9ca9f83803ab008fbedc3ce11690190720d5d700f40129be6187aec13084419f

Analysis

max time kernel
100s
max time network
132s
platform
windows10_x64
resource
win10v20210408
submitted
25-06-2021 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

_.exe
Size

2.0MB
MD5

9ca8a76d08dd6b3b6be67a170968fc23
SHA1

361552c19a71ffb6b467f29981984970435f2ac5
SHA256

ec17203876629f4b92a28863a91d09205cc8bc821dcd29b5e4bad35ca9d306af
SHA512

7522dbf7bccd9708660c6d5fdb36cfb0d06d3e846a2c65119623774163b16c203939d2820b345e259634c040a3b15974a3032f891933b52f5a62f97037df5a37

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

_.exeLZMA_EXELZMA_EXE

pid process

3660 _.exe
2212 LZMA_EXE
3884 LZMA_EXE
Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

1348 MsiExec.exe
1348 MsiExec.exe

pid	process
3660	_.exe
2212	LZMA_EXE
3884	LZMA_EXE

pid	process
1348	MsiExec.exe
1348	MsiExec.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI7BC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE93.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F32180281F0}	msiexec.exe
File created	C:\Windows\Installer\f75fd7b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f75fd7b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1788 3660 WerFault.exe _.exe

pid	pid_target	process	target process
1788	3660	WerFault.exe	_.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

_.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	_.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	_.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	_.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	_.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

_.exemsiexec.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	3660	_.exe
Token: SeIncreaseQuotaPrivilege	3660	_.exe
Token: SeSecurityPrivilege	3172	msiexec.exe
Token: SeCreateTokenPrivilege	3660	_.exe
Token: SeAssignPrimaryTokenPrivilege	3660	_.exe
Token: SeLockMemoryPrivilege	3660	_.exe
Token: SeIncreaseQuotaPrivilege	3660	_.exe
Token: SeMachineAccountPrivilege	3660	_.exe
Token: SeTcbPrivilege	3660	_.exe
Token: SeSecurityPrivilege	3660	_.exe
Token: SeTakeOwnershipPrivilege	3660	_.exe
Token: SeLoadDriverPrivilege	3660	_.exe
Token: SeSystemProfilePrivilege	3660	_.exe
Token: SeSystemtimePrivilege	3660	_.exe
Token: SeProfSingleProcessPrivilege	3660	_.exe
Token: SeIncBasePriorityPrivilege	3660	_.exe
Token: SeCreatePagefilePrivilege	3660	_.exe
Token: SeCreatePermanentPrivilege	3660	_.exe
Token: SeBackupPrivilege	3660	_.exe
Token: SeRestorePrivilege	3660	_.exe
Token: SeShutdownPrivilege	3660	_.exe
Token: SeDebugPrivilege	3660	_.exe
Token: SeAuditPrivilege	3660	_.exe
Token: SeSystemEnvironmentPrivilege	3660	_.exe
Token: SeChangeNotifyPrivilege	3660	_.exe
Token: SeRemoteShutdownPrivilege	3660	_.exe
Token: SeUndockPrivilege	3660	_.exe
Token: SeSyncAgentPrivilege	3660	_.exe
Token: SeEnableDelegationPrivilege	3660	_.exe
Token: SeManageVolumePrivilege	3660	_.exe
Token: SeImpersonatePrivilege	3660	_.exe
Token: SeCreateGlobalPrivilege	3660	_.exe
Token: SeRestorePrivilege	3172	msiexec.exe
Token: SeTakeOwnershipPrivilege	3172	msiexec.exe
Token: SeRestorePrivilege	3172	msiexec.exe
Token: SeTakeOwnershipPrivilege	3172	msiexec.exe
Token: SeRestorePrivilege	3172	msiexec.exe
Token: SeTakeOwnershipPrivilege	3172	msiexec.exe
Token: SeRestorePrivilege	1788	WerFault.exe
Token: SeBackupPrivilege	1788	WerFault.exe
Token: SeDebugPrivilege	1788	WerFault.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

_.exe

pid process

3660 _.exe
3660 _.exe
3660 _.exe
3660 _.exe

pid	process
3660	_.exe
3660	_.exe
3660	_.exe
3660	_.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

_.exe_.exemsiexec.exe

description	pid	process	target process
PID 860 wrote to memory of 3660	860	_.exe	_.exe
PID 860 wrote to memory of 3660	860	_.exe	_.exe
PID 860 wrote to memory of 3660	860	_.exe	_.exe
PID 3660 wrote to memory of 2212	3660	_.exe	LZMA_EXE
PID 3660 wrote to memory of 2212	3660	_.exe	LZMA_EXE
PID 3660 wrote to memory of 2212	3660	_.exe	LZMA_EXE
PID 3660 wrote to memory of 3884	3660	_.exe	LZMA_EXE
PID 3660 wrote to memory of 3884	3660	_.exe	LZMA_EXE
PID 3660 wrote to memory of 3884	3660	_.exe	LZMA_EXE
PID 3172 wrote to memory of 1348	3172	msiexec.exe	MsiExec.exe
PID 3172 wrote to memory of 1348	3172	msiexec.exe	MsiExec.exe
PID 3172 wrote to memory of 1348	3172	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\_.exe
"C:\Users\Admin\AppData\Local\Temp\_.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\AppData\Local\Temp\jds259301125.tmp\_.exe
"C:\Users\Admin\AppData\Local\Temp\jds259301125.tmp\_.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3660

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\msi.tmp"
3⤵
- Executes dropped EXE
PID:2212

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\jre1.8.0_281full.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\msi.tmp"
3⤵
- Executes dropped EXE
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 3384
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1E20350D7E18FE9E0BB9730976EA0383
2⤵
- Loads dropped DLL
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
MD5
e690c5bad28e2a3b5562551d7cecaf05

SHA1
b7e5d62cf8e2a1f73c11baa83618c8218e7a7517

SHA256
b3efcea82573a42c3625c512c9cf13fa08b421f5b03daa9fc4d919186c4a7552

SHA512
b4f79743a3d23edc0b94aae76d28a7a3ba4aa825c287cdc4ccd6d1b67cfe6259fd1636d16bd607a292ef52c238c8c8a5622a3a90a059b2e19e33d1f5c3429dce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_2A1F4CCD74E7AC1EAF9433BC50ADF937
MD5
43f2192cad7b988c7dd1033ca03923c9

SHA1
c67cb5ebf94422dbf38db03d0a6f6284177423dd

SHA256
90f1ec8091747d2b579d9b835fffe392df8cf0308ed76e690950fde1d005b312

SHA512
99bf973217fa330558bd8481e77b71f9e17012f8539406f97e1e2e263eaf3f2d829c5fa680a6ac8f1ef07dfa59b221628a4ec492afeea33ef5c52c3d94def246

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
MD5
99d3dcd236446533a23db7cf1c0be9cb

SHA1
254211908394f42de8fab991d86463d918c02815

SHA256
a97831b54f8b417920a6b079b228768cc04edbd44d5f0cd20c360d5a74ed0183

SHA512
770f529d966b545cc718fc5db517ba28093c4f178f291eee41dc08de2003da276d9fd7a2fdb22b4ceda1d48a467f3403660cc5c3805814dd7ae1975666dd5378

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_2A1F4CCD74E7AC1EAF9433BC50ADF937
MD5
7e8c5d7674f258b43cf5070d0a060dbe

SHA1
df1204dcefb2391ac391ff82f91dc71a8a699653

SHA256
f4e86898d17181a6fb157d50453f88768e29ec6fcc456f806c926a9528e74632

SHA512
0be618bce96fc49b934a3e1378c2315fd71ac692f8365a275eb3443d4d6901ddd3d51ead12ff9b9c3d4f0e53c6014bb7756cfd8153a18071a8ce88fc814530b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\au.msi
MD5
88435c6298eff7ecf4fda8414d4b5c8c

SHA1
66d51843316a86d70b1b7799a6d74d492e413c64

SHA256
18ee9710217a0a341ef0b82324274a3a4ada6745934834e022ae12d19fb04981

SHA512
d46b1ad30244e0770fd040b7a9271846482c03a054ff727ccd840b0312650652a6c589c6ebca380f96fcf06fbc560d4d99a8f34c903108d1c94e93636ff0910b

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\jre1.8.0_281full.msi
MD5
cd6bbef4f6df0d6a0c9193a67f27b222

SHA1
e2fcc99c1fcc4203d1481620099f2dd156f5afaf

SHA256
ba28b247930d19fb8ad6553fb4a154cd8a40046507850c1f4af887223a5bedfc

SHA512
8ed7a70dfd9299e2ae105756186caf87fbbf11ecf57d0a2b22d49a8a28e9ecdf05cfce3654048548827497c6f5969729e1baaf98e8010773a97323c9274b64f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\msi.tmp
MD5
27163914d6a8e50c1aef46ee46c093a7

SHA1
d9880a1a2475c7359e0c5254f6f51b2f8cf9b289

SHA256
463fc2144ed4107e1462e2360e2baebfcde064dd8698375f015471abc20c2c5b

SHA512
70c25abf89442765c42ccfee99cd8396d8d06d8f984aac5c91dfa96ef8ba9f2c8cba7cb9d5062e5e9036e3dd09d83f5ac56c687549d203465c020e997d1d48b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\msi.tmp
MD5
c0e6d8887ccdf3376fcd87f20009b043

SHA1
2248952e0148d92eec7d03a832d269062e152a68

SHA256
001805d209448562eb98b92cb74933aa0b713f81437863591826b1ccea5350ab

SHA512
a40b82fa20115b4ffdcbf9e7f3abde074c33d9461c4db21dd483e61ef189c6d90bb3ae8187b3742181d8beb619f413e9e816fd81d15a4109858383cbbff8fbc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259301125.tmp\_.exe
MD5
138dc2a47fb16fbc46c9ea6de48e62c5

SHA1
86411ddf411b01fbbc42e6ca274dfe29adb8affb

SHA256
2fe4f92aeb41f28989d9cf48829e19482cac6764d5b4143555779f60b7c5a277

SHA512
ee0ae781540d3a2ac517d7632f56b159e2f922db7a4972d949205b2e733bae287dab970c8bb4c0d8f725819442850a9ff92dbc826afef0de47b06c8148195632

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259301125.tmp\_.exe
MD5
138dc2a47fb16fbc46c9ea6de48e62c5

SHA1
86411ddf411b01fbbc42e6ca274dfe29adb8affb

SHA256
2fe4f92aeb41f28989d9cf48829e19482cac6764d5b4143555779f60b7c5a277

SHA512
ee0ae781540d3a2ac517d7632f56b159e2f922db7a4972d949205b2e733bae287dab970c8bb4c0d8f725819442850a9ff92dbc826afef0de47b06c8148195632

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
55ea7af1a30b5e5f98fd517727a87f31

SHA1
473ed2595b7873e4a4da4a3178d5a774ce22166b

SHA256
efebb5017e76849966c7a5a7f0877eb83f6279ca2a502e6f8aaaa26d1414fe1f

SHA512
2dfc5936176a2df31a4861f5af4044be95d20f3c759011b15317c97b8a60cf2b787f500bdfbc8f08c00606e56c227ab215dc63708139cc7b147ab5c221b20a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
68ba51dc1e06f05a870b4ce2ce4c14cd

SHA1
e6a8bc4cb84f6bce8fc30c7efb04ee84795e20f4

SHA256
91ec6150e42cc4d567e034623b5e744773e09aed7de391639c2ede7a3b841f52

SHA512
6141f00250c22b248037b392c6d3dd1d185799f1f743714ed0ae606eb9ada416e79902914562670d6d085ddabc8e94e601d0fae8c949cfb09af79c593ba356fe

Download Submit
C:\Windows\Installer\MSI7BC.tmp
MD5
48ba53112ed2c351e062499995891806

SHA1
f33cadaea1dfe2f488b3d936e1f12e9fe8ab6406

SHA256
21cd63d63d3af5da2c84f9368129cc760cded245d3365a075975890c3c775fc8

SHA512
35e692ea7daae171e35319dc670792110bbc0d618e38e967be8c40588bccdcc49c6398f4b309001a1972f0619af5e12b39a5f736598b29198f651b23125666e6

Download Submit
C:\Windows\Installer\MSIE93.tmp
MD5
48ba53112ed2c351e062499995891806

SHA1
f33cadaea1dfe2f488b3d936e1f12e9fe8ab6406

SHA256
21cd63d63d3af5da2c84f9368129cc760cded245d3365a075975890c3c775fc8

SHA512
35e692ea7daae171e35319dc670792110bbc0d618e38e967be8c40588bccdcc49c6398f4b309001a1972f0619af5e12b39a5f736598b29198f651b23125666e6

Download Submit
\Windows\Installer\MSI7BC.tmp
MD5
48ba53112ed2c351e062499995891806

SHA1
f33cadaea1dfe2f488b3d936e1f12e9fe8ab6406

SHA256
21cd63d63d3af5da2c84f9368129cc760cded245d3365a075975890c3c775fc8

SHA512
35e692ea7daae171e35319dc670792110bbc0d618e38e967be8c40588bccdcc49c6398f4b309001a1972f0619af5e12b39a5f736598b29198f651b23125666e6

Download Submit
\Windows\Installer\MSIE93.tmp
MD5
48ba53112ed2c351e062499995891806

SHA1
f33cadaea1dfe2f488b3d936e1f12e9fe8ab6406

SHA256
21cd63d63d3af5da2c84f9368129cc760cded245d3365a075975890c3c775fc8

SHA512
35e692ea7daae171e35319dc670792110bbc0d618e38e967be8c40588bccdcc49c6398f4b309001a1972f0619af5e12b39a5f736598b29198f651b23125666e6

Download Submit
memory/1348-133-0x0000000000000000-mapping.dmp

Download
memory/2212-118-0x0000000000000000-mapping.dmp

Download
memory/3660-114-0x0000000000000000-mapping.dmp

Download
memory/3884-123-0x0000000000000000-mapping.dmp

Download