Overview

overview

9

Static

static

N-72kzbfcz 2d2e1q.msi

windows7_x64

8

N-72kzbfcz 2d2e1q.msi

windows10-2004_x64

9

Analysis

  • max time kernel
    34s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    03-02-2022 09:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    N-72kzbfcz 2d2e1q.msi

  • Size

    952KB

  • MD5

    7d577d8a871c7340f56660b1e4389601

  • SHA1

    6e2a1cb4eb564634baab2c1649fdaed7f92d7943

  • SHA256

    56e791cc8e07df049102c8d489a27c08ce231b90ac97eb97c741ddeb236fec24

  • SHA512

    03a1693e8f4be065bb4e84ff7c8e56e4c2e3a59092c38a0d503fe30032f5d67d2f0cab75dbe36751da456015ef1f7d81d343d6253fc418f661c4003c0eaae72c

Score
9/10
evasionpersistencethemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 8 IoCs
  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 19 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\N-72kzbfcz 2d2e1q.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3512
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 83EB32EDF1D434209F9B24E865425BF1
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:644
      • C:\Users\Admin\AppData\Roaming\yo4fvxws\jsg1yoe\my55he\qrG5.exe
        "C:\Users\Admin\AppData\Roaming\yo4fvxws\jsg1yoe\my55he\qrG5.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3772
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe b6dabb7c0450ca141650af3f3cc33a46 qR3WV0VRTkOYWAWJaXJdow.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:1956
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\yo4fvxws\jsg1yoe\my55he\jKPeSMhaBb.dll
    MD5

    71de56304b7c5bf604a2c63c27fee89b

    SHA1

    84b63bc607afa5ed4401a618e896f5a511dbeb20

    SHA256

    7941b73b753797e4926d9df968f5e6b101dc23d7312569ae2af784262f532353

    SHA512

    ee7f465a235ec63163a4ac93e0b120daf7b1e66a11ef0046a87f9d90923760ea47882fc5eda5a1caf8814fc2e0e74cd769c9b88e0de7488701c9b9556edbf406

    Download Submit
  • C:\Users\Admin\AppData\Roaming\yo4fvxws\jsg1yoe\my55he\jKPeSMhaBb.dll
    MD5

    71de56304b7c5bf604a2c63c27fee89b

    SHA1

    84b63bc607afa5ed4401a618e896f5a511dbeb20

    SHA256

    7941b73b753797e4926d9df968f5e6b101dc23d7312569ae2af784262f532353

    SHA512

    ee7f465a235ec63163a4ac93e0b120daf7b1e66a11ef0046a87f9d90923760ea47882fc5eda5a1caf8814fc2e0e74cd769c9b88e0de7488701c9b9556edbf406

    Download Submit
  • C:\Users\Admin\AppData\Roaming\yo4fvxws\jsg1yoe\my55he\jKPeSMhaBb.dll
    MD5

    71de56304b7c5bf604a2c63c27fee89b

    SHA1

    84b63bc607afa5ed4401a618e896f5a511dbeb20

    SHA256

    7941b73b753797e4926d9df968f5e6b101dc23d7312569ae2af784262f532353

    SHA512

    ee7f465a235ec63163a4ac93e0b120daf7b1e66a11ef0046a87f9d90923760ea47882fc5eda5a1caf8814fc2e0e74cd769c9b88e0de7488701c9b9556edbf406

    Download Submit
  • C:\Users\Admin\AppData\Roaming\yo4fvxws\jsg1yoe\my55he\qrG5.ahk
    MD5

    690554d85a8a4bee133a1cbe844d622f

    SHA1

    81eafd80bc5bcc0e67f7a50b2f1a5d81807b84fe

    SHA256

    afbeadb41fbfb0225a9242cc1d3e2c72fe607d0530eb2c5b3a866b4d57f272fc

    SHA512

    236f5e636569757fe701f5e1c91279db023f990caa17031369a54a5058bab3ec55848b6a9e28ad7b65834dc14327f3c072aa57c8c3c831bcff8464ef211f2ab7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\yo4fvxws\jsg1yoe\my55he\qrG5.exe
    MD5

    01f601da6304451e0bc17cf004c97c43

    SHA1

    1aa363861d1cfc45056068de0710289ebbfcb886

    SHA256

    945adada6cf6698b949359d9b395a5f905989d0d1eb84f537de492ecc1263148

    SHA512

    cc74c0b016ab1f53069f6ffbe1e35373090a64ad5630cefbb70e72febdd00fb2d885838e5b9836382bf4b160998a08d7ce149071c73b10aa4320bca00805cb6b

    Download Submit
  • C:\Windows\Installer\MSI73C6.tmp
    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

    Download Submit
  • C:\Windows\Installer\MSI73C6.tmp
    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

    Download Submit
  • C:\Windows\Installer\MSI89EF.tmp
    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

    Download Submit
  • C:\Windows\Installer\MSI89EF.tmp
    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

    Download Submit
  • C:\Windows\Installer\MSI8EA3.tmp
    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

    Download Submit
  • C:\Windows\Installer\MSI8EA3.tmp
    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

    Download Submit
  • C:\Windows\Installer\MSI8F02.tmp
    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

    Download Submit
  • C:\Windows\Installer\MSI8F02.tmp
    MD5

    d90ab57e6c584f90fbbea74b566216e3

    SHA1

    4616e59aed33848f5870e5e1fe865f932721a162

    SHA256

    44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

    SHA512

    5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

    Download Submit
  • C:\Windows\Installer\MSI9398.tmp
    MD5

    06bf05c1b207c1340db60571ee6ef552

    SHA1

    64b9ad03c6827a320633336c5e53c974d950ef67

    SHA256

    2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

    SHA512

    a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

    Download Submit
  • C:\Windows\Installer\MSI9398.tmp
    MD5

    06bf05c1b207c1340db60571ee6ef552

    SHA1

    64b9ad03c6827a320633336c5e53c974d950ef67

    SHA256

    2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

    SHA512

    a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

    Download Submit
  • C:\Windows\Installer\MSI9723.tmp
    MD5

    06bf05c1b207c1340db60571ee6ef552

    SHA1

    64b9ad03c6827a320633336c5e53c974d950ef67

    SHA256

    2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

    SHA512

    a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

    Download Submit
  • C:\Windows\Installer\MSI9723.tmp
    MD5

    06bf05c1b207c1340db60571ee6ef552

    SHA1

    64b9ad03c6827a320633336c5e53c974d950ef67

    SHA256

    2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

    SHA512

    a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

    Download Submit
  • memory/1848-145-0x00000253E9790000-0x00000253E97A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1848-152-0x00000253EC510000-0x00000253EC514000-memory.dmp
    Filesize

    16KB

    Download
  • memory/3772-158-0x0000000004AE0000-0x0000000005A8E000-memory.dmp
    Filesize

    15.7MB

    Download
  • memory/3772-159-0x0000000004AE0000-0x0000000005A8E000-memory.dmp
    Filesize

    15.7MB

    Download