6472de894c5cb6050fd80cdd893b8772aef71f8bdb5c65a0175cf7cbb90e6ec6

Analysis

max time kernel
141s
max time network
136s
platform
windows7_x64
resource
win7v20210410
submitted
16/04/2021, 03:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PatchCleaner_1.4.2.0.exe
Size

1.3MB
MD5

70d0bd7633d10c492839272c97b2544e
SHA1

4da0e8c2fe1f06b13985d700fe15686a1015c3bb
SHA256

6472de894c5cb6050fd80cdd893b8772aef71f8bdb5c65a0175cf7cbb90e6ec6
SHA512

99d43ed2060eb6371a54f73af407fe4cc7644a93e5f856419ad0cb8769b2664139cb9097ff4be4b8dbb93f2c5da4fc90bc48eeac6fe0b3df5f8bc12428b5b5b2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1420	setup.exe
1064	PatchCleaner.exe

Loads dropped DLL 7 IoCs

pid	Process
1100	PatchCleaner_1.4.2.0.exe
1420	setup.exe
1420	setup.exe
1436	MsiExec.exe
1436	MsiExec.exe
1164	MsiExec.exe
1164	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\HomeDev\PatchCleaner\PatchCleaner.log	PatchCleaner.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\AppData\patches.txt	cscript.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\AppData\WMIProducts.vbs	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\HomeDev.Common.dll	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\log4net.dll	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\HomeDev.Software.dll	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\AppData\products.txt	cscript.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\System.Windows.Controls.Input.Toolkit.dll	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\Microsoft.WindowsAPICodePack.dll	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\AppData\Readme.rtf	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\PatchCleaner.exe	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\PatchCleaner.exe.config	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\Microsoft.WindowsAPICodePack.Shell.dll	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\System.Windows.Controls.Layout.Toolkit.dll	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\WPFToolkit.dll	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_9C79D8932B8391D44D5ECB.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f75b2db.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f75b2db.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_853F67D554F05449430E7E.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f75b2dc.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB453.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB5DA.tmp	msiexec.exe
File created	C:\Windows\Installer\f75b2dc.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB704.tmp	msiexec.exe
File created	C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_F50716A801D63468497CD3.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_F50716A801D63468497CD3.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_853F67D554F05449430E7E.exe	msiexec.exe
File created	C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_9C79D8932B8391D44D5ECB.exe	msiexec.exe
File created	C:\Windows\Installer\f75b2de.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe

Modifies registry class 41 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\PackageCode = "185E25D16CE049341B4DA8BD645C594E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|HomeDev.Common.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|HomeDev.Common.dll\HomeDev.Common,Version="1.1.5.2",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="86819A5907809173" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e003400260041002c0044004400510072003400450062005a0049006d00540072005e006a007800270000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|log4net.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|Microsoft.WindowsAPICodePack.dll	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\671AD727BB05C254D85B69EEA075E34D\DefaultFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS426D.tmp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\26E051A48C561874BB8CF174125F2F04\671AD727BB05C254D85B69EEA075E34D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS426D.tmp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|System.Windows.Controls.Layout.Toolkit.dll\System.Windows.Controls.Layout.Toolkit,Version="3.5.40128.1",Culture="neutral",ProcessorArchitecture="MSIL",Publi = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e00240037003700640067006e0049006b0060006b00600051004f004200550050002d00560075002a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|HomeDev.Software.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|PatchCleaner.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\671AD727BB05C254D85B69EEA075E34D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|HomeDev.Software.dll\HomeDev.Software,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="EB089AF34F3501AB" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e0046002100610039004b0064003100340059006c0062002800360053004e00510050004e004c00370000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|System.Windows.Controls.Input.Toolkit.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|System.Windows.Controls.Input.Toolkit.dll\System.Windows.Controls.Input.Toolkit,Version="3.5.40128.1",Culture="neutral",ProcessorArchitecture="MSIL",PublicK = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e003900730036007d0060005500290067006b005400600045005b00480027004f005f0053006e00520000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|Microsoft.WindowsAPICodePack.Shell.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|log4net.dll\log4net,Version="1.2.15.0",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="669E0DDF0BB1AA2A" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e006300430042005500760062002b0045005f0028006500430062007e005f002c00350077004c00540000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\Version = "17039380"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\26E051A48C561874BB8CF174125F2F04	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\ProductIcon = "C:\\Windows\\Installer\\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\\_853F67D554F05449430E7E.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList\PackageName = "PatchCleaner.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|PatchCleaner.exe\PatchCleaner,Version="1.4.2.0",Culture="neutral",ProcessorArchitecture="MSIL" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e00290049004e004800470076004b006c004700600053006f0075006e004c0048003f0053007d00660000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\ProductName = "PatchCleaner"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\AdvertiseFlags = "388"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|Microsoft.WindowsAPICodePack.Shell.dll\Microsoft.WindowsAPICodePack.Shell,Version="1.1.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e004d00650037005f0065004800240051004c003d0076006d006c006c00250067005f004d003600570000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|System.Windows.Controls.Layout.Toolkit.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|Microsoft.WindowsAPICodePack.dll\Microsoft.WindowsAPICodePack,Version="1.1.2.0",Culture="neutral",ProcessorArchitecture="MSIL" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e004a0072006b00540036005600370047007a00510062006b0064006b00420031005a0078002b005e0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|WPFToolkit.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|WPFToolkit.dll\WPFToolkit,Version="3.5.40128.1",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="31BF3856AD364E35" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e00590055003200650062003100210032006a006500520042002e007d007a006d00420047002900390000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\Clients = 3a0000000000	msiexec.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	PatchCleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	PatchCleaner.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
524	msiexec.exe
524	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1636	msiexec.exe
Token: SeRestorePrivilege	524	msiexec.exe
Token: SeTakeOwnershipPrivilege	524	msiexec.exe
Token: SeSecurityPrivilege	524	msiexec.exe
Token: SeCreateTokenPrivilege	1636	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1636	msiexec.exe
Token: SeLockMemoryPrivilege	1636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1636	msiexec.exe
Token: SeMachineAccountPrivilege	1636	msiexec.exe
Token: SeTcbPrivilege	1636	msiexec.exe
Token: SeSecurityPrivilege	1636	msiexec.exe
Token: SeTakeOwnershipPrivilege	1636	msiexec.exe
Token: SeLoadDriverPrivilege	1636	msiexec.exe
Token: SeSystemProfilePrivilege	1636	msiexec.exe
Token: SeSystemtimePrivilege	1636	msiexec.exe
Token: SeProfSingleProcessPrivilege	1636	msiexec.exe
Token: SeIncBasePriorityPrivilege	1636	msiexec.exe
Token: SeCreatePagefilePrivilege	1636	msiexec.exe
Token: SeCreatePermanentPrivilege	1636	msiexec.exe
Token: SeBackupPrivilege	1636	msiexec.exe
Token: SeRestorePrivilege	1636	msiexec.exe
Token: SeShutdownPrivilege	1636	msiexec.exe
Token: SeDebugPrivilege	1636	msiexec.exe
Token: SeAuditPrivilege	1636	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1636	msiexec.exe
Token: SeChangeNotifyPrivilege	1636	msiexec.exe
Token: SeRemoteShutdownPrivilege	1636	msiexec.exe
Token: SeUndockPrivilege	1636	msiexec.exe
Token: SeSyncAgentPrivilege	1636	msiexec.exe
Token: SeEnableDelegationPrivilege	1636	msiexec.exe
Token: SeManageVolumePrivilege	1636	msiexec.exe
Token: SeImpersonatePrivilege	1636	msiexec.exe
Token: SeCreateGlobalPrivilege	1636	msiexec.exe
Token: SeCreateTokenPrivilege	1636	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1636	msiexec.exe
Token: SeLockMemoryPrivilege	1636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1636	msiexec.exe
Token: SeMachineAccountPrivilege	1636	msiexec.exe
Token: SeTcbPrivilege	1636	msiexec.exe
Token: SeSecurityPrivilege	1636	msiexec.exe
Token: SeTakeOwnershipPrivilege	1636	msiexec.exe
Token: SeLoadDriverPrivilege	1636	msiexec.exe
Token: SeSystemProfilePrivilege	1636	msiexec.exe
Token: SeSystemtimePrivilege	1636	msiexec.exe
Token: SeProfSingleProcessPrivilege	1636	msiexec.exe
Token: SeIncBasePriorityPrivilege	1636	msiexec.exe
Token: SeCreatePagefilePrivilege	1636	msiexec.exe
Token: SeCreatePermanentPrivilege	1636	msiexec.exe
Token: SeBackupPrivilege	1636	msiexec.exe
Token: SeRestorePrivilege	1636	msiexec.exe
Token: SeShutdownPrivilege	1636	msiexec.exe
Token: SeDebugPrivilege	1636	msiexec.exe
Token: SeAuditPrivilege	1636	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1636	msiexec.exe
Token: SeChangeNotifyPrivilege	1636	msiexec.exe
Token: SeRemoteShutdownPrivilege	1636	msiexec.exe
Token: SeUndockPrivilege	1636	msiexec.exe
Token: SeSyncAgentPrivilege	1636	msiexec.exe
Token: SeEnableDelegationPrivilege	1636	msiexec.exe
Token: SeManageVolumePrivilege	1636	msiexec.exe
Token: SeImpersonatePrivilege	1636	msiexec.exe
Token: SeCreateGlobalPrivilege	1636	msiexec.exe
Token: SeCreateTokenPrivilege	1636	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1636	msiexec.exe
1636	msiexec.exe
1064	PatchCleaner.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1420	1100	PatchCleaner_1.4.2.0.exe	29
PID 1100 wrote to memory of 1420	1100	PatchCleaner_1.4.2.0.exe	29
PID 1100 wrote to memory of 1420	1100	PatchCleaner_1.4.2.0.exe	29
PID 1100 wrote to memory of 1420	1100	PatchCleaner_1.4.2.0.exe	29
PID 1100 wrote to memory of 1420	1100	PatchCleaner_1.4.2.0.exe	29
PID 1100 wrote to memory of 1420	1100	PatchCleaner_1.4.2.0.exe	29
PID 1100 wrote to memory of 1420	1100	PatchCleaner_1.4.2.0.exe	29
PID 1420 wrote to memory of 1636	1420	setup.exe	30
PID 1420 wrote to memory of 1636	1420	setup.exe	30
PID 1420 wrote to memory of 1636	1420	setup.exe	30
PID 1420 wrote to memory of 1636	1420	setup.exe	30
PID 1420 wrote to memory of 1636	1420	setup.exe	30
PID 1420 wrote to memory of 1636	1420	setup.exe	30
PID 1420 wrote to memory of 1636	1420	setup.exe	30
PID 524 wrote to memory of 1436	524	msiexec.exe	32
PID 524 wrote to memory of 1436	524	msiexec.exe	32
PID 524 wrote to memory of 1436	524	msiexec.exe	32
PID 524 wrote to memory of 1436	524	msiexec.exe	32
PID 524 wrote to memory of 1436	524	msiexec.exe	32
PID 524 wrote to memory of 1436	524	msiexec.exe	32
PID 524 wrote to memory of 1436	524	msiexec.exe	32
PID 524 wrote to memory of 1164	524	msiexec.exe	36
PID 524 wrote to memory of 1164	524	msiexec.exe	36
PID 524 wrote to memory of 1164	524	msiexec.exe	36
PID 524 wrote to memory of 1164	524	msiexec.exe	36
PID 524 wrote to memory of 1164	524	msiexec.exe	36
PID 524 wrote to memory of 1164	524	msiexec.exe	36
PID 524 wrote to memory of 1164	524	msiexec.exe	36
PID 1064 wrote to memory of 960	1064	PatchCleaner.exe	39
PID 1064 wrote to memory of 960	1064	PatchCleaner.exe	39
PID 1064 wrote to memory of 960	1064	PatchCleaner.exe	39

C:\Users\Admin\AppData\Local\Temp\PatchCleaner_1.4.2.0.exe
"C:\Users\Admin\AppData\Local\Temp\PatchCleaner_1.4.2.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\7zS426D.tmp\setup.exe
  .\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\7zS426D.tmp\PatchCleaner.msi"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1636

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DC17E9D44EDC5FF3A4A329465947AD24 C
  2⤵
  - Loads dropped DLL
  PID:1436
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A55167387D9FDDDB5EEC512EA063D027
  2⤵
  - Loads dropped DLL
  PID:1164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:644

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "000000000000055C" "0000000000000564"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1916

C:\Program Files (x86)\HomeDev\PatchCleaner\PatchCleaner.exe
"C:\Program Files (x86)\HomeDev\PatchCleaner\PatchCleaner.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\System32\cscript.exe
  "C:\Windows\System32\cscript.exe" //B //Nologo WMIProducts.vbs
  2⤵
  - Drops file in Program Files directory
  PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/524-70-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download
memory/1064-107-0x000000001B040000-0x000000001B041000-memory.dmp

Filesize
4KB

Download
memory/1064-94-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1064-91-0x0000000000A10000-0x0000000000A12000-memory.dmp

Filesize
8KB

Download
memory/1064-96-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1064-92-0x0000000000A16000-0x0000000000A35000-memory.dmp

Filesize
124KB

Download
memory/1064-99-0x000000001B740000-0x000000001B741000-memory.dmp

Filesize
4KB

Download
memory/1064-90-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/1064-87-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/1064-104-0x000000001AD70000-0x000000001AD71000-memory.dmp

Filesize
4KB

Download
memory/1064-109-0x0000000000A36000-0x0000000000A37000-memory.dmp

Filesize
4KB

Download
memory/1064-108-0x0000000000A35000-0x0000000000A36000-memory.dmp

Filesize
4KB

Download
memory/1100-59-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download