lokibot | 0864dbe292a5fc5e96f14f9e4164d3964660c45442f08a4151877ce4974d8ecb

Analysis

max time kernel
129s
max time network
137s
platform
windows7_x64
resource
win7
submitted
30-06-2020 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1307741.msi
Size

260KB
MD5

7809e01e1d5e235a89203de4c892623c
SHA1

697ae5ef7f232d81b66c369060882c30dc942fa8
SHA256

0864dbe292a5fc5e96f14f9e4164d3964660c45442f08a4151877ce4974d8ecb
SHA512

267dbc22fb8908707f68ce383b9e9e976707e7be1c1478c0768964e17375f91caea5f229277b77672dc0cdbcb5155b24bf03f9ee7b85889c1c6183e6e572a8a8

Score

10^/10

discovery spyware trojan stealer lokibot persistence

Malware Config

Extracted

Family

lokibot

http://crogtrt.com/rozay/pin.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Executes dropped EXE 2 IoCs

Processes:

MSI2981.tmpMSI2981.tmp

pid process

1588 MSI2981.tmp
832 MSI2981.tmp
Suspicious use of SetThreadContext 1 IoCs

Processes:

MSI2981.tmp

description pid process target process

PID 1588 set thread context of 832 1588 MSI2981.tmp MSI2981.tmp

pid	process
1588	MSI2981.tmp
832	MSI2981.tmp

description	pid	process	target process
PID 1588 set thread context of 832	1588	MSI2981.tmp	MSI2981.tmp

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exeMSI2981.tmp

description	pid	process
Token: SeShutdownPrivilege	1668	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	1768	msiexec.exe
Token: SeTakeOwnershipPrivilege	1768	msiexec.exe
Token: SeSecurityPrivilege	1768	msiexec.exe
Token: SeCreateTokenPrivilege	1668	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1668	msiexec.exe
Token: SeLockMemoryPrivilege	1668	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1668	msiexec.exe
Token: SeMachineAccountPrivilege	1668	msiexec.exe
Token: SeTcbPrivilege	1668	msiexec.exe
Token: SeSecurityPrivilege	1668	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	msiexec.exe
Token: SeLoadDriverPrivilege	1668	msiexec.exe
Token: SeSystemProfilePrivilege	1668	msiexec.exe
Token: SeSystemtimePrivilege	1668	msiexec.exe
Token: SeProfSingleProcessPrivilege	1668	msiexec.exe
Token: SeIncBasePriorityPrivilege	1668	msiexec.exe
Token: SeCreatePagefilePrivilege	1668	msiexec.exe
Token: SeCreatePermanentPrivilege	1668	msiexec.exe
Token: SeBackupPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	1668	msiexec.exe
Token: SeShutdownPrivilege	1668	msiexec.exe
Token: SeDebugPrivilege	1668	msiexec.exe
Token: SeAuditPrivilege	1668	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1668	msiexec.exe
Token: SeChangeNotifyPrivilege	1668	msiexec.exe
Token: SeRemoteShutdownPrivilege	1668	msiexec.exe
Token: SeUndockPrivilege	1668	msiexec.exe
Token: SeSyncAgentPrivilege	1668	msiexec.exe
Token: SeEnableDelegationPrivilege	1668	msiexec.exe
Token: SeManageVolumePrivilege	1668	msiexec.exe
Token: SeImpersonatePrivilege	1668	msiexec.exe
Token: SeCreateGlobalPrivilege	1668	msiexec.exe
Token: SeBackupPrivilege	1876	vssvc.exe
Token: SeRestorePrivilege	1876	vssvc.exe
Token: SeAuditPrivilege	1876	vssvc.exe
Token: SeBackupPrivilege	1768	msiexec.exe
Token: SeRestorePrivilege	1768	msiexec.exe
Token: SeRestorePrivilege	2008	DrvInst.exe
Token: SeRestorePrivilege	2008	DrvInst.exe
Token: SeRestorePrivilege	2008	DrvInst.exe
Token: SeRestorePrivilege	2008	DrvInst.exe
Token: SeRestorePrivilege	2008	DrvInst.exe
Token: SeRestorePrivilege	2008	DrvInst.exe
Token: SeRestorePrivilege	2008	DrvInst.exe
Token: SeLoadDriverPrivilege	2008	DrvInst.exe
Token: SeLoadDriverPrivilege	2008	DrvInst.exe
Token: SeLoadDriverPrivilege	2008	DrvInst.exe
Token: SeRestorePrivilege	1768	msiexec.exe
Token: SeTakeOwnershipPrivilege	1768	msiexec.exe
Token: SeRestorePrivilege	1768	msiexec.exe
Token: SeTakeOwnershipPrivilege	1768	msiexec.exe
Token: SeRestorePrivilege	1768	msiexec.exe
Token: SeTakeOwnershipPrivilege	1768	msiexec.exe
Token: SeRestorePrivilege	1768	msiexec.exe
Token: SeTakeOwnershipPrivilege	1768	msiexec.exe
Token: SeRestorePrivilege	1768	msiexec.exe
Token: SeTakeOwnershipPrivilege	1768	msiexec.exe
Token: SeRestorePrivilege	1768	msiexec.exe
Token: SeTakeOwnershipPrivilege	1768	msiexec.exe
Token: SeDebugPrivilege	832	MSI2981.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1768 msiexec.exe
1768 msiexec.exe
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

pid	process
1768	msiexec.exe
1768	msiexec.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

msiexec.exeMSI2981.tmp

description	pid	process	target process
PID 1768 wrote to memory of 1588	1768	msiexec.exe	MSI2981.tmp
PID 1768 wrote to memory of 1588	1768	msiexec.exe	MSI2981.tmp
PID 1768 wrote to memory of 1588	1768	msiexec.exe	MSI2981.tmp
PID 1768 wrote to memory of 1588	1768	msiexec.exe	MSI2981.tmp
PID 1588 wrote to memory of 824	1588	MSI2981.tmp	schtasks.exe
PID 1588 wrote to memory of 824	1588	MSI2981.tmp	schtasks.exe
PID 1588 wrote to memory of 824	1588	MSI2981.tmp	schtasks.exe
PID 1588 wrote to memory of 824	1588	MSI2981.tmp	schtasks.exe
PID 1588 wrote to memory of 832	1588	MSI2981.tmp	MSI2981.tmp
PID 1588 wrote to memory of 832	1588	MSI2981.tmp	MSI2981.tmp
PID 1588 wrote to memory of 832	1588	MSI2981.tmp	MSI2981.tmp
PID 1588 wrote to memory of 832	1588	MSI2981.tmp	MSI2981.tmp
PID 1588 wrote to memory of 832	1588	MSI2981.tmp	MSI2981.tmp
PID 1588 wrote to memory of 832	1588	MSI2981.tmp	MSI2981.tmp
PID 1588 wrote to memory of 832	1588	MSI2981.tmp	MSI2981.tmp
PID 1588 wrote to memory of 832	1588	MSI2981.tmp	MSI2981.tmp
PID 1588 wrote to memory of 832	1588	MSI2981.tmp	MSI2981.tmp
PID 1588 wrote to memory of 832	1588	MSI2981.tmp	MSI2981.tmp

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

824 schtasks.exe

pid	process
824	schtasks.exe

Modifies data under HKEY_USERS 44 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 147 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exemsiexec.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\PREPARESNAPSHOT (Leave) = 4800000000000000e0530881da4ed60154070000c8070000ea030000000000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_SYSTEM (Leave) = 4800000000000000c0452781da4ed60154070000c8070000ee030000000000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_POSTCOMMIT (Enter) = 48000000000000006031aa81da4ed60154070000c807000005040000010000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\BKGND_FREEZE_THREAD (Leave) = 4800000000000000e0c1c681da4ed6015407000020070000fc030000000000000300000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\THAW (Enter) = 4800000000000000e0c1c681da4ed6015407000028070000f2030000010000000300000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PREFINALCOMMIT (Enter) = 4800000000000000c0a8d281da4ed60154070000c807000006040000010000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE (Enter) = 4800000000000000e0530881da4ed60154070000c8070000eb030000010000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\PREPAREBACKUP (Leave) = 4800000000000000e035197fda4ed60154070000c4070000e9030000000000000100000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\THAW (Leave) = 4800000000000000e0c1c681da4ed6015407000028040000f2030000000000000300000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\POSTSNAPSHOT (Leave) = 480000000000000080a23682da4ed60154070000c8070000f5030000000000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher\DOSNAPSHOT (Enter) = 480000000000000040a22e7fda4ed601e80600003c0700000a040000010000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) = 4800000000000000404f1582da4ed60154070000e804000005000000010000000400000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\VSS_WS_WAITING_FOR_THAW (SetCurrentState) = 4800000000000000c0717381da4ed60154070000e804000003000000010000000200000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_RM (Leave) = 4800000000000000c0717381da4ed60154070000c8070000ef030000000000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\PREPAREBACKUP (Enter) = 480000000000000080d4167fda4ed6015407000060070000e9030000010000000100000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher\PREPAREBACKUP (Leave) = 4800000000000000e035197fda4ed601e8060000d0070000e9030000000000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_THAW (SetCurrentState) = 4800000000000000a0160d81da4ed601540700005c04000003000000010000000200000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_SYSTEM (Enter) = 4800000000000000209c1681da4ed60154070000c8070000ee030000010000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PRECOMMIT (Enter) = 4800000000000000c0717381da4ed60154070000c807000003040000010000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PRECOMMIT (Leave) = 480000000000000020d37581da4ed60154070000c807000003040000000000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\THAW (Leave) = 4800000000000000e0c1c681da4ed6015407000028070000f2030000000000000300000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\POSTSNAPSHOT (Leave) = 4800000000000000404f1582da4ed601540700005c040000f5030000000000000400000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\POSTSNAPSHOT (Enter) = 480000000000000060680982da4ed60154070000c8070000f5030000010000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\BACKUPSHUTDOWN (Enter) = 480000000000000020a4df82da4ed60154070000e8040000fb030000010000000500000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer\IDENTIFY (Enter) = 480000000000000020c62d7cda4ed601540700004c070000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\VSS_WS_STABLE (SetCurrentState) = 4800000000000000e035197fda4ed601540700006007000001000000010000000100000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_ENDPREPARE (Leave) = 4800000000000000407eab80da4ed60154070000c807000002040000000000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\PREPARESNAPSHOT (Enter) = 48000000000000000041b080da4ed60154070000c8070000ea030000010000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{a2da1a04-afea-11ea-ab7e-806e6f6e6963}_)\IOCTL_RELEASE (Leave) = 48000000000000006031aa81da4ed60154070000c8060000ff030000000000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace\IOCTL_FLUSH_AND_HOLD (Leave) = 48000000000000006031aa81da4ed60154070000c8070000fe030000000000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_BEGINPREPARE (Enter) = 4800000000000000e01ff37eda4ed60154070000c407000001040000010000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\GETSTATE (Leave) = 480000000000000060bb227fda4ed6015407000060070000f9030000000000000100000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) = 48000000000000000057d680da4ed601540700002c07000002000000010000000100000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\PREPAREBACKUP (Enter) = 480000000000000080d4167fda4ed60154070000c4070000e9030000010000000100000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\PREPARESNAPSHOT (Leave) = 48000000000000000057d680da4ed601540700005c040000ea030000000000000100000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\POSTSNAPSHOT (Leave) = 480000000000000080a23682da4ed6015407000028040000f5030000000000000400000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) = 480000000000000080a23682da4ed601540700002804000005000000010000000400000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\BACKUPSHUTDOWN (Leave) = 480000000000000020a4df82da4ed60154070000e8040000fb030000000000000500000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\BACKUPSHUTDOWN (Leave) = 480000000000000020a4df82da4ed601540700005c040000fb030000000000000500000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore\SrCreateRp (Leave) = 4800000000000000c092ac81da4ed601e80600003c070000d50700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) = 4800000000000000e0c1c681da4ed601540700002804000004000000010000000300000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\THAW (Enter) = 4800000000000000e0c1c681da4ed6015407000028040000f2030000010000000300000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\IDENTIFY (Leave) = 480000000000000000ad397cda4ed60154070000c4070000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP\SppAddInterestingComponents (Enter) = 4800000000000000c0e5c57eda4ed601e80600003c070000d40700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\PREPARESNAPSHOT (Enter) = 48000000000000002065b780da4ed601540700005c040000ea030000010000000100000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\FREEZE (Leave) = 4800000000000000a0160d81da4ed601540700005c040000eb030000000000000200000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) = 4800000000000000e0c1c681da4ed601540700002807000004000000010000000300000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer\IDENTIFY (Leave) = 4800000000000000a04b377cda4ed601540700004c070000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP\SppGatherWriterMetadata (Leave) = 4800000000000000c0e5c57eda4ed601e80600003c070000d30700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\GETSTATE (Leave) = 480000000000000060bb227fda4ed60154070000c4070000f9030000000000000100000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_ENDPREPARE (Enter) = 480000000000000040a22e7fda4ed60154070000c807000002040000010000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\BKGND_FREEZE_THREAD (Leave) = 4800000000000000e0c1c681da4ed6015407000024070000fc030000000000000300000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\POSTSNAPSHOT (Enter) = 4800000000000000404f1582da4ed6015407000028040000f5030000010000000400000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher\IDENTIFY (Enter) = 480000000000000000a2267cda4ed601e806000068050000e8030000010000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\IDENTIFY (Enter) = 480000000000000020c62d7cda4ed60154070000c4070000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\BKGND_FREEZE_THREAD (Enter) = 4800000000000000c0717381da4ed601540700003c030000fc030000010000000300000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace\IOCTL_RELEASE (Enter) = 48000000000000006031aa81da4ed60154070000c8070000ff0300000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\THAW_KTM (Enter) = 48000000000000006031aa81da4ed60154070000c8070000f4030000010000000000000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\POSTSNAPSHOT (Enter) = 4800000000000000e0ed1282da4ed60154070000e8040000f5030000010000000400000000000000ee34214063b8414f83c0bf57aa80509500000000000000000000000000000000	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1668 msiexec.exe
1668 msiexec.exe

pid	process
1668	msiexec.exe
1668	msiexec.exe

Checks for installed software on the system 1 TTPs 82 IoCs

discovery

Query Registry

T1012

Processes:

msiexec.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	msiexec.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0117-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0000-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	msiexec.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	msiexec.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\Installer\12656.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\12656.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\12654.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\12654.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI28D4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2981.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1307741.msi
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1668

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Modifies service
- Checks for installed software on the system
- Drops file in Windows directory
PID:1768

C:\Windows\Installer\MSI2981.tmp
"C:\Windows\Installer\MSI2981.tmp"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\porUbJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBB91.tmp"
3⤵
- Creates scheduled task(s)
PID:824

C:\Windows\Installer\MSI2981.tmp
"{path}"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:1876

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005A8" "00000000000005A0"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies data under HKEY_USERS
- Drops file in Windows directory
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Modify Existing Service

T1031

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBB91.tmp

Download Submit
C:\Windows\Installer\MSI2981.tmp

Download Submit
C:\Windows\Installer\MSI2981.tmp

Download Submit
C:\Windows\Installer\MSI2981.tmp

Download Submit
memory/824-8-0x0000000000000000-mapping.dmp

Download
memory/832-13-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/832-10-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/832-11-0x00000000004139DE-mapping.dmp

Download
memory/1588-5-0x0000000000000000-mapping.dmp

Download
memory/1668-1-0x0000000004260000-0x0000000004264000-memory.dmp

Filesize
16KB

Download
memory/1668-0-0x0000000003380000-0x0000000003384000-memory.dmp

Filesize
16KB

Download
memory/1668-17-0x0000000002280000-0x0000000002284000-memory.dmp

Filesize
16KB

Download
memory/1768-4-0x0000000001AD0000-0x0000000001AD4000-memory.dmp

Filesize
16KB

Download
memory/1768-3-0x0000000002040000-0x0000000002044000-memory.dmp

Filesize
16KB

Download
memory/1768-14-0x0000000004600000-0x0000000004604000-memory.dmp

Filesize
16KB

Download
memory/1768-15-0x0000000001AD0000-0x0000000001AD4000-memory.dmp

Filesize
16KB

Download
memory/1768-16-0x0000000004600000-0x0000000004604000-memory.dmp

Filesize
16KB

Download