Analysis
- max time kernel: 144s
- max time network: 132s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 19-10-2021 05:26
Static task: static1
Behavioral task: behavioral1
- Sample: 36b8ab4ab974a6be2ae8aec49600215c.msi
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: 36b8ab4ab974a6be2ae8aec49600215c.msi
- Resource: win10-en-20211014
General
- Target: 36b8ab4ab974a6be2ae8aec49600215c.msi
- Size: 264KB
- MD5: 36b8ab4ab974a6be2ae8aec49600215c
- SHA1: 01233a85959dd6f5815eb8a037d630b81bff0eb0
- SHA256: 17182f1f100e9370ee0798fdad75aca6c9004d9446bad85bf5ad9f28975f77d4
- SHA512: 27bbfedd27c8b821fc17a25ab7a704874df02cb9f608bb02c0892e68e64336ff6816248f4fab150c11e8da7d8422195be7f50ac37927a5e2cef3d95cc71e9072
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow, pid, process):
  - 13, 1676, MsiExec.exe
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 2772, SzKHJ.exe
- Loads dropped DLL (6 IoCs)
  Processes (pid, process):
  - 1676, MsiExec.exe
  - 1676, MsiExec.exe
  - 2772, SzKHJ.exe
  - 2772, SzKHJ.exe
  - 3876, iexplore.exe
  - 3876, iexplore.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run (iexplore.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin-_IQ89Ul0H0 = "\"C:\\Users\\Admin\\Saved Games\\Admin xguUZ\\SzKHJ.exe\"" (iexplore.exe)
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe
- Drops file in Windows directory (9 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  - File created: C:\Windows\Installer\SourceHash{E1970D67-9CDE-48F7-8641-ACBEA376F909} (msiexec.exe)
  - File created: C:\Windows\Installer\f75f07b.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\f75f07b.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIF956.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIF166.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI62CF.tmp (msiexec.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (iexplore.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (iexplore.exe)
- Enumerates system info in registry (2 TTPs, 4 IoCs)
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (iexplore.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (iexplore.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (iexplore.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (iexplore.exe)
- Modifies Control Panel (2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\(Padrão) 2 = "SzKHJ" (SzKHJ.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\(Padrão) 3 = "C:\\Users\\Admin\\Saved Games\\Admin xguUZ\\" (SzKHJ.exe)
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  Processes (description, flow, ioc):
  - HTTP User-Agent header, flow 13: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: msiexec.exe, iexplore.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: msiexec.exe, WMIC.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid, process):
  - 4132, msiexec.exe
  - 1676, MsiExec.exe
  - 4132, msiexec.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description, pid, process, target process):
  - PID 2232 wrote to memory of 1676: msiexec.exe -> MsiExec.exe
  - PID 2232 wrote to memory of 1676: msiexec.exe -> MsiExec.exe
  - PID 2232 wrote to memory of 1676: msiexec.exe -> MsiExec.exe
  - PID 1676 wrote to memory of 1928: MsiExec.exe -> WMIC.exe
  - PID 1676 wrote to memory of 1928: MsiExec.exe -> WMIC.exe
  - PID 1676 wrote to memory of 1928: MsiExec.exe -> WMIC.exe
  - PID 2772 wrote to memory of 3876: SzKHJ.exe -> iexplore.exe
  - PID 2772 wrote to memory of 3876: SzKHJ.exe -> iexplore.exe
  - PID 2772 wrote to memory of 3876: SzKHJ.exe -> iexplore.exe
  - PID 2772 wrote to memory of 3876: SzKHJ.exe -> iexplore.exe
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\36b8ab4ab974a6be2ae8aec49600215c.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 4894A0B908B74AFE682A606432EF6217
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\Saved Games\Admin xguUZ\SzKHJ.exe'
      - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Saved Games\Admin xguUZ\SzKHJ.exe
  Command line: "C:\Users\Admin\Saved Games\Admin xguUZ\SzKHJ.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet explorer\iexplore.exe
    Command line: "C:\Program Files (x86)\Internet explorer\iexplore.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
Network
Downloads
- C:\Users\Admin\Saved Games\Admin xguUZ\NvSmartMax.dll
  MD5: 6fc540570accb96f9839914989d46c4d
  SHA1: 05fe3e181d111d585562145c291a9a024a357c4d
  SHA256: d8ef1a0ae1b1d14d02afbd6458758b262c4d645bf4c0e9f0fdf2b4a045b1dc88
  SHA512: 4b3283d896c157ee8150e0c74a28864ad294af86240af7d67015e389fb5cdc662c13b61d2703cb0ecad26f316d7b48626030a5cb321f07464910d820ce1f6061
- C:\Users\Admin\Saved Games\Admin xguUZ\SzKHJ.exe
  MD5: 1f26da52aea0b3dfe2e829665bd2474f
  SHA1: a852a99e2982df75842ccfc274ea3f9c54d22859
  SHA256: 33a71ea2fd95ac5682a12fd55bea29afb77828b9cc10991f0a88600fbf335f32
  SHA512: dfc9574f115969f36e4ca3746355112030f0550b77bca1cc2a3cf73694a47964fd20359d178b0db81479f6bea6d7fa6e26470a7ad8d4300da2435b8ed6c14b1d
- C:\Users\Admin\Saved Games\Admin xguUZ\SzKHJ.~tmp
  MD5: 2f3335c18aaa8ae44810a1bacae61691
  SHA1: a11b4b06148fc8cea338cfe29868366aec726cf8
  SHA256: 6ab83e36dcd1534ad13f989feb4771d375ba67b77f9da1b9dd2aeea5d4683034
  SHA512: e66e569407f6778ef5af0b97db1e553c264296ded96dc6691966834d8eb700b196bcbe329170f05bf30d07a004e6bf8f380b41ad2cb014e618dc8ae306ff5a14
- C:\Windows\Installer\MSIF166.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
- C:\Windows\Installer\MSIF956.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
- \Users\Admin\Saved Games\Admin xguUZ\NvSmartMax.dll
  MD5: 95820585194b04b90b87537350b42bfc
  SHA1: d565fb347b9993c384368edbc1c3532156b73b0b
  SHA256: 55a2c0b7cecd86648a6b340f761d96d694e4c6fcbafcfc84f7beb299f83c39ce
  SHA512: 2d6c1f9a8fa4d7d3f4c071601ba2d0bbe243448340a66d1ad6de1eb23dde0d7a546efea6fc430820f7c7880658c29d8e4b9ffb54a99e4bfefb7e5f11003734e7
- \Users\Admin\Saved Games\Admin xguUZ\NvSmartMax.dll
  MD5: e63ed16f3464bbfe7cecbcf6f84dc52a
  SHA1: 48b4df4e1048be1de292178d21312ebb21b5489c
  SHA256: 3e51e00570ffa2e8c8772d565aec4561481e910a9637d28a9a4e8b84b42439d0
  SHA512: 2603b84c989aaa987ef2f709502d27170cb579f31903806f17a35d9c467e1be9d81969e55c97b1c9d000f06320b30ca418a13f498026edf408577f6a7983a963
- \Users\Admin\Saved Games\Admin xguUZ\NvSmartMax.dll
  MD5: f1e045e88692ce9b95a6d38d3af89357
  SHA1: 1efa1e2c97f63d10fee8999c7416fd011d5ae8d7
  SHA256: a373ac62d91cf9149536612f6a29f5ed7a6eb3db7d77308a09315fa2e18d9401
  SHA512: e5953001509b8a935e7cf3bdd888169c38ed654a9416a0a04ec308e0e077f7102b6a24d00d0319f73149b4b7209bca643b1f3de06ad131307c576e000fa8633f
- \Users\Admin\Saved Games\Admin xguUZ\NvSmartMax.dll
  MD5: 26a8e2af55928745bd7b7be97f6c2e1e
  SHA1: f4f3343de351ec87a7b81e1d9e4746518088787b
  SHA256: 8d184f3a9971e512b4d46d477bf76b37f988da6448b0afd88a9570179e27ff00
  SHA512: b70210d2e5714329b625c731c111c18b92eef860e4606b27b334ad3413d97d482e4df7d908d4175b4b607b958319deed4d1f4c387504613252e1df1d97f09966
- \Windows\Installer\MSIF166.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
- \Windows\Installer\MSIF956.tmp
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
- memory/1676-121-0x0000000000EA0000-0x0000000000EA1000-memory.dmp (Filesize: 4KB)
- memory/1676-120-0x0000000000EA0000-0x0000000000EA1000-memory.dmp (Filesize: 4KB)
- memory/1676-119-0x0000000000000000-mapping.dmp
- memory/1928-126-0x0000000000000000-mapping.dmp
- memory/2232-118-0x00000226DA980000-0x00000226DA982000-memory.dmp (Filesize: 8KB)
- memory/2232-117-0x00000226DA980000-0x00000226DA982000-memory.dmp (Filesize: 8KB)
- memory/2772-132-0x0000000000D90000-0x00000000014F2000-memory.dmp (Filesize: 7.4MB)
- memory/2772-133-0x0000000003430000-0x0000000003709000-memory.dmp (Filesize: 2.8MB)
- memory/2772-134-0x0000000003810000-0x0000000003A21000-memory.dmp (Filesize: 2.1MB)
- memory/3876-135-0x0000000000000000-mapping.dmp
- memory/4132-115-0x00000192EE650000-0x00000192EE652000-memory.dmp (Filesize: 8KB)
- memory/4132-116-0x00000192EE650000-0x00000192EE652000-memory.dmp (Filesize: 8KB)