Analysis
- max time kernel: 60s
- max time network: 163s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 14-10-2021 17:55
Behavioral task: behavioral1
- Sample: d392d9bfb7046189dc7bd9783a1602ae.msi
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: d392d9bfb7046189dc7bd9783a1602ae.msi
- Resource: win10-en-20211014
General
- Target: d392d9bfb7046189dc7bd9783a1602ae.msi
- Size: 264KB
- MD5: d392d9bfb7046189dc7bd9783a1602ae
- SHA1: 884ebbad69a4d9e3ce5973514c5c6d77f4d672a4
- SHA256: cf3537f8d24f8b59848c996f0fb94fd8f81bebd4a9baa8e1922f635eadc2d33e
- SHA512: fb3d8166ce2f4f0a54b4b87922a75c693694309062eb17eed2ed2d03e052e2517c77231f18199bfa5d3f1f5d36a4aedf2d0696c913bdf4b60256cf529237ee86
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow / pid / process):
  - flow 3, pid 628, MsiExec.exe
  - flow 5, pid 628, MsiExec.exe
  - flow 7, pid 628, MsiExec.exe
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 1268 zAgRv.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid / process):
  - 628 MsiExec.exe
  - 628 MsiExec.exe
  - 1268 zAgRv.exe
  - 908 iexplore.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run (iexplore.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin-_39cd3 = "\"C:\\Users\\Admin\\Saved Games\\Admin FrYCG\\zAgRv.exe\"" (iexplore.exe)
  The Run value is written by iexplore.exe (PID 908), not by the dropped executable; zAgRv.exe (PID 1268) is the process that writes into iexplore.exe's memory (see Suspicious use of WriteProcessMemory), so the persistence is set from the injected browser process.
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description / ioc / process):
  - File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
  - Each of the 24 drive letters above is opened twice, once by each of the two msiexec.exe processes (48 events in total); C: and D: are not probed.
- Drops file in Windows directory (8 IoCs)
  Processes (description / ioc / process), all msiexec.exe:
  - File opened for modification: C:\Windows\Installer\
  - File opened for modification: C:\Windows\Installer\MSI2E0.tmp
  - File opened for modification: C:\Windows\Installer\f767d5c.ipi
  - File created: C:\Windows\Installer\f767d5a.msi
  - File opened for modification: C:\Windows\Installer\f767d5a.msi
  - File opened for modification: C:\Windows\Installer\MSI7E63.tmp
  - File opened for modification: C:\Windows\Installer\MSI7F8D.tmp
  - File created: C:\Windows\Installer\f767d5c.ipi
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process), all iexplore.exe:
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 4 IoCs)
  Processes (description / ioc / process), all iexplore.exe:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Modifies Control Panel (2 IoCs)
  Processes (description / ioc / process), all zAgRv.exe:
  - Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\(Padrão) 2 = "zAgRv"
  - Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\(Padrão) 3 = "C:\\Users\\Admin\\Saved Games\\Admin FrYCG\\"
  The value names are reproduced literally; "Padrão" is Portuguese for "Default". The two values store the dropped executable's name and its directory, so they are usable host indicators alongside the Run key.
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  Processes (description / flow / ioc):
  - HTTP User-Agent header, flow 3: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  This is the default User-Agent of the WinHttp.WinHttpRequest COM object, normally driven from script (VBScript/JScript) rather than from native installer code. Flow 3 belongs to MsiExec.exe (PID 628); see the blocklisted network requests above.
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  Processes (pid / process):
  - 520 msiexec.exe (2 events)
  - 908 iexplore.exe (30 events)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process), grouped by process:
  - 1200 msiexec.exe (31 events): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  - 520 msiexec.exe (13 events): SeSecurityPrivilege once; SeRestorePrivilege and SeTakeOwnershipPrivilege adjusted as a pair six times
  - 2036 WMIC.exe (20 events): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the unnamed LUIDs 33, 34, 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege, which the sandbox did not resolve to names)
  These privilege adjustments are routine for msiexec.exe and WMIC.exe; the signal in this report is the process chain they sit in, not the token changes themselves.
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid / process):
  - 1200 msiexec.exe
  - 628 MsiExec.exe
  - 1200 msiexec.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description / pid / process / target process):
  - PID 520 msiexec.exe wrote to memory of 628 MsiExec.exe (7 events)
  - PID 628 MsiExec.exe wrote to memory of 2036 WMIC.exe (4 events)
  - PID 1268 zAgRv.exe wrote to memory of 908 iexplore.exe (5 events)
  The first two groups are consistent with a parent creating a child process. The last is the dropped executable writing into a browser it launched, which is the injection behind the Run-key write and the registry fingerprinting attributed to iexplore.exe.
Processes
- C:\Windows\system32\msiexec.exe (PID 1200, per the signature entries)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d392d9bfb7046189dc7bd9783a1602ae.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 520, the Windows Installer service instance)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 628, 32-bit custom-action server)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2EF1A1D90EBB32D6C159DC851CDF222A
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2036)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin FrYCG\zAgRv.exe'
      - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Saved Games\Admin FrYCG\zAgRv.exe (PID 1268)
  Command line: "C:\Users\Admin\Saved Games\Admin FrYCG\zAgRv.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet explorer\iexplore.exe (PID 908)
    Command line: "C:\Program Files (x86)\Internet explorer\iexplore.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses

Notes on the chain: msiexec.exe /V is the Windows Installer service. It hands the package's custom action to a 32-bit MsiExec.exe -Embedding server (PID 628), and that server is the process that makes the network requests and loads the dropped DLLs. The server launches the dropped executable through WMI (wmic process call create) rather than with a direct CreateProcess, so zAgRv.exe is parented by the WMI provider host and shows up as a separate root in the tree instead of as a child of msiexec.exe; a parent/child rule keyed on msiexec.exe spawning a binary from a user directory will miss it. The System32 path in the WMIC command line resolves to SysWOW64 because the caller is 32-bit (file-system redirection). zAgRv.exe then starts iexplore.exe and writes into it, and the Run-key persistence and registry fingerprinting are performed from that browser process.
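The chain in this tree (installer custom action, WMI-launched dropper in a user profile directory, injection into iexplore.exe, Run key pointing at the dropped file, script-host User-Agent from MsiExec.exe) is what a detection should key on, not any single process. The following is an added example written for this page, not Triage output and not the sample's code: four rules plus an "untrusted root" check, run over a constructed, Sysmon-style event list modelled on the report's own PIDs, paths and command lines. The event schema (type, pid, ppid, image, cmdline, key, value, user_agent, target_pid), the rule names and the TRUSTED_DIRS list are assumptions of the example.

```python
"""Detection rules for the execution chain in this report, evaluated over
constructed Sysmon-style events. Added example: not Triage output and not the
sample's code. The event schema, rule names and TRUSTED_DIRS are assumptions."""
import re

# Directories whose executables the path-based rules treat as trusted (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

SID = "S-1-5-21-3456797065-1076791440-4146276586-1000"
DROP_DIR = r"C:\Users\Admin\Saved Games\Admin FrYCG"

# Constructed sample events modelled on the process tree and IoCs in the report.
EVENTS = [
    {"type": "process", "pid": 520, "ppid": 0,
     "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"type": "process", "pid": 628, "ppid": 520,
     "image": r"C:\Windows\syswow64\MsiExec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding 2EF1A1D90EBB32D6C159DC851CDF222A"},
    {"type": "process", "pid": 2036, "ppid": 628,
     "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": '"C:\\Windows\\System32\\Wbem\\WMIC.exe" process call create '
                + "'" + DROP_DIR + "\\zAgRv.exe'"},
    # The dropper is created by WMI, so its parent is not 628; it is a tree root.
    {"type": "process", "pid": 1268, "ppid": 0,
     "image": DROP_DIR + r"\zAgRv.exe",
     "cmdline": '"' + DROP_DIR + r'\zAgRv.exe"'},
    {"type": "process", "pid": 908, "ppid": 1268,
     "image": r"C:\Program Files (x86)\Internet explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files (x86)\Internet explorer\iexplore.exe"'},
    {"type": "memory_write", "pid": 1268, "target_pid": 908},
    {"type": "registry", "pid": 908,
     "key": r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\Admin-_39cd3" % SID,
     "value": '"' + DROP_DIR + r'\zAgRv.exe"'},
    {"type": "http", "pid": 628, "flow": 3,
     "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"},
]


def basename(path):
    """Last path component, lower-cased, surrounding quotes stripped."""
    return path.strip("\"'").rsplit("\\", 1)[-1].lower()


def in_trusted_dir(path):
    """True if the (possibly quoted) path lies under one of TRUSTED_DIRS."""
    return path.strip("\"'").lower().startswith(TRUSTED_DIRS)


def wmic_create_target(cmdline):
    """Executable passed to 'wmic process call create', quoted or not; None otherwise."""
    m = re.search(r'''process\s+call\s+create\s+(["']?)(.+?)\1\s*$''', cmdline, re.I)
    return m.group(2) if m else None


def detect(events):
    """Apply the four chain rules; returns (rule, pid, detail) tuples."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process" and basename(e["image"]) == "wmic.exe":
            # Rule 1: WMIC used by an MSI host to start a binary outside trusted dirs.
            parent, target = procs.get(e["ppid"]), wmic_create_target(e["cmdline"])
            if target and parent and basename(parent["image"]) == "msiexec.exe" \
                    and not in_trusted_dir(target):
                findings.append(("wmic_spawn_from_msi", e["pid"], target))
        elif e["type"] == "memory_write":
            # Rule 2: untrusted image writes into a process running a trusted image.
            src, dst = procs.get(e["pid"]), procs.get(e["target_pid"])
            if src and dst and not in_trusted_dir(src["image"]) and in_trusted_dir(dst["image"]):
                findings.append(("cross_process_write_into_trusted_image", e["pid"], e["target_pid"]))
        elif e["type"] == "registry":
            # Rule 3: Run value whose data points outside trusted directories.
            if re.search(r"\\CurrentVersion\\Run\\", e["key"], re.I) and not in_trusted_dir(e["value"]):
                findings.append(("run_key_to_untrusted_path", e["pid"], e["value"]))
        elif e["type"] == "http":
            # Rule 4: WinHttpRequest COM User-Agent coming from an installer process.
            proc = procs.get(e["pid"])
            if proc and basename(proc["image"]) == "msiexec.exe" \
                    and "WinHttp.WinHttpRequest" in e["user_agent"]:
                findings.append(("script_user_agent_from_installer", e["pid"], e["user_agent"]))
    return findings


def orphan_untrusted_roots(events):
    """PIDs whose parent is absent from the event set and whose image is untrusted.
    A WMI-launched dropper lands here because its parent is the WMI provider host,
    not the installer that requested it."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    return [e["pid"] for e in procs.values()
            if e["ppid"] not in procs and not in_trusted_dir(e["image"])]


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
    print("untrusted roots:", orphan_untrusted_roots(EVENTS))
```

The orphan-root check is the one that survives the WMI indirection: it does not need the msiexec.exe to zAgRv.exe edge that the tree lacks. On real telemetry, replace EVENTS with parsed Sysmon event IDs 1 (process create), 8/10 (remote thread and process access, standing in for the memory_write events), 13 (registry set) and a proxy or EDR HTTP log for the User-Agent.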
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Saved Games\Admin FrYCG\NvSmartMax.dll
  MD5: 6be551a35f31c78ee10f91a916855dc1
  SHA1: 034da0f36debf4370e33251f4a0ea064e83344af
  SHA256: 5780ea041f2527da1b989c3fd120c6defe0f955bdebd8afb252c18ffe92c02e4
  SHA512: f18b2bba1f9271308e1f140801c019a704aef8bb963a7db1094d4fdc1eb577d6177af07484bfefa37a89f3fb17d62d109ccbd515ae570ac43e606e00df4231af
- C:\Users\Admin\Saved Games\Admin FrYCG\zAgRv.exe
  MD5: 1f26da52aea0b3dfe2e829665bd2474f
  SHA1: a852a99e2982df75842ccfc274ea3f9c54d22859
  SHA256: 33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32
  SHA512: dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d
- C:\Users\Admin\Saved Games\Admin FrYCG\zAgRv.~tmp
  MD5: 2f3335c18aaa8ae44810a1bacae61691
  SHA1: a11b4b06148fc8cea338cfe29868366aec726cf8
  SHA256: 6ab83e36dcd1534ad13f989feb4771d375ba67b77f9da1b9dd2aeea5d4683034
  SHA512: e66e569407f6778ef5af0b97db1e553c264296ded96dc6691966834d8eb700b196bcbe329170f05bf30d07a004e6bf8f380b41ad2cb014e618dc8ae306ff5a14
- C:\Windows\Installer\MSI7E63.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
- C:\Windows\Installer\MSI7F8D.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
- \Users\Admin\Saved Games\Admin FrYCG\NvSmartMax.dll
  MD5: e4898d684fa83ae7a510d6f183f5f93a
  SHA1: ec2c1d6dda404a782643f9380b69b1027cc87efa
  SHA256: ba21917bc82f96665274d50c2bed69bf5db08fa571651336b5ebbb5186482498
  SHA512: 9e3f909f41586af9d122f1b398be68f9df49e51a549a22789114bb0a9e2c3bd82772da264c16e1c205e8662ff2a5c58429b89c8dd26532f0686e5ff524a6b6fc
- \Users\Admin\Saved Games\Admin FrYCG\NvSmartMax.dll
  MD5: 2639464e479cee0d02acee52beabe837
  SHA1: 1f3e9a0575d24a5d2a5ada29eb842538c5ec856b
  SHA256: a938fc4529f05537f2736717daa2836225264796c8f80c06bebfb8e6dba328d8
  SHA512: 32596ebbfbffc2308f5c6927621e48b1ff51fe67e14257a186d9c479ddef7aba2fa286e70307198fbba45db6e48d6a098ff50b2fb86b7d9e5c0f69dfa9e0bfed
- \Windows\Installer\MSI7E63.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
- \Windows\Installer\MSI7F8D.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Notes on the dropped files: MSI7E63.tmp and MSI7F8D.tmp carry identical hashes and are the custom-action binaries the installer extracts into C:\Windows\Installer; they match the two "Loads dropped DLL" events for PID 628. Three different NvSmartMax.dll images (three distinct hash sets above) were written to the directory holding zAgRv.exe, and zAgRv.exe is flagged for loading a dropped DLL, but the report does not show which of the three it loaded; pivot on the directory and the executable's hashes rather than on a single DLL hash.
Memory dumps:
- memory/628-61-0x00000000009C0000-0x00000000009C1000-memory.dmp (4KB)
- memory/628-56-0x00000000751A1000-0x00000000751A3000-memory.dmp (8KB)
- memory/628-55-0x0000000000000000-mapping.dmp
- memory/908-69-0x0000000000000000-mapping.dmp
- memory/1200-53-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp (8KB)
- memory/1268-66-0x0000000000BD0000-0x000000000104A000-memory.dmp (4.5MB)
- memory/2036-62-0x0000000000000000-mapping.dmp