trickbot | cdfee4284b9ef2c76b7198c1e21118c19be395ac76d3485d50d0ff63faa21d58

Analysis

max time kernel
141s
max time network
152s
platform
windows10_x64
resource
win10v20201028
submitted
13-11-2020 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdfee4284b9ef2c76b7198c1e21118c19be395ac76d3485d50d0ff63faa21d58.msi
Size

624KB
MD5

e1d32800e12d4df430e9f016bfba70b3
SHA1

2aadf50c972d6dcbd439896a2cb5446f4fa8eebc
SHA256

cdfee4284b9ef2c76b7198c1e21118c19be395ac76d3485d50d0ff63faa21d58
SHA512

870fdbdadefbfab69887c50b253270cce3ce9da90092b11a6d26bd4989a98182833f07be7836109ee2e157d698139c8ed1094cf2f53d4483458b50a04410da13

Score

10^/10

trickbot tar2 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

100001

Botnet

tar2

66.85.183.5:443

185.163.47.157:443

94.140.115.99:443

195.123.240.40:443

195.123.241.226:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blacklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

7 796 msiexec.exe
9 796 msiexec.exe
11 796 msiexec.exe
Executes dropped EXE 1 IoCs

Processes:

MMMedia.exe

pid process

3908 MMMedia.exe

flow	pid	process
7	796	msiexec.exe
9	796	msiexec.exe
11	796	msiexec.exe

pid	process
3908	MMMedia.exe

Enumerates connected drives 3 TTPs 72 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeMMMedia.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	MMMedia.exe
File opened (read-only)	\??\W:	MMMedia.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	MMMedia.exe
File opened (read-only)	\??\I:	MMMedia.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	MMMedia.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	MMMedia.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	MMMedia.exe
File opened (read-only)	\??\Q:	MMMedia.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	MMMedia.exe
File opened (read-only)	\??\O:	MMMedia.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	MMMedia.exe
File opened (read-only)	\??\S:	MMMedia.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	MMMedia.exe
File opened (read-only)	\??\N:	MMMedia.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	MMMedia.exe
File opened (read-only)	\??\Y:	MMMedia.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	MMMedia.exe
File opened (read-only)	\??\P:	MMMedia.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	MMMedia.exe
File opened (read-only)	\??\U:	MMMedia.exe
File opened (read-only)	\??\Z:	MMMedia.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	MMMedia.exe
File opened (read-only)	\??\X:	MMMedia.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Modifies service 2 TTPs 165 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exesrtasks.exemsiexec.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_COMMIT (Enter) = 48000000000000006548bb78cbb9d601c8000000e80c000004040000010000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\POSTSNAPSHOT (Enter) = 48000000000000004e670079cbb9d601c80000008c030000f5030000010000000400000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGetSnapshots (Leave) = 4800000000000000a63e3779cbb9d601d80e0000d40e0000d20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Enter) = 4800000000000000991b6b7fcbb9d601d80e0000d40e0000d10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\GETSTATE (Leave) = 480000000000000020691c77cbb9d601c8000000f0020000f9030000000000000100000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_KTM (Enter) = 48000000000000009fafe477cbb9d601c800000034020000f0030000010000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\IDENTIFY (Leave) = 480000000000000037b79270cbb9d601c8000000f0020000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppAddInterestingComponents (Enter) = 480000000000000006368676cbb9d601840a00009c0f0000d40700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\OPEN_VOLUME_HANDLE (Leave) = 4800000000000000020ca178cbb9d601c800000034020000fd030000000000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGetSnapshots (Leave) = 4800000000000000991b6b7fcbb9d601d80e0000d40e0000d20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppCreate (Enter) = 480000000000000074688470cbb9d601840a00009c0f0000d00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\PREPAREBACKUP (Leave) = 480000000000000068a6f876cbb9d601c8000000f0020000e9030000000000000100000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\GETSTATE (Leave) = 480000000000000020691c77cbb9d601840a0000f8080000f9030000000000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\PREPARESNAPSHOT (Enter) = 4800000000000000b2ef6377cbb9d601c800000088060000ea030000010000000100000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\PREPARESNAPSHOT (Leave) = 4800000000000000e6ca7b77cbb9d601c8000000e40f0000ea030000000000000100000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) = 48000000000000008f7cd578cbb9d601c8000000dc07000004000000010000000300000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\POSTSNAPSHOT (Leave) = 48000000000000004e670079cbb9d601c800000088060000f5030000000000000400000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGatherWriterMetadata (Enter) = 480000000000000047cb8670cbb9d601840a00009c0f0000d30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\IDENTIFY (Leave) = 480000000000000037b79270cbb9d601c8000000640c0000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\DOSNAPSHOT (Leave) = 48000000000000000608c078cbb9d601840a0000ac0500000a040000000000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\POSTSNAPSHOT (Enter) = 48000000000000004ca3fb78cbb9d601c800000034020000f5030000010000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\POSTSNAPSHOT (Leave) = 48000000000000004e670079cbb9d601c80000008c040000f5030000000000000400000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\BACKUPSHUTDOWN (Enter) = 4800000000000000b7d77279cbb9d601c80000008c030000fb030000010000000500000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGetSnapshots (Enter) = 48000000000000001c5c667fcbb9d601d80e0000d40e0000d20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{f994966a-0000-0000-0000-500600000000}_)	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{f994966a-0000-0000-0000-500600000000}_)\IOCTL_RELEASE (Enter) = 48000000000000006548bb78cbb9d601c8000000880e0000ff030000010000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore\SrCreateRp (Leave) = 4800000000000000432ec778cbb9d601840a00009c0f0000d50700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\THAW (Enter) = 48000000000000008f7cd578cbb9d601c80000008c030000f2030000010000000300000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\FREEZE (Enter) = 48000000000000008ed7cc77cbb9d601c8000000dc070000eb030000010000000200000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_SYSTEM (Leave) = 48000000000000009fafe477cbb9d601c800000034020000ee030000000000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_BACK (Leave) = 4800000000000000d3eadf77cbb9d601c800000034020000ed030000000000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) = 48000000000000008f7cd578cbb9d601c80000008c04000004000000010000000300000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PREFINALCOMMIT (Leave) = 48000000000000004ca3fb78cbb9d601c80000003402000006040000000000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\IDENTIFY (Leave) = 48000000000000008565c572cbb9d601840a0000e4030000e8030000000000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\GETSTATE (Enter) = 480000000000000020691c77cbb9d601c8000000a8010000f9030000010000000100000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\BKGND_FREEZE_THREAD (Enter) = 48000000000000008b6e6578cbb9d601c8000000d40f0000fc030000010000000300000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_ENDPREPARE (Leave) = 4800000000000000dac95c77cbb9d601c80000003402000002040000000000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Leave) = 4800000000000000e6643e79cbb9d601d80e0000d40e0000d10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\IDENTIFY (Enter) = 4800000000000000f12c8970cbb9d601840a0000e4030000e8030000010000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PRECOMMIT (Leave) = 48000000000000008b6e6578cbb9d601c80000003402000003040000000000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\IOCTL_FLUSH_AND_HOLD (Leave) = 48000000000000006548bb78cbb9d601c800000034020000fe030000000000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_COMMIT (Leave) = 48000000000000006548bb78cbb9d601c8000000e80c000004040000000000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\POSTSNAPSHOT (Enter) = 48000000000000004e670079cbb9d601c80000008c040000f5030000010000000400000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Enter) = 48000000000000003e068270cbb9d601840a00009c0f0000d10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\POSTSNAPSHOT (Leave) = 48000000000000002b512b79cbb9d601c800000034020000f5030000000000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\PREPAREBACKUP (Enter) = 48000000000000003a80f176cbb9d601840a000018060000e9030000010000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_KTM (Leave) = 48000000000000009fafe477cbb9d601c800000034020000f0030000000000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_POSTCOMMIT (Leave) = 48000000000000000608c078cbb9d601c80000003402000005040000000000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PREFINALCOMMIT (Enter) = 4800000000000000f9ded778cbb9d601c80000003402000006040000010000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\IDENTIFY (Enter) = 4800000000000000ecf18d70cbb9d601c8000000900d0000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_SYSTEM (Enter) = 4800000000000000d3eadf77cbb9d601c800000034020000ee030000010000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\THAW_KTM (Leave) = 48000000000000000608c078cbb9d601c800000034020000f4030000000000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Enter) = 4800000000000000a63e3779cbb9d601d80e0000d40e0000d10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\BACKUPSHUTDOWN (Leave) = 4800000000000000b7d77279cbb9d601c800000034020000fb030000000000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGetSnapshots (Leave) = 4800000000000000d0b8687fcbb9d601d80e0000d40e0000d20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer\IDENTIFY (Leave) = 480000000000000069199570cbb9d601c8000000a8010000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppAddInterestingComponents (Leave) = 4800000000000000c4adba76cbb9d601840a00009c0f0000d40700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_ENDPREPARE (Enter) = 4800000000000000571d2d77cbb9d601c80000003402000002040000010000000000000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) = 4800000000000000eb297e77cbb9d601c80000008c04000002000000010000000100000000000000f7fad07ab5c7a34fa21ed609eb2bebc400000000000000000000000000000000	vssvc.exe

Drops file in Windows directory 7 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E87FB3C2-DD66-43F7-B272-78B88808693A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7A66.tmp	msiexec.exe
File created	C:\Windows\Installer\f7478c0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7478c0.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 96 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2692 msiexec.exe
2692 msiexec.exe

pid	process
2692	msiexec.exe
2692	msiexec.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeMMMedia.exesrtasks.exewermgr.exe

description	pid	process
Token: SeShutdownPrivilege	796	msiexec.exe
Token: SeIncreaseQuotaPrivilege	796	msiexec.exe
Token: SeSecurityPrivilege	2692	msiexec.exe
Token: SeCreateTokenPrivilege	796	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	796	msiexec.exe
Token: SeLockMemoryPrivilege	796	msiexec.exe
Token: SeIncreaseQuotaPrivilege	796	msiexec.exe
Token: SeMachineAccountPrivilege	796	msiexec.exe
Token: SeTcbPrivilege	796	msiexec.exe
Token: SeSecurityPrivilege	796	msiexec.exe
Token: SeTakeOwnershipPrivilege	796	msiexec.exe
Token: SeLoadDriverPrivilege	796	msiexec.exe
Token: SeSystemProfilePrivilege	796	msiexec.exe
Token: SeSystemtimePrivilege	796	msiexec.exe
Token: SeProfSingleProcessPrivilege	796	msiexec.exe
Token: SeIncBasePriorityPrivilege	796	msiexec.exe
Token: SeCreatePagefilePrivilege	796	msiexec.exe
Token: SeCreatePermanentPrivilege	796	msiexec.exe
Token: SeBackupPrivilege	796	msiexec.exe
Token: SeRestorePrivilege	796	msiexec.exe
Token: SeShutdownPrivilege	796	msiexec.exe
Token: SeDebugPrivilege	796	msiexec.exe
Token: SeAuditPrivilege	796	msiexec.exe
Token: SeSystemEnvironmentPrivilege	796	msiexec.exe
Token: SeChangeNotifyPrivilege	796	msiexec.exe
Token: SeRemoteShutdownPrivilege	796	msiexec.exe
Token: SeUndockPrivilege	796	msiexec.exe
Token: SeSyncAgentPrivilege	796	msiexec.exe
Token: SeEnableDelegationPrivilege	796	msiexec.exe
Token: SeManageVolumePrivilege	796	msiexec.exe
Token: SeImpersonatePrivilege	796	msiexec.exe
Token: SeCreateGlobalPrivilege	796	msiexec.exe
Token: SeBackupPrivilege	200	vssvc.exe
Token: SeRestorePrivilege	200	vssvc.exe
Token: SeAuditPrivilege	200	vssvc.exe
Token: SeBackupPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeShutdownPrivilege	3908	MMMedia.exe
Token: SeCreatePagefilePrivilege	3908	MMMedia.exe
Token: SeBackupPrivilege	3800	srtasks.exe
Token: SeRestorePrivilege	3800	srtasks.exe
Token: SeSecurityPrivilege	3800	srtasks.exe
Token: SeTakeOwnershipPrivilege	3800	srtasks.exe
Token: SeBackupPrivilege	3800	srtasks.exe
Token: SeRestorePrivilege	3800	srtasks.exe
Token: SeSecurityPrivilege	3800	srtasks.exe
Token: SeTakeOwnershipPrivilege	3800	srtasks.exe
Token: SeDebugPrivilege	4220	wermgr.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

796 msiexec.exe
796 msiexec.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MMMedia.exe

pid process

3908 MMMedia.exe
3908 MMMedia.exe

pid	process
796	msiexec.exe
796	msiexec.exe

pid	process
3908	MMMedia.exe
3908	MMMedia.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

msiexec.exeMMMedia.exe

description	pid	process	target process
PID 2692 wrote to memory of 3800	2692	msiexec.exe	srtasks.exe
PID 2692 wrote to memory of 3800	2692	msiexec.exe	srtasks.exe
PID 2692 wrote to memory of 3908	2692	msiexec.exe	MMMedia.exe
PID 2692 wrote to memory of 3908	2692	msiexec.exe	MMMedia.exe
PID 2692 wrote to memory of 3908	2692	msiexec.exe	MMMedia.exe
PID 3908 wrote to memory of 4220	3908	MMMedia.exe	wermgr.exe
PID 3908 wrote to memory of 4220	3908	MMMedia.exe	wermgr.exe
PID 3908 wrote to memory of 4220	3908	MMMedia.exe	wermgr.exe
PID 3908 wrote to memory of 4220	3908	MMMedia.exe	wermgr.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cdfee4284b9ef2c76b7198c1e21118c19be395ac76d3485d50d0ff63faa21d58.msi
1⤵
- Blacklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:796

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Modifies service
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Users\Admin\AppData\Local\Temp\MMMedia\MMMedia.exe
C:\Users\Admin\AppData\Local\Temp\MMMedia\MMMedia.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:200

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B
MD5
5750119e73733fa46e0e619bcc38c9e4

SHA1
f4676a5ed5b119ff1bc3159e7dfcb56ab9983a67

SHA256
9294e1ab3b124831317fc30d02523147abb8006a22b9f429106cc05ae358ab5d

SHA512
d67c1e47ecec9d849052d5dcceb4e60a7f99859bff5c86f41f1b07e6906e406105279c3934ddd59f98a4f0aca8d76fa25dddfd2ee4f3d4217bdc74168d5a3603

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_2EC831F712385997548A0475F2DAA8EC
MD5
483073b54bd6b8352dcdf5cd87c8c24f

SHA1
de2b9f3b81eb714517c869f5e16bf9754e558f25

SHA256
49a40c57ac173e259d2d8fc70d85c256ecbf20c7c8a21bb598b4060fd4d4f592

SHA512
16c278df57a33c389297d2d021ed033e2e0a74fd3ce22d04cb1e50e1e75d3452c4ab38fc415a6790e8ab24a7caa2259333a6ee64ca309162798014c061eb90f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
030fe87cfe5f6cd49739fdf70cbd3a5e

SHA1
5a2414fa9f2eae51e2bef9871e7cef0ebbdee0d2

SHA256
4df6f0a37708e36c68fe9eec2deedfe4f3f4fc7a311902209d2b399bd946ea5e

SHA512
0eb4798c3b34e1d5eb33675207bb85396fb54bef6d37f3617292f73299bc0d310e60db98eb8e5eaa28c01fe37b811f0b04731e68d1587095d9fb4fafcbc09a27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B
MD5
79121847d966abd988dcdd3a9614558b

SHA1
50379bf8b187eda61a9afa5f4d2aae325902b902

SHA256
0379ed9a16c0a5cb780e03150915b792931c21578762b362d68fa6de24bfe86a

SHA512
7e57c202c7c0a878fbeae51f37bd4af04a58244fb1ac4167962ddb496af25d60c3939a53b00abbdfd7876df6c3c4818281cf8e3f3c248537c956b911b28acb8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_2EC831F712385997548A0475F2DAA8EC
MD5
34bd0fd017a7f514b7c60c206f3dc1e3

SHA1
9cf0bb90752caabf42ba6b9a3f49183ab97fa131

SHA256
ed837302d6e607861ccccd3f73325d4c5c6ea12f959ca457978c21fa69907740

SHA512
4e5d0ce9ff4eec083daee9aa4125d2b200389e659a8cd0f6418f4e1f541d953da516544c6969eafffc593aa945759edfa5cf573f1c113bcb6fe608528261e184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
a9c84f6c494394ef43e261584be8c24b

SHA1
28615058c429c19909a93abf3bfe9a86ab90c7e4

SHA256
8241ae0c7a931dcff96081feae9d397133f0b12e7ea4f53494ae71144ec5ff06

SHA512
939f6a9588ab5f199393aa10138d3ca54aeec4807ee6f73b723f47fba682ad5d080b38c05a97acc6ddca50090a475cc9c895da16a62d1ee2108d29c24d7a42eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMMedia\MMMedia.exe
MD5
46a07ec480cd011dae44a527b478cce4

SHA1
21d83628819edcded2ca949c8c886526594847cd

SHA256
b4ad3c9c795d3d07eed4af3d337662a974e64315bb7edde82b6df25f4c09b32b

SHA512
ca1bce0427b4531f2d3960a49f734bbc61014627fac912a780b43d40b9db45c76801337d0086a1da464622aa05a6cc25e07c15bbef418826d40b78e6679e1e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMMedia\MMMedia.exe
MD5
46a07ec480cd011dae44a527b478cce4

SHA1
21d83628819edcded2ca949c8c886526594847cd

SHA256
b4ad3c9c795d3d07eed4af3d337662a974e64315bb7edde82b6df25f4c09b32b

SHA512
ca1bce0427b4531f2d3960a49f734bbc61014627fac912a780b43d40b9db45c76801337d0086a1da464622aa05a6cc25e07c15bbef418826d40b78e6679e1e64

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
MD5
4fe1d0e62d7a70d9a8bef39650a5924a

SHA1
20bddd960d6f28390182b0609d868cf988a0ce8c

SHA256
80b620e2760b0ed28ecf4e30f3e7e3e351eaa7ccf207e2ddff19777f0f84e556

SHA512
26dcff758db14470891b079e2c6c459f269bfe355ccc14f5d5301238b6890240ec36193bbc128ed9109adbb26cde73fd1aa5f837470d076cacabf573aa524a08

Download Submit
\??\Volume{f994966a-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{7ad0faf7-c7b5-4fa3-a21e-d609eb2bebc4}_OnDiskSnapshotProp
MD5
e5a3bd95e8e87eaa65e6eaf5ed9acfb3

SHA1
6b9a748e798b289e8cdec53d2a062ca9641037a4

SHA256
dfa87f43cd4e4e300d384541342b0ddef374a19a1f98775731fdf3d616c048bb

SHA512
e87ed838c42838c03c88c4e301ecd6907a1cea805f10441d0ff49011edc9b45ae90a945ff3e21d2407fcd9e4955cc58a324d17e027a0f8732de78e7275214811

Download Submit
memory/796-0-0x0000021D04560000-0x0000021D04564000-memory.dmp

Filesize
16KB

Download
memory/796-19-0x0000021D01500000-0x0000021D01504000-memory.dmp

Filesize
16KB

Download
memory/3800-2-0x0000000000000000-mapping.dmp

Download
memory/3908-11-0x0000000000000000-mapping.dmp

Download
memory/3908-14-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/3908-15-0x0000000004330000-0x000000000436A000-memory.dmp

Filesize
232KB

Download
memory/4220-18-0x0000000000000000-mapping.dmp

Download