Analysis
- max time kernel: 138s
- max time network: 156s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 14-10-2021 14:20
Behavioral task: behavioral1
- Sample: d13d644d111ba1ad4a95d7c6dfd9b669.msi
- Resource: win7-en-20210920

Behavioral task: behavioral2
- Sample: d13d644d111ba1ad4a95d7c6dfd9b669.msi
- Resource: win10-en-20210920
General
- Target: d13d644d111ba1ad4a95d7c6dfd9b669.msi
- Size: 264KB
- MD5: d13d644d111ba1ad4a95d7c6dfd9b669
- SHA1: 3c9871a124d2eebeb68ebbfd49fe9b05320a4972
- SHA256: 630793d812d85e763f5042ec21cfa2d5da436ee535fdd1ccd00b52c45f82ccb9
- SHA512: 4f03ce84adfb108da2245914949a6a133b479d05fbde75ced318ad4142d34aebea0d318bdbfd66fd876e3fa146e9cd8379a32b4ebed3a5e37dd9624cf63a7ddb
Malware Config
Signatures

Blocklisted process makes network request (3 IoCs)
Processes:
- flow 3, pid 860, MsiExec.exe
- flow 5, pid 860, MsiExec.exe
- flow 7, pid 860, MsiExec.exe

Executes dropped EXE (1 IoC)
Processes:
- pid 1276, feSeq.exe

Loads dropped DLL (4 IoCs)
Processes:
- pid 860, MsiExec.exe
- pid 860, MsiExec.exe
- pid 1276, feSeq.exe
- pid 956, iexplore.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin-_QKK6z18U6 = "\"C:\\Users\\Admin\\Saved Games\\Admin iulLz\\feSeq.exe\"" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run (iexplore.exe)

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
- File opened (read-only) by msiexec.exe; each of the following drive roots appears twice among the 48 entries: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:

Drops file in Windows directory (8 IoCs)
Processes (all msiexec.exe):
- File opened for modification: C:\Windows\Installer\MSI6E7E.tmp
- File opened for modification: C:\Windows\Installer\f765015.ipi
- File created: C:\Windows\Installer\f765013.msi
- File opened for modification: C:\Windows\Installer\f765013.msi
- File opened for modification: C:\Windows\Installer\MSI535E.tmp
- File opened for modification: C:\Windows\Installer\MSI5810.tmp
- File created: C:\Windows\Installer\f765015.ipi
- File opened for modification: C:\Windows\Installer\

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (all iexplore.exe):
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry (2 TTPs, 4 IoCs)
Processes (all iexplore.exe):
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion

Modifies Control Panel (2 IoCs)
Processes (all feSeq.exe):
- Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\(Padrão) 3 = "C:\\Users\\Admin\\Saved Games\\Admin iulLz\\"
- Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\(Padrão) 2 = "feSeq"

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
Processes:
- flow 3, HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (57 IoCs)
Processes:
- pid 1776, msiexec.exe (2 entries)
- pid 956, iexplore.exe (55 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
- pid 1588, msiexec.exe (31 entries), Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- pid 1776, msiexec.exe (13 entries), Token: SeSecurityPrivilege (1 entry), SeRestorePrivilege (6 entries), SeTakeOwnershipPrivilege (6 entries)
- pid 1960, WMIC.exe (20 entries), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
- pid 1588, msiexec.exe
- pid 860, MsiExec.exe
- pid 1588, msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
- PID 1776 (msiexec.exe) wrote to memory of PID 860 (MsiExec.exe): 7 entries
- PID 860 (MsiExec.exe) wrote to memory of PID 1960 (WMIC.exe): 4 entries
- PID 1276 (feSeq.exe) wrote to memory of PID 956 (iexplore.exe): 5 entries
Processes

- (depth 1) C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d13d644d111ba1ad4a95d7c6dfd9b669.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- (depth 1) C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - (depth 2) C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A7C96EA8C7E1A1E9DC512ED9DB1585BA
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    - (depth 3) C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin iulLz\feSeq.exe'
      - Suspicious use of AdjustPrivilegeToken

- (depth 1) C:\Users\Admin\Saved Games\Admin iulLz\feSeq.exe
  Command line: "C:\Users\Admin\Saved Games\Admin iulLz\feSeq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory

  - (depth 2) C:\Program Files (x86)\Internet explorer\iexplore.exe
    Command line: "C:\Program Files (x86)\Internet explorer\iexplore.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\Saved Games\Admin iulLz\NvSmartMax.dll
  MD5: db2d42f1be9b25f220355f470f33b6b5
  SHA1: 3f7b58d78883db095d4d487c53f37eafbcb7a211
  SHA256: 12bb9c01ea9251e2e941b11a270a2ebd047ee99a2cb2e2abba0354352b0399f5
  SHA512: adebb936a1b11a2e71de84d17f4d832c03d8fdfd566ecfc2e5c960d186eea25760472a10d1e55db04fad668951b3ad50172844cc772692e7fc97f3ab4a5b213a

- C:\Users\Admin\Saved Games\Admin iulLz\feSeq.exe
  MD5: 1f26da52aea0b3dfe2e829665bd2474f
  SHA1: a852a99e2982df75842ccfc274ea3f9c54d22859
  SHA256: 33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32
  SHA512: dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d

- C:\Users\Admin\Saved Games\Admin iulLz\feSeq.~tmp
  MD5: 3f0f24b43f992f70f0e2decff7350dfd
  SHA1: be52b7c076a5fae4b495dc9bfa14ae90b94895d4
  SHA256: 968f32f311da3934c6de7aea33d3e7b769f060a6d56bfd34939cc1a0e221df92
  SHA512: 454e88722d5c515ec08a0d436434cdfd618d0dabb89559dcd065d071e293b0c370f96a964c4d4c30a17528267960c52f7eba7b5894468b6f9f0464bef55442b8

- C:\Windows\Installer\MSI535E.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

- C:\Windows\Installer\MSI5810.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

- \Users\Admin\Saved Games\Admin iulLz\NvSmartMax.dll
  MD5: fa4ee7906b441d0222dd490b13aefaaf
  SHA1: 2cf9ad0e7782c308fe6a2c39af013f0e5f65c268
  SHA256: 21cff70a2a7022bc3d3474ca2e0be87a541131a58125e363a6db4d514d13fbf7
  SHA512: 9f367b1a6ee2916d1a94bf212ad6ca6e0eabb0396dd89d97ba3098fab381401bf515d95cd00347d163f6d5f63427fd02771a36757b051a40a04d72d541b98f3d

- \Users\Admin\Saved Games\Admin iulLz\NvSmartMax.dll
  MD5: e6f03f83092708a6bc5b6b0f09aefcfd
  SHA1: 8933ba09d1f2451a768ab2c41063418d3ce0072c
  SHA256: 7a3fe8550e8c0df375dc284ead02700b483ad2dcd21a8656ae7fc2956bf0afcd
  SHA512: f1fc8ff53981dd7775bf72f8d6ef6c8850b5f3da0625dd9ee161eecac3fb2558ba56e2f3624ef9c096540068a685187637fb937df3e2a009c5110f9dc61f0b63

- \Windows\Installer\MSI535E.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

- \Windows\Installer\MSI5810.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Memory dumps:
- memory/860-62-0x0000000001E20000-0x0000000001EA0000-memory.dmp (Filesize: 512KB)
- memory/860-57-0x0000000076961000-0x0000000076963000-memory.dmp (Filesize: 8KB)
- memory/860-56-0x0000000000000000-mapping.dmp
- memory/956-69-0x0000000000000000-mapping.dmp
- memory/1276-67-0x0000000000700000-0x00000000017C4000-memory.dmp (Filesize: 16.8MB)
- memory/1588-54-0x000007FEFC271000-0x000007FEFC273000-memory.dmp (Filesize: 8KB)
- memory/1960-63-0x0000000000000000-mapping.dmp