Analysis
- max time kernel: 151s
- max time network: 174s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 22-07-2021 11:53
Static task: static1
Behavioral task: behavioral1
  Sample: DCBR.msi
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: DCBR.msi
  Resource: win10v20210410
General
- Target: DCBR.msi
- Size: 5.6MB
- MD5: 3eb2ea9527590196759a92fdd24eaf8b
- SHA1: 22cb16a1c4331efa0f228484578b54708dcc1f0b
- SHA256: 0bd168703d2bb6a6d5fffe115c4834f4057bcb7f7877369a3230a82badce3d15
- SHA512: 9c775c31e2148a2bd8a82b5be6527d2ccbd8d31df3afda7d5e4b6f35c7bceb4bee42c9933a5e5a38e9eacfd2b97b0ad6e3b896a6b5e1b4e043c83e265264bbbc
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid | process
  4 | 1836 | MsiExec.exe
-
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  2248 | yAVgTC.Lavasoft.WCAssistant.WinService.EXE
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | yAVgTC.Lavasoft.WCAssistant.WinService.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | yAVgTC.Lavasoft.WCAssistant.WinService.EXE
-
Loads dropped DLL 8 IoCs
Processes:
  pid | process
  1836 | MsiExec.exe
  1836 | MsiExec.exe
  2248 | yAVgTC.Lavasoft.WCAssistant.WinService.EXE
  1836 | MsiExec.exe
  2248 | yAVgTC.Lavasoft.WCAssistant.WinService.EXE
  2248 | yAVgTC.Lavasoft.WCAssistant.WinService.EXE
  1836 | MsiExec.exe
  1836 | MsiExec.exe
-
YARA rule match: themida 3 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\yAVgTC\Avira.OE.NativeCore.dll | themida
  \Users\Admin\AppData\Local\yAVgTC\Avira.OE.NativeCore.dll | themida
  behavioral1/memory/2248-90-0x000000006ECF0000-0x0000000070A64000-memory.dmp | themida
The dropped Avira.OE.NativeCore.dll matches the themida packer rule both on disk and in the 29.5MB region it occupies in PID 2248 once loaded, so expect the DLL's real code to be unavailable to static analysis until it is unpacked in memory.
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\yAVgTC = "C:\\Users\\Admin\\AppData\\Local\\yA\u007fVgT\u007f\u007fC\\yA\u007fVgT\u007f\u007fC.Lavasoft.WCAssistant.WinService.EXE" | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run | yAVgTC.Lavasoft.WCAssistant.WinService.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\N9f5o9A7 = "C:\\Users\\Admin\\AppData\\Local\\yA\u007fVgT\u007f\u007fC\\yA\u007fVgT\u007f\u007fC.Lavasoft.WCAssistant.WinService.EXE" | yAVgTC.Lavasoft.WCAssistant.WinService.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\V3K0J8R0 = "C:\\Users\\Admin\\AppData\\Local\\yA\u007fVgT\u007f\u007fC\\yA\u007fVgT\u007f\u007fC.Lavasoft.WCAssistant.WinService.EXE" | yAVgTC.Lavasoft.WCAssistant.WinService.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
Three Run values (yAVgTC, N9f5o9A7, V3K0J8R0) all point at the same dropped binary: the first is written by reg.exe from the installer's custom action, the other two by the binary itself once it is running, so removing only the value named after the directory leaves persistence in place. The value data is reproduced as the sandbox rendered it, with \u007f (DEL) escapes inside the directory and file name; the reg.exe command line in the process tree shows the plain path C:\Users\Admin\AppData\Local\yAVgTC\yAVgTC.Lavasoft.WCAssistant.WinService.EXE.
-
Checks whether UAC is enabled 1 IoCs
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | yAVgTC.Lavasoft.WCAssistant.WinService.EXE
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\A: through \??\Z: except C: and D: (24 drive letters, each opened twice: 48 IoCs) | msiexec.exe
Both Windows Installer processes (the client, PID 2004, and the service, PID 1976) enumerate the drives; the dropped binary (PID 2248) does not.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
  pid | process
  2248 | yAVgTC.Lavasoft.WCAssistant.WinService.EXE
-
Drops file in Windows directory 10 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Installer\MSI5208.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI64D1.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI4F59.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\f7504f0.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI59C.tmp | msiexec.exe
  File created | C:\Windows\Installer\f7504f2.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI5DAD.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\f7504f2.ipi | msiexec.exe
  File created | C:\Windows\Installer\f7504f0.msi | msiexec.exe
-
Modifies Internet Explorer settings 36 IoCs
Processes:
All keys below are under \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\
  description | ioc | process
  Key created | GPU | iexplore.exe
  Key created | IETld\LowMic | iexplore.exe
  Key created | LowRegistry | iexplore.exe
  Key created | Zoom | iexplore.exe
  Key created | Recovery\AdminActive | iexplore.exe
  Set value (int) | TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = 80935697007fd701 | iexplore.exe
  Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b49f8fe5caa4ae4abbcd1f5469801c8b000000000200000000001066000000010000200000004461cfcfe785b10e8bcc11bbab2c9280104ca52df5fed5c45cda64b571a70016000000000e80000000020000200000004cda0919c3d9cb75b1675feb2c7363f9eb761160cd2178fcb753ab67f575f2af20000000bd059c5d21e7c3ca85ed7dc143ea2a59fd569b2d18d1c8eb296f72b11aae5ce1400000005ad14bfffa8b8cfdf2ac11726dadc77b32fb71e01008a5c5d764fa5f1848e18510f6f90b9818032e1c6771977654b8d7bf814342e456cdcdd8dab03f43943b4f | iexplore.exe
  Key created | DomainSuggestion\FileNames\ | iexplore.exe
  Key created | DomainSuggestion | iexplore.exe
  Set value (int) | DomainSuggestion\NextUpdateDate = "333726788" | iexplore.exe
  Key created | LowRegistry\DOMStorage | iexplore.exe
  Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (int) | Recovery\AdminActive\{BC1B67A1-EAF3-11EB-AC6C-72DE1B3474B2} = "0" | iexplore.exe
  Key created | Main\WindowsSearch | iexplore.exe
  Key created | Main | IEXPLORE.EXE
  Key created | Main\WindowsSearch | IEXPLORE.EXE
  Key created | BrowserEmulation\LowMic | iexplore.exe
  Key created | IntelliForms | iexplore.exe
  Key created | InternetRegistry | iexplore.exe
  Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created | PageSetup | iexplore.exe
  Key created | Toolbar | iexplore.exe
  Key created | Toolbar\WebBrowser | iexplore.exe
  Key created | TabbedBrowsing\NewTabPage | iexplore.exe
  Set value (str) | DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
  Key created | Recovery\PendingRecovery | iexplore.exe
  Key created | DomainSuggestion\FileNames | iexplore.exe
  Key created | Main | iexplore.exe
  Set value (data) | Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Set value (str) | Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Set value (data) | TabbedBrowsing\NewTabPage\MFV = (value elided in this capture) | iexplore.exe
  Set value (str) | Main\FullScreen = "no" | iexplore.exe
  Key created | TabbedBrowsing | iexplore.exe
These are Internet Explorer's own first-run and session keys, written because the installer's custom action launched https://bit.ly/3hPv4Ay in iexplore.exe (PID 1728, with its content process 1468); they are a side effect of that launch, not settings the sample sets directly. The DecayDateQueue blob starts with the DPAPI header 01000000d08c9ddf0115d1118c7a00c04fc297eb, i.e. it is IE's DPAPI-protected new-tab-page state rather than attacker data.
-
Modifies registry key 1 TTPs 1 IoCs
Processes: reg.exe (PID 2288; see the process tree)
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
  description | flow | ioc
  HTTP User-Agent header | 4 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Flow 4 is the same flow attributed to MsiExec.exe (PID 1836) under "Blocklisted process makes network request" above, so the request was issued by the installer's custom-action server. Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) is the default User-Agent of the WinHttp.WinHttpRequest COM object, which is what a VBScript/JScript custom action sends when it does not set one; it is a good proxy-log pivot for scripted installer callbacks.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process | count
  1976 | msiexec.exe | 2
  2248 | yAVgTC.Lavasoft.WCAssistant.WinService.EXE | 62
-
Suspicious use of AdjustPrivilegeToken 52 IoCs
Processes:
  pid | process | token privileges (in the order reported)
  2004 | msiexec.exe | SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31)
  1976 | msiexec.exe | SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, then SeRestorePrivilege/SeTakeOwnershipPrivilege alternating nine more times (21)
All 52 adjustments are made by the Windows Installer client (PID 2004) and service (PID 1976); none is made by the dropped binary (PID 2248).
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
  pid | process
  2004 | msiexec.exe
  1728 | iexplore.exe
  2004 | msiexec.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
  pid | process
  1728 | iexplore.exe
  1728 | iexplore.exe
  1468 | IEXPLORE.EXE
  1468 | IEXPLORE.EXE
  1468 | IEXPLORE.EXE
  1468 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
  description | pid | process | target pid | target process | count
  wrote to memory of | 1976 | msiexec.exe | 1836 | MsiExec.exe | 7
  wrote to memory of | 1836 | MsiExec.exe | 1564 | cmd.exe | 4
  wrote to memory of | 1564 | cmd.exe | 1728 | iexplore.exe | 4
  wrote to memory of | 1728 | iexplore.exe | 1468 | IEXPLORE.EXE | 4
  wrote to memory of | 1836 | MsiExec.exe | 2224 | cmd.exe | 4
  wrote to memory of | 1836 | MsiExec.exe | 2248 | yAVgTC.Lavasoft.WCAssistant.WinService.EXE | 4
  wrote to memory of | 2224 | cmd.exe | 2288 | reg.exe | 4
Every writer/target pair here is a parent/child pair in the process tree, so these are the writes a parent makes into a newly created child during process creation; the capture shows no write into an unrelated process that would indicate injection.
Processes
- C:\Windows\system32\msiexec.exe (PID 2004)
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\DCBR.msi
  Windows Installer client, launched to install the sample.
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 1976)
  C:\Windows\system32\msiexec.exe /V
  Windows Installer service; it runs the package's custom actions through the 32-bit custom-action server below.
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 1836, child of 1976)
    C:\Windows\syswow64\MsiExec.exe -Embedding 570053B627425E15A1A4295EDED032AB
    Custom-action server: the -Embedding instance the service spawns to execute the package's custom actions.
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1564, child of 1836)
      "C:\Windows\System32\cmd.exe" /C start /MIN https://bit.ly/3hPv4Ay
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 1728, child of 1564)
        "C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/3hPv4Ay
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1468, child of 1728)
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:275457 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\cmd.exe (PID 2224, child of 1836)
      "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v yAVgTC /t reg_sz /d "C:\Users\Admin\AppData\Local\yAVgTC\yAVgTC.Lavasoft.WCAssistant.WinService.EXE"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 2288, child of 2224)
        reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v yAVgTC /t reg_sz /d "C:\Users\Admin\AppData\Local\yAVgTC\yAVgTC.Lavasoft.WCAssistant.WinService.EXE"
        - Adds Run key to start application
        - Modifies registry key
    - C:\Users\Admin\AppData\Local\yAVgTC\yAVgTC.Lavasoft.WCAssistant.WinService.EXE (PID 2248, child of 1836)
      "C:\Users\Admin\AppData\Local\yAVgTC\yAVgTC.Lavasoft.WCAssistant.WinService.EXE"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
Everything attributable to the sample itself runs under the custom-action server (PID 1836): it spawns cmd.exe to open https://bit.ly/3hPv4Ay in Internet Explorer, spawns cmd.exe and reg.exe to add the yAVgTC Run value, and launches the dropped yAVgTC.Lavasoft.WCAssistant.WinService.EXE (PID 2248), which loads the themida-matched Avira.OE.NativeCore.dll, writes two further Run values, reads SystemBiosVersion, VideoBiosVersion and EnableLUA, and hides a thread from debuggers. The two top-level msiexec.exe processes carry only Windows Installer housekeeping (drive enumeration, privilege adjustment, temp files under C:\Windows\Installer).
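The chain above (installer custom-action server to shell, browser, reg.exe and a dropped EXE, plus the registry reads and writes in the signatures) is the kind of lineage an endpoint detection should catch without needing the sample's hashes. The following is an added example written for this page, not part of the sandbox output: a small rule set over constructed Sysmon-style process-creation and registry events whose PIDs, image paths and command lines are copied from the process tree, with the registry events taken from the "Adds Run key", "Checks BIOS information" and "Checks whether UAC is enabled" signatures. The parent PIDs of the two top-level msiexec.exe processes are not in the report and are set to 0; the event shapes, rule names and the list of "user-writable" directories are this example's own assumptions.

```python
"""Detection rules for the installer-to-persistence chain in this report.

Added example, not part of the sandbox output. The events below are
constructed Sysmon-style records: PIDs, image paths and command lines are
copied from the process tree; registry events mirror the report's signatures.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int       # 0 = parent not shown in the report (assumption)
    image: str
    cmdline: str


@dataclass
class RegEvent:
    pid: int
    op: str         # "set" or "query"
    key: str
    data: str = ""


SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RUN_KEY_RE = re.compile(r"\\currentversion\\run\b", re.IGNORECASE)
REG_ADD_RE = re.compile(r'reg(?:\.exe)?\s+add\s+(?P<key>\S+).*?/d\s+"?(?P<data>[^"]+)"?', re.IGNORECASE)
START_URL_RE = re.compile(r"\bstart\b.*https?://", re.IGNORECASE)
BIOS_VALUES = ("systembiosversion", "videobiosversion")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def user_writable(path: str) -> bool:
    """Locations an installer should not be executing from or pointing Run keys at (assumed list)."""
    p = path.lower()
    return "\\appdata\\" in p or "\\programdata\\" in p or "\\users\\public\\" in p


def detect(procs, regs):
    """Return sorted (rule, pid) findings over process-creation and registry events."""
    by_pid = {p.pid: p for p in procs}

    def ancestors(pid):
        chain, seen = [], set()
        while pid in by_pid and pid not in seen:
            seen.add(pid)
            chain.append(by_pid[pid])
            pid = by_pid[pid].ppid
        return chain[1:]          # exclude the process itself

    findings = set()
    for ev in procs:
        name = basename(ev.image)
        parent = by_pid.get(ev.ppid)
        # Custom-action server (MsiExec.exe -Embedding ...) spawning a shell or a dropped EXE
        if parent and basename(parent.image) == "msiexec.exe" and "-embedding" in parent.cmdline.lower():
            if name in SHELLS:
                findings.add(("msi_custom_action_spawns_shell", ev.pid))
            elif user_writable(ev.image):
                findings.add(("msi_custom_action_runs_dropped_exe", ev.pid))
        # A shell under an installer using "start" on a URL: browser launch from an installer
        if name in SHELLS and START_URL_RE.search(ev.cmdline) and any(
                basename(a.image) == "msiexec.exe" for a in ancestors(ev.pid)):
            findings.add(("installer_opens_url_in_browser", ev.pid))
        # reg.exe adding a Run value that points into a user-writable directory
        m = REG_ADD_RE.search(ev.cmdline)
        if name == "reg.exe" and m and RUN_KEY_RE.search(m.group("key")) and user_writable(m.group("data")):
            findings.add(("run_key_to_user_writable_path", ev.pid))
    for r in regs:
        src = by_pid[r.pid].image if r.pid in by_pid else ""
        if r.op == "set" and RUN_KEY_RE.search(r.key) and user_writable(r.data):
            findings.add(("run_key_to_user_writable_path", r.pid))
        # BIOS version strings read by a binary running from AppData: sandbox/VM fingerprinting
        if r.op == "query" and r.key.lower().endswith(BIOS_VALUES) and user_writable(src):
            findings.add(("bios_version_queried_from_appdata_binary", r.pid))
    return sorted(findings)


PAYLOAD = r"C:\Users\Admin\AppData\Local\yAVgTC\yAVgTC.Lavasoft.WCAssistant.WinService.EXE"
REG_ADD = r'reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v yAVgTC /t reg_sz /d "%s"' % PAYLOAD

# Constructed from the process tree in the report (same PIDs and command lines).
PROC_EVENTS = [
    ProcEvent(2004, 0, r"C:\Windows\system32\msiexec.exe", r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\DCBR.msi"),
    ProcEvent(1976, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(1836, 1976, r"C:\Windows\syswow64\MsiExec.exe", r"C:\Windows\syswow64\MsiExec.exe -Embedding 570053B627425E15A1A4295EDED032AB"),
    ProcEvent(1564, 1836, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C start /MIN https://bit.ly/3hPv4Ay'),
    ProcEvent(1728, 1564, r"C:\Program Files\Internet Explorer\iexplore.exe", r'"C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/3hPv4Ay'),
    ProcEvent(1468, 1728, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE", r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:275457 /prefetch:2'),
    ProcEvent(2224, 1836, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C start /MIN ' + REG_ADD),
    ProcEvent(2288, 2224, r"C:\Windows\SysWOW64\reg.exe", REG_ADD),
    ProcEvent(2248, 1836, PAYLOAD, '"%s"' % PAYLOAD),
]

# Constructed from the registry signatures (hives spelled the way Sysmon logs them).
REG_EVENTS = [
    RegEvent(2248, "set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\N9f5o9A7", PAYLOAD),
    RegEvent(2248, "set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\V3K0J8R0", PAYLOAD),
    RegEvent(2248, "query", r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    RegEvent(2248, "query", r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    RegEvent(2248, "query", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    RegEvent(1728, "set", r"HKCU\Software\Microsoft\Internet Explorer\Main\FullScreen", "no"),  # benign IE noise
]

if __name__ == "__main__":
    for rule, pid in detect(PROC_EVENTS, REG_EVENTS):
        print(f"{rule:42s} pid={pid}")
```

Run stand-alone it prints seven findings, all on PIDs 1564, 2224, 2248 and 2288; the two top-level msiexec.exe processes and the two Internet Explorer processes produce none, which matches the split the tree shows between installer housekeeping and the sample's own actions. The rules key on lineage and on where a path points rather than on the yAVgTC name, so a rebuild of the package with a different directory name would still trip them.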
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
  MD5: 32a913d8ecc4e44c129ec875773cf3dc
  SHA1: 480eca9ee43825262c9907383c96ecbfa594c55c
  SHA256: c83a825a4359c833c9fab107e3355a0010f3516db6dfe137ce6b41251780d2dc
  SHA512: 37d57dd012d896f30554b30b1fed0403a27bc6bc8d8ae288d96efad0f87d6adbb128bad19672c24c6c66882a0bf04214ae6ccd16682b5d033898360050d3f170
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  MD5: 2902de11e30dcc620b184e3bb0f0c1cb
  SHA1: 5d11d14a2558801a2688dc2d6dfad39ac294f222
  SHA256: e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544
  SHA512: efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
  MD5: 5f69b12a7e46f79ce23845f2722d6974
  SHA1: 39f247a2ba13e3d6a44b247a89753c90342ac4b0
  SHA256: ed1c5ddaf51d8383d142e5ff5dd6319206fb1252c4d7fa1d2c36f26a7787ae74
  SHA512: 6ec57834a70b47e63a22ba51142e31dbf590ca13d9ad241610b45d6d30ca0899a36cde696ce033eacdeb1edc83de6f83ef0b772c0277a7d95b531e7d644a4174
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: f30ef1cfa2c426ca622f28e503e1e45f
  SHA1: c42b62de14249a8f40af1b62f0e410eb3cb5e188
  SHA256: 8e0e37228162bc7f278c327238f285b9006fa121bb3d753f06287fac1d0ae279
  SHA512: ff95ac8bf9734181bbb18856ec4b4ba8ded5ee4ed2a7979e5d549252a693d178e9170a6a3e88de0e9a735baf13dcbff588016189e64adb90d8fcb209d399d6ee
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bq3gxmw\imagestore.dat
  MD5: c5338306d65f320814348bfea969d069
  SHA1: cbf9ae30053fc48196d852ad712b66011a762c88
  SHA256: a3d4a03e3b31842dcb0428fb89f1026b0babff5853b5a246e5f2d1fd981753b1
  SHA512: 09b5ed523d0cca1b296c3856b0656125d1ebc6e347e817e1c41d092d66cd721b2d3c664e23ae5699b7a310fadbbbe6b05bf982a375012f09eeee0e5f02c6cc43
- C:\Users\Admin\AppData\Local\Temp\MSI501a6.LOG
  MD5: e4caee508c909619d992d95e598db46e
  SHA1: 7a65d594503d3cf302b4839d86975b1df1cd116a
  SHA256: fe573a52ff2d332dcfddf5abf3f5d05267264060d87bda38d62aa76629fd7dcd
  SHA512: 75c4e6b56f90ac05fe1462f1205a808f09f40ec002781a901e2d49d1512a896a5f37c8bd62e13ef7df9bdc2e1f4fe5efe245e3ba20d0d1d261622bbf2bc9d6a4
- C:\Users\Admin\AppData\Local\yAVgTC\Avira.OE.NativeCore.dll
  MD5: 69956909dd2b7813338401ebd3774e8f
  SHA1: 6c49378f63505fd72a5ba53ab0ca2d25c47f13c3
  SHA256: 3a74e84facc9b7ff009c0fd38267db03286a61b8c53d53fe0fdc7a69e5d553a0
  SHA512: 3d8beeef5251117b3119df432eb5b29b25873bde716fdde8db931ceaa5b2e3305a9811e0c6b59cdf70855fec86f699d35595d8716027f0c9bb04031b64ddea88
- C:\Users\Admin\AppData\Local\yAVgTC\MSVCP120.dll
  MD5: fd5cabbe52272bd76007b68186ebaf00
  SHA1: efd1e306c1092c17f6944cc6bf9a1bfad4d14613
  SHA256: 87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608
  SHA512: 1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5
- C:\Users\Admin\AppData\Local\yAVgTC\MSVCR120.dll
  MD5: 034ccadc1c073e4216e9466b720f9849
  SHA1: f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1
  SHA256: 86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f
  SHA512: 5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7
- C:\Users\Admin\AppData\Local\yAVgTC\yAVgTC.Lavasoft.WCAssistant.WinService.EXE
  MD5: fefc447b17cf02a6fcb0abc7f5959450
  SHA1: 918360e2e07c9be49ef4d07406b37cea7dc3b924
  SHA256: a74226654c5048cadb46d83b3778c554e0e02c6dc063f35b2721cb977f1285cf
  SHA512: aa3b6d2418ff7ecc3696a757408cacf054090e8c4b520900a0c45f4f274af24174ad79b5413537be0fe01ee0363c70fa49c3cc59b0788ae1abce11249cea6588
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\29IZFM7O.txt
  MD5: 652891b1a446f971183242fb7250e7ca
  SHA1: 83e0182e2713820948c9cb2ecf82778aedf083e6
  SHA256: 896476d13a2ae9a821694f0aad256145357888a86538ce88aca35364f3248a28
  SHA512: f316d6a47f5767dd7fdae66218c1adaf7eb6a20f89e53ec5d2c0f4cc0d539bd8a2bde1e3f80b076d3f383a349cebd09cf61e8ff829fb14920a9ae54c194c5415
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NMIGGAZE.txt
  MD5: a99d22eb4d076228312023cff298df5d
  SHA1: 35d28cab3f2bdb2f9b9853e74f5397f69fdcfc86
  SHA256: f1b67a739a16889856100bc7969527500af107c9d8c68cb6f9df3fa030a8c6de
  SHA512: 92c8d49c22e6c0d99194e73d66160161806d285c1726cbbafc809f383f2b8b8fb30aaa7d48585d27cc00a90b77cb89b3c639479e1c202e8ec20fe31e97627802
- C:\Windows\Installer\MSI4F59.tmp
  MD5: 5c5bef05b6f3806106f8f3ce13401cc1
  SHA1: 6005fbe17f6e917ac45317552409d7a60976db14
  SHA256: f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
  SHA512: 97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
- C:\Windows\Installer\MSI5208.tmp
  MD5: 2782aebc4b0d64dbd33e66251e9ab371
  SHA1: 1606c90365554b205af444bfa534e094847d0a32
  SHA256: e56039ccfb3d5a4fb35d415fd50d1eb8ad9da69bcff8e71bb1ed82306b535e1b
  SHA512: 96a46726882e3c75e3489bd33da7474e8f308b0c7455b0c4c989ea84487b8e1b69c82d4bdf0cd15648b6904251442ab748aa392dd6de17820daa7d8549f956ad
- C:\Windows\Installer\MSI59C.tmp (identical content to MSI4F59.tmp)
  MD5: 5c5bef05b6f3806106f8f3ce13401cc1
  SHA1: 6005fbe17f6e917ac45317552409d7a60976db14
  SHA256: f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
  SHA512: 97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797
- C:\Windows\Installer\MSI64D1.tmp (identical content to MSI5208.tmp)
  MD5: 2782aebc4b0d64dbd33e66251e9ab371
  SHA1: 1606c90365554b205af444bfa534e094847d0a32
  SHA256: e56039ccfb3d5a4fb35d415fd50d1eb8ad9da69bcff8e71bb1ed82306b535e1b
  SHA512: 96a46726882e3c75e3489bd33da7474e8f308b0c7455b0c4c989ea84487b8e1b69c82d4bdf0cd15648b6904251442ab748aa392dd6de17820daa7d8549f956ad
The report also lists the following root-relative paths; each is the same file, with identical MD5/SHA1/SHA256/SHA512, as the C:\ entry of the same name above:
- \Users\Admin\AppData\Local\yAVgTC\Avira.OE.NativeCore.dll
- \Users\Admin\AppData\Local\yAVgTC\msvcp120.dll
- \Users\Admin\AppData\Local\yAVgTC\msvcr120.dll
- \Users\Admin\AppData\Local\yAVgTC\yAVgTC.Lavasoft.WCAssistant.WinService.EXE
- \Windows\Installer\MSI4F59.tmp
- \Windows\Installer\MSI5208.tmp
- \Windows\Installer\MSI59C.tmp
- \Windows\Installer\MSI64D1.tmp
Memory dumps
- memory/1468-70-0x0000000000000000-mapping.dmp
- memory/1564-66-0x0000000000000000-mapping.dmp
- memory/1728-68-0x0000000000000000-mapping.dmp
- memory/1836-63-0x00000000754F1000-0x00000000754F3000-memory.dmp (Filesize 8KB)
- memory/1836-62-0x0000000000000000-mapping.dmp
- memory/2004-59-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp (Filesize 8KB)
- memory/2224-73-0x0000000000000000-mapping.dmp
- memory/2248-90-0x000000006ECF0000-0x0000000070A64000-memory.dmp (Filesize 29.5MB; the region that matches the themida YARA rule)
- memory/2248-91-0x000000006ECF1000-0x000000006F032000-memory.dmp (Filesize 3.3MB)
- memory/2248-92-0x00000000000A0000-0x00000000000A1000-memory.dmp (Filesize 4KB)
- memory/2248-75-0x0000000000000000-mapping.dmp
- memory/2288-79-0x0000000000000000-mapping.dmp
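The dropped-file list above mixes the sample's own artifacts (the four files under yAVgTC) with files every Windows run produces (CryptoAPI URL cache, IE image store and cookies, Windows Installer temp files and log), and lists the same file under several paths. The following is an added example written for this page, not part of the sandbox output: a parser for the list in both the raw capture layout (label fused to the digest, "MD5" fused to the path line) and the cleaned "LABEL: value" layout, which validates digest lengths, collapses entries by SHA256 and filters the sandbox noise. SAMPLE is a constructed excerpt whose hashes are copied from the list above; the NOISE path list is this example's own judgement of what to exclude, not something the report states.

```python
"""De-duplicate the dropped-file list of this report into an IOC set.

Added example, not part of the sandbox output. SAMPLE is a constructed
excerpt of the Downloads list (hash values copied from the report); the
NOISE list is an assumption about which paths any sandbox run produces.
"""
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(SHA512|SHA256|SHA1|MD5):?\s*([0-9a-fA-F]+)$")
BARE_HEX = re.compile(r"^[0-9a-fA-F]{32}$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Paths the OS/sandbox writes on any run (CryptoAPI URL cache, IE image store
# and cookies, Windows Installer temp files and log): not IOCs for the sample.
NOISE = ("\\cryptneturlcache\\", "\\internet explorer\\imagestore\\",
         "\\windows\\cookies\\", "\\windows\\installer\\msi", "\\temp\\msi")


def parse(text):
    """Return one {'path', 'MD5', 'SHA1', ...} dict per entry; digests of the wrong length are dropped."""
    records, cur, pending_md5 = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = HASH_LINE.match(line)
        if m and cur is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) == HASH_LEN[algo]:
                cur[algo] = digest
            continue
        if pending_md5 and cur is not None and BARE_HEX.match(line):
            cur["MD5"], pending_md5 = line.lower(), False     # raw layout: MD5 digest on its own line
            continue
        pending_md5 = line.endswith("MD5")                    # raw layout: "<path>MD5"
        cur = {"path": line[:-3] if pending_md5 else line}
        records.append(cur)
    return records


def unique_by_sha256(records):
    """Collapse entries that are the same file under different paths."""
    paths = defaultdict(set)
    for r in records:
        if "SHA256" in r:
            paths[r["SHA256"]].add(r["path"])
    return {sha: sorted(p) for sha, p in paths.items()}


def is_noise(path):
    p = path.lower()
    return any(n in p for n in NOISE)


def sample_iocs(records):
    """Unique hashes that appear under at least one path outside the known-noise locations."""
    return {sha: p for sha, p in unique_by_sha256(records).items() if not all(is_noise(x) for x in p)}


# Constructed excerpt: first entry in the raw capture layout, the rest cleaned.
SAMPLE = r"""
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015MD5
2902de11e30dcc620b184e3bb0f0c1cb
SHA15d11d14a2558801a2688dc2d6dfad39ac294f222
SHA256e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544
SHA512efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0
-
C:\Users\Admin\AppData\Local\yAVgTC\Avira.OE.NativeCore.dll
MD5: 69956909dd2b7813338401ebd3774e8f
SHA1: 6c49378f63505fd72a5ba53ab0ca2d25c47f13c3
SHA256: 3a74e84facc9b7ff009c0fd38267db03286a61b8c53d53fe0fdc7a69e5d553a0
-
C:\Users\Admin\AppData\Local\yAVgTC\yAVgTC.Lavasoft.WCAssistant.WinService.EXE
MD5: fefc447b17cf02a6fcb0abc7f5959450
SHA1: 918360e2e07c9be49ef4d07406b37cea7dc3b924
SHA256: a74226654c5048cadb46d83b3778c554e0e02c6dc063f35b2721cb977f1285cf
-
\Users\Admin\AppData\Local\yAVgTC\yAVgTC.Lavasoft.WCAssistant.WinService.EXE
MD5: fefc447b17cf02a6fcb0abc7f5959450
SHA1: 918360e2e07c9be49ef4d07406b37cea7dc3b924
SHA256: a74226654c5048cadb46d83b3778c554e0e02c6dc063f35b2721cb977f1285cf
-
C:\Windows\Installer\MSI4F59.tmp
MD5: 5c5bef05b6f3806106f8f3ce13401cc1
SHA1: 6005fbe17f6e917ac45317552409d7a60976db14
SHA256: f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
-
C:\Windows\Installer\MSI59C.tmp
MD5: 5c5bef05b6f3806106f8f3ce13401cc1
SHA1: 6005fbe17f6e917ac45317552409d7a60976db14
SHA256: f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
"""

if __name__ == "__main__":
    for sha, paths in sample_iocs(parse(SAMPLE)).items():
        print(sha, *paths, sep="\n  ")
```

On the excerpt the six entries collapse to four distinct files and, after filtering, to the two hashes worth blocking or hunting for: the Themida-matched Avira.OE.NativeCore.dll and the yAVgTC.Lavasoft.WCAssistant.WinService.EXE payload. The MSVCP120/MSVCR120 runtime DLLs would survive the noise filter too if included; they are legitimate Visual C++ redistributables and should be checked against known-good hashes rather than blocked.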