revengerat | 8e57e91b007a4aea044f90adce393d0a78465d62df8f70a4022f5a4533c3fd65

General

Target

Invoice.msi
Size

288KB
MD5

f959677f1823dff599d226429d95c0e6
SHA1

02b546733236c788dec7c680ec38afa03dc5960d
SHA256

8e57e91b007a4aea044f90adce393d0a78465d62df8f70a4022f5a4533c3fd65
SHA512

7e3781b42b4d2f7533523c986d0778a53ea7e995fa794c5196d49fe2229892519472cff53f6787b7a8c7f307dde0c58bd2be167b90f3c5b59a369796c3ba8547

Score

10^/10

revengerat nov333 stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Nov333

C2

80.82.68.21:3333

Mutex

RV_MUTEX-FtNHuiGGjjtnxDp

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral2/memory/3736-12-0x0000000004C90000-0x0000000004CC5000-memory.dmp	beds_protector

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2228-17-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral2/memory/2228-18-0x0000000000405DDE-mapping.dmp	revengerat

Executes dropped EXE 2 IoCs

Processes:

MSIDC1F.tmpMSIDC1F.tmp

pid process

3736 MSIDC1F.tmp
2228 MSIDC1F.tmp

pid	process
3736	MSIDC1F.tmp
2228	MSIDC1F.tmp

Drops startup file 2 IoCs

Processes:

MSIDC1F.tmp

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSIDC1F.tmp.exe	MSIDC1F.tmp
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSIDC1F.tmp.exe	MSIDC1F.tmp

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

MSIDC1F.tmp

description pid process target process

PID 3736 set thread context of 2228 3736 MSIDC1F.tmp MSIDC1F.tmp

description	pid	process	target process
PID 3736 set thread context of 2228	3736	MSIDC1F.tmp	MSIDC1F.tmp

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDB71.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDC1F.tmp	msiexec.exe
File created	C:\Windows\Installer\f74d93f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f74d93f.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 96 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSIDC1F.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	MSIDC1F.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSIDC1F.tmp

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

msiexec.exeMSIDC1F.tmp

pid	process
4072	msiexec.exe
4072	msiexec.exe
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp
3736	MSIDC1F.tmp

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeMSIDC1F.tmpsrtasks.exeMSIDC1F.tmp

description	pid	process
Token: SeShutdownPrivilege	732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	732	msiexec.exe
Token: SeSecurityPrivilege	4072	msiexec.exe
Token: SeCreateTokenPrivilege	732	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	732	msiexec.exe
Token: SeLockMemoryPrivilege	732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	732	msiexec.exe
Token: SeMachineAccountPrivilege	732	msiexec.exe
Token: SeTcbPrivilege	732	msiexec.exe
Token: SeSecurityPrivilege	732	msiexec.exe
Token: SeTakeOwnershipPrivilege	732	msiexec.exe
Token: SeLoadDriverPrivilege	732	msiexec.exe
Token: SeSystemProfilePrivilege	732	msiexec.exe
Token: SeSystemtimePrivilege	732	msiexec.exe
Token: SeProfSingleProcessPrivilege	732	msiexec.exe
Token: SeIncBasePriorityPrivilege	732	msiexec.exe
Token: SeCreatePagefilePrivilege	732	msiexec.exe
Token: SeCreatePermanentPrivilege	732	msiexec.exe
Token: SeBackupPrivilege	732	msiexec.exe
Token: SeRestorePrivilege	732	msiexec.exe
Token: SeShutdownPrivilege	732	msiexec.exe
Token: SeDebugPrivilege	732	msiexec.exe
Token: SeAuditPrivilege	732	msiexec.exe
Token: SeSystemEnvironmentPrivilege	732	msiexec.exe
Token: SeChangeNotifyPrivilege	732	msiexec.exe
Token: SeRemoteShutdownPrivilege	732	msiexec.exe
Token: SeUndockPrivilege	732	msiexec.exe
Token: SeSyncAgentPrivilege	732	msiexec.exe
Token: SeEnableDelegationPrivilege	732	msiexec.exe
Token: SeManageVolumePrivilege	732	msiexec.exe
Token: SeImpersonatePrivilege	732	msiexec.exe
Token: SeCreateGlobalPrivilege	732	msiexec.exe
Token: SeBackupPrivilege	768	vssvc.exe
Token: SeRestorePrivilege	768	vssvc.exe
Token: SeAuditPrivilege	768	vssvc.exe
Token: SeBackupPrivilege	4072	msiexec.exe
Token: SeRestorePrivilege	4072	msiexec.exe
Token: SeRestorePrivilege	4072	msiexec.exe
Token: SeTakeOwnershipPrivilege	4072	msiexec.exe
Token: SeRestorePrivilege	4072	msiexec.exe
Token: SeTakeOwnershipPrivilege	4072	msiexec.exe
Token: SeRestorePrivilege	4072	msiexec.exe
Token: SeTakeOwnershipPrivilege	4072	msiexec.exe
Token: SeRestorePrivilege	4072	msiexec.exe
Token: SeTakeOwnershipPrivilege	4072	msiexec.exe
Token: SeDebugPrivilege	3736	MSIDC1F.tmp
Token: SeBackupPrivilege	2276	srtasks.exe
Token: SeRestorePrivilege	2276	srtasks.exe
Token: SeSecurityPrivilege	2276	srtasks.exe
Token: SeTakeOwnershipPrivilege	2276	srtasks.exe
Token: SeBackupPrivilege	2276	srtasks.exe
Token: SeRestorePrivilege	2276	srtasks.exe
Token: SeSecurityPrivilege	2276	srtasks.exe
Token: SeTakeOwnershipPrivilege	2276	srtasks.exe
Token: SeDebugPrivilege	2228	MSIDC1F.tmp
Token: SeRestorePrivilege	4072	msiexec.exe
Token: SeTakeOwnershipPrivilege	4072	msiexec.exe
Token: SeRestorePrivilege	4072	msiexec.exe
Token: SeTakeOwnershipPrivilege	4072	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

732 msiexec.exe
732 msiexec.exe

pid	process
732	msiexec.exe
732	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

msiexec.exeMSIDC1F.tmp

description	pid	process	target process
PID 4072 wrote to memory of 2276	4072	msiexec.exe	srtasks.exe
PID 4072 wrote to memory of 2276	4072	msiexec.exe	srtasks.exe
PID 4072 wrote to memory of 3736	4072	msiexec.exe	MSIDC1F.tmp
PID 4072 wrote to memory of 3736	4072	msiexec.exe	MSIDC1F.tmp
PID 4072 wrote to memory of 3736	4072	msiexec.exe	MSIDC1F.tmp
PID 3736 wrote to memory of 2228	3736	MSIDC1F.tmp	MSIDC1F.tmp
PID 3736 wrote to memory of 2228	3736	MSIDC1F.tmp	MSIDC1F.tmp
PID 3736 wrote to memory of 2228	3736	MSIDC1F.tmp	MSIDC1F.tmp
PID 3736 wrote to memory of 2228	3736	MSIDC1F.tmp	MSIDC1F.tmp
PID 3736 wrote to memory of 2228	3736	MSIDC1F.tmp	MSIDC1F.tmp
PID 3736 wrote to memory of 2228	3736	MSIDC1F.tmp	MSIDC1F.tmp
PID 3736 wrote to memory of 2228	3736	MSIDC1F.tmp	MSIDC1F.tmp

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Invoice.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:732

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\Installer\MSIDC1F.tmp
"C:\Windows\Installer\MSIDC1F.tmp"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\Installer\MSIDC1F.tmp
"C:\Windows\Installer\MSIDC1F.tmp"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:768

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSIDC1F.tmp
MD5
49d493901c396507a0d26065e4a75283

SHA1
0fa197bf3b50ca8a6b6be01283e6ba1eebcc7889

SHA256
c04888cf051d59540208dc4e13c7b32366f131d095e50bd97c2c8fbff91c07c3

SHA512
a72ed9410f8fcedd6ea63a5eab84174ad78a397155238651de35c0cd69060f1bc51219430955929753a3fe8347abc0ebdf544d55f452930deab7fa99ff2fc711

Download Submit
C:\Windows\Installer\MSIDC1F.tmp
MD5
49d493901c396507a0d26065e4a75283

SHA1
0fa197bf3b50ca8a6b6be01283e6ba1eebcc7889

SHA256
c04888cf051d59540208dc4e13c7b32366f131d095e50bd97c2c8fbff91c07c3

SHA512
a72ed9410f8fcedd6ea63a5eab84174ad78a397155238651de35c0cd69060f1bc51219430955929753a3fe8347abc0ebdf544d55f452930deab7fa99ff2fc711

Download Submit
C:\Windows\Installer\MSIDC1F.tmp
MD5
49d493901c396507a0d26065e4a75283

SHA1
0fa197bf3b50ca8a6b6be01283e6ba1eebcc7889

SHA256
c04888cf051d59540208dc4e13c7b32366f131d095e50bd97c2c8fbff91c07c3

SHA512
a72ed9410f8fcedd6ea63a5eab84174ad78a397155238651de35c0cd69060f1bc51219430955929753a3fe8347abc0ebdf544d55f452930deab7fa99ff2fc711

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
MD5
50038df61b800d7a6fd20d884dfbf81d

SHA1
044cb28e565c14059563f01b37c1860bd6db2aed

SHA256
3d25a21fce86479ff292ae67a3c30cacc224be5db805723653a2ef78f2b3b010

SHA512
60bcaf5f198e45fc2d3816680c63c62a85bac2a3c6d708a5e71b250085c4310def3656817b589e344cb6aa54af8c9661026fc9b459f1b7de8c452372a0eae309

Download Submit
\??\Volume{0e932f02-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{38936e64-4051-4736-a3e9-9f193a32890a}_OnDiskSnapshotProp
MD5
c634d6f4260f0966349dd31c5af4033c

SHA1
684212c0668c23f374f0cdf5a23ab93e86a8e515

SHA256
60ad798d368df583f643d2b67ba5ebf11c436b55573c2818a6952d18829e95cd

SHA512
7f5da7449aab6f3e4ecd64e5eadbaf7a337eb12da77baa59a5a59ffb5e1eb27809c8e21f9e49e87fa65db70896b2f339b58f45f8e538911ad9a8f52a2e22fcee

Download Submit
memory/732-26-0x000002352A840000-0x000002352A844000-memory.dmp

Filesize
16KB

Download
memory/2228-20-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2228-18-0x0000000000405DDE-mapping.dmp

Download
memory/2228-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2276-2-0x0000000000000000-mapping.dmp

Download
memory/3736-11-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/3736-12-0x0000000004C90000-0x0000000004CC5000-memory.dmp

Filesize
212KB

Download
memory/3736-15-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/3736-16-0x00000000073E0000-0x00000000073E1000-memory.dmp

Filesize
4KB

Download
memory/3736-10-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/3736-9-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3736-7-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/3736-6-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/3736-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads