dc284ead02700b483ad2dcd21a8656ae7fc2956bf0afcd

    SHA512

    f1fc8ff53981dd7775bf72f8d6ef6c8850b5f3da0625dd9ee161eecac3fb2558ba56e2f3624ef9c096540068a685187637fb937df3e2a009c5110f9dc61f0b63

    Download Submit
  • \Windows\Installer\MSI535E.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSI5810.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • memory/860-62-0x0000000001E20000-0x0000000001EA0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/860-57-0x0000000076961000-0x0000000076963000-memory.dmp
    Filesize

    8KB

    Download
  • memory/860-56-0x0000000000000000-mapping.dmp
    Download
  • memory/956-69-0x0000000000000000-mapping.dmp
    Download
  • memory/1276-67-0x0000000000700000-0x00000000017C4000-memory.dmp
    Filesize

    16.8MB

    Download
  • memory/1588-54-0x000007FEFC271000-0x000007FEFC273000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1960-63-0x0000000000000000-mapping.dmp
    Download