Overview

overview

8

Static

static

8

d392d9bfb7...ae.msi

windows7_x64

8

d392d9bfb7...ae.msi

windows10_x64

8

Analysis

  • max time kernel
    60s
  • max time network
    163s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    14-10-2021 17:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d392d9bfb7046189dc7bd9783a1602ae.msi

  • Size

    264KB

  • MD5

    d392d9bfb7046189dc7bd9783a1602ae

  • SHA1

    884ebbad69a4d9e3ce5973514c5c6d77f4d672a4

  • SHA256

    cf3537f8d24f8b59848c996f0fb94fd8f81bebd4a9baa8e1922f635eadc2d33e

  • SHA512

    fb3d8166ce2f4f0a54b4b87922a75c693694309062eb17eed2ed2d03e052e2517c77231f18199bfa5d3f1f5d36a4aedf2d0696c913bdf4b60256cf529237ee86

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 8 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d392d9bfb7046189dc7bd9783a1602ae.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1200
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:520
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2EF1A1D90EBB32D6C159DC851CDF222A
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:628
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin FrYCG\zAgRv.exe'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2036
  • C:\Users\Admin\Saved Games\Admin FrYCG\zAgRv.exe
    "C:\Users\Admin\Saved Games\Admin FrYCG\zAgRv.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Program Files (x86)\Internet explorer\iexplore.exe
      "C:\Program Files (x86)\Internet explorer\iexplore.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Saved Games\Admin FrYCG\NvSmartMax.dll
    MD5

    6be551a35f31c78ee10f91a916855dc1

    SHA1

    034da0f36debf4370e33251f4a0ea064e83344af

    SHA256

    5780ea041f2527da1b989c3fd120c6defe0f955bdebd8afb252c18ffe92c02e4

    SHA512

    f18b2bba1f9271308e1f140801c019a704aef8bb963a7db1094d4fdc1eb577d6177af07484bfefa37a89f3fb17d62d109ccbd515ae570ac43e606e00df4231af

    Download Submit
  • C:\Users\Admin\Saved Games\Admin FrYCG\zAgRv.exe
    MD5

    1f26da52aea0b3dfe2e829665bd2474f

    SHA1

    a852a99e2982df75842ccfc274ea3f9c54d22859

    SHA256

    33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32

    SHA512

    dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d

    Download Submit
  • C:\Users\Admin\Saved Games\Admin FrYCG\zAgRv.exe
    MD5

    1f26da52aea0b3dfe2e829665bd2474f

    SHA1

    a852a99e2982df75842ccfc274ea3f9c54d22859

    SHA256

    33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32

    SHA512

    dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d

    Download Submit
  • C:\Users\Admin\Saved Games\Admin FrYCG\zAgRv.~tmp
    MD5

    2f3335c18aaa8ae44810a1bacae61691

    SHA1

    a11b4b06148fc8cea338cfe29868366aec726cf8

    SHA256

    6ab83e36dcd1534ad13f989feb4771d375ba67b77f9da1b9dd2aeea5d4683034

    SHA512

    e66e569407f6778ef5af0b97db1e553c264296ded96dc6691966834d8eb700b196bcbe329170f05bf30d07a004e6bf8f380b41ad2cb014e618dc8ae306ff5a14

    Download Submit
  • C:\Windows\Installer\MSI7E63.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSI7F8D.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Users\Admin\Saved Games\Admin FrYCG\NvSmartMax.dll
    MD5

    e4898d684fa83ae7a510d6f183f5f93a

    SHA1

    ec2c1d6dda404a782643f9380b69b1027cc87efa

    SHA256

    ba21917bc82f96665274d50c2bed69bf5db08fa571651336b5ebbb5186482498

    SHA512

    9e3f909f41586af9d122f1b398be68f9df49e51a549a22789114bb0a9e2c3bd82772da264c16e1c205e8662ff2a5c58429b89c8dd26532f0686e5ff524a6b6fc

    Download Submit
  • \Users\Admin\Saved Games\Admin FrYCG\NvSmartMax.dll
    MD5

    2639464e479cee0d02acee52beabe837

    SHA1

    1f3e9a0575d24a5d2a5ada29eb842538c5ec856b

    SHA256

    a938fc4529f05537f2736717daa2836225264796c8f80c06bebfb8e6dba328d8

    SHA512

    32596ebbfbffc2308f5c6927621e48b1ff51fe67e14257a186d9c479ddef7aba2fa286e70307198fbba45db6e48d6a098ff50b2fb86b7d9e5c0f69dfa9e0bfed

    Download Submit
  • \Windows\Installer\MSI7E63.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSI7F8D.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • memory/628-61-0x00000000009C0000-0x00000000009C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/628-56-0x00000000751A1000-0x00000000751A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/628-55-0x0000000000000000-mapping.dmp
    Download
  • memory/908-69-0x0000000000000000-mapping.dmp
    Download
  • memory/1200-53-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1268-66-0x0000000000BD0000-0x000000000104A000-memory.dmp
    Filesize

    4.5MB

    Download
  • memory/2036-62-0x0000000000000000-mapping.dmp
    Download