Overview

overview

8

Static

static

10

36b8ab4ab9...5c.msi

windows7_x64

8

36b8ab4ab9...5c.msi

windows10_x64

8

Analysis

  • max time kernel
    60s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    19-10-2021 05:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36b8ab4ab974a6be2ae8aec49600215c.msi

  • Size

    264KB

  • MD5

    36b8ab4ab974a6be2ae8aec49600215c

  • SHA1

    01233a85959dd6f5815eb8a037d630b81bff0eb0

  • SHA256

    17182f1f100e9370ee0798fdad75aca6c9004d9446bad85bf5ad9f28975f77d4

  • SHA512

    27bbfedd27c8b821fc17a25ab7a704874df02cb9f608bb02c0892e68e64336ff6816248f4fab150c11e8da7d8422195be7f50ac37927a5e2cef3d95cc71e9072

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 8 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\36b8ab4ab974a6be2ae8aec49600215c.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1564
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:932
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 96245231DFC000E95E854EF1DFBB3203
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin kkcKp\nECKz.exe'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1364
  • C:\Users\Admin\Saved Games\Admin kkcKp\nECKz.exe
    "C:\Users\Admin\Saved Games\Admin kkcKp\nECKz.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Program Files (x86)\Internet explorer\iexplore.exe
      "C:\Program Files (x86)\Internet explorer\iexplore.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Saved Games\Admin kkcKp\NvSmartMax.dll
    MD5

    51a2e4f3bf06a57b438449e10a78f12b

    SHA1

    c1ca9f811e5d853730ce3797df27b877ad33dd2e

    SHA256

    0ab58ca317447b8cd4098c22a92eaa29b14b9a111d7c82b6389599a4e4398311

    SHA512

    d7a1c1dfc9c5433d6bb52172b9279d9c2b08163bf587b50fe65062fdc832d7e36965a057e89bd18ff0d74c19a9a75e21d5f43e33c4c4a47b824ad8e68dbc0d29

    Download Submit
  • C:\Users\Admin\Saved Games\Admin kkcKp\nECKz.exe
    MD5

    1f26da52aea0b3dfe2e829665bd2474f

    SHA1

    a852a99e2982df75842ccfc274ea3f9c54d22859

    SHA256

    33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32

    SHA512

    dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d

    Download Submit
  • C:\Users\Admin\Saved Games\Admin kkcKp\nECKz.~tmp
    MD5

    2f3335c18aaa8ae44810a1bacae61691

    SHA1

    a11b4b06148fc8cea338cfe29868366aec726cf8

    SHA256

    6ab83e36dcd1534ad13f989feb4771d375ba67b77f9da1b9dd2aeea5d4683034

    SHA512

    e66e569407f6778ef5af0b97db1e553c264296ded96dc6691966834d8eb700b196bcbe329170f05bf30d07a004e6bf8f380b41ad2cb014e618dc8ae306ff5a14

    Download Submit
  • C:\Windows\Installer\MSI58CA.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSI5A70.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Users\Admin\Saved Games\Admin kkcKp\NvSmartMax.dll
    MD5

    43f05481b2475dbe34e3121a7f888cdd

    SHA1

    2d476d2e316ef5b26093fd08e24bc5021ae05d90

    SHA256

    8e4833e0e7ad343dbd9d71dbed7cb0e9c67758ca4ffb0db8538ae90940f6a0ea

    SHA512

    56b5d1eb66b746ed77ec1291abc083ed830876a10f74a3c6b6f91b931e34c450c1787bebb12f3acaa5a7ee5548bd6fca41cd5350eda1bd381b9375fd8abcd4ba

    Download Submit
  • \Users\Admin\Saved Games\Admin kkcKp\NvSmartMax.dll
    MD5

    0e4575a61c67faf11f1ebe0ace77bc6d

    SHA1

    5c8f68bbdbf4ba215a03226f0d1a1904934c2fc3

    SHA256

    e0935a715377a4c6bc6d52e4222a1854640923170beed6d3366677bd97002606

    SHA512

    d90e84c910b0ed13013f880fddc723c3fd4dd4e46eac1a21bf5627871c5bce6556f8f8dc5a2c52d651791721bc0a32ea93c8f328d538bf19c87a23d6b666fe21

    Download Submit
  • \Windows\Installer\MSI58CA.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSI5A70.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • memory/1320-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1320-56-0x0000000076201000-0x0000000076203000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1320-61-0x0000000000B10000-0x0000000000B11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1364-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1564-53-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1580-70-0x0000000000000000-mapping.dmp
    Download
  • memory/1644-69-0x00000000031B0000-0x00000000033C1000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/1644-68-0x0000000002CB0000-0x0000000002F89000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/1644-66-0x0000000000E70000-0x00000000015D2000-memory.dmp
    Filesize

    7.4MB

    Download