Overview

overview

8

Static

static

8

d658fc04f5...22.msi

windows7_x64

8

d658fc04f5...22.msi

windows10_x64

8

Analysis

  • max time kernel
    119s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    15-10-2021 12:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d658fc04f5eb9b2f7984579d4b8d8322.msi

  • Size

    264KB

  • MD5

    d658fc04f5eb9b2f7984579d4b8d8322

  • SHA1

    905e42f62ce86570abd70081185c969574fe64ed

  • SHA256

    472e40357bbd9c18824abf10157d6482b8d853cdef7267b723e5d887b54e00ee

  • SHA512

    3242e71dd101cbbc54e0136922424f4faf64bdcee2e37adde5ec9247bab30b5c5fcc611c26e9a2816ce56adbb44d4b707363ddbf8f7852563aa308690b9c1adb

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 8 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d658fc04f5eb9b2f7984579d4b8d8322.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1700
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7D5CE9271743A320A4C2F1466E5FFC85
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin KaGqU\kqbrB.exe'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1868
  • C:\Users\Admin\Saved Games\Admin KaGqU\kqbrB.exe
    "C:\Users\Admin\Saved Games\Admin KaGqU\kqbrB.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Program Files (x86)\Internet explorer\iexplore.exe
      "C:\Program Files (x86)\Internet explorer\iexplore.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Saved Games\Admin KaGqU\NvSmartMax.dll
    MD5

    3d22448b78bd5e3f00ef32b3b732c0cb

    SHA1

    4aa2d6ad6465b1cd3656be3b4278179efa995d96

    SHA256

    ee61ead48748b0646e7472b6d0ce34d238936fdb68009fef210beb28b1698045

    SHA512

    e6fce963e488a625f5385039fa9285b3366fbe1231b86bf6cb7c03388f5ccac0851ab61a84f367d7b0b96886066336306bf827ad9742a9644e56fc00de897b8d

    Download Submit
  • C:\Users\Admin\Saved Games\Admin KaGqU\kqbrB.exe
    MD5

    1f26da52aea0b3dfe2e829665bd2474f

    SHA1

    a852a99e2982df75842ccfc274ea3f9c54d22859

    SHA256

    33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32

    SHA512

    dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d

    Download Submit
  • C:\Users\Admin\Saved Games\Admin KaGqU\kqbrB.~tmp
    MD5

    2f3335c18aaa8ae44810a1bacae61691

    SHA1

    a11b4b06148fc8cea338cfe29868366aec726cf8

    SHA256

    6ab83e36dcd1534ad13f989feb4771d375ba67b77f9da1b9dd2aeea5d4683034

    SHA512

    e66e569407f6778ef5af0b97db1e553c264296ded96dc6691966834d8eb700b196bcbe329170f05bf30d07a004e6bf8f380b41ad2cb014e618dc8ae306ff5a14

    Download Submit
  • C:\Windows\Installer\MSIE61B.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSIEA02.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Users\Admin\Saved Games\Admin KaGqU\NvSmartMax.dll
    MD5

    df754d0cdb5d5b663a624302f103bf25

    SHA1

    ba6f3482b96ca93bb5fdf2977fa74e574613b586

    SHA256

    441652d585d3c8ed91b1e2e4eb8d8c5b6b19d949ccd02b4f5dd8e5383fd726cd

    SHA512

    eb0751f81e0bb5c86b220f93d6dc309de4cc81912d9fb9143c8f370030f13fcc84b12e59e727741d505b9ed20148f69ac4b69a9bd9489e4126103f18aa3fd89d

    Download Submit
  • \Users\Admin\Saved Games\Admin KaGqU\NvSmartMax.dll
    MD5

    1c6fd28fa1b8c08afcdebf2ab72ece5e

    SHA1

    7262af961194304d8951598f75aa04d09b7ab4df

    SHA256

    ea288ac455bb3ac0dc7c88f106aac7c3822a8893afe76fef7352a14fb72b8d6a

    SHA512

    1b82b0d41e85eaa9971f317992220f74888a55449c38cd6e75cace1c0cf9b642af8e3c61eabfa1d51eae8b78a4e8d1538eebdd69da680899942cb515c0f1397e

    Download Submit
  • \Windows\Installer\MSIE61B.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSIEA02.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • memory/320-57-0x0000000000000000-mapping.dmp
    Download
  • memory/320-58-0x0000000074F61000-0x0000000074F63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/320-63-0x0000000000E40000-0x0000000000E41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1300-68-0x0000000000BD0000-0x000000000114C000-memory.dmp
    Filesize

    5.5MB

    Download
  • memory/1644-71-0x0000000000000000-mapping.dmp
    Download
  • memory/1700-55-0x000007FEFB831000-0x000007FEFB833000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1868-64-0x0000000000000000-mapping.dmp
    Download