Analysis
  max time kernel: 122s
  max time network: 137s
  platform: windows10_x64
  resource: win10-en-20210920
  submitted: 15-10-2021 12:19
Behavioral task: behavioral1
  Sample: d658fc04f5eb9b2f7984579d4b8d8322.msi
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: d658fc04f5eb9b2f7984579d4b8d8322.msi
  Resource: win10-en-20210920
General
  Target: d658fc04f5eb9b2f7984579d4b8d8322.msi
  Size: 264KB
  MD5: d658fc04f5eb9b2f7984579d4b8d8322
  SHA1: 905e42f62ce86570abd70081185c969574fe64ed
  SHA256: 472e40357bbd9c18824abf10157d6482b8d853cdef7267b723e5d887b54e00ee
  SHA512: 3242e71dd101cbbc54e0136922424f4faf64bdcee2e37adde5ec9247bab30b5c5fcc611c26e9a2816ce56adbb44d4b707363ddbf8f7852563aa308690b9c1adb
Malware Config
Signatures

Blocklisted process makes network request (1 IoC)
  Processes:
    flow 17, pid 1444 MsiExec.exe

Executes dropped EXE (1 IoC)
  Processes:
    pid 1244 brLci.exe

Loads dropped DLL (6 IoCs)
  Processes:
    pid 1444 MsiExec.exe (2 entries)
    pid 1244 brLci.exe (2 entries)
    pid 2332 iexplore.exe (2 entries)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run
    iexplore.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin-_dvF3ew = "\"C:\\Users\\Admin\\Saved Games\\Admin BAzOj\\brLci.exe\""
Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (two msiexec.exe processes; each drive letter below is reported twice, once per process):
    msiexec.exe: File opened (read-only) \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops file in Windows directory (9 IoCs)
  Processes:
    msiexec.exe: File created C:\Windows\Installer\f75a401.msi
    msiexec.exe: File opened for modification C:\Windows\Installer\MSIAB36.tmp
    msiexec.exe: File opened for modification C:\Windows\Installer\
    msiexec.exe: File created C:\Windows\Installer\SourceHash{0059B770-DA72-46A1-AD9A-54D05549B4E7}
    msiexec.exe: File opened for modification C:\Windows\Installer\MSI2D67.tmp
    msiexec.exe: File opened for modification C:\Windows\Installer\f75a401.msi
    msiexec.exe: File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
    msiexec.exe: File opened for modification C:\Windows\Installer\MSIA47E.tmp
    msiexec.exe: File created C:\Windows\Installer\inprogressinstallinfo.ipi
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    iexplore.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    iexplore.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry (2 TTPs, 4 IoCs)
  Processes:
    iexplore.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    iexplore.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
    iexplore.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
    iexplore.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion

Modifies Control Panel (2 IoCs)
  Processes:
    brLci.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\(Padrão) 3 = "C:\\Users\\Admin\\Saved Games\\Admin BAzOj\\"
    brLci.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\(Padrão) 2 = "brLci"
Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  Processes:
    flow 17: HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 512 msiexec.exe (2 entries)
    pid 2332 iexplore.exe (remaining 62 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs; repeated entries for the same pid and privilege collapsed below)
  Processes:
    pid 2388 msiexec.exe, Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
    pid 512 msiexec.exe, Token: SeSecurityPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
    pid 3480 WMIC.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
    pid 2388 msiexec.exe
    pid 1444 MsiExec.exe
    pid 2388 msiexec.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    PID 512 msiexec.exe wrote to memory of 1444 MsiExec.exe (3 entries)
    PID 1444 MsiExec.exe wrote to memory of 3480 WMIC.exe (3 entries)
    PID 1244 brLci.exe wrote to memory of 2332 iexplore.exe (4 entries)
Processes (indented by depth in the process tree)

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d658fc04f5eb9b2f7984579d4b8d8322.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding EDCC892941E07C54254DB3EFE36090DD
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin BAzOj\brLci.exe'
          - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Saved Games\Admin BAzOj\brLci.exe
  Command line: "C:\Users\Admin\Saved Games\Admin BAzOj\brLci.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet explorer\iexplore.exe"
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads