Analysis
Max time kernel: 126s
Max time network: 151s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 14-10-2021 17:55
Behavioral task: behavioral1
Sample: d392d9bfb7046189dc7bd9783a1602ae.msi
Resource: win7-en-20210920
Behavioral task: behavioral2
Sample: d392d9bfb7046189dc7bd9783a1602ae.msi
Resource: win10-en-20211014
General
Target: d392d9bfb7046189dc7bd9783a1602ae.msi
Size: 264KB
MD5: d392d9bfb7046189dc7bd9783a1602ae
SHA1: 884ebbad69a4d9e3ce5973514c5c6d77f4d672a4
SHA256: cf3537f8d24f8b59848c996f0fb94fd8f81bebd4a9baa8e1922f635eadc2d33e
SHA512: fb3d8166ce2f4f0a54b4b87922a75c693694309062eb17eed2ed2d03e052e2517c77231f18199bfa5d3f1f5d36a4aedf2d0696c913bdf4b60256cf529237ee86
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
Processes:
- flow 9, PID 3756, MsiExec.exe
Executes dropped EXE (1 IoC)
Processes:
- PID 1172, IonGz.exe
Loads dropped DLL (6 IoCs)
Processes:
- PID 3756, MsiExec.exe
- PID 3756, MsiExec.exe
- PID 1172, IonGz.exe
- PID 1172, IonGz.exe
- PID 1516, iexplore.exe
- PID 1516, iexplore.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin-_04uR1zm = "\"C:\\Users\\Admin\\Saved Games\\Admin kbGTH\\IonGz.exe\"" (iexplore.exe)
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe
Drops file in Windows directory (9 IoCs)
Processes:
- File opened for modification: C:\Windows\Installer\f75b7b8.msi (msiexec.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIB8C2.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIBFF6.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI2614.tmp (msiexec.exe)
- File created: C:\Windows\Installer\f75b7b8.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File created: C:\Windows\Installer\SourceHash{9239365C-F147-4EFD-BCA8-73249F3C07BE} (msiexec.exe)
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (iexplore.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (iexplore.exe)
Enumerates system info in registry (2 TTPs, 4 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (iexplore.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (iexplore.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (iexplore.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (iexplore.exe)
Modifies Control Panel (2 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\(Padrão) 2 = "IonGz" (IonGz.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\(Padrão) 3 = "C:\\Users\\Admin\\Saved Games\\Admin kbGTH\\" (IonGz.exe)
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
Processes:
- flow 9: HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: msiexec.exe (PID 3804), iexplore.exe (PID 1516)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe (PIDs 3392, 3804), WMIC.exe (PID 424)
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
- PID 3392, msiexec.exe
- PID 3756, MsiExec.exe
- PID 3392, msiexec.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
- PID 3804 (msiexec.exe) wrote to memory of PID 3756 (MsiExec.exe)
- PID 3804 (msiexec.exe) wrote to memory of PID 3756 (MsiExec.exe)
- PID 3804 (msiexec.exe) wrote to memory of PID 3756 (MsiExec.exe)
- PID 3756 (MsiExec.exe) wrote to memory of PID 424 (WMIC.exe)
- PID 3756 (MsiExec.exe) wrote to memory of PID 424 (WMIC.exe)
- PID 3756 (MsiExec.exe) wrote to memory of PID 424 (WMIC.exe)
- PID 1172 (IonGz.exe) wrote to memory of PID 1516 (iexplore.exe)
- PID 1172 (IonGz.exe) wrote to memory of PID 1516 (iexplore.exe)
- PID 1172 (IonGz.exe) wrote to memory of PID 1516 (iexplore.exe)
- PID 1172 (IonGz.exe) wrote to memory of PID 1516 (iexplore.exe)
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d392d9bfb7046189dc7bd9783a1602ae.msi
  Signatures:
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 03254F549F8C6B2B9654C3BEE12E8348
    Signatures:
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin kbGTH\IonGz.exe'
      Signatures:
      - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Saved Games\Admin kbGTH\IonGz.exe
  Command line: "C:\Users\Admin\Saved Games\Admin kbGTH\IonGz.exe"
  Signatures:
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet explorer\iexplore.exe
    Command line: "C:\Program Files (x86)\Internet explorer\iexplore.exe"
    Signatures:
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Users\Admin\Saved Games\Admin kbGTH\IonGz.exe
  MD5: 1f26da52aea0b3dfe2e829665bd2474f
  SHA1: a852a99e2982df75842ccfc274ea3f9c54d22859
  SHA256: 33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32
  SHA512: dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d
- C:\Users\Admin\Saved Games\Admin kbGTH\IonGz.~tmp
  MD5: 2f3335c18aaa8ae44810a1bacae61691
  SHA1: a11b4b06148fc8cea338cfe29868366aec726cf8
  SHA256: 6ab83e36dcd1534ad13f989feb4771d375ba67b77f9da1b9dd2aeea5d4683034
  SHA512: e66e569407f6778ef5af0b97db1e553c264296ded96dc6691966834d8eb700b196bcbe329170f05bf30d07a004e6bf8f380b41ad2cb014e618dc8ae306ff5a14
- C:\Users\Admin\Saved Games\Admin kbGTH\NvSmartMax.dll
  MD5: 50735064e282bd5464538d04dff1e78e
  SHA1: 86258c2a824eda61aede38c3b1129895f7f6c8a3
  SHA256: 3fe1aa8469ad95533e2b134199b31817325724c33050972ef3e1c9d3c385ace7
  SHA512: e166fe83d8241ab71ce8e84a2df4d4190e2fbb53e4bde9a22a99b781607a13c157b09c0611132b7428908cd26694d1dcc6580718f29dfb3d99de7b2365c7099d
- C:\Windows\Installer\MSIB8C2.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
- C:\Windows\Installer\MSIBFF6.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
- \Users\Admin\Saved Games\Admin kbGTH\NvSmartMax.dll
  MD5: 7b270396b2d08255b5bb47de7a78009c
  SHA1: 77a78698dfe6e00e96db6f11edcf5ec7ec7a00b8
  SHA256: 10cfed39a57473d345c21ef81f6c17ada21ba6d8cde3ca7b42f82d75e6404027
  SHA512: af95ceb6e7c6b7ca5d450465bc0d8bcedb0a82faff838fb1e063b867bff34a9bee187c1c34043621f2ade48fa70de4b4340df52fb2e2d9a4a0116313fa33f620
- \Users\Admin\Saved Games\Admin kbGTH\NvSmartMax.dll
  MD5: 6b0076e465afcfe5df7c6ae2f2a88a8a
  SHA1: 81e16eaa4deedbb9506f2e6e939a988ae85a219d
  SHA256: c44a379d74ed81003f14ad0169766a1059013c1633b29193d4563ec7ce2f5ae7
  SHA512: 9ec478f3712c3d574f17617b3e648153e1dfe93cab046e615626ca6e6175feb651507e132404f0627f566489c62cad113b7513ba87e07c458d1af7a6e21d58c2
- \Users\Admin\Saved Games\Admin kbGTH\NvSmartMax.dll
  MD5: f996d794477eca3b85e27185966b888f
  SHA1: e6d3668f491cc34db2dc28b022b23e0425d2c784
  SHA256: 2aee67e634d8e6283eef5cdfca6b7790253cfaa0f9695e5b553fbb5f0e9d01ff
  SHA512: d9d1c4993c081da0a38ef5b9e6f4d27e5d96453ceda7e60b72cbba9015bf0417c001201bf52cc287fd888fc54ced8298bd56bac708d1feb065fd8223fe407520
- \Users\Admin\Saved Games\Admin kbGTH\NvSmartMax.dll
  MD5: 54f94fd8043a8a376bf2db00f372627c
  SHA1: f455dca2727ea0be59e1e475435ef1ed89fc5974
  SHA256: 25860eca643f4ae603c8d2e494f71d6f618532ce4ac765d1db5534e32a833f7e
  SHA512: 99a0bb5a534c314bc5e91b83ae4ab2afbaa3918ccde53ed214a4cfbe8356eb1c24601a4b9a208e8d52b58889886ac3708078ac9f5cd5a42e80995f07c9154c6f
- \Windows\Installer\MSIB8C2.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
- \Windows\Installer\MSIBFF6.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
- memory/424-126-0x0000000000000000-mapping.dmp
- memory/1172-132-0x0000000000C30000-0x00000000010AA000-memory.dmp (Filesize 4.5MB)
- memory/1516-133-0x0000000000000000-mapping.dmp
- memory/3392-115-0x000001E4BE900000-0x000001E4BE902000-memory.dmp (Filesize 8KB)
- memory/3392-116-0x000001E4BE900000-0x000001E4BE902000-memory.dmp (Filesize 8KB)
- memory/3756-121-0x0000000000470000-0x0000000000471000-memory.dmp (Filesize 4KB)
- memory/3756-120-0x0000000000470000-0x0000000000471000-memory.dmp (Filesize 4KB)
- memory/3756-119-0x0000000000000000-mapping.dmp
- memory/3804-118-0x000001ED19F70000-0x000001ED19F72000-memory.dmp (Filesize 8KB)
- memory/3804-117-0x000001ED19F70000-0x000001ED19F72000-memory.dmp (Filesize 8KB)