51eb64e8719bcd2caba807e8ffe09e9b016ab828f4352f9905a99fc3f3517e82

General

Target

ups-label.jar.msi
Size

382KB
MD5

1eb30fec5a58dc7a6af2c17d7e8327d0
SHA1

277fb1032edb935cb9bd3fbd33a17c83615cedfa
SHA256

51eb64e8719bcd2caba807e8ffe09e9b016ab828f4352f9905a99fc3f3517e82
SHA512

2670b7062f9918fd7b53200e26e25b56cfb8974c0e6a0e7e2720218cee018479ce6855cf57c4d6c89855439ecad9ff0ddce73fb2ac91e524bc2bd98e51f942aa

Score

8^/10

persistence

Malware Config

Signatures

Blacklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

3 1500 msiexec.exe

flow	pid	process
3	1500	msiexec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Modifies service 2 TTPs 165 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exemsiexec.exesrtasks.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_FRONT (Enter) = 4800000000000000053e3e2f9f4dd601e80900006c0d0000ec03000001000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\IOCTL_FLUSH_AND_HOLD (Leave) = 48000000000000001ce346309f4dd601e80900006c0d0000fe03000000000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\IOCTL_RELEASE (Leave) = 4800000000000000b34549309f4dd601e80900006c0d0000ff0300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_COMMIT (Enter) = 48000000000000001ce346309f4dd601e8090000ac0200000404000001000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\THAW (Enter) = 4800000000000000c9094e309f4dd601e80900005c0d0000f203000001000000030000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\PREPAREBACKUP (Leave) = 48000000000000009a5c782e9f4dd60194070000ec080000e903000000000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\IDENTIFY (Enter) = 480000000000000010685e239f4dd60194070000440b0000e803000001000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\THAW (Leave) = 4800000000000000c9094e309f4dd601e8090000840d0000f203000000000000030000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGetSnapshots (Leave) = 48000000000000003a1c18379f4dd601d00500005c050000d20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\PREPAREBACKUP (Enter) = 4800000000000000600e4b2e9f4dd601e8090000f80e0000e903000001000000010000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\GETSTATE (Enter) = 48000000000000002d827f2e9f4dd601e8090000f80e0000f903000001000000010000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\PREPARESNAPSHOT (Enter) = 480000000000000012a6c42e9f4dd601e80900006c0d0000ea03000001000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) = 4800000000000000787ddc2e9f4dd601e8090000b00200000200000001000000010000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) = 4800000000000000dcdfde2e9f4dd601e8090000f80700000200000001000000010000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\OPEN_VOLUME_HANDLE (Leave) = 48000000000000009c0e2f309f4dd601e80900006c0d0000fd03000000000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{44af7660-0000-0000-0000-500600000000}_)\IOCTL_FLUSH_AND_HOLD (Leave) = 48000000000000001ce346309f4dd601e8090000ac040000fe03000000000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\BKGND_FREEZE_THREAD (Leave) = 4800000000000000c9094e309f4dd601e8090000200b0000fc03000000000000030000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\PREPAREBACKUP (Leave) = 480000000000000049d34f2e9f4dd601e8090000bc0f0000e903000000000000010000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\PREPARESNAPSHOT (Enter) = 4800000000000000cd6bc92e9f4dd601e8090000e40c0000ea03000001000000010000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{44af7660-0000-0000-0000-500600000000}_)\IOCTL_RELEASE (Leave) = 4800000000000000b34549309f4dd601e8090000ac040000ff03000000000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\POSTSNAPSHOT (Enter) = 48000000000000002a569a309f4dd601e80900005c0d0000f503000001000000040000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_BEGINPREPARE (Enter) = 480000000000000038e7432e9f4dd601e8090000e00f00000104000001000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_RM (Leave) = 480000000000000079c2e22f9f4dd601e80900006c0d0000ef03000000000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE (Leave) = 480000000000000079c2e22f9f4dd601e80900006c0d0000eb03000000000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\POSTSNAPSHOT (Enter) = 4800000000000000a8f297309f4dd601e80900006c0d0000f503000001000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\FREEZE (Leave) = 480000000000000079c2e22f9f4dd601e8090000f8070000eb03000000000000020000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PREFINALCOMMIT (Enter) = 4800000000000000f96b50309f4dd601e80900006c0d00000604000001000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\BACKUPSHUTDOWN (Enter) = 48000000000000002616fc309f4dd601e8090000e40c0000fb03000001000000050000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Enter) = 4800000000000000d7df35239f4dd60194070000f00f0000d10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_BEGINPREPARE (Leave) = 480000000000000038e7432e9f4dd601e8090000e00f00000104000000000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_SYSTEM (Enter) = 4800000000000000ac65452f9f4dd601e80900006c0d0000ee03000001000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\BKGND_FREEZE_THREAD (Enter) = 4800000000000000ac65452f9f4dd601e8090000200b0000fc03000001000000030000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\BACKUPSHUTDOWN (Leave) = 48000000000000002616fc309f4dd601e80900005c0d0000fb03000000000000050000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\PREPAREBACKUP (Leave) = 480000000000000049d34f2e9f4dd601e8090000f80e0000e903000000000000010000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\PREPARESNAPSHOT (Enter) = 4800000000000000a1cdcb2e9f4dd601e8090000f8070000ea03000001000000010000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\FREEZE (Leave) = 4800000000000000ac65452f9f4dd601e80900005c0d0000eb03000000000000020000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\IOCTL_FLUSH_AND_HOLD (Enter) = 48000000000000009c0e2f309f4dd601e80900006c0d0000fe03000001000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_COMMIT (Leave) = 4800000000000000b34549309f4dd601e8090000ac0200000404000000000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\POSTSNAPSHOT (Leave) = 48000000000000005079df309f4dd601e80900006c0d0000f503000000000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppAddInterestingComponents (Leave) = 4800000000000000f2e9052e9f4dd60194070000f00f0000d40700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\PREPARESNAPSHOT (Leave) = 4800000000000000787ddc2e9f4dd601e8090000b0020000ea03000000000000010000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\FREEZE (Enter) = 4800000000000000fc50512f9f4dd601e8090000f8070000eb03000001000000020000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppCreate (Leave) = 4800000000000000f96b50309f4dd60194070000f00f0000d00700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\IDENTIFY (Enter) = 480000000000000020b76c239f4dd601e8090000bc0f0000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{44af7660-0000-0000-0000-500600000000}_)\OPEN_VOLUME_HANDLE (Leave) = 48000000000000009c0e2f309f4dd601e8090000ac040000fd03000000000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_POSTCOMMIT (Leave) = 4800000000000000b34549309f4dd601e80900006c0d00000504000000000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\POSTSNAPSHOT (Enter) = 4800000000000000a8f297309f4dd601e80900005c0d0000f503000001000000040000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\POSTSNAPSHOT (Enter) = 4800000000000000a8f297309f4dd601e80900005c0d0000f503000001000000040000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Enter) = 4800000000000000bb3d03319f4dd601d00500005c050000d10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\GETSTATE (Leave) = 480000000000000027e4812e9f4dd6019407000004060000f903000000000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PRECOMMIT (Enter) = 480000000000000079c2e22f9f4dd601e80900006c0d00000304000001000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\POSTSNAPSHOT (Leave) = 4800000000000000a8f297309f4dd601e80900005c0d0000f503000000000000040000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_POSTFINALCOMMIT (Enter) = 4800000000000000b8dce1309f4dd601e80900006c0d00000704000001000000000000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\THAW (Enter) = 4800000000000000c9094e309f4dd601e8090000840d0000f203000001000000030000000000000058e687c69b01fb49a0edd37e26df1e7100000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag	msiexec.exe

Drops file in Windows directory 7 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\244b0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\244b0.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{90140000-0010-0409-0000-0000000FF1CE}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI475F.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 96 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1940 msiexec.exe
1940 msiexec.exe

pid	process
1940	msiexec.exe
1940	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	1500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1500	msiexec.exe
Token: SeSecurityPrivilege	1940	msiexec.exe
Token: SeCreateTokenPrivilege	1500	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1500	msiexec.exe
Token: SeLockMemoryPrivilege	1500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1500	msiexec.exe
Token: SeMachineAccountPrivilege	1500	msiexec.exe
Token: SeTcbPrivilege	1500	msiexec.exe
Token: SeSecurityPrivilege	1500	msiexec.exe
Token: SeTakeOwnershipPrivilege	1500	msiexec.exe
Token: SeLoadDriverPrivilege	1500	msiexec.exe
Token: SeSystemProfilePrivilege	1500	msiexec.exe
Token: SeSystemtimePrivilege	1500	msiexec.exe
Token: SeProfSingleProcessPrivilege	1500	msiexec.exe
Token: SeIncBasePriorityPrivilege	1500	msiexec.exe
Token: SeCreatePagefilePrivilege	1500	msiexec.exe
Token: SeCreatePermanentPrivilege	1500	msiexec.exe
Token: SeBackupPrivilege	1500	msiexec.exe
Token: SeRestorePrivilege	1500	msiexec.exe
Token: SeShutdownPrivilege	1500	msiexec.exe
Token: SeDebugPrivilege	1500	msiexec.exe
Token: SeAuditPrivilege	1500	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1500	msiexec.exe
Token: SeChangeNotifyPrivilege	1500	msiexec.exe
Token: SeRemoteShutdownPrivilege	1500	msiexec.exe
Token: SeUndockPrivilege	1500	msiexec.exe
Token: SeSyncAgentPrivilege	1500	msiexec.exe
Token: SeEnableDelegationPrivilege	1500	msiexec.exe
Token: SeManageVolumePrivilege	1500	msiexec.exe
Token: SeImpersonatePrivilege	1500	msiexec.exe
Token: SeCreateGlobalPrivilege	1500	msiexec.exe
Token: SeBackupPrivilege	2536	vssvc.exe
Token: SeRestorePrivilege	2536	vssvc.exe
Token: SeAuditPrivilege	2536	vssvc.exe
Token: SeBackupPrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeRestorePrivilege	1940	msiexec.exe
Token: SeTakeOwnershipPrivilege	1940	msiexec.exe
Token: SeBackupPrivilege	1488	srtasks.exe
Token: SeRestorePrivilege	1488	srtasks.exe
Token: SeSecurityPrivilege	1488	srtasks.exe
Token: SeTakeOwnershipPrivilege	1488	srtasks.exe
Token: SeBackupPrivilege	1488	srtasks.exe
Token: SeRestorePrivilege	1488	srtasks.exe
Token: SeSecurityPrivilege	1488	srtasks.exe
Token: SeTakeOwnershipPrivilege	1488	srtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1500 msiexec.exe

pid	process
1500	msiexec.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 1940 wrote to memory of 1488	1940	msiexec.exe	srtasks.exe
PID 1940 wrote to memory of 1488	1940	msiexec.exe	srtasks.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ups-label.jar.msi
1⤵
- Blacklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1500

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Modifies service
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
  PID:1488

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2536

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Download Submit
\??\Volume{44af7660-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{c687e658-019b-49fb-a0ed-d37e26df1e71}_OnDiskSnapshotProp

Download Submit
memory/1488-1-0x0000000000000000-mapping.dmp

Download
memory/1500-0-0x000002A7843B0000-0x000002A7843B4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads