Analysis
max time kernel: 60s
max time network: 159s
platform: windows7_x64
resource: win7-en-20210920
submitted: 19-10-2021 05:26
Static task: static1
Behavioral task: behavioral1, sample 36b8ab4ab974a6be2ae8aec49600215c.msi, resource win7-en-20210920
Behavioral task: behavioral2, sample 36b8ab4ab974a6be2ae8aec49600215c.msi, resource win10-en-20211014
General
Target: 36b8ab4ab974a6be2ae8aec49600215c.msi
Size: 264KB
MD5: 36b8ab4ab974a6be2ae8aec49600215c
SHA1: 01233a85959dd6f5815eb8a037d630b81bff0eb0
SHA256: 17182f1f100e9370ee0798fdad75aca6c9004d9446bad85bf5ad9f28975f77d4
SHA512: 27bbfedd27c8b821fc17a25ab7a704874df02cb9f608bb02c0892e68e64336ff6816248f4fab150c11e8da7d8422195be7f50ac37927a5e2cef3d95cc71e9072
Malware Config
Signatures

Blocklisted process makes network request (3 IoCs)
Process: MsiExec.exe (pid 1320), the 32-bit custom action server started by the installer service
flow 3  pid 1320  MsiExec.exe
flow 5  pid 1320  MsiExec.exe
flow 7  pid 1320  MsiExec.exe
The network section of this page is empty, so the destinations of these three flows are not recorded here.

Executes dropped EXE (1 IoC)
pid 1644  nECKz.exe

Loads dropped DLL (4 IoCs)
pid 1320  MsiExec.exe
pid 1320  MsiExec.exe
pid 1644  nECKz.exe
pid 1580  iexplore.exe
The dropped DLLs listed under Downloads are the two byte-identical C:\Windows\Installer\MSI*.tmp files, which is where Windows Installer extracts a custom action DLL before the custom action server loads it, and NvSmartMax.dll, which sits next to nECKz.exe in the Saved Games directory. The two MsiExec.exe loads line up with the former, the nECKz.exe and iexplore.exe loads with the latter. A Microsoft browser binary loading a DLL dropped by this sample is the detail to note.
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: iexplore.exe (pid 1580)
Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run
Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin-_29h14a = "C:\Users\Admin\Saved Games\Admin kkcKp\nECKz.exe" (the report shows the data JSON-escaped; the registry data is the quoted path)
The persistence entry is written by iexplore.exe, not by the dropped EXE, and it points into the user's Saved Games folder. Both the value name (Admin-_29h14a) and the drop directory (Admin kkcKp) are the user name followed by a random-looking suffix, so these literals are unlikely to repeat on another host; match on the pattern (a Run value written by a browser process whose target lives under the user profile) rather than on the names.
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe (the report's header lists both installer instances; the rows carry no pid)
File opened (read-only) by msiexec.exe on each of \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:; every letter appears twice in the report (24 letters x 2 = 48 IoCs), and C: and D: are absent.
Caveat: for msiexec.exe this is ordinary Windows Installer behaviour (the installer probes every drive letter while costing the installation), so the signature is informational here and not evidence of the payload.
Drops file in Windows directory (8 IoCs)
Process: msiexec.exe (pid 932, the installer service)
File created                 C:\Windows\Installer\f76585f.ipi
File opened for modification C:\Windows\Installer\
File opened for modification C:\Windows\Installer\MSID7EA.tmp
File opened for modification C:\Windows\Installer\f76585f.ipi
File created                 C:\Windows\Installer\f76585d.msi
File opened for modification C:\Windows\Installer\f76585d.msi
File opened for modification C:\Windows\Installer\MSI58CA.tmp
File opened for modification C:\Windows\Installer\MSI5A70.tmp
These are the installer service's usual working files: f76585d.msi is the cached copy of the package, f76585f.ipi its in-progress installation record, and the MSI*.tmp files are custom action extracts. On an infected host the cached .msi is the easiest place to recover the original package.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: iexplore.exe (pid 1580)
Key opened        \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry (2 TTPs, 4 IoCs)
Process: iexplore.exe (pid 1580)
Key opened        \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion
Together with ProcessorNameString these four values are a standard VM/sandbox fingerprint: hypervisors put their vendor and product names into the BIOS strings, and emulated CPUs carry a recognisable processor name. That the reads are made by iexplore.exe rather than by the dropped EXE is consistent with the sample's code running inside the browser process.

Modifies Control Panel (2 IoCs)
Process: nECKz.exe (pid 1644)
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\(Padrão) 2 = "nECKz"
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\(Padrão) 3 = "C:\Users\Admin\Saved Games\Admin kkcKp\"
The dropped EXE records its own file name and directory under the user's Control Panel key. The value names are reproduced as the report shows them; "Padrão" is Portuguese for "Default".
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
flow 3  HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
This is the default User-Agent of the WinHttp.WinHttpRequest COM object, so the request was made through WinHTTP from script or from a COM-capable custom action, not by a browser. Flow 3 belongs to MsiExec.exe (pid 1320) per the network-request signature above, which places the HTTP activity in the package's custom action.
Suspicious behavior: EnumeratesProcesses (32 IoCs)
pid 932   msiexec.exe   (2 entries)
pid 1580  iexplore.exe  (30 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe (pid 1564), msiexec.exe (pid 932), WMIC.exe (pid 1364); grouped by process below, each group in report order.
msiexec.exe pid 1564 (31 entries): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
msiexec.exe pid 932 (11 entries): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, then the pair SeRestorePrivilege, SeTakeOwnershipPrivilege four more times
WMIC.exe pid 1364 (22 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (unresolved privilege LUIDs; on Windows these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege), then SeIncreaseQuotaPrivilege and SeSecurityPrivilege again
Caveat: enabling a broad set of privileges is the normal start-up behaviour of both Microsoft binaries involved (the installer runs with the privileges it needs to write to protected locations, and wmic.exe routinely enables every privilege present in its token), so this signature carries little weight on its own. The interesting fact is which process called WMIC, not what WMIC did with its token.
Suspicious use of FindShellTrayWindow (3 IoCs)
pid 1564  msiexec.exe
pid 1320  MsiExec.exe
pid 1564  msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
source pid  source image  target pid  target image  writes
932         msiexec.exe   1320        MsiExec.exe   7
1320        MsiExec.exe   1364        WMIC.exe      4
1644        nECKz.exe     1580        iexplore.exe  5
All three pairs are a parent writing into a child it has just created, which this signature records for every process start, so by itself it does not show injection. What sets the last pair apart is what the child then does: iexplore.exe loads a dropped DLL, reads the CPU and BIOS fingerprinting values and writes the Run key, none of which is Internet Explorer's own behaviour.
Processes
(pids are taken from the signature tables above; indentation shows the parent-child depth the report records)

C:\Windows\system32\msiexec.exe (pid 1564, depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\36b8ab4ab974a6be2ae8aec49600215c.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (pid 932, depth 1; the Windows Installer service)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (pid 1320, depth 2; 32-bit custom action server)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 96245231DFC000E95E854EF1DFBB3203
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe (pid 1364, depth 3)
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin kkcKp\nECKz.exe'
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Saved Games\Admin kkcKp\nECKz.exe (pid 1644, depth 1)
  Command line: "C:\Users\Admin\Saved Games\Admin kkcKp\nECKz.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet explorer\iexplore.exe (pid 1580, depth 2)
    Command line: "C:\Program Files (x86)\Internet explorer\iexplore.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses

Reading the tree: the user-launched msiexec.exe /I (pid 1564) hands the package to the installer service, msiexec.exe /V (pid 932), which runs the package's custom actions in the 32-bit MsiExec.exe -Embedding host (pid 1320). That host makes the three HTTP flows and then runs WMIC.exe process call create to start the dropped executable. Because Win32_Process.Create starts the new process from the WMI provider host rather than from the caller, nECKz.exe (pid 1644) appears as a top-level process with no parent in this tree; this is a common way to detach a payload from the installer's process chain, and any detection that relies on msiexec.exe being the parent of the payload will miss it. nECKz.exe then starts iexplore.exe (pid 1580) and writes into its memory, and it is iexplore.exe, not the dropped EXE, that loads a dropped DLL, reads the CPU and BIOS values used for sandbox detection and writes the Run key that points back to nECKz.exe.
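The process tree and the signature tables above give a compact set of behaviours to detect on an endpoint: a WMIC process call create that starts an executable from a user directory, a Run value written by a browser process that points outside Program Files and Windows, a user-directory executable writing into a browser process, several CPU/BIOS registry reads by one process, and HTTP traffic carrying the WinHttpRequest default User-Agent. The Python below is an added example of that detection logic and is not code from the report or from the sandbox vendor; the Event shape, the rule names, the thresholds and the benign control record are this example's assumptions, and the event records are constructed to mirror this report's pids, paths and registry keys (a real deployment would map Sysmon events 1, 10 and 13, or, for the registry reads that Sysmon does not record, the sandbox's own JSON, into the same shape).

```python
"""Detection rules for the behaviours recorded in this report.

Added example. The Event shape, rule names and thresholds are assumptions of
this example; EVENTS is constructed to mirror the report's IoCs and is not
sandbox output.
"""
import re
from dataclasses import dataclass, field

USER_DIR = re.compile(r"^[a-z]:\\users\\", re.I)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# the four values iexplore.exe reads in this report; a common VM/sandbox fingerprint set
VM_FINGERPRINT = {
    r"hardware\description\system\centralprocessor\0\processornamestring",
    r"hardware\description\system\bios\systemmanufacturer",
    r"hardware\description\system\bios\systemproductname",
    r"hardware\description\system\bios\systemversion",
}
WMIC_CREATE = re.compile(r"""process\s+call\s+create\s+['"]?([^'"]+)""", re.I)


@dataclass
class Event:
    kind: str          # process_create | reg_set | reg_query | wpm | http
    pid: int
    image: str
    data: dict = field(default_factory=dict)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def strip_hive(key):
    """'\\REGISTRY\\MACHINE\\X' or '\\REGISTRY\\USER\\<SID>\\X' -> 'x' (lower-cased)."""
    return re.sub(r"^\\registry\\(machine|user\\[^\\]+)\\", "", key, flags=re.I).lower()


def detect(events):
    """Return (rule, pid, detail) tuples. All rules are per event except the
    fingerprint rule, which correlates several registry reads by one pid."""
    findings, reads = [], {}
    for e in events:
        d = e.data
        if e.kind == "process_create" and basename(e.image) == "wmic.exe":
            # Win32_Process.Create starts the target under WmiPrvSE.exe, detaching it from the caller
            m = WMIC_CREATE.search(d.get("cmdline", ""))
            if m and USER_DIR.match(m.group(1)):
                findings.append(("wmi_process_create_from_user_dir", e.pid, m.group(1)))
        elif e.kind == "reg_set" and re.search(r"\\currentversion\\run\\", d["key"], re.I):
            target = d["value"].strip('"')
            if not SYSTEM_DIRS.match(target):
                rule = ("run_key_written_by_browser" if basename(e.image) in BROWSERS
                        else "run_key_outside_system_dirs")
                findings.append((rule, e.pid, target))
        elif e.kind == "reg_query" and strip_hive(d["key"]) in VM_FINGERPRINT:
            reads.setdefault(e.pid, set()).add(strip_hive(d["key"]))
        elif e.kind == "wpm" and USER_DIR.match(e.image) and basename(d["target_image"]) in BROWSERS:
            findings.append(("user_dir_exe_writes_into_browser", e.pid, d["target_pid"]))
        elif e.kind == "http" and "winhttp.winhttprequest" in d.get("user_agent", "").lower():
            findings.append(("script_host_user_agent", e.pid, d["user_agent"]))
    for pid, values in reads.items():
        if len(values) >= 3:  # one read is inventory noise; CPU name plus BIOS strings is fingerprinting
            findings.append(("vm_fingerprint_registry_reads", pid, sorted(values)))
    return findings


IE = r"C:\Program Files (x86)\Internet explorer\iexplore.exe"
DROPPED = r"C:\Users\Admin\Saved Games\Admin kkcKp\nECKz.exe"
BIOS = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"
RUN = r"\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed events mirroring the report's process tree and signature tables.
EVENTS = [
    Event("process_create", 1364, r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
          {"ppid": 1320, "cmdline": r'"C:\Windows\System32\Wbem\WMIC.exe" process call create ' + f"'{DROPPED}'"}),
    Event("process_create", 1644, DROPPED, {"ppid": None, "cmdline": f'"{DROPPED}"'}),  # no parent in tree
    Event("http", 1320, r"C:\Windows\syswow64\MsiExec.exe",
          {"flow": 3, "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"}),
    Event("wpm", 1644, DROPPED, {"target_pid": 1580, "target_image": IE}),
    Event("reg_query", 1580, IE, {"key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"}),
    Event("reg_query", 1580, IE, {"key": BIOS + r"\SystemManufacturer"}),
    Event("reg_query", 1580, IE, {"key": BIOS + r"\SystemProductName"}),
    Event("reg_query", 1580, IE, {"key": BIOS + r"\SystemVersion"}),
    Event("reg_set", 1580, IE, {"key": RUN + r"\Admin-_29h14a", "value": f'"{DROPPED}"'}),
    # benign control (constructed, not from the report): an installer registering an updater under Program Files
    Event("reg_set", 4242, r"C:\Windows\system32\msiexec.exe",
          {"key": RUN + r"\VendorUpdater", "value": r'"C:\Program Files\Vendor\updater.exe"'}),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:34} pid={pid} {detail}")
```

The fingerprint rule requires three or more of the four values from the same pid so that a single legitimate read (inventory tools query SystemManufacturer) does not alert; the constructed benign msiexec.exe Run entry under Program Files shows the Run rule keying on the target path and the writing process rather than on the key alone.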
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Nine file entries, six distinct SHA-256 values. The report lists the installer and Saved Games files twice, once with and once without the drive letter. MSI58CA.tmp and MSI5A70.tmp are byte-identical (the same custom action DLL extracted twice), and NvSmartMax.dll appears with three different hashes under the same path, so the file was written with different contents more than once during the runs.

C:\Users\Admin\Saved Games\Admin kkcKp\NvSmartMax.dll
MD5     51a2e4f3bf06a57b438449e10a78f12b
SHA1    c1ca9f811e5d853730ce3797df27b877ad33dd2e
SHA256  0ab58ca317447b8cd4098c22a92eaa29b14b9a111d7c82b6389599a4e4398311
SHA512  d7a1c1dfc9c5433d6bb52172b9279d9c2b08163bf587b50fe65062fdc832d7e36965a057e89bd18ff0d74c19a9a75e21d5f43e33c4c4a47b824ad8e68dbc0d29

C:\Users\Admin\Saved Games\Admin kkcKp\nECKz.exe
MD5     1f26da52aea0b3dfe2e829665bd2474f
SHA1    a852a99e2982df75842ccfc274ea3f9c54d22859
SHA256  33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32
SHA512  dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d

C:\Users\Admin\Saved Games\Admin kkcKp\nECKz.~tmp
MD5     2f3335c18aaa8ae44810a1bacae61691
SHA1    a11b4b06148fc8cea338cfe29868366aec726cf8
SHA256  6ab83e36dcd1534ad13f989feb4771d375ba67b77f9da1b9dd2aeea5d4683034
SHA512  e66e569407f6778ef5af0b97db1e553c264296ded96dc6691966834d8eb700b196bcbe329170f05bf30d07a004e6bf8f380b41ad2cb014e618dc8ae306ff5a14

C:\Windows\Installer\MSI58CA.tmp
MD5     9f1e5d66c2889018daef4aef604eebc4
SHA1    b80294261c8a1635e16e14f55a3d76889ff2c857
SHA256  02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA512  8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

C:\Windows\Installer\MSI5A70.tmp
MD5     9f1e5d66c2889018daef4aef604eebc4
SHA1    b80294261c8a1635e16e14f55a3d76889ff2c857
SHA256  02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA512  8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

\Users\Admin\Saved Games\Admin kkcKp\NvSmartMax.dll
MD5     43f05481b2475dbe34e3121a7f888cdd
SHA1    2d476d2e316ef5b26093fd08e24bc5021ae05d90
SHA256  8e4833e0e7ad343dbd9d71dbed7cb0e9c67758ca4ffb0db8538ae90940f6a0ea
SHA512  56b5d1eb66b746ed77ec1291abc083ed830876a10f74a3c6b6f91b931e34c450c1787bebb12f3acaa5a7ee5548bd6fca41cd5350eda1bd381b9375fd8abcd4ba

\Users\Admin\Saved Games\Admin kkcKp\NvSmartMax.dll
MD5     0e4575a61c67faf11f1ebe0ace77bc6d
SHA1    5c8f68bbdbf4ba215a03226f0d1a1904934c2fc3
SHA256  e0935a715377a4c6bc6d52e4222a1854640923170beed6d3366677bd97002606
SHA512  d90e84c910b0ed13013f880fddc723c3fd4dd4e46eac1a21bf5627871c5bce6556f8f8dc5a2c52d651791721bc0a32ea93c8f328d538bf19c87a23d6b666fe21

\Windows\Installer\MSI58CA.tmp
MD5     9f1e5d66c2889018daef4aef604eebc4
SHA1    b80294261c8a1635e16e14f55a3d76889ff2c857
SHA256  02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA512  8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

\Windows\Installer\MSI5A70.tmp
MD5     9f1e5d66c2889018daef4aef604eebc4
SHA1    b80294261c8a1635e16e14f55a3d76889ff2c857
SHA256  02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA512  8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
memory/1320-55-0x0000000000000000-mapping.dmp
memory/1320-56-0x0000000076201000-0x0000000076203000-memory.dmp   Filesize 8KB
memory/1320-61-0x0000000000B10000-0x0000000000B11000-memory.dmp   Filesize 4KB
memory/1364-62-0x0000000000000000-mapping.dmp
memory/1564-53-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp   Filesize 8KB
memory/1580-70-0x0000000000000000-mapping.dmp
memory/1644-69-0x00000000031B0000-0x00000000033C1000-memory.dmp   Filesize 2.1MB
memory/1644-68-0x0000000002CB0000-0x0000000002F89000-memory.dmp   Filesize 2.8MB
memory/1644-66-0x0000000000E70000-0x00000000015D2000-memory.dmp   Filesize 7.4MB
The three large regions dumped from nECKz.exe (pid 1644: 7.4MB, 2.8MB and 2.1MB) are the dropped executable's own memory and the natural starting point for static analysis of what it runs.
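The dropped-file list above has nine entries but, once the drive-letter prefix is ignored, only five paths and six distinct SHA-256 values. The Python below is an added example and not part of the report: it parses the list in the fused form the page was extracted in (label run into value, with a separating space also accepted), drops the drive letter so the two spellings of each path compare equal, and groups the entries by hash and by path. RAW is copied from the entries above with the separator and SHA-512 lines left out for length; the function names are this example's own.

```python
"""Group this report's dropped-file list by content hash.

Added example. RAW is the Downloads list as extracted from the report (label
fused to value; separator and SHA-512 lines omitted); the parser and the
grouping are not part of the report.
"""
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]{32,128})$")

RAW = r"""
C:\Users\Admin\Saved Games\Admin kkcKp\NvSmartMax.dllMD5
51a2e4f3bf06a57b438449e10a78f12b
SHA1c1ca9f811e5d853730ce3797df27b877ad33dd2e
SHA2560ab58ca317447b8cd4098c22a92eaa29b14b9a111d7c82b6389599a4e4398311
C:\Users\Admin\Saved Games\Admin kkcKp\nECKz.exeMD5
1f26da52aea0b3dfe2e829665bd2474f
SHA1a852a99e2982df75842ccfc274ea3f9c54d22859
SHA25633a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32
C:\Users\Admin\Saved Games\Admin kkcKp\nECKz.~tmpMD5
2f3335c18aaa8ae44810a1bacae61691
SHA1a11b4b06148fc8cea338cfe29868366aec726cf8
SHA2566ab83e36dcd1534ad13f989feb4771d375ba67b77f9da1b9dd2aeea5d4683034
C:\Windows\Installer\MSI58CA.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
C:\Windows\Installer\MSI5A70.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
\Users\Admin\Saved Games\Admin kkcKp\NvSmartMax.dllMD5
43f05481b2475dbe34e3121a7f888cdd
SHA12d476d2e316ef5b26093fd08e24bc5021ae05d90
SHA2568e4833e0e7ad343dbd9d71dbed7cb0e9c67758ca4ffb0db8538ae90940f6a0ea
\Users\Admin\Saved Games\Admin kkcKp\NvSmartMax.dllMD5
0e4575a61c67faf11f1ebe0ace77bc6d
SHA15c8f68bbdbf4ba215a03226f0d1a1904934c2fc3
SHA256e0935a715377a4c6bc6d52e4222a1854640923170beed6d3366677bd97002606
\Windows\Installer\MSI58CA.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
\Windows\Installer\MSI5A70.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
"""


def parse_downloads(text):
    """Parse path + hash lines into dicts; accepts 'SHA1<hex>' as well as 'SHA1 <hex>'."""
    entries, cur, pending = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "-":
            continue
        m = HASH_LINE.match(line)
        if m and cur is not None:
            cur[m.group(1).lower()] = m.group(2).lower()
        elif pending and cur is not None and re.fullmatch(r"[0-9a-fA-F]{32}", line):
            cur[pending] = line.lower()  # fused form: the MD5 sits on the line after 'pathMD5'
            pending = None
        else:
            fused = line.endswith("MD5")
            cur = {"path": line[:-3] if fused else line}
            pending = "md5" if fused else None
            entries.append(cur)
    return entries


def normalize_path(path):
    """Drop the drive letter so 'C:\\Windows\\x' and '\\Windows\\x' compare equal."""
    return re.sub(r"^[A-Za-z]:", "", path)


def by_hash(entries):
    groups = defaultdict(set)
    for e in entries:
        groups[e["sha256"]].add(normalize_path(e["path"]))
    return dict(groups)


def by_path(entries):
    groups = defaultdict(set)
    for e in entries:
        groups[normalize_path(e["path"])].add(e["sha256"])
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_downloads(RAW)
    for sha256, paths in by_hash(parsed).items():
        if len(paths) > 1:
            print("same content under several paths:", sha256[:16], sorted(paths))
    for path, hashes in by_path(parsed).items():
        if len(hashes) > 1:
            print("same path, different content:", path, len(hashes), "variants")
```

Grouping by hash first is the usual triage order: it collapses the duplicate listings and the identical MSI*.tmp extracts to one file to analyse, while the by-path view surfaces the three NvSmartMax.dll variants that would be missed if only the first hash were taken.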