Analysis
-
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7v20210410
submitted: 05-05-2021 10:57
-
Behavioral task: behavioral1
Sample: 5A47B6ECD963805410D996573CA00DD0.msi
Resource: win7v20210410
-
General
-
Target: 5A47B6ECD963805410D996573CA00DD0.msi
Size: 256KB
MD5: 5a47b6ecd963805410d996573ca00dd0
SHA1: 2440e9a1a76573d9506b752d31b10a788d82b215
SHA256: cd5cf89c75b6639053a9f493d611b7b575c0ce09d5388a7fdb0e5e92ea05a3c2
SHA512: 4e350b16e212435373343662d3b1636861f5fb704f7bc40e84b8c7cc47c2419c37edb6851da87482566a744f84f3e1459e60094971ee24ff2c4838d02b003cad
Malware Config
Extracted
Family: formbook
Version: 4.1
C2: http://www.craftsman-vail.com/cca/
Decoy domains (64): Formbook beacons to a rotating subset of these alongside the live C2, so a DNS or proxy hit on one of them shows infection but does not by itself identify which server is real.
whenpigsflyhigh.com
artistiklounge.com
tinytrendstique.com
projektpartner-ag.com
charvelevh.com
easycompliances.net
zengheqiye.com
professionalmallorca.com
bonzerstudio.com
nelivo.com
yangxeric.com
aredntech.com
twincitieshousingmarket.com
allshadesunscreen.com
xiang-life.net
qmcp00011.com
lindsayeandmarkv.com
fbcsbvsbvsjbvjs.com
saveonthrivelife.com
newdpo.com
raazjewellers.com
sangsterdesign.com
thedatdaiquiris.com
uljanarattel.com
daebak.cloud
hurricanekickgg.com
mercadilloartisanalfoods.com
salahdinortho.com
thisislandonbraverman.com
siliconesampler.com
youxiaoke.online
trucity.net
mychicpartyboutique.com
adsvestglobal.com
lidoshoreslistings.info
mexicoaprende.online
4-2ararinost.com
kevinberginlbi.com
vaudqa.com
alignedenergetics.info
conmielyconhiel.com
urweddingsite.com
angelshead.com
renejewels.com
sim201.com
fkdjjkdjkrefefe.com
thecontentchicks.com
sarikayalar.net
herspacephilly.com
fortwayneduiattorney.com
vallejocardealers.com
gmworldservice.com
mybuddyryde.net
zeneanyasbyerika.com
downloadhs.com
hernonymous.com
suu6.com
xuehuasa.ltd
miacting.com
thefreedomenvelope.com
yihuisq.net
steamshipautjority.com
lowcarblovefnp.com
knm.xyz
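The extracted config is only useful once it is turned into something a proxy or DNS log can be matched against. The following is an added example (not Triage's code and not part of the sample) that parses a cut-down copy of the block above, separates the live C2 from the decoy list, and runs the result over a few constructed proxy-log lines. It assumes, as Formbook normally does, that beacons to decoy domains reuse the C2 URI path (here /cca/); the log format, the client addresses and the log lines are constructed for the example.

```python
"""Formbook config -> IoC set -> proxy-log matcher (added example, not from the report)."""
import re
from urllib.parse import urlsplit

# Cut-down copy of the report's "Malware Config" block: family, version, C2 URL, decoys.
CONFIG_TEXT = """formbook
4.1
http://www.craftsman-vail.com/cca/
whenpigsflyhigh.com
artistiklounge.com
tinytrendstique.com
knm.xyz
"""


def parse_formbook_config(text):
    """Return (family, version, c2_url, decoy_domains).

    The C2 is the one entry that carries a scheme and path; everything else is a decoy."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, version, rest = lines[0], lines[1], lines[2:]
    c2 = next(ln for ln in rest if "://" in ln)
    decoys = [ln.lower() for ln in rest if "://" not in ln]
    return family, version, c2, decoys


def ioc_hosts(c2_url, decoys):
    """Host set to match: the C2 host with and without a leading 'www.', plus every decoy."""
    host = urlsplit(c2_url).hostname
    bare = host[4:] if host.startswith("www.") else host
    return {host, bare, "www." + bare, *decoys}


def c2_path(c2_url):
    """URI path the bot beacons to, e.g. '/cca/'."""
    return urlsplit(c2_url).path


# Constructed log format (assumption): <timestamp> <client ip> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<url>\S+) (?P<status>\d{3})$")


def match_beacons(log_lines, hosts, path):
    """Return (client, host, method) for requests to an IoC host whose path starts with the C2 path.

    Matching on host alone would also flag ordinary browsing to a decoy domain (which may be a
    legitimate site); requiring the C2 path is what separates a beacon from a visit."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the run
        u = urlsplit(m["url"])
        host = (u.hostname or "").lower()
        if host in hosts and u.path.startswith(path):
            hits.append((m["src"], host, m["method"]))
    return hits


SAMPLE_LOG = [  # constructed for the example, not sandbox output
    "2021-05-05T10:58:01Z 10.0.0.7 GET http://www.craftsman-vail.com/cca/?id=abc 404",
    "2021-05-05T10:58:02Z 10.0.0.7 POST http://whenpigsflyhigh.com/cca/ 200",
    "2021-05-05T10:58:03Z 10.0.0.9 GET http://knm.xyz/ 200",       # decoy host, but no C2 path
    "2021-05-05T10:58:04Z 10.0.0.7 GET http://example.net/cca/ 200",  # C2 path, but host not in config
    "not a log line",
]


def run_example():
    """Parse the config, build the IoC set and match it over SAMPLE_LOG."""
    _family, _version, c2, decoys = parse_formbook_config(CONFIG_TEXT)
    return match_beacons(SAMPLE_LOG, ioc_hosts(c2, decoys), c2_path(c2))


if __name__ == "__main__":
    for src, host, method in run_example():
        print(f"{src} -> {method} {host}")
```

Only the first two lines are reported: the third hits a decoy host without the beacon path, the fourth hits the path on a host outside the config. Feed the full 64-entry list from the report into CONFIG_TEXT to get the complete IoC set.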
Signatures
-
Formbook Payload 2 IoCs
Processes:
resource: behavioral1/memory/1612-69-0x0000000000400000-0x000000000042E000-memory.dmp   yara_rule: formbook
resource: behavioral1/memory/968-76-0x0000000000090000-0x00000000000BE000-memory.dmp    yara_rule: formbook
Both regions are 0x2E000 bytes (184KB): the same unpacked Formbook image, first in the hollowed MSI5BA9.tmp (PID 1612) and then in wuapp.exe (PID 968).
-
Executes dropped EXE 2 IoCs
Processes:
pid 788   process MSI5BA9.tmp
pid 1612  process MSI5BA9.tmp
-
Loads dropped DLL 1 IoCs
Processes:
pid 788   process MSI5BA9.tmp
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description: File opened (read-only)   ioc: \??\<drive letter>:   process: msiexec.exe
Every drive letter from A: to Z: except C: and D: is opened read-only, and each letter appears twice (48 entries in total). Both msiexec.exe instances in the process tree (the /I client, PID 1096, and the /V service, PID 1060) carry this signature; Windows Installer probing volumes during an install transaction is expected behaviour and is not attributable to the payload.
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
PID 788  (MSI5BA9.tmp)  set thread context of  PID 1612 (MSI5BA9.tmp)
PID 1612 (MSI5BA9.tmp)  set thread context of  PID 1248 (Explorer.EXE)
PID 968  (wuapp.exe)    set thread context of  PID 1248 (Explorer.EXE)
This is the Formbook injection chain: the dropped NSIS binary hollows a second copy of itself, the hollowed copy hijacks a thread in Explorer.EXE, and Explorer is then made to start a SysWOW64 system binary (wuapp.exe in this run) that carries the final payload and injects back into Explorer.
-
Drops file in Windows directory 10 IoCs
Processes:
File opened for modification  C:\Windows\INF\setupapi.ev3        DrvInst.exe
File opened for modification  C:\Windows\INF\setupapi.ev1        DrvInst.exe
File opened for modification  C:\Windows\Installer\              msiexec.exe
File opened for modification  C:\Windows\Installer\MSI5BA9.tmp   msiexec.exe
File opened for modification  C:\Windows\Installer\f745968.ipi   msiexec.exe
File opened for modification  C:\Windows\INF\setupapi.dev.log    DrvInst.exe
File created                  C:\Windows\Installer\f745966.msi   msiexec.exe
File opened for modification  C:\Windows\Installer\f745966.msi   msiexec.exe
File created                  C:\Windows\Installer\f745968.ipi   msiexec.exe
File opened for modification  C:\Windows\Installer\MSI5B3A.tmp   msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches "likely ransomware behaviour" to this signature generically; in this run the storage enumeration is performed by msiexec.exe (see Enumerates connected drives above), which is normal Windows Installer behaviour, and the extracted payload is Formbook, an information stealer, not ransomware.
-
NSIS installer 6 IoCs
Processes:
C:\Windows\Installer\MSI5BA9.tmp  nsis_installer_1
C:\Windows\Installer\MSI5BA9.tmp  nsis_installer_2
(the pair is reported three times against the same file, 6 IoCs in total)
MSI5BA9.tmp is the package's custom-action binary: msiexec writes Binary-table custom actions to C:\Windows\Installer\MSI<hex>.tmp, so the path on its own is not suspicious. What is suspicious is an NSIS-built executable in that role that unpacks a plugin to %TEMP%\nsn5C55.tmp\venh5.dll (see Downloads) and then hollows a copy of itself.
-
Modifies data under HKEY_USERS 44 IoCs
Processes:
All 44 entries are made by DrvInst.exe (PID 912), the driver-install helper started for the volume snapshot device shown in its command line. Creating empty SystemCertificates containers under \REGISTRY\USER\.DEFAULT is what CryptoAPI does when the SYSTEM profile's certificate stores are first opened; no certificate is written, so this is an installer-side side effect, not trust-store tampering by the payload. The powershell.exe,-124 entry is a MUI string-resource lookup (the friendly name of an EKU that PowerShell registers), not an execution of PowerShell: no powershell.exe appears in the process tree.

Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  (UTF-16LE "en-US", "en")
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
pid 1060  msiexec.exe   (2 entries)
pid 1612  MSI5BA9.tmp   (2 entries)
pid 968   wuapp.exe     (26 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid 1248  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid 788   MSI5BA9.tmp   (1 entry)
pid 1612  MSI5BA9.tmp   (3 entries)
pid 968   wuapp.exe     (2 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
PID 1096 msiexec.exe (/I client), 31 entries in this order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
PID 1060 msiexec.exe (/V service), 17 entries: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege; later SeBackupPrivilege, SeRestorePrivilege; then six repetitions of SeRestorePrivilege, SeTakeOwnershipPrivilege
PID 1960 vssvc.exe, 3 entries: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
PID 912 DrvInst.exe, 10 entries: SeRestorePrivilege (7 times), SeLoadDriverPrivilege (3 times)
PID 1612 MSI5BA9.tmp: SeDebugPrivilege
PID 1248 Explorer.EXE: SeShutdownPrivilege
PID 968 wuapp.exe: SeDebugPrivilege
The long list under PID 1096 is the Windows Installer client enabling every privilege present in its token, a standard part of an install and not privilege escalation. The entries worth noting are SeDebugPrivilege in MSI5BA9.tmp (1612) and wuapp.exe (968): the payload's own processes enabling it, the usual precursor to opening other processes for injection.
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
pid 1096  msiexec.exe   (2 entries)
pid 1248  Explorer.EXE  (4 entries)
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid 1248  Explorer.EXE  (4 entries)
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
PID 1060 (msiexec.exe)   wrote to memory of  PID 788  (MSI5BA9.tmp)   4 entries
PID 788  (MSI5BA9.tmp)   wrote to memory of  PID 1612 (MSI5BA9.tmp)   5 entries
PID 1248 (Explorer.EXE)  wrote to memory of  PID 968  (wuapp.exe)     7 entries
PID 968  (wuapp.exe)     wrote to memory of  PID 912  (cmd.exe)       4 entries
A parent writing into a child it has just created is also what ordinary CreateProcess does, so the 1060 -> 788 entries are not evidence of injection on their own; the 788 -> 1612 and 1248 -> 968 writes are, because the same pairs appear under SetThreadContext above. PID 912 is reused within this run: it is cmd.exe here and DrvInst.exe in the AdjustPrivilegeToken and HKEY_USERS signatures.
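The SetThreadContext and WriteProcessMemory signatures above describe the chain only as a list of pairs; the detection logic that turns them into findings is what a responder wants to carry over to endpoint telemetry. The following is an added example (not the sandbox's code and not part of the sample): a small rule set run over event records constructed from the report's SetThreadContext, WriteProcessMemory and process-tree sections. The event schema and the rule names are assumptions for the example; on an endpoint the same signals would come from process-creation, process-access and remote-thread telemetry rather than from a sandbox log.

```python
"""Detect the Formbook-style injection chain over sandbox-style process events.

Added example for this report. The records below are constructed from the report's
SetThreadContext / WriteProcessMemory / process-tree sections; the sandbox itself
does not emit them in this form."""
from collections import defaultdict

# (op, actor pid, actor image, target pid, target image, command line or None)
# "create" = process creation, "write" = WriteProcessMemory, "setctx" = SetThreadContext.
EVENTS = [
    ("create", 1060, "msiexec.exe",  788,  "MSI5BA9.tmp",  '"C:\\Windows\\Installer\\MSI5BA9.tmp"'),
    ("write",  1060, "msiexec.exe",  788,  "MSI5BA9.tmp",  None),  # normal: parent writes into its new child
    ("create", 788,  "MSI5BA9.tmp",  1612, "MSI5BA9.tmp",  '"C:\\Windows\\Installer\\MSI5BA9.tmp"'),
    ("write",  788,  "MSI5BA9.tmp",  1612, "MSI5BA9.tmp",  None),
    ("setctx", 788,  "MSI5BA9.tmp",  1612, "MSI5BA9.tmp",  None),  # hollowing: own child, same image
    ("setctx", 1612, "MSI5BA9.tmp",  1248, "Explorer.EXE", None),  # hijack a thread in Explorer
    ("create", 1248, "Explorer.EXE", 968,  "wuapp.exe",    '"C:\\Windows\\SysWOW64\\wuapp.exe"'),
    ("write",  1248, "Explorer.EXE", 968,  "wuapp.exe",    None),
    ("setctx", 968,  "wuapp.exe",    1248, "Explorer.EXE", None),
    ("create", 968,  "wuapp.exe",    912,  "cmd.exe",      '/c del "C:\\Windows\\Installer\\MSI5BA9.tmp"'),
]


def detect(events):
    """Return a list of (rule, actor_pid, target_pid) findings, in event order.

    Rules (names are this example's own):
      hollowing                    SetThreadContext on a child the actor created with the same image name
      cross_process_setctx         SetThreadContext on a process the actor did not create
      cleanup_from_injected_parent a process whose parent was hijacked spawns cmd.exe to delete a file
    A bare WriteProcessMemory is never a finding: CreateProcess writes into the new child too."""
    children = defaultdict(set)   # pid -> pids it created
    parent = {}                   # child pid -> creating pid
    image = {}                    # pid -> image name
    hijacked = set()              # pids that had a thread context set by another process
    findings = []
    for op, pid, img, tgt, tgt_img, cmdline in events:
        image.setdefault(pid, img)
        image.setdefault(tgt, tgt_img)
        if op == "create":
            children[pid].add(tgt)
            parent[tgt] = pid
            if (tgt_img.lower() == "cmd.exe" and parent.get(pid) in hijacked
                    and cmdline and "del " in cmdline.lower()):
                findings.append(("cleanup_from_injected_parent", pid, tgt))
        elif op == "setctx":
            hijacked.add(tgt)
            if tgt in children[pid] and image[tgt].lower() == image[pid].lower():
                findings.append(("hollowing", pid, tgt))
            elif tgt not in children[pid]:
                findings.append(("cross_process_setctx", pid, tgt))
    return findings


if __name__ == "__main__":
    for rule, actor, target in detect(EVENTS):
        print(f"{rule}: {actor} -> {target}")
```

Run on the constructed events it reports the hollowing of 1612 by 788, the two thread hijacks of Explorer.EXE (by 1612 and by 968), and the cmd.exe deletion launched by wuapp.exe, while staying silent on msiexec's legitimate write into its custom-action child.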
Processes
-
Tree (depth shown by indentation; PIDs taken from the signature tables above):

C:\Windows\Explorer.EXE  (PID 1248)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\msiexec.exe  (PID 1096)
    command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5A47B6ECD963805410D996573CA00DD0.msi
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  C:\Windows\SysWOW64\wuapp.exe  (PID 968)
    command line: "C:\Windows\SysWOW64\wuapp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 912)
      command line: /c del "C:\Windows\Installer\MSI5BA9.tmp"

C:\Windows\system32\msiexec.exe  (PID 1060)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Installer\MSI5BA9.tmp  (PID 788)
    command line: "C:\Windows\Installer\MSI5BA9.tmp"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\Installer\MSI5BA9.tmp  (PID 1612)
      command line: "C:\Windows\Installer\MSI5BA9.tmp"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe  (PID 1960)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe  (PID 912)
  command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "0000000000000398" "00000000000005B8"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the user-side msiexec /I client (under Explorer) hands the package to the msiexec /V service, which extracts and runs the custom action MSI5BA9.tmp. That NSIS binary hollows a second copy of itself, the hollowed copy injects into Explorer.EXE, and Explorer then starts wuapp.exe, which carries the Formbook payload and removes the dropper with cmd.exe /c del. Note that wuapp.exe sits under Explorer rather than under the installer chain: the Explorer injection is what breaks the parent-child lineage a naive process-tree rule would follow. vssvc.exe and DrvInst.exe belong to the volume shadow copy taken during the install (HarddiskVolumeSnapshot12 in the DrvInst command line), which is also the source of the HKEY_USERS certificate-store activity.
-
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\Installer\MSI5BA9.tmp
MD5: c77e06cc36913e3fe6aee24cc84a602a
SHA1: 44f58a4362deb256d5e8fa215f7590d1cef7c28e
SHA256: 3cae7292cd45fd776f787ea3530f4630bcfdc18a0aa0ec29f276f1de931f4cd4
SHA512: d4f596613dfb5a1f3d5b5b154a28532ade260c6b3d3d65a1acba3dcf9daa1e2efa3c0c810ce979ef5ab7e741480e4a937854d61f9831e22f4ac38e6370c385b1
-
\Users\Admin\AppData\Local\Temp\nsn5C55.tmp\venh5.dll
MD5: c00528a6302c18a9f864430711bdd4fb
SHA1: f3bc9a67f9526bec14953713299c886417de6b47
SHA256: 0fe4f7c5b0bee4f32d84db8cc6acdcb202f00e396bbda7770d3faafe066cb367
SHA512: 354ed5ba7b654fefb339542e6f48088f1a2a9d73b4b2274684b9ff158c1d804ebd262e25592affbe626995718336c1132f9e7cbb305d62bac97a6f21249be643
-
Memory dumps (file, size):
memory/788-68-0x00000000004B0000-0x00000000004B2000-memory.dmp    8KB
memory/788-61-0x0000000000000000-mapping.dmp
memory/788-63-0x0000000075281000-0x0000000075283000-memory.dmp    8KB
memory/912-74-0x0000000000000000-mapping.dmp
memory/968-76-0x0000000000090000-0x00000000000BE000-memory.dmp    184KB
memory/968-73-0x0000000000000000-mapping.dmp
memory/968-77-0x0000000002050000-0x0000000002353000-memory.dmp    3.0MB
memory/968-75-0x0000000000340000-0x000000000034B000-memory.dmp    44KB
memory/968-78-0x0000000000630000-0x00000000006C3000-memory.dmp    588KB
memory/1096-59-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp   8KB
memory/1248-72-0x0000000006EE0000-0x0000000007063000-memory.dmp   1.5MB
memory/1248-79-0x0000000004190000-0x0000000004254000-memory.dmp   784KB
memory/1612-69-0x0000000000400000-0x000000000042E000-memory.dmp   184KB
memory/1612-71-0x00000000003E0000-0x00000000003F4000-memory.dmp   80KB
memory/1612-70-0x0000000000770000-0x0000000000A73000-memory.dmp   3.0MB
memory/1612-66-0x000000000041EB70-mapping.dmp
The two 184KB dumps (1612-69 and 968-76) are the regions the formbook YARA rule matched; the 1612-66 mapping address 0x41EB70 lies inside the 0x400000-0x42E000 image of the hollowed process. The 3.0MB regions in 1612 and 968 are the same size (0x303000 bytes), consistent with the same unpacked stage being present in both processes.