Overview

overview

8

Static

static

8

d392d9bfb7...ae.msi

windows7_x64

8

d392d9bfb7...ae.msi

windows10_x64

8

Analysis

  • max time kernel
    126s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    14-10-2021 17:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d392d9bfb7046189dc7bd9783a1602ae.msi

  • Size

    264KB

  • MD5

    d392d9bfb7046189dc7bd9783a1602ae

  • SHA1

    884ebbad69a4d9e3ce5973514c5c6d77f4d672a4

  • SHA256

    cf3537f8d24f8b59848c996f0fb94fd8f81bebd4a9baa8e1922f635eadc2d33e

  • SHA512

    fb3d8166ce2f4f0a54b4b87922a75c693694309062eb17eed2ed2d03e052e2517c77231f18199bfa5d3f1f5d36a4aedf2d0696c913bdf4b60256cf529237ee86

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d392d9bfb7046189dc7bd9783a1602ae.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3392
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3804
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 03254F549F8C6B2B9654C3BEE12E8348
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3756
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin kbGTH\IonGz.exe'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:424
  • C:\Users\Admin\Saved Games\Admin kbGTH\IonGz.exe
    "C:\Users\Admin\Saved Games\Admin kbGTH\IonGz.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Program Files (x86)\Internet explorer\iexplore.exe
      "C:\Program Files (x86)\Internet explorer\iexplore.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Saved Games\Admin kbGTH\IonGz.exe
    MD5

    1f26da52aea0b3dfe2e829665bd2474f

    SHA1

    a852a99e2982df75842ccfc274ea3f9c54d22859

    SHA256

    33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32

    SHA512

    dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d

    Download Submit
  • C:\Users\Admin\Saved Games\Admin kbGTH\IonGz.exe
    MD5

    1f26da52aea0b3dfe2e829665bd2474f

    SHA1

    a852a99e2982df75842ccfc274ea3f9c54d22859

    SHA256

    33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32

    SHA512

    dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d

    Download Submit
  • C:\Users\Admin\Saved Games\Admin kbGTH\IonGz.~tmp
    MD5

    2f3335c18aaa8ae44810a1bacae61691

    SHA1

    a11b4b06148fc8cea338cfe29868366aec726cf8

    SHA256

    6ab83e36dcd1534ad13f989feb4771d375ba67b77f9da1b9dd2aeea5d4683034

    SHA512

    e66e569407f6778ef5af0b97db1e553c264296ded96dc6691966834d8eb700b196bcbe329170f05bf30d07a004e6bf8f380b41ad2cb014e618dc8ae306ff5a14

    Download Submit
  • C:\Users\Admin\Saved Games\Admin kbGTH\NvSmartMax.dll
    MD5

    50735064e282bd5464538d04dff1e78e

    SHA1

    86258c2a824eda61aede38c3b1129895f7f6c8a3

    SHA256

    3fe1aa8469ad95533e2b134199b31817325724c33050972ef3e1c9d3c385ace7

    SHA512

    e166fe83d8241ab71ce8e84a2df4d4190e2fbb53e4bde9a22a99b781607a13c157b09c0611132b7428908cd26694d1dcc6580718f29dfb3d99de7b2365c7099d

    Download Submit
  • C:\Windows\Installer\MSIB8C2.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSIBFF6.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Users\Admin\Saved Games\Admin kbGTH\NvSmartMax.dll
    MD5

    7b270396b2d08255b5bb47de7a78009c

    SHA1

    77a78698dfe6e00e96db6f11edcf5ec7ec7a00b8

    SHA256

    10cfed39a57473d345c21ef81f6c17ada21ba6d8cde3ca7b42f82d75e6404027

    SHA512

    af95ceb6e7c6b7ca5d450465bc0d8bcedb0a82faff838fb1e063b867bff34a9bee187c1c34043621f2ade48fa70de4b4340df52fb2e2d9a4a0116313fa33f620

    Download Submit
  • \Users\Admin\Saved Games\Admin kbGTH\NvSmartMax.dll
    MD5

    6b0076e465afcfe5df7c6ae2f2a88a8a

    SHA1

    81e16eaa4deedbb9506f2e6e939a988ae85a219d

    SHA256

    c44a379d74ed81003f14ad0169766a1059013c1633b29193d4563ec7ce2f5ae7

    SHA512

    9ec478f3712c3d574f17617b3e648153e1dfe93cab046e615626ca6e6175feb651507e132404f0627f566489c62cad113b7513ba87e07c458d1af7a6e21d58c2

    Download Submit
  • \Users\Admin\Saved Games\Admin kbGTH\NvSmartMax.dll
    MD5

    f996d794477eca3b85e27185966b888f

    SHA1

    e6d3668f491cc34db2dc28b022b23e0425d2c784

    SHA256

    2aee67e634d8e6283eef5cdfca6b7790253cfaa0f9695e5b553fbb5f0e9d01ff

    SHA512

    d9d1c4993c081da0a38ef5b9e6f4d27e5d96453ceda7e60b72cbba9015bf0417c001201bf52cc287fd888fc54ced8298bd56bac708d1feb065fd8223fe407520

    Download Submit
  • \Users\Admin\Saved Games\Admin kbGTH\NvSmartMax.dll
    MD5

    54f94fd8043a8a376bf2db00f372627c

    SHA1

    f455dca2727ea0be59e1e475435ef1ed89fc5974

    SHA256

    25860eca643f4ae603c8d2e494f71d6f618532ce4ac765d1db5534e32a833f7e

    SHA512

    99a0bb5a534c314bc5e91b83ae4ab2afbaa3918ccde53ed214a4cfbe8356eb1c24601a4b9a208e8d52b58889886ac3708078ac9f5cd5a42e80995f07c9154c6f

    Download Submit
  • \Windows\Installer\MSIB8C2.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSIBFF6.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • memory/424-126-0x0000000000000000-mapping.dmp
    Download
  • memory/1172-132-0x0000000000C30000-0x00000000010AA000-memory.dmp
    Filesize

    4.5MB

    Download
  • memory/1516-133-0x0000000000000000-mapping.dmp
    Download
  • memory/3392-115-0x000001E4BE900000-0x000001E4BE902000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3392-116-0x000001E4BE900000-0x000001E4BE902000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3756-121-0x0000000000470000-0x0000000000471000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3756-120-0x0000000000470000-0x0000000000471000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3756-119-0x0000000000000000-mapping.dmp
    Download
  • memory/3804-118-0x000001ED19F70000-0x000001ED19F72000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3804-117-0x000001ED19F70000-0x000001ED19F72000-memory.dmp
    Filesize

    8KB

    Download