15b07f5cdf48bc280a5174d121aa82c39ecec6496f856a3927dca297c639509c

Analysis

max time kernel
153s
max time network
140s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nitro_pro13_ba_x64.msi
Size

227.7MB
MD5

06d03947343467c2171da13a7f2dce8c
SHA1

152869568cb73f70c56ace164074394737590c96
SHA256

15b07f5cdf48bc280a5174d121aa82c39ecec6496f856a3927dca297c639509c
SHA512

3cfbde459ba2a88cda2d680bdb1d17298ae109ba27d9e24748bbdbc30cfbb3d1df47b91453abff1bd0c9718ecf4c3a6d289331cfc7fb214594d6eafde5141849
SSDEEP

6291456:d8mYS7lAOLRMIoXzpO0EbjEcs7Jfjw+ouXB8Pb:gS7lLLReUHLQpu

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	1472	msiexec.exe
5	1472	msiexec.exe
7	1472	msiexec.exe
11	1708	MsiExec.exe
12	1708	MsiExec.exe

Loads dropped DLL 5 IoCs

pid	Process
1708	MsiExec.exe
1708	MsiExec.exe
1736	rundll32.exe
1736	rundll32.exe
1736	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1472	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1472	msiexec.exe
Token: SeRestorePrivilege	1696	msiexec.exe
Token: SeTakeOwnershipPrivilege	1696	msiexec.exe
Token: SeSecurityPrivilege	1696	msiexec.exe
Token: SeCreateTokenPrivilege	1472	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1472	msiexec.exe
Token: SeLockMemoryPrivilege	1472	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1472	msiexec.exe
Token: SeMachineAccountPrivilege	1472	msiexec.exe
Token: SeTcbPrivilege	1472	msiexec.exe
Token: SeSecurityPrivilege	1472	msiexec.exe
Token: SeTakeOwnershipPrivilege	1472	msiexec.exe
Token: SeLoadDriverPrivilege	1472	msiexec.exe
Token: SeSystemProfilePrivilege	1472	msiexec.exe
Token: SeSystemtimePrivilege	1472	msiexec.exe
Token: SeProfSingleProcessPrivilege	1472	msiexec.exe
Token: SeIncBasePriorityPrivilege	1472	msiexec.exe
Token: SeCreatePagefilePrivilege	1472	msiexec.exe
Token: SeCreatePermanentPrivilege	1472	msiexec.exe
Token: SeBackupPrivilege	1472	msiexec.exe
Token: SeRestorePrivilege	1472	msiexec.exe
Token: SeShutdownPrivilege	1472	msiexec.exe
Token: SeDebugPrivilege	1472	msiexec.exe
Token: SeAuditPrivilege	1472	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1472	msiexec.exe
Token: SeChangeNotifyPrivilege	1472	msiexec.exe
Token: SeRemoteShutdownPrivilege	1472	msiexec.exe
Token: SeUndockPrivilege	1472	msiexec.exe
Token: SeSyncAgentPrivilege	1472	msiexec.exe
Token: SeEnableDelegationPrivilege	1472	msiexec.exe
Token: SeManageVolumePrivilege	1472	msiexec.exe
Token: SeImpersonatePrivilege	1472	msiexec.exe
Token: SeCreateGlobalPrivilege	1472	msiexec.exe
Token: SeCreateTokenPrivilege	1472	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1472	msiexec.exe
Token: SeLockMemoryPrivilege	1472	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1472	msiexec.exe
Token: SeMachineAccountPrivilege	1472	msiexec.exe
Token: SeTcbPrivilege	1472	msiexec.exe
Token: SeSecurityPrivilege	1472	msiexec.exe
Token: SeTakeOwnershipPrivilege	1472	msiexec.exe
Token: SeLoadDriverPrivilege	1472	msiexec.exe
Token: SeSystemProfilePrivilege	1472	msiexec.exe
Token: SeSystemtimePrivilege	1472	msiexec.exe
Token: SeProfSingleProcessPrivilege	1472	msiexec.exe
Token: SeIncBasePriorityPrivilege	1472	msiexec.exe
Token: SeCreatePagefilePrivilege	1472	msiexec.exe
Token: SeCreatePermanentPrivilege	1472	msiexec.exe
Token: SeBackupPrivilege	1472	msiexec.exe
Token: SeRestorePrivilege	1472	msiexec.exe
Token: SeShutdownPrivilege	1472	msiexec.exe
Token: SeDebugPrivilege	1472	msiexec.exe
Token: SeAuditPrivilege	1472	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1472	msiexec.exe
Token: SeChangeNotifyPrivilege	1472	msiexec.exe
Token: SeRemoteShutdownPrivilege	1472	msiexec.exe
Token: SeUndockPrivilege	1472	msiexec.exe
Token: SeSyncAgentPrivilege	1472	msiexec.exe
Token: SeEnableDelegationPrivilege	1472	msiexec.exe
Token: SeManageVolumePrivilege	1472	msiexec.exe
Token: SeImpersonatePrivilege	1472	msiexec.exe
Token: SeCreateGlobalPrivilege	1472	msiexec.exe
Token: SeCreateTokenPrivilege	1472	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1472	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1708	1696	msiexec.exe	27
PID 1696 wrote to memory of 1708	1696	msiexec.exe	27
PID 1696 wrote to memory of 1708	1696	msiexec.exe	27
PID 1696 wrote to memory of 1708	1696	msiexec.exe	27
PID 1696 wrote to memory of 1708	1696	msiexec.exe	27
PID 1708 wrote to memory of 1736	1708	MsiExec.exe	30
PID 1708 wrote to memory of 1736	1708	MsiExec.exe	30
PID 1708 wrote to memory of 1736	1708	MsiExec.exe	30

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\nitro_pro13_ba_x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1472

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 4D0524D9DC0E24AD865EBA4220DF85CE C
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI3FA7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7159728 2 NitroCA!NitroCA.CustomActions.DefineAgreement
    3⤵
    - Loads dropped DLL
    PID:1736

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab86bd73146163195c3162eb11d6b611

SHA1
fd8bf04ae96b292d8990d6fe17edb9a738853b24

SHA256
5882d8b019be912feefca1b36ffead702dd5461346d334f6a367e456ddb70489

SHA512
d6498c636b8bd8866a11379f53d1974c54f1d9d4c2557e888c0761ff27bc3b2707066e94d94b3e76d8dfdb4633426f2bee3087e39a53ea1556b791b7cd30783e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3FA7.tmp

Filesize
267KB

MD5
c2894c0391639b486ddb8f8c9dc3873e

SHA1
fdbef2279fe4fb323749d30998cd239b51e4a2a2

SHA256
0590f42b227c3f2726954521e85527668fe49b2de81abed53e738aed15746b0c

SHA512
c4fb09eb6b58f588eac6d7a65587468e2adba4ffa9a95f490d889d77181071b19ac808e26ae5222a057fe0c00b36c90425dc289147949b502757293ce955d2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID70.tmp

Filesize
721KB

MD5
5b76bd66c6865d1a89e7fa28fbea8135

SHA1
0ee56ea4b37ef211924c635e82133acd082e0a68

SHA256
5f0f645b02505a0e199ffa2e2f35172454a319977365f626fbae5b61cfe1a1f4

SHA512
63f7b48b91949aec77f4ee49903555b430aa5252bcf66a6dd52a5a504c354ca9f22eedce22941a617e063036f0d5844501ad258c81af9fa5188620b52c6fe98e

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3FA7.tmp

Filesize
267KB

MD5
c2894c0391639b486ddb8f8c9dc3873e

SHA1
fdbef2279fe4fb323749d30998cd239b51e4a2a2

SHA256
0590f42b227c3f2726954521e85527668fe49b2de81abed53e738aed15746b0c

SHA512
c4fb09eb6b58f588eac6d7a65587468e2adba4ffa9a95f490d889d77181071b19ac808e26ae5222a057fe0c00b36c90425dc289147949b502757293ce955d2db

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3FA7.tmp

Filesize
267KB

MD5
c2894c0391639b486ddb8f8c9dc3873e

SHA1
fdbef2279fe4fb323749d30998cd239b51e4a2a2

SHA256
0590f42b227c3f2726954521e85527668fe49b2de81abed53e738aed15746b0c

SHA512
c4fb09eb6b58f588eac6d7a65587468e2adba4ffa9a95f490d889d77181071b19ac808e26ae5222a057fe0c00b36c90425dc289147949b502757293ce955d2db

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3FA7.tmp-\NitroCA.dll

Filesize
21KB

MD5
81cfdfc9cde37b8a847d8bc5326dc9d9

SHA1
dabcd11ca3dc797e39c2b1db28adba365b99c0d2

SHA256
2cbbbbebb66f535edea0fd4f2116e97802c84f1dce222cbbae1ede40b8ce5099

SHA512
983b38b7e49072bb32067e4a6500c6978ca26d95354b781546e1ad421f61e01e0d66ed3c3f85c2f30d49c4a2037f4c4dbd3e4d272963c215970e74b9c5010143

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3FA7.tmp-\NitroCA.dll

Filesize
21KB

MD5
81cfdfc9cde37b8a847d8bc5326dc9d9

SHA1
dabcd11ca3dc797e39c2b1db28adba365b99c0d2

SHA256
2cbbbbebb66f535edea0fd4f2116e97802c84f1dce222cbbae1ede40b8ce5099

SHA512
983b38b7e49072bb32067e4a6500c6978ca26d95354b781546e1ad421f61e01e0d66ed3c3f85c2f30d49c4a2037f4c4dbd3e4d272963c215970e74b9c5010143

Download Submit
\Users\Admin\AppData\Local\Temp\MSID70.tmp

Filesize
721KB

MD5
5b76bd66c6865d1a89e7fa28fbea8135

SHA1
0ee56ea4b37ef211924c635e82133acd082e0a68

SHA256
5f0f645b02505a0e199ffa2e2f35172454a319977365f626fbae5b61cfe1a1f4

SHA512
63f7b48b91949aec77f4ee49903555b430aa5252bcf66a6dd52a5a504c354ca9f22eedce22941a617e063036f0d5844501ad258c81af9fa5188620b52c6fe98e

Download Submit
memory/1472-54-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/1736-66-0x0000000001BB0000-0x0000000001BDE000-memory.dmp

Filesize
184KB

Download
memory/1736-69-0x0000000001BE0000-0x0000000001BEA000-memory.dmp

Filesize
40KB

Download