Overview

overview

8

Static

static

10

36b8ab4ab9...5c.msi

windows7_x64

8

36b8ab4ab9...5c.msi

windows10_x64

8

Analysis

  • max time kernel
    144s
  • max time network
    132s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    19-10-2021 05:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36b8ab4ab974a6be2ae8aec49600215c.msi

  • Size

    264KB

  • MD5

    36b8ab4ab974a6be2ae8aec49600215c

  • SHA1

    01233a85959dd6f5815eb8a037d630b81bff0eb0

  • SHA256

    17182f1f100e9370ee0798fdad75aca6c9004d9446bad85bf5ad9f28975f77d4

  • SHA512

    27bbfedd27c8b821fc17a25ab7a704874df02cb9f608bb02c0892e68e64336ff6816248f4fab150c11e8da7d8422195be7f50ac37927a5e2cef3d95cc71e9072

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\36b8ab4ab974a6be2ae8aec49600215c.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4132
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 4894A0B908B74AFE682A606432EF6217
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin xguUZ\SzKHJ.exe'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1928
  • C:\Users\Admin\Saved Games\Admin xguUZ\SzKHJ.exe
    "C:\Users\Admin\Saved Games\Admin xguUZ\SzKHJ.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Program Files (x86)\Internet explorer\iexplore.exe
      "C:\Program Files (x86)\Internet explorer\iexplore.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:3876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Saved Games\Admin xguUZ\NvSmartMax.dll
    MD5

    6fc540570accb96f9839914989d46c4d

    SHA1

    05fe3e181d111d585562145c291a9a024a357c4d

    SHA256

    d8ef1a0ae1b1d14d02afbd6458758b262c4d645bf4c0e9f0fdf2b4a045b1dc88

    SHA512

    4b3283d896c157ee8150e0c74a28864ad294af86240af7d67015e389fb5cdc662c13b61d2703cb0ecad26f316d7b48626030a5cb321f07464910d820ce1f6061

    Download Submit
  • C:\Users\Admin\Saved Games\Admin xguUZ\SzKHJ.exe
    MD5

    1f26da52aea0b3dfe2e829665bd2474f

    SHA1

    a852a99e2982df75842ccfc274ea3f9c54d22859

    SHA256

    33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32

    SHA512

    dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d

    Download Submit
  • C:\Users\Admin\Saved Games\Admin xguUZ\SzKHJ.exe
    MD5

    1f26da52aea0b3dfe2e829665bd2474f

    SHA1

    a852a99e2982df75842ccfc274ea3f9c54d22859

    SHA256

    33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32

    SHA512

    dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d

    Download Submit
  • C:\Users\Admin\Saved Games\Admin xguUZ\SzKHJ.~tmp
    MD5

    2f3335c18aaa8ae44810a1bacae61691

    SHA1

    a11b4b06148fc8cea338cfe29868366aec726cf8

    SHA256

    6ab83e36dcd1534ad13f989feb4771d375ba67b77f9da1b9dd2aeea5d4683034

    SHA512

    e66e569407f6778ef5af0b97db1e553c264296ded96dc6691966834d8eb700b196bcbe329170f05bf30d07a004e6bf8f380b41ad2cb014e618dc8ae306ff5a14

    Download Submit
  • C:\Windows\Installer\MSIF166.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • C:\Windows\Installer\MSIF956.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Users\Admin\Saved Games\Admin xguUZ\NvSmartMax.dll
    MD5

    95820585194b04b90b87537350b42bfc

    SHA1

    d565fb347b9993c384368edbc1c3532156b73b0b

    SHA256

    55a2c0b7cecd86648a6b340f761d96d694e4c6fcbafcfc84f7beb299f83c39ce

    SHA512

    2d6c1f9a8fa4d7d3f4c071601ba2d0bbe243448340a66d1ad6de1eb23dde0d7a546efea6fc430820f7c7880658c29d8e4b9ffb54a99e4bfefb7e5f11003734e7

    Download Submit
  • \Users\Admin\Saved Games\Admin xguUZ\NvSmartMax.dll
    MD5

    e63ed16f3464bbfe7cecbcf6f84dc52a

    SHA1

    48b4df4e1048be1de292178d21312ebb21b5489c

    SHA256

    3e51e00570ffa2e8c8772d565aec4561481e910a9637d28a9a4e8b84b42439d0

    SHA512

    2603b84c989aaa987ef2f709502d27170cb579f31903806f17a35d9c467e1be9d81969e55c97b1c9d000f06320b30ca418a13f498026edf408577f6a7983a963

    Download Submit
  • \Users\Admin\Saved Games\Admin xguUZ\NvSmartMax.dll
    MD5

    f1e045e88692ce9b95a6d38d3af89357

    SHA1

    1efa1e2c97f63d10fee8999c7416fd011d5ae8d7

    SHA256

    a373ac62d91cf9149536612f6a29f5ed7a6eb3db7d77308a09315fa2e18d9401

    SHA512

    e5953001509b8a935e7cf3bdd888169c38ed654a9416a0a04ec308e0e077f7102b6a24d00d0319f73149b4b7209bca643b1f3de06ad131307c576e000fa8633f

    Download Submit
  • \Users\Admin\Saved Games\Admin xguUZ\NvSmartMax.dll
    MD5

    26a8e2af55928745bd7b7be97f6c2e1e

    SHA1

    f4f3343de351ec87a7b81e1d9e4746518088787b

    SHA256

    8d184f3a9971e512b4d46d477bf76b37f988da6448b0afd88a9570179e27ff00

    SHA512

    b70210d2e5714329b625c731c111c18b92eef860e4606b27b334ad3413d97d482e4df7d908d4175b4b607b958319deed4d1f4c387504613252e1df1d97f09966

    Download Submit
  • \Windows\Installer\MSIF166.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • \Windows\Installer\MSIF956.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit
  • memory/1676-121-0x0000000000EA0000-0x0000000000EA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1676-120-0x0000000000EA0000-0x0000000000EA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1676-119-0x0000000000000000-mapping.dmp
    Download
  • memory/1928-126-0x0000000000000000-mapping.dmp
    Download
  • memory/2232-118-0x00000226DA980000-0x00000226DA982000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2232-117-0x00000226DA980000-0x00000226DA982000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2772-132-0x0000000000D90000-0x00000000014F2000-memory.dmp
    Filesize

    7.4MB

    Download
  • memory/2772-133-0x0000000003430000-0x0000000003709000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/2772-134-0x0000000003810000-0x0000000003A21000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3876-135-0x0000000000000000-mapping.dmp
    Download
  • memory/4132-115-0x00000192EE650000-0x00000192EE652000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4132-116-0x00000192EE650000-0x00000192EE652000-memory.dmp
    Filesize

    8KB

    Download