metasploit | 5c10afa23f689af55e3479480f13836b05f64dc2f3edf47b7084f297c5894539

Analysis

max time kernel
128s
max time network
144s
platform
windows10_x64
resource
win10v20201028
submitted
11-11-2020 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c10afa23f689af55e3479480f13836b05f64dc2f3edf47b7084f297c5894539.msi
Size

3.1MB
MD5

56f97661a171b446d89733cb499082e4
SHA1

feb03f3d2a29d27b56685954fb6b4a253e3da87f
SHA256

5c10afa23f689af55e3479480f13836b05f64dc2f3edf47b7084f297c5894539
SHA512

21b4ceb6ab24477722ba1d214903755eb7fdc5dfe527d690072e56a4b0e308f99e861f13f0b4c7d78fb194a58d428713bce360cb23b853f7646d87c52711107b

Score

10^/10

metasploit backdoor persistence trojan vmprotect

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://47.91.237.42:8443/blIF

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 1 IoCs

Processes:

svchcst.exe

pid process

1404 svchcst.exe

pid	process
1404	svchcst.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MW-e7077978-6f68-490c-9484-5697ed985087\files\svchcst.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\MW-e7077978-6f68-490c-9484-5697ed985087\files\svchcst.exe	vmprotect
behavioral2/memory/1404-11-0x0000000000400000-0x0000000000A0E000-memory.dmp	vmprotect

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

3496 MsiExec.exe

pid	process
3496	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Modifies service 2 TTPs 161 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exemsiexec.exesrtasks.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) = 48000000000000005a42e77521b8d601e0080000c80d0000020000000100000001000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\OPEN_VOLUME_HANDLE (Leave) = 48000000000000006020677721b8d601e008000000090000fd0300000000000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\POSTSNAPSHOT (Leave) = 48000000000000006817e37721b8d601e0080000240f0000f50300000000000004000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppCreate (Enter) = 48000000000000000ca4406a21b8d601740f0000540c0000d00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\OPEN_VOLUME_HANDLE (Enter) = 48000000000000006637fe7621b8d601e008000000090000fd0300000100000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\THAW_KTM (Leave) = 4800000000000000e6df8a7721b8d601e008000000090000f40300000000000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\POSTSNAPSHOT (Leave) = 48000000000000006ac7f37721b8d601e0080000100d0000f50300000000000004000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_KTM (Enter) = 480000000000000009286f7621b8d601e008000000090000f00300000100000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\POSTSNAPSHOT (Enter) = 480000000000000084b4e07721b8d601e0080000240f0000f50300000100000004000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\POSTSNAPSHOT (Leave) = 48000000000000006817e37721b8d601e0080000240f0000f50300000000000004000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\BACKUPSHUTDOWN (Enter) = 4800000000000000be9d2a7821b8d601e0080000700d0000fb0300000100000005000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_THAW (SetCurrentState) = 48000000000000003701687621b8d601e0080000100d0000030000000100000002000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\IOCTL_RELEASE (Leave) = 48000000000000005881887721b8d601e008000000090000ff0300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\THAW_KTM (Enter) = 4800000000000000e6df8a7721b8d601e008000000090000f40300000100000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_POSTFINALCOMMIT (Enter) = 48000000000000000c63107821b8d601e008000000090000070400000100000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\IDENTIFY (Enter) = 480000000000000090dd5a6a21b8d601e0080000000d0000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\IDENTIFY (Leave) = 48000000000000005269646a21b8d601e0080000e00c0000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\PREPAREBACKUP (Leave) = 4800000000000000f7991c7521b8d601e0080000700f0000e90300000000000001000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{0e932f02-0000-0000-0000-500600000000}_)\IOCTL_RELEASE (Leave) = 48000000000000005881887721b8d601e008000020080000ff0300000000000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore\SrCreateRp (Leave) = 4800000000000000f807927721b8d601740f0000540c0000d50700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGatherWriterMetadata (Leave) = 4800000000000000c8ee8f7421b8d601740f0000540c0000d30700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\PREPARESNAPSHOT (Leave) = 48000000000000007c7de27521b8d601e0080000e40e0000ea0300000000000001000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\BKGND_FREEZE_THREAD (Enter) = 48000000000000000dee547621b8d601e0080000480c0000fc0300000100000003000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\BKGND_FREEZE_THREAD (Enter) = 48000000000000006637fe7621b8d601e0080000c80f0000fc0300000100000003000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\GETSTATE (Enter) = 480000000000000023494c7521b8d601e0080000cc000000f90300000100000001000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_RM (Leave) = 48000000000000006637fe7621b8d601e008000000090000ef0300000000000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PRECOMMIT (Leave) = 48000000000000006637fe7621b8d601e008000000090000030400000000000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{0e932f02-0000-0000-0000-500600000000}_)\IOCTL_FLUSH_AND_HOLD (Enter) = 48000000000000006020677721b8d601e008000020080000fe0300000100000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\GETSTATE (Enter) = 480000000000000023494c7521b8d601e0080000cc000000f90300000100000001000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_SYSTEM (Leave) = 480000000000000009286f7621b8d601e008000000090000ee0300000000000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_KTM (Leave) = 480000000000000009286f7621b8d601e008000000090000f00300000000000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\BACKUPSHUTDOWN (Leave) = 4800000000000000be9d2a7821b8d601e008000000090000fb0300000000000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\POSTSNAPSHOT (Enter) = 48000000000000001552de7721b8d601e008000000090000f50300000100000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Enter) = 4800000000000000e56dfc7821b8d601980800009c080000d10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_BEGINPREPARE (Leave) = 48000000000000003010137521b8d601e0080000700f0000010400000000000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\PREPAREBACKUP (Enter) = 480000000000000003fd1e7521b8d601e0080000cc000000e90300000100000001000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_STABLE (SetCurrentState) = 480000000000000003fd1e7521b8d601e0080000cc000000010000000100000001000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\THAW (Leave) = 4800000000000000ef428d7721b8d601e008000000090000f20300000000000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_POSTCOMMIT (Leave) = 4800000000000000e6df8a7721b8d601e008000000090000050400000000000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\PREPAREBACKUP (Enter) = 48000000000000005c73157521b8d601740f000030050000e90300000100000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\GETSTATE (Leave) = 480000000000000023494c7521b8d601740f000094040000f90300000000000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE (Enter) = 48000000000000007429507621b8d601e008000000090000eb0300000100000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_POSTCOMMIT (Enter) = 48000000000000005881887721b8d601e008000000090000050400000100000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\PREPARESNAPSHOT (Enter) = 4800000000000000956cb07521b8d601e0080000c80d0000ea0300000100000001000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\FREEZE (Enter) = 48000000000000003701687621b8d601e0080000100d0000eb0300000100000002000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\THAW (Enter) = 4800000000000000e6df8a7721b8d601e0080000700d0000f20300000100000003000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Enter) = 48000000000000002fea577821b8d601980800009c080000d10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\IDENTIFY (Leave) = 480000000000000045ca666a21b8d601e0080000cc000000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\VSS_WS_STABLE (SetCurrentState) = 480000000000000003fd1e7521b8d601e0080000000d0000010000000100000001000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\GETSTATE (Enter) = 48000000000000002f87477521b8d601740f000094040000f90300000100000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\PREPARESNAPSHOT (Enter) = 4800000000000000b732967521b8d601e008000000090000ea0300000100000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Leave) = 4800000000000000d74b5a7821b8d601980800009c080000d10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\BACKUPSHUTDOWN (Leave) = 4800000000000000be9d2a7821b8d601e0080000700d0000fb0300000000000005000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\IOCTL_FLUSH_AND_HOLD (Enter) = 48000000000000006020677721b8d601e008000000090000fe0300000100000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\THAW (Enter) = 4800000000000000e6df8a7721b8d601e0080000c80d0000f20300000100000003000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) = 48000000000000006817e37721b8d601e0080000240f0000050000000100000004000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\BACKUPSHUTDOWN (Enter) = 4800000000000000be9d2a7821b8d601e0080000700d0000fb0300000100000005000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Enter) = 480000000000000034423e6a21b8d601740f0000540c0000d10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\IOCTL_FLUSH_AND_HOLD (Leave) = 48000000000000005881887721b8d601e008000000090000fe0300000000000000000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGetSnapshots (Leave) = 4800000000000000e56dfc7821b8d601980800009c080000d20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\PREPARESNAPSHOT (Enter) = 4800000000000000da09ae7521b8d601e0080000100d0000ea0300000100000001000000000000002eda0875ba4cdc409c43e74eba174f3600000000000000000000000000000000	vssvc.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exeexpand.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{54891440-67C0-4102-963E-93B613DF014F}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File created	C:\Windows\Installer\f74d1bd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f74d1bd.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID3FF.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 96 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

MsiExec.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\ForegroundLockTimeout = "0"	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\ForegroundLockTimeout = "200000"	MsiExec.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

3956 msiexec.exe
3956 msiexec.exe

pid	process
3956	msiexec.exe
3956	msiexec.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	984	msiexec.exe
Token: SeIncreaseQuotaPrivilege	984	msiexec.exe
Token: SeSecurityPrivilege	3956	msiexec.exe
Token: SeCreateTokenPrivilege	984	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	984	msiexec.exe
Token: SeLockMemoryPrivilege	984	msiexec.exe
Token: SeIncreaseQuotaPrivilege	984	msiexec.exe
Token: SeMachineAccountPrivilege	984	msiexec.exe
Token: SeTcbPrivilege	984	msiexec.exe
Token: SeSecurityPrivilege	984	msiexec.exe
Token: SeTakeOwnershipPrivilege	984	msiexec.exe
Token: SeLoadDriverPrivilege	984	msiexec.exe
Token: SeSystemProfilePrivilege	984	msiexec.exe
Token: SeSystemtimePrivilege	984	msiexec.exe
Token: SeProfSingleProcessPrivilege	984	msiexec.exe
Token: SeIncBasePriorityPrivilege	984	msiexec.exe
Token: SeCreatePagefilePrivilege	984	msiexec.exe
Token: SeCreatePermanentPrivilege	984	msiexec.exe
Token: SeBackupPrivilege	984	msiexec.exe
Token: SeRestorePrivilege	984	msiexec.exe
Token: SeShutdownPrivilege	984	msiexec.exe
Token: SeDebugPrivilege	984	msiexec.exe
Token: SeAuditPrivilege	984	msiexec.exe
Token: SeSystemEnvironmentPrivilege	984	msiexec.exe
Token: SeChangeNotifyPrivilege	984	msiexec.exe
Token: SeRemoteShutdownPrivilege	984	msiexec.exe
Token: SeUndockPrivilege	984	msiexec.exe
Token: SeSyncAgentPrivilege	984	msiexec.exe
Token: SeEnableDelegationPrivilege	984	msiexec.exe
Token: SeManageVolumePrivilege	984	msiexec.exe
Token: SeImpersonatePrivilege	984	msiexec.exe
Token: SeCreateGlobalPrivilege	984	msiexec.exe
Token: SeBackupPrivilege	2272	vssvc.exe
Token: SeRestorePrivilege	2272	vssvc.exe
Token: SeAuditPrivilege	2272	vssvc.exe
Token: SeBackupPrivilege	3956	msiexec.exe
Token: SeRestorePrivilege	3956	msiexec.exe
Token: SeRestorePrivilege	3956	msiexec.exe
Token: SeTakeOwnershipPrivilege	3956	msiexec.exe
Token: SeRestorePrivilege	3956	msiexec.exe
Token: SeTakeOwnershipPrivilege	3956	msiexec.exe
Token: SeBackupPrivilege	2200	srtasks.exe
Token: SeRestorePrivilege	2200	srtasks.exe
Token: SeSecurityPrivilege	2200	srtasks.exe
Token: SeTakeOwnershipPrivilege	2200	srtasks.exe
Token: SeBackupPrivilege	2200	srtasks.exe
Token: SeRestorePrivilege	2200	srtasks.exe
Token: SeSecurityPrivilege	2200	srtasks.exe
Token: SeTakeOwnershipPrivilege	2200	srtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

984 msiexec.exe

pid	process
984	msiexec.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

msiexec.exeMsiExec.exe

description	pid	process	target process
PID 3956 wrote to memory of 2200	3956	msiexec.exe	srtasks.exe
PID 3956 wrote to memory of 2200	3956	msiexec.exe	srtasks.exe
PID 3956 wrote to memory of 3496	3956	msiexec.exe	MsiExec.exe
PID 3956 wrote to memory of 3496	3956	msiexec.exe	MsiExec.exe
PID 3956 wrote to memory of 3496	3956	msiexec.exe	MsiExec.exe
PID 3496 wrote to memory of 3684	3496	MsiExec.exe	expand.exe
PID 3496 wrote to memory of 3684	3496	MsiExec.exe	expand.exe
PID 3496 wrote to memory of 3684	3496	MsiExec.exe	expand.exe
PID 3496 wrote to memory of 1404	3496	MsiExec.exe	svchcst.exe
PID 3496 wrote to memory of 1404	3496	MsiExec.exe	svchcst.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5c10afa23f689af55e3479480f13836b05f64dc2f3edf47b7084f297c5894539.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:984

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Modifies service
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7BCB5904F52E9E482E65C89A46ECFD96
2⤵
- Loads dropped DLL
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\expand.exe
"C:\Windows\System32\expand.exe" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:3684

C:\Users\Admin\AppData\Local\Temp\MW-e7077978-6f68-490c-9484-5697ed985087\files\svchcst.exe
"C:\Users\Admin\AppData\Local\Temp\MW-e7077978-6f68-490c-9484-5697ed985087\files\svchcst.exe"
3⤵
- Executes dropped EXE
PID:1404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2272

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-e7077978-6f68-490c-9484-5697ed985087\files.cab
MD5
b653e1dc68612a271aee9b0b3930293f

SHA1
fbf5da87659a05e1011eeb521eb25538f59eb406

SHA256
122350f455ebd60647f862ae34e15d8424517b97bd94eb12b89c2593834c601f

SHA512
dd1f6b5982399516d44fa0ad183ff3a40c40eec4f460054fc62a829138845633673aabb9be2c6498b61a671ce2936e9466ffa24784d5f3fcb6cee6c3f8462315

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e7077978-6f68-490c-9484-5697ed985087\files\svchcst.exe
MD5
8c0c79a1d225b583724e6d6cb97d2640

SHA1
d86f98b0f4c965a2f5e41ebdeb54388890967450

SHA256
9b5063189c2dd0550c422662883b23b243a72d97a8d55e80236328aed1625a3c

SHA512
6029b4df1048897d941682bc1379d27017f5d0cc2b6724ee5a46c5b54f2f41cb8c2d10e7beca56ec214c77a51a2364dbf5341ef4279af707767659a95671ce18

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e7077978-6f68-490c-9484-5697ed985087\files\svchcst.exe
MD5
8c0c79a1d225b583724e6d6cb97d2640

SHA1
d86f98b0f4c965a2f5e41ebdeb54388890967450

SHA256
9b5063189c2dd0550c422662883b23b243a72d97a8d55e80236328aed1625a3c

SHA512
6029b4df1048897d941682bc1379d27017f5d0cc2b6724ee5a46c5b54f2f41cb8c2d10e7beca56ec214c77a51a2364dbf5341ef4279af707767659a95671ce18

Download Submit
C:\Windows\Installer\MSID3FF.tmp
MD5
3e9d2974fd83d2c22b647d36a2ba7861

SHA1
3b1d50d42235439d456444f7d3b573f93ecdbe5f

SHA256
339ad75878735d68ccf46bd6f2a73908e4b97be2b947b913e3472dda2c35135a

SHA512
e97fdb1d0053d20e7d869d664662f3a845a8b64103e1876513793adff5a190b110d7c221b81102e7e1f6c902dcf0ade18ade2299d3083917d3673aa3ba4ebb9f

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
MD5
5b2eeed262cccb06b8d387fd31eabe00

SHA1
c5c3413d1a54e54e9438996d3433051840e4287a

SHA256
92aa68222c1e101a625f01b3ace5c626cce65567ce49f7feba316975be366b41

SHA512
83b484c047577b15764ab6873ff8c3de9402f251bb42e3ac35f83ab949406bb51904416c5d891b5dc6e2fde99d13547f80a9775ae06fbc4e98d912ba6684702b

Download Submit
\??\Volume{0e932f02-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{7508da2e-4cba-40dc-9c43-e74eba174f36}_OnDiskSnapshotProp
MD5
2f52526a3f3da08d5a6201189067ac2c

SHA1
4617e83fef0d2e60b979a9eb884070a296dd9634

SHA256
7eaf82b17a9352805590e4fe32acf1fffa0111b5523c52ac37b5460946f41c45

SHA512
845741ef1c8ad4f443c70ded7152f5d50a3be1db66fee23a0d4d3dbcbb35359bd51ec605186efe6c78e28afe589cb85ddcbcf47508c45a7218cad5c3876b80f8

Download Submit
\Windows\Installer\MSID3FF.tmp
MD5
3e9d2974fd83d2c22b647d36a2ba7861

SHA1
3b1d50d42235439d456444f7d3b573f93ecdbe5f

SHA256
339ad75878735d68ccf46bd6f2a73908e4b97be2b947b913e3472dda2c35135a

SHA512
e97fdb1d0053d20e7d869d664662f3a845a8b64103e1876513793adff5a190b110d7c221b81102e7e1f6c902dcf0ade18ade2299d3083917d3673aa3ba4ebb9f

Download Submit
memory/1404-9-0x0000000000000000-mapping.dmp

Download
memory/1404-11-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2200-0-0x0000000000000000-mapping.dmp

Download
memory/3496-1-0x0000000000000000-mapping.dmp

Download
memory/3684-6-0x0000000000000000-mapping.dmp

Download