Analysis

- Max time kernel: 119s
- Max time network: 146s
- Platform: windows7_x64
- Resource: win7-en-20211014
- Submitted: 15-10-2021 12:19
Behavioral tasks

| Task | Sample | Resource |
| --- | --- | --- |
| behavioral1 | d658fc04f5eb9b2f7984579d4b8d8322.msi | win7-en-20211014 |
| behavioral2 | d658fc04f5eb9b2f7984579d4b8d8322.msi | win10-en-20210920 |
General

- Target: d658fc04f5eb9b2f7984579d4b8d8322.msi
- Size: 264KB
- MD5: d658fc04f5eb9b2f7984579d4b8d8322
- SHA1: 905e42f62ce86570abd70081185c969574fe64ed
- SHA256: 472e40357bbd9c18824abf10157d6482b8d853cdef7267b723e5d887b54e00ee
- SHA512: 3242e71dd101cbbc54e0136922424f4faf64bdcee2e37adde5ec9247bab30b5c5fcc611c26e9a2816ce56adbb44d4b707363ddbf8f7852563aa308690b9c1adb
Malware Config
Signatures

Blocklisted process makes network request (3 IoCs)

Process tab: MsiExec.exe

| Flow | PID | Process |
| --- | --- | --- |
| 3 | 320 | MsiExec.exe |
| 5 | 320 | MsiExec.exe |
| 7 | 320 | MsiExec.exe |
Executes dropped EXE (1 IoC)

Process tab: kqbrB.exe

| PID | Process |
| --- | --- |
| 1300 | kqbrB.exe |
Loads dropped DLL (4 IoCs)

Process tabs: MsiExec.exe, kqbrB.exe, iexplore.exe

| PID | Process |
| --- | --- |
| 320 | MsiExec.exe |
| 320 | MsiExec.exe |
| 1300 | kqbrB.exe |
| 1644 | iexplore.exe |
Adds Run key to start application (2 TTPs, 2 IoCs)

Process tab: iexplore.exe

| Description | IoC | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin-_45J6y4C49N = "\"C:\\Users\\Admin\\Saved Games\\Admin KaGqU\\kqbrB.exe\"" | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run | iexplore.exe |
Enumerates connected drives (3 TTPs, 48 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

Process tabs: msiexec.exe, msiexec.exe

All 48 entries have the form "File opened (read-only) \??\X: msiexec.exe". Drive letters in the recorded order: F, S, U, W, A, J, L, P, Q, Z, H, N, R, I, K, I, X, H, R, V, X, K, T, N, O, E, F, U, Y, O, A, B, G, J, M, Y, M, W, E, T, B, L, V, G, P, Q, S, Z. Each of the 24 letters A, B and E through Z appears exactly twice; C and D are never probed.
Drops file in Windows directory (8 IoCs)

Process tab: msiexec.exe

| Description | IoC | Process |
| --- | --- | --- |
| File created | C:\Windows\Installer\f75e4d3.msi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\f75e4d3.msi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSIE61B.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSIEA02.tmp | msiexec.exe |
| File created | C:\Windows\Installer\f75e4d5.ipi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\ | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI9955.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\f75e4d5.ipi | msiexec.exe |
Checks processor information in registry (2 TTPs, 2 IoCs)

Processor information is often read in order to detect sandboxing environments.

Process tab: iexplore.exe

| Description | IoC | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | iexplore.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | iexplore.exe |
Enumerates system info in registry (2 TTPs, 4 IoCs)

Process tab: iexplore.exe

| Description | IoC | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | iexplore.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | iexplore.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | iexplore.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | iexplore.exe |
Modifies Control Panel (2 IoCs)

Process tab: kqbrB.exe

| Description | IoC | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\(Padrão) 2 = "kqbrB" | kqbrB.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\(Padrão) 3 = "C:\\Users\\Admin\\Saved Games\\Admin KaGqU\\" | kqbrB.exe |

The value names are reproduced as recorded; "(Padrão)" is Portuguese for "(Default)", a locale hint worth noting since the sandbox image itself is English.
Script User-Agent (1 IoC)

Uses user-agent string associated with script host/environment.

| Description | Flow | IoC |
| --- | --- | --- |
| HTTP User-Agent header | 3 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) |
Suspicious behavior: EnumeratesProcesses (32 IoCs)

Process tabs: msiexec.exe, iexplore.exe

| PID | Process | Occurrences |
| --- | --- | --- |
| 1092 | msiexec.exe | 2 |
| 1644 | iexplore.exe | 30 |
Suspicious use of AdjustPrivilegeToken (64 IoCs)

Process tabs: msiexec.exe, msiexec.exe, WMIC.exe

Token entries grouped by process (31 + 13 + 20 = 64), each group in its recorded order:

- PID 1700 msiexec.exe (31): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- PID 1092 msiexec.exe (13): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, followed by the pair SeRestorePrivilege, SeTakeOwnershipPrivilege five more times (interleaved in the recording with the entries of the other two processes)
- PID 1868 WMIC.exe (20): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (the last three are unnamed privilege values as recorded)
Suspicious use of FindShellTrayWindow (3 IoCs)

Process tabs: msiexec.exe, MsiExec.exe

| PID | Process |
| --- | --- |
| 1700 | msiexec.exe |
| 320 | MsiExec.exe |
| 1700 | msiexec.exe |
Suspicious use of WriteProcessMemory (16 IoCs)

Process tabs: msiexec.exe, MsiExec.exe, kqbrB.exe

| Description | PID | Process | Target process | Occurrences |
| --- | --- | --- | --- | --- |
| PID 1092 wrote to memory of 320 | 1092 | msiexec.exe | MsiExec.exe | 7 |
| PID 320 wrote to memory of 1868 | 320 | MsiExec.exe | WMIC.exe | 4 |
| PID 1300 wrote to memory of 1644 | 1300 | kqbrB.exe | iexplore.exe | 5 |
Processes

Process tree as recorded (depth in parentheses; command line on the second line of each entry):

- C:\Windows\system32\msiexec.exe (1)
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d658fc04f5eb9b2f7984579d4b8d8322.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (1)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (2)
    C:\Windows\syswow64\MsiExec.exe -Embedding 7D5CE9271743A320A4C2F1466E5FFC85
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (3)
      "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin KaGqU\kqbrB.exe'
      - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Saved Games\Admin KaGqU\kqbrB.exe (1)
  "C:\Users\Admin\Saved Games\Admin KaGqU\kqbrB.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet explorer\iexplore.exe (2)
    "C:\Program Files (x86)\Internet explorer\iexplore.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses

kqbrB.exe appears as a separate root rather than as a child of WMIC.exe because "process call create" starts the target through the WMI provider host, which breaks the parent-child link that process-tree-based detections usually rely on; the WriteProcessMemory entries (kqbrB.exe, PID 1300, writing into iexplore.exe, PID 1644) are what tie the two branches together.
Downloads

Dropped files:

| Path | MD5 | SHA1 | SHA256 | SHA512 |
| --- | --- | --- | --- | --- |
| C:\Users\Admin\Saved Games\Admin KaGqU\NvSmartMax.dll | 3d22448b78bd5e3f00ef32b3b732c0cb | 4aa2d6ad6465b1cd3656be3b4278179efa995d96 | ee61ead48748b0646e7472b6d0ce34d238936fdb68009fef210beb28b1698045 | e6fce963e488a625f5385039fa9285b3366fbe1231b86bf6cb7c03388f5ccac0851ab61a84f367d7b0b96886066336306bf827ad9742a9644e56fc00de897b8d |
| C:\Users\Admin\Saved Games\Admin KaGqU\kqbrB.exe | 1f26da52aea0b3dfe2e829665bd2474f | a852a99e2982df75842ccfc274ea3f9c54d22859 | 33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32 | dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d |
| C:\Users\Admin\Saved Games\Admin KaGqU\kqbrB.~tmp | 2f3335c18aaa8ae44810a1bacae61691 | a11b4b06148fc8cea338cfe29868366aec726cf8 | 6ab83e36dcd1534ad13f989feb4771d375ba67b77f9da1b9dd2aeea5d4683034 | e66e569407f6778ef5af0b97db1e553c264296ded96dc6691966834d8eb700b196bcbe329170f05bf30d07a004e6bf8f380b41ad2cb014e618dc8ae306ff5a14 |
| C:\Windows\Installer\MSIE61B.tmp | 9f1e5d66c2889018daef4aef604eebc4 | b80294261c8a1635e16e14f55a3d76889ff2c857 | 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222 | 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b |
| C:\Windows\Installer\MSIEA02.tmp | 9f1e5d66c2889018daef4aef604eebc4 | b80294261c8a1635e16e14f55a3d76889ff2c857 | 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222 | 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b |
| \Users\Admin\Saved Games\Admin KaGqU\NvSmartMax.dll | df754d0cdb5d5b663a624302f103bf25 | ba6f3482b96ca93bb5fdf2977fa74e574613b586 | 441652d585d3c8ed91b1e2e4eb8d8c5b6b19d949ccd02b4f5dd8e5383fd726cd | eb0751f81e0bb5c86b220f93d6dc309de4cc81912d9fb9143c8f370030f13fcc84b12e59e727741d505b9ed20148f69ac4b69a9bd9489e4126103f18aa3fd89d |
| \Users\Admin\Saved Games\Admin KaGqU\NvSmartMax.dll | 1c6fd28fa1b8c08afcdebf2ab72ece5e | 7262af961194304d8951598f75aa04d09b7ab4df | ea288ac455bb3ac0dc7c88f106aac7c3822a8893afe76fef7352a14fb72b8d6a | 1b82b0d41e85eaa9971f317992220f74888a55449c38cd6e75cace1c0cf9b642af8e3c61eabfa1d51eae8b78a4e8d1538eebdd69da680899942cb515c0f1397e |
| \Windows\Installer\MSIE61B.tmp | 9f1e5d66c2889018daef4aef604eebc4 | b80294261c8a1635e16e14f55a3d76889ff2c857 | 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222 | 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b |
| \Windows\Installer\MSIEA02.tmp | 9f1e5d66c2889018daef4aef604eebc4 | b80294261c8a1635e16e14f55a3d76889ff2c857 | 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222 | 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b |

NvSmartMax.dll is recorded three times under the same directory with three different hash sets, so the file in that directory was rewritten during the run.
Memory dumps:

| Dump | PID | Region | Size |
| --- | --- | --- | --- |
| memory/320-57-0x0000000000000000-mapping.dmp | 320 | mapping | |
| memory/320-58-0x0000000074F61000-0x0000000074F63000-memory.dmp | 320 | 0x0000000074F61000-0x0000000074F63000 | 8KB |
| memory/320-63-0x0000000000E40000-0x0000000000E41000-memory.dmp | 320 | 0x0000000000E40000-0x0000000000E41000 | 4KB |
| memory/1300-68-0x0000000000BD0000-0x000000000114C000-memory.dmp | 1300 | 0x0000000000BD0000-0x000000000114C000 | 5.5MB |
| memory/1644-71-0x0000000000000000-mapping.dmp | 1644 | mapping | |
| memory/1700-55-0x000007FEFB831000-0x000007FEFB833000-memory.dmp | 1700 | 0x000007FEFB831000-0x000007FEFB833000 | 8KB |
| memory/1868-64-0x0000000000000000-mapping.dmp | 1868 | mapping | |