Overview

overview

8

Static

static

8

d658fc04f5...22.msi

windows7_x64

8

d658fc04f5...22.msi

windows10_x64

8

Analysis

  • max time kernel
    122s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    15-10-2021 12:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d658fc04f5eb9b2f7984579d4b8d8322.msi

  • Size

    264KB

  • MD5

    d658fc04f5eb9b2f7984579d4b8d8322

  • SHA1

    905e42f62ce86570abd70081185c969574fe64ed

  • SHA256

    472e40357bbd9c18824abf10157d6482b8d853cdef7267b723e5d887b54e00ee

  • SHA512

    3242e71dd101cbbc54e0136922424f4faf64bdcee2e37adde5ec9247bab30b5c5fcc611c26e9a2816ce56adbb44d4b707363ddbf8f7852563aa308690b9c1adb

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d658fc04f5eb9b2f7984579d4b8d8322.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2388
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:512
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding EDCC892941E07C54254DB3EFE36090DD
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1444
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin BAzOj\brLci.exe'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3480
  • C:\Users\Admin\Saved Games\Admin BAzOj\brLci.exe
    "C:\Users\Admin\Saved Games\Admin BAzOj\brLci.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Program Files (x86)\Internet explorer\iexplore.exe
      "C:\Program Files (x86)\Internet explorer\iexplore.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Saved Games\Admin BAzOj\NvSmartMax.dll
    MD5

    c9eedf4659ade24511516e3b3dec0bfb

    SHA1

    dea6a8a803e7bdb7db8c009c83ecdbe665669684

    SHA256

    26dd39fd64e3a85e5d7307a850f5a48b46e3909ecc962ef94d23b53f5f251a63

    SHA512

    a7bc672b4a31f31eed4cc5620faf85e197c23483ec1bbebb152fbcc71dea6f8ac822013834f78584c8dd9b9758a77f3801346d90a72e26f63ac743aa47ffd92c

    Download Submit
  • C:\Users\Admin\Saved Games\Admin BAzOj\brLci.exe
    MD5

    1f26da52aea0b3dfe2e829665bd2474f

    SHA1

    a852a99e2982df75842ccfc274ea3f9c54d22859

    SHA256

    33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32

    SHA512

    dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d

    Download Submit
  • C:\Users\Admin\Saved Games\Admin BAzOj\brLci.exe
    MD5

    1f26da52aea0b3dfe2e829665bd2474f

    SHA1

    a852a99e2982df75842ccfc274ea3f9c54d22859

    SHA256

    33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32

    SHA512

    dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d

    Download Submit
  • C:\Users\Admin\Saved Games\Admin BAzOj\brLci.~tmp
    MD5

    2f3335c18aaa8ae44810a1bacae61691

    SHA1

    a11b4b06148fc8cea338cfe29868366aec726cf8

    SHA256

    6ab83e36dcd1534ad13f989feb4771d375ba67b77f9da1b9dd2aeea5d4683034

    SHA512

    e66e569407f6778ef5af0b97db1e553c264296ded96dc6691966834d8eb700b196bcbe329170f05bf30d07a004e6bf8f380b41ad2cb014e618dc8ae306ff5a14

    Download Submit
  • C:\Windows\Installer\MSIA47E.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSIAB36.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Users\Admin\Saved Games\Admin BAzOj\NvSmartMax.dll
    MD5

    fedc3c2faa04e9a6c2feb03badae0cc7

    SHA1

    2c01c29fdaa5239db6861485fb808c2d715209f3

    SHA256

    ea028f2f1d1a624eb5e2e3853b933ff3f0b21c5beeb155cb49af849d0682579e

    SHA512

    e9d0307a8e3b9a3e5a72389d6033f94b5f67cda760a5609d8cf8279e858066dc5d4aaa80c4a8b2bfa13345238e32767b961c0c968632eb66c36966c79e25c857

    Download Submit
  • \Users\Admin\Saved Games\Admin BAzOj\NvSmartMax.dll
    MD5

    723d3f8c7359ce61c5772c6004eae0da

    SHA1

    10e2fa99f7c9cd45a1e2631770f645ab0430e69d

    SHA256

    002626597ae57346901370ed86320a7f953f792468bebcd051caf204fed92d7d

    SHA512

    14f58177a7781ed1904830e496ab7640cb33cb72926bbed04432751daf62126f793da3125d9d209f7bcc873570fec8f7a43cc5fc5bb7b0c92271378fd4e35d73

    Download Submit
  • \Users\Admin\Saved Games\Admin BAzOj\NvSmartMax.dll
    MD5

    2c97f8c4122049a30ffad6da60742169

    SHA1

    64e35cbf7d50e5f7ffc876771a1cdeb2f58e1176

    SHA256

    f31796fdea1fc775b96de74282b036d7927152fa4bc8be752049f3a97e9c5691

    SHA512

    6fe5594a0cf0b8e6d05de9619e65dd436d68088cf01d52a4bb2e5eb42897ddb8f79be95c3b2964101ad19b4cff9bb8124141e6f628582fa2c5e0ecb36ce0f1dc

    Download Submit
  • \Users\Admin\Saved Games\Admin BAzOj\NvSmartMax.dll
    MD5

    43aca1e1fda61f616196d3b1a9297590

    SHA1

    ea82c49f08c5ec76310fdaf08350ab300914defe

    SHA256

    accfd419ac49403328503ad0d9a520b2f686356bfb5d025d9c44e09f4c1b9969

    SHA512

    f62d329235f1e6ad3fb56c490480c9be5774655237f8ecd1095bdba9c8c684076e7ad08c490c50589ebbc77cad1de7393eca994edff7deef7bb66a69917ff054

    Download Submit
  • \Windows\Installer\MSIA47E.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSIAB36.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • memory/512-117-0x0000023D96AB0000-0x0000023D96AB2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/512-118-0x0000023D96AB0000-0x0000023D96AB2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1244-132-0x0000000001260000-0x00000000017DC000-memory.dmp
    Filesize

    5.5MB

    Download
  • memory/1444-120-0x00000000000D0000-0x00000000000D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-121-0x00000000000D0000-0x00000000000D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-119-0x0000000000000000-mapping.dmp
    Download
  • memory/2332-134-0x0000000000000000-mapping.dmp
    Download
  • memory/2388-115-0x000002211C090000-0x000002211C092000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2388-116-0x000002211C090000-0x000002211C092000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3480-126-0x0000000000000000-mapping.dmp
    Download