Analysis

  max time kernel:   153s
  max time network:  149s
  platform:          windows10_x64
  resource:          win10-en-20211208
  submitted:         28-01-2022 17:34

Static task
  static1

Behavioral task
  behavioral1
  Sample:    ef4930fc91c40c8bc955c9a38b5112ee0a7cb6008b13e48025ed458fae4ba20d.msi
  Resource:  win7-en-20211208

Behavioral task
  behavioral2
  Sample:    ef4930fc91c40c8bc955c9a38b5112ee0a7cb6008b13e48025ed458fae4ba20d.msi
  Resource:  win10-en-20211208
General

  Target:  ef4930fc91c40c8bc955c9a38b5112ee0a7cb6008b13e48025ed458fae4ba20d.msi
  Size:    3.6MB
  MD5:     bdbb71848ccda557b6be1f1ef6f8386c
  SHA1:    1db41ab648efdb58fafba6494b9fc89a7c15dadb
  SHA256:  ef4930fc91c40c8bc955c9a38b5112ee0a7cb6008b13e48025ed458fae4ba20d
  SHA512:  dc63a6536d61a463fb93954e2c309adce3308102c1b58c50b855ab99fbe4d2f7a02f9d85ef2184986f6cc70b5de1015148f0b05069a619886c34722072259688
Malware Config
Signatures

Executes dropped EXE  (4 IoCs)
  pid   Process
  1144  storsvc.exe
  964   exit.exe
  428   btc.exe
  1004  exit.exe
Adds Run key to start application  (2 TTPs, 2 IoCs)
  Process: reg.exe
  Key created:
    \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str):
    \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\bitcoin = "c:\\ProgramData\\btc\\winserv.exe"
  The value data points into C:\ProgramData, a directory any local user can write to, and names a file (winserv.exe) that no process in the recorded trace ever executes: the run sets up persistence for the next logon rather than using it.
Enumerates connected drives  (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  Process: msiexec.exe (both instances carry this signature in the process tree below, PIDs 508 and 1692)
  File opened (read-only) by msiexec.exe, each letter recorded twice in the report:
    \??\A:  \??\B:  \??\E:  \??\F:  \??\G:  \??\H:  \??\I:  \??\J:  \??\K:  \??\L:  \??\M:  \??\N:
    \??\O:  \??\P:  \??\Q:  \??\R:  \??\S:  \??\T:  \??\U:  \??\V:  \??\W:  \??\X:  \??\Y:  \??\Z:
  (24 drive letters x 2 = 48 IoCs; C: and D: do not appear.)
  Caveat: opening every drive-letter root is what Windows Installer does during its costing phase, so this signature fires for benign MSI packages too. It is attributed to msiexec.exe itself, not to any of the dropped executables.
autoit_exe  (4 IoCs)
AutoIT scripts compiled to PE executables.
  resource                                       yara_rule
  behavioral2/files/0x000200000001ab5b-411.dat   autoit_exe
  behavioral2/files/0x000200000001ab5b-412.dat   autoit_exe
  behavioral2/files/0x000900000001ab49-510.dat   autoit_exe
  behavioral2/files/0x000900000001ab49-511.dat   autoit_exe
  The four hits are two distinct dropped files (0x000200000001ab5b and 0x000900000001ab49), each recorded twice. The report does not say which of the dropped executables (storsvc.exe, exit.exe, btc.exe) they are.
Drops file in Windows directory  (8 IoCs)
  Process: msiexec.exe
  File opened for modification   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  File opened for modification   C:\Windows\Installer\
  File created                   C:\Windows\Installer\inprogressinstallinfo.ipi
  File created                   C:\Windows\Installer\SourceHash{31F49B53-7587-4F85-8592-2CA10A3027D8}
  File opened for modification   C:\Windows\Installer\MSI228E.tmp
  File created                   C:\Windows\Installer\f781b6c.msi
  File created                   C:\Windows\Installer\f781b6a.msi
  File opened for modification   C:\Windows\Installer\f781b6a.msi
  These are standard Windows Installer artifacts rather than payload drops. The GUID in the SourceHash file name, {31F49B53-7587-4F85-8592-2CA10A3027D8}, is the package's ProductCode and is a usable indicator for this package independent of its file hash; the randomly named .msi files under C:\Windows\Installer are the installer's cached copies, which is where the package can be recovered from on an affected host.
Enumerates physical storage devices  (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  No process is attributed to this signature in the report. Read it together with the drive enumeration by msiexec.exe above: on its own it is not evidence of ransomware, and nothing else on this page (no mass file modification, no file renaming) supports that reading for this sample.
Checks SCSI registry key(s)  (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Process: svchost.exe (the "-k netsvcs -s DsmSvc" instance, PID 3104, in the process tree below)
  All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\.

  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  (31 IoCs)
    Key opened: the device instance key itself
    Key opened: Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A, \0006
    Key opened: Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008
    Key opened: Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003, \0002
    Key opened: Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003, \2006, \300A, \2002
    Key opened: Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038, \004C, \0052, \005A, \004E, \0034, \0058, \0054, \004A, \0064
    Key opened: Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009, \0004
    Key opened: Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018
    Key opened: Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003
    Key opened: Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009, \0008, \000A
    Key value queried: FriendlyName, Capabilities, ConfigFlags, Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\

  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000  (33 IoCs)
    Key opened: the device instance key itself
    Key opened: Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034, \0038, \004D, \0058, \004A, \0065, \005A, \0051
    Key opened: Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A, \0006, \0016
    Key opened: Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009, \0008
    Key opened: Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A, \2003, \2002
    Key opened: Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002, \0006
    Key opened: Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005
    Key opened: Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004, \0009
    Key opened: Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002
    Key opened: Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018
    Key opened: Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008
    Key value queried: DeviceDesc, ConfigFlags, HardwareID, Mfg, FriendlyName, Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\, Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\, Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\

  Caveat: every one of these reads comes from svchost.exe hosting DsmSvc (Device Setup Manager), a Windows service, not from the sample or anything it dropped. Enumerating SCSI device properties is that service's normal job, so this signature does not show the sample fingerprinting the sandbox. The Ven_DADY device IDs describe the analysis VM's virtual disk and DVD drive.
Modifies data under HKEY_USERS  (2 IoCs)
  Process: svchost.exe
  Key created   \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
  Key created   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
  As with the SCSI reads, this is the DsmSvc svchost.exe instance (PID 3104) writing under the .DEFAULT profile, not activity of the sample.
Runs ping.exe  (1 TTPs, 2 IoCs)
  The two IoCs are the PING.EXE processes in the tree below (PIDs 2416 and 4016), both started by cmd.exe /c i.cmd with:
    ping ping-test.hldns.ru -n 3 -w 6000
  Three echo requests with a 6000 ms timeout is the usual batch-file idiom for pausing before the next step, and it may double as a connectivity check; either way the host name ping-test.hldns.ru is a network indicator. No DNS or ICMP result for it appears on this page.
Suspicious behavior: EnumeratesProcesses  (2 IoCs)
  pid   Process
  1692  msiexec.exe
  1692  msiexec.exe
Suspicious use of AdjustPrivilegeToken  (64 IoCs)
  pid   Process      Token(s) enabled, in recorded order, repeats kept
  508   msiexec.exe  SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege,
                     SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege,
                     SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege,
                     SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege,
                     SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
                     SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege,
                     SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege,
                     SeImpersonatePrivilege, SeCreateGlobalPrivilege  (31 entries)
  1692  msiexec.exe  SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, then SeRestorePrivilege/SeTakeOwnershipPrivilege
                     pairs ending on SeRestorePrivilege (SeRestorePrivilege x15, SeTakeOwnershipPrivilege x13 in total)  (30 entries)
  3484  vssvc.exe    SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege  (3 entries)
  Only Windows components appear in this table: the two msiexec.exe instances and the VSS service taking the restore point. None of the dropped executables adjusts its token.
Suspicious use of FindShellTrayWindow  (2 IoCs)
  pid  Process
  508  msiexec.exe
  508  msiexec.exe
Suspicious use of WriteProcessMemory  (29 IoCs)
  Each row reads "PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>"; the pairs are exactly the parent/child links of the process tree below, each recorded two or three times.
  parent pid  parent Process  child pid  procid_target  times
  1692        msiexec.exe     680        76             2
  1692        msiexec.exe     1144       78             3
  1144        storsvc.exe     964        79             3
  964         exit.exe        372        80             3
  372         cmd.exe         2416       82             3
  372         cmd.exe         4016       83             3
  372         cmd.exe         428        84             3
  428         btc.exe         1004       85             3
  1004        exit.exe        1396       86             3
  1396        cmd.exe         2112       88             3
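The signature tables above arrive as one flattened line each. The Python below is an added example by the editor, not part of the sandbox report or of the sample: it parses excerpts of the AdjustPrivilegeToken and WriteProcessMemory rows exactly as they appear on this page into structured records, and answers the two questions a triager asks of them, which process enabled a privilege worth a second look and which parent/child pairs the memory writes describe. The privilege watch-list is the editor's choice and not something the report defines.

```python
import re
from collections import Counter, defaultdict

# Excerpt of the "Suspicious use of AdjustPrivilegeToken" row, verbatim from the
# report (the full row has 64 entries; 508 and 1692 are the two msiexec.exe
# instances, 3484 is vssvc.exe).
PRIV_ROW = (
    "Token: SeShutdownPrivilege 508 msiexec.exe Token: SeIncreaseQuotaPrivilege 508 msiexec.exe "
    "Token: SeSecurityPrivilege 1692 msiexec.exe Token: SeCreateTokenPrivilege 508 msiexec.exe "
    "Token: SeTcbPrivilege 508 msiexec.exe Token: SeDebugPrivilege 508 msiexec.exe "
    "Token: SeBackupPrivilege 3484 vssvc.exe Token: SeRestorePrivilege 3484 vssvc.exe "
    "Token: SeRestorePrivilege 1692 msiexec.exe Token: SeTakeOwnershipPrivilege 1692 msiexec.exe"
)

# Excerpt of the "Suspicious use of WriteProcessMemory" row, verbatim from the report.
WPM_ROW = (
    "PID 1692 wrote to memory of 680 1692 msiexec.exe 76 "
    "PID 1692 wrote to memory of 680 1692 msiexec.exe 76 "
    "PID 1692 wrote to memory of 1144 1692 msiexec.exe 78 "
    "PID 1692 wrote to memory of 1144 1692 msiexec.exe 78 "
    "PID 1692 wrote to memory of 1144 1692 msiexec.exe 78 "
    "PID 1144 wrote to memory of 964 1144 storsvc.exe 79 "
    "PID 1144 wrote to memory of 964 1144 storsvc.exe 79 "
    "PID 1144 wrote to memory of 964 1144 storsvc.exe 79"
)

# Row shapes: "Token: <privilege> <pid> <image>" and
# "PID <parent> wrote to memory of <child> <parent> <image> <procid_target>".
PRIV_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

# Editor's watch-list: privileges that deserve a look when a process enables them.
WATCHLIST = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
             "SeTakeOwnershipPrivilege", "SeRestorePrivilege", "SeBackupPrivilege"}


def parse_privileges(row):
    """Return {(pid, image): Counter(privilege -> times enabled)}."""
    out = defaultdict(Counter)
    for priv, pid, image in PRIV_RE.findall(row):
        out[(int(pid), image)][priv] += 1
    return dict(out)


def watchlist_hits(privs):
    """(pid, image) -> sorted watch-listed privileges it enabled; empty entries dropped."""
    return {proc: sorted(set(c) & WATCHLIST)
            for proc, c in privs.items() if set(c) & WATCHLIST}


def parse_memory_writes(row):
    """Return {(parent_pid, child_pid): (parent_image, procid_target, count)}.

    The parent pid is matched twice in each row (the \\1 back-reference), which
    rejects rows that were cut mid-entry by the page extraction."""
    out = {}
    for ppid, cpid, image, target in WPM_RE.findall(row):
        key = (int(ppid), int(cpid))
        prev = out.get(key)
        out[key] = (image, int(target), prev[2] + 1 if prev else 1)
    return out


if __name__ == "__main__":
    for proc, privs in watchlist_hits(parse_privileges(PRIV_ROW)).items():
        print(proc, privs)
    for (ppid, cpid), (image, target, n) in parse_memory_writes(WPM_ROW).items():
        print(f"{image}({ppid}) -> {cpid}  procid_target={target}  x{n}")
```

On this report every watch-list hit belongs to msiexec.exe or vssvc.exe, which is the point: the privilege signatures describe the installer and the VSS service doing their jobs, and the chain worth following is the parent/child pairs, which lead from the service-side msiexec.exe through storsvc.exe to exit.exe.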
Processes

The tree below is the behavioral2 run (win10-en-20211208); PIDs match the signature tables above. The chain it records: the user's msiexec.exe client (PID 508, "/I") hands the package to the Windows Installer service instance (PID 1692, "/V", which is the msiserver service's own command line). The service takes a restore point through srtasks.exe and launches the dropped storsvc.exe directly, i.e. as an executable custom action. storsvc.exe runs exit.exe, which runs cmd.exe /c i.cmd; i.cmd pings ping-test.hldns.ru twice and then runs btc.exe with archiver-style extract switches (x = extract, -p<password>, -y = answer yes), after which a second exit.exe/i.cmd pair runs from C:\ProgramData\btc and registers c:\ProgramData\btc\winserv.exe under HKCU\Software\Microsoft\Windows\CurrentVersion\Run as "bitcoin". winserv.exe is never started during the run, so what it does is not shown on this page. cmd.exe, PING.EXE and reg.exe resolve to C:\Windows\SysWOW64 although the command lines say system32: exit.exe and btc.exe are 32-bit, so WOW64 file-system redirection applies from that point down.

[1] C:\Windows\system32\msiexec.exe  (PID 508)
    cmdline: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ef4930fc91c40c8bc955c9a38b5112ee0a7cb6008b13e48025ed458fae4ba20d.msi
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] C:\Windows\system32\msiexec.exe  (PID 1692)
    cmdline: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\srtasks.exe  (PID 680)
        cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    [2] C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe  (PID 1144)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\exit.exe  (PID 964)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\exit.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\cmd.exe  (PID 372)
                cmdline: C:\Windows\system32\cmd.exe /c i.cmd
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\PING.EXE  (PID 2416)
                    cmdline: ping ping-test.hldns.ru -n 3 -w 6000
                    - Runs ping.exe

                [5] C:\Windows\SysWOW64\PING.EXE  (PID 4016)
                    cmdline: ping ping-test.hldns.ru -n 3 -w 6000
                    - Runs ping.exe

                [5] C:\Users\Admin\AppData\Local\Temp\btc.exe  (PID 428)
                    cmdline: btc.exe x -p3KPnoNJ3ReME4bEU5W9APkKS5ErkR3tNRT -y
                    - Executes dropped EXE
                    - Suspicious use of WriteProcessMemory

                    [6] C:\ProgramData\btc\exit.exe  (PID 1004)
                        cmdline: "C:\ProgramData\btc\exit.exe"
                        - Executes dropped EXE
                        - Suspicious use of WriteProcessMemory

                        [7] C:\Windows\SysWOW64\cmd.exe  (PID 1396)
                            cmdline: C:\Windows\system32\cmd.exe /c i.cmd
                            - Suspicious use of WriteProcessMemory

                            [8] C:\Windows\SysWOW64\reg.exe  (PID 2112)
                                cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bitcoin" /t REG_SZ /d "c:\ProgramData\btc\winserv.exe"
                                - Adds Run key to start application

[1] C:\Windows\system32\vssvc.exe  (PID 3484)
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[1] \??\c:\windows\system32\svchost.exe  (PID 3104)
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
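Added example by the editor, not code from the report or from the sample: the process tree above transcribed into a table, with the three checks a triager wants from it. It walks the ancestry of the process that wrote the Run value, flags a Run value whose data points into a user-writable directory, and pulls the host name and the archive password out of the recorded command lines. Parent PIDs are taken from the tree nesting; the list of user-writable locations and the regular expressions are the editor's assumptions.

```python
import ntpath
import re

# pid: (parent pid, image path, command line), transcribed from the process tree.
# The two msiexec.exe instances have no recorded parent.
PROCESSES = {
    508:  (None, r"C:\Windows\system32\msiexec.exe",
           r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ef4930fc91c40c8bc955c9a38b5112ee0a7cb6008b13e48025ed458fae4ba20d.msi"),
    1692: (None, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    680:  (1692, r"C:\Windows\system32\srtasks.exe",
           r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    1144: (1692, r"C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\Data1\storsvc.exe"'),
    964:  (1144, r"C:\Users\Admin\AppData\Local\Temp\exit.exe", r'"C:\Users\Admin\AppData\Local\Temp\exit.exe"'),
    372:  (964, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c i.cmd"),
    2416: (372, r"C:\Windows\SysWOW64\PING.EXE", r"ping ping-test.hldns.ru -n 3 -w 6000"),
    4016: (372, r"C:\Windows\SysWOW64\PING.EXE", r"ping ping-test.hldns.ru -n 3 -w 6000"),
    428:  (372, r"C:\Users\Admin\AppData\Local\Temp\btc.exe", r"btc.exe x -p3KPnoNJ3ReME4bEU5W9APkKS5ErkR3tNRT -y"),
    1004: (428, r"C:\ProgramData\btc\exit.exe", r'"C:\ProgramData\btc\exit.exe"'),
    1396: (1004, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c i.cmd"),
    2112: (1396, r"C:\Windows\SysWOW64\reg.exe",
           r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bitcoin" /t REG_SZ /d "c:\ProgramData\btc\winserv.exe"'),
}

# Editor's assumption: user-writable locations that legitimate Run values rarely point into.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")

REG_ADD_RE = re.compile(r'^(?:"?[^"\s]*\\)?reg(?:\.exe)?"?\s+ADD\s+"?([^"\s]+)"?', re.I)
REG_VALUE_RE = re.compile(r'/v\s+"?([^"\s]+)"?', re.I)
REG_DATA_RE = re.compile(r'/d\s+"([^"]*)"|/d\s+(\S+)', re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
PING_RE = re.compile(r"^ping(?:\.exe)?\s+(?:-\S+\s+)*([A-Za-z0-9.-]+)", re.I)
EXTRACT_PW_RE = re.compile(r"\s+x\s+.*?-p(\S+)")  # archiver-style "x -p<password>"


def lineage(pid):
    """Image names from the root of the tree down to pid."""
    chain = []
    while pid is not None:
        ppid, image, _ = PROCESSES[pid]
        chain.append(ntpath.basename(image))
        pid = ppid
    return chain[::-1]


def parse_reg_add(cmdline):
    """Return {'key', 'value', 'data'} for a REG ADD command line, else None."""
    m = REG_ADD_RE.match(cmdline.strip())
    if not m:
        return None
    value = REG_VALUE_RE.search(cmdline)
    data = REG_DATA_RE.search(cmdline)
    return {"key": m.group(1),
            "value": value.group(1) if value else None,
            "data": (data.group(1) or data.group(2)) if data else None}


def run_key_persistence():
    """Every Run/RunOnce value written via reg.exe, with its ancestry and a flag
    for data that points into a user-writable directory."""
    hits = []
    for pid, (_, image, cmdline) in PROCESSES.items():
        if ntpath.basename(image).lower() != "reg.exe":
            continue
        entry = parse_reg_add(cmdline)
        if not entry or not RUN_KEY_RE.search(entry["key"]):
            continue
        data = (entry["data"] or "").lower()
        entry.update(pid=pid, lineage=lineage(pid),
                     suspicious_path=any(tag in data for tag in USER_WRITABLE))
        hits.append(entry)
    return hits


def network_hosts():
    """Hosts contacted through ping.exe, the only network activity in the tree."""
    return sorted({m.group(1) for _, _, c in PROCESSES.values() if (m := PING_RE.match(c))})


def archive_passwords():
    """Passwords passed on archiver-style 'x -p<pw>' extract command lines."""
    return [m.group(1) for _, _, c in PROCESSES.values() if (m := EXTRACT_PW_RE.search(c))]


if __name__ == "__main__":
    for hit in run_key_persistence():
        print(hit["key"], hit["value"], "=", hit["data"], "suspicious:", hit["suspicious_path"])
        print("  via", " > ".join(hit["lineage"]))
    print("hosts:", network_hosts(), "archive passwords:", archive_passwords())
```

The ancestry it returns for the reg.exe write, msiexec.exe > storsvc.exe > exit.exe > cmd.exe > btc.exe > exit.exe > cmd.exe > reg.exe, is the detection-worthy shape here: a Run value set by reg.exe with an installer service at the root and the data pointing into C:\ProgramData. The recovered password is what an analyst needs to open the archive btc.exe unpacked, if that archive is collected from the host.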
Network
MITRE ATT&CK Enterprise v6
Downloads

Files collected during the run, keyed by hash. Several entries carry identical hashes (the same content collected more than once); they are merged below with a count. Only the last entry has a path on this page, and the page does not say which entries are storsvc.exe, exit.exe, btc.exe or the two autoit_exe YARA hits.

- 4 entries with identical hashes
  MD5     d76c6f53bcbbfb672a1f68a3017c1962
  SHA1    976e087ca1a5d34cb326a96861df7ed79288b0d7
  SHA256  258fe1b431cd23bfd509ca71ff47d2ad2ca4ef0bb0d82a22ce85d7ad987a9505
  SHA512  e9f3e4ef8393c3b06330fe1a530ec5dc0bbb50f68e5c80ddd1a0a46a6383a52dbd2fad6ce286e68ea0cd0020f8bbb63d76ff23407877c6157e1c4b1067fe5cda

- 1 entry
  MD5     2769f4f3c0c132044c66e249f03c1828
  SHA1    9085fa6517cd20e62bc525d756daf74f6cede8d6
  SHA256  28771275ee7c58967e49acf1d939d7c9231ed952c1125109999e3cb9b3a6b8dd
  SHA512  e9dd96e11c5a8e2ed59bf7c7ba320ed25ffdafbdc4f7d5a070467facf1328b9c0602639396a03358c4b35282a40934a96fb3b8d028dd05e12177505967751d2c

- 2 entries with identical hashes
  MD5     c3c3407f19d8fcdc6ef55f059f6beea6
  SHA1    134185c71c2e6a2dd5441bff027de85f3a9b5c91
  SHA256  8598695a8c7ef4672ba9357022abcb8b61ec6f6db3ff5588058872c17a9e75bb
  SHA512  fb17dd760cfd691fb4d4005f56b55518bc3c51d7e7afafdab0ac50cca02af714b1391e2435732bae8e766985e031d855ed976750a125a9417e6257f0fa051818

- 2 entries with identical hashes
  MD5     1a81bdde68862f89ddde3276abe33c94
  SHA1    fc5148ad9b387e91febd695d92f4233c2e92f600
  SHA256  0b4797e50e773329365b83eb84da804f4d75483e6faa25b2b0c97c6c21ff1715
  SHA512  048f441091c06759c4e81b6a331ed2aa489f1630e84162d40d3b7dab549f5f100dea61d8e51a806033c8121c29258c262f9de66af90a6e80d3d90f0e329bbe7a

- 1 entry
  MD5     4873668f4a034b615f15fd8983001468
  SHA1    162dcd46d5e171535eb81d284126bfd68cb4d29c
  SHA256  d91c01dc76613d7342f541703df60b6519fc4f0107db24b56a49a6ac220304a7
  SHA512  f6b5fb56cf8a380451db16fd2af6b9bf994425b9ba86180c2ff38556c080d1d16123c0341d3cec4a84cd36972a5cc4bb8618d24cccc879751f2b455c4ed1070c

- 1 entry
  MD5     0da701373f22e9e61034a6a18c9884ff
  SHA1    8f6cc291042f6f38e0c62fb5131b5aca650842b6
  SHA256  8a00699225cc71933b61c29c83007d26b3430d9994b2e56aeb080af749d06b7e
  SHA512  d9fe779b6e1821e237fd1c482f2d92f2a924df6dd1be82b893b19db8aa629385ee09854eaf3348c86e8408385e35d440da76b9e1fc2068d2a1b73f7cff9b5604

- 1 entry
  \??\Volume{e49a283c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a6bbd6da-6324-491c-ad60-d6de3294ac23}_OnDiskSnapshotProp
  MD5     6a625b66e5b239afc16b1b2f7e400a4f
  SHA1    2cc92dbb4a3fb03d1d98227b343ec03856bbf469
  SHA256  0f658a24bce0e2c134db22f2bdabf96d428f0d1cb6e899bf4174504e6be44a8e
  SHA512  63072b7f9d8da5f487e40592586d09aee1844c40bf4c36cd41b39a016703cee2ee9826ac3725987e5e2cdcf9be138612277dc8719491448100fd98c9f1a2d264
  This last file is System Restore metadata written when the restore point was created (the srtasks.exe ExecuteScopeRestorePoint and vssvc.exe activity in the process tree), not something the sample dropped.