0e6860a8ce361236ec4bff327266a53152fe642e30bc076cada2d8ec9c1fa3c1

Analysis

max time kernel
169s
max time network
176s
platform
windows10_x64
resource
win10-en-20211208
submitted
31-01-2022 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6d90369d389bb04cf4619cd820b8210.exe
Size

830KB
MD5

a6d90369d389bb04cf4619cd820b8210
SHA1

4481d1cdb623fd775cb342f27c44305018bbe746
SHA256

0e6860a8ce361236ec4bff327266a53152fe642e30bc076cada2d8ec9c1fa3c1
SHA512

e444232c1389ab346f5b0700dc31e672154f7c3384bcaa9b6c908085cb336b4044c63466a2d041921dadae217a21723e40e33b7ab1169a1dfe6b7f9f769f4d43

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

49 588 msiexec.exe
51 588 msiexec.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

setup.exesc.exe

pid process

1224 setup.exe
676 sc.exe
Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

1196 MsiExec.exe
1196 MsiExec.exe

flow	pid	process
49	588	msiexec.exe
51	588	msiexec.exe

pid	process
1224	setup.exe
676	sc.exe

pid	process
1196	MsiExec.exe
1196	MsiExec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a6d90369d389bb04cf4619cd820b8210.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	a6d90369d389bb04cf4619cd820b8210.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ctdownloader_3672 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a6d90369d389bb04cf4619cd820b8210.exe\" /afterreboot=\"C:\\Users\\Admin\\AppData\\Local\\OpenBoxAddIn_202223316\""	a6d90369d389bb04cf4619cd820b8210.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

a6d90369d389bb04cf4619cd820b8210.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c0000000100000004000000000800000b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	a6d90369d389bb04cf4619cd820b8210.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000005c0000000100000004000000000800002000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	a6d90369d389bb04cf4619cd820b8210.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000005c0000000100000004000000000800002000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	a6d90369d389bb04cf4619cd820b8210.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\SystemCertificates\CA\Certificates\0185FF9961FF0AA2E431817948C28E83D3F3EC70	a6d90369d389bb04cf4619cd820b8210.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\SystemCertificates\CA\Certificates\0185FF9961FF0AA2E431817948C28E83D3F3EC70\Blob = 0300000001000000140000000185ff9961ff0aa2e431817948c28e83d3f3ec70140000000100000014000000813292412b28cd46c8c4a2c62a3912ec48a93f14040000000100000010000000d386d4056a495dd632c4c9c8be8574060f0000000100000030000000f55821c081b58e86eaa202923e715e1524c422c7be0469b13a9e7a319e50d70cb5b67e864273029a79250f9dc3203cbd19000000010000001000000079d9deaeb2dbf0e37e8750aa80b4cdfa5c0000000100000004000000000c00001800000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c2000000001000000200600003082061c30820404a003020102021033d708a891405319e2a5bbd339b9ad6e300d06092a864886f70d01010c05003056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f7420523436301e170d3231303332323030303030305a170d3336303332313233353935395a3057310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312e302c060355040313255365637469676f205075626c696320436f6465205369676e696e6720434120455620523336308201a2300d06092a864886f70d01010105000382018f003082018a0282018100bbd1fe1eb7425b78f590a7ae2c83f18d21d33086857bdfd3cdd9164bac85c5bb01cfe28c28117204762c81c5ab127a404ac510e88114391b5f4f07f63030307f3525e5c0733d400994e8a8f8eb390b55d5b60c8b1e27f8de3e22c1bfef65ee73ee65dd28ddbb1f7d9b327fb7995517aab249a83c106a3ac321b299a843d73b82a81961b53e6a5a5db8bc9e13d00a9ef55b8f693868eaa51f5bca23ee0bedbcd01e43436eb0538cc2732a44316ebe8fb8c602f6bb820415790c5220e898277161ef2fe4f802fb3359b5f4c355e7dff60822aeb6d10959ec019f7389b7434fd5f2d9bd565909ddb717f6c47480ba8746ac06dbdb040dd54ebaee8c093419951be670130425df8fb8d784338c6ca60ceb68ba954f7c44e8d4698d2579c321f13577f84fb6125595d056e81802d5ee79c886a169f11b4e94136a0762f0d06b99a597509e1c33a11eee618b05681c8ef5ee269083d6fe7185a79af20d143e36b512ad77757acce746366a9053cbc69471de073a21f9d63267e09c6e5486a064a083cb0203010001a38201633082015f301f0603551d2304183016801432eb929aff3596482f284042702036915c1785e6301d0603551d0e04160414813292412b28cd46c8c4a2c62a3912ec48a93f14300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff02010030130603551d25040c300a06082b06010505070303301a0603551d200413301130060604551d20003007060567810c0103304b0603551d1f044430423040a03ea03c863a687474703a2f2f63726c2e7365637469676f2e636f6d2f5365637469676f5075626c6963436f64655369676e696e67526f6f745234362e63726c307b06082b06010505070101046f306d304606082b06010505073002863a687474703a2f2f6372742e7365637469676f2e636f6d2f5365637469676f5075626c6963436f64655369676e696e67526f6f745234362e703763302306082b060105050730018617687474703a2f2f6f6373702e7365637469676f2e636f6d300d06092a864886f70d01010c050003820201005f36acfbf9f6725a14b7f00b1dded8fd9701d2fd01ee992d86e8f6b7f039ffd6814a5aa7424a0a2d159de694fdc5694ab2d74bf116124cf6be9066658b2d74d4ab08f76a110308777cbe69e1b0db9f248903d6de5ca4e0b2d6b4cfe338d5b96dcc27d6ce6411e8107276d3f9e0e92c89e949d3b39796060ae1f60ac8419a915d81d8367798ca804197a8f8913f639faacd54544b80eaf51766d39471fd9efd4731e3e91a861dd3be20d23fb1525fb293bd8c950998728f9501f49843a54afb1426aa9d36bf72b0fcdcbd840deced34a85e952b3816630575d9f6312e156be294b22ad27435b5989aa3fef82b2fb6174b276c5ae6b9765eda86ddab64d66aea8318881b3182f588b39425c0212f086902e34cbb4c2a1130eb817906e141952ad420f60b93e47c760c9d1d266b5f8401f62a99cdafdec7f0e418a24e9b2f2a0c66a6927526bed94035136faea6371a7ae8ad1c5163072a56066ced7e18f6e3ec6473a66d08368baf0f99ae756b172bc24d6ac351464156e98fc28dff13719bdaed9ed39fabe545a612c5145a524197a3060008c5e61cea27823c3bdbe646c4ef2d003513cd367d9de5aa270805cccec0360e4b194fd0639a6dbfc529533122db75507786d0f2f86aee6b061b3e85232b97c87e7a99410cdd587f0ea8c3123d3a359be09d2c8c17815444a87a1d989d967f5958a65465ff51420bf847ebcff8e5bf	a6d90369d389bb04cf4619cd820b8210.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692	a6d90369d389bb04cf4619cd820b8210.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692\Blob = 030000000100000014000000329b78a5c9ebc2043242de90ce1b7c6b1ba6c69214000000010000001400000032eb929aff3596482f284042702036915c1785e60400000001000000100000002aa320982e00193fad3bd0ea5406e4cd0f0000000100000030000000a229d2722bc6091d73b1d979b81088c977cb028a6f7cbf264bb81d5cc8f099f87d7c296e48bf09d7ebe275f5498661a41900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000730500003082056f30820457a003020102021048fc93b46055948d36a7c98a89d69416300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3231303532353030303030305a170d3238313233313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a38201123082010e301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30130603551d25040c300a06082b06010505070303301b0603551d200414301230060604551d20003008060667810c01040130430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c0500038201010012bfa1ef8b749a9844b86946b5ab240a0ca48a67b83a81bf458a7d5207a88d1f4e218539a36b5e2d2086bf10b8ae793b53cdb4fbd844be06d95c6367d44016874486722ad63215f51283c2f9e15d114067f6422772c523e202381a4c20e2db01f7cd464f26a27c66c05136b6890254c7fc58fb6c00eefe98a62e95a10c53291f6fd819a64f9ef7ac09ea5d82c68baf80a7bd8148528431da32ec15e4a64c3d6c3973d40b853920e0851a68e1a74838a9d1362577c18d1916c5884c667d2f63ce98e869dfac3ca85d9dc91c5baed8f32f74cfb87ef6d7839d1196629aae4513da7fdc47fbdfc3529fe60655e99d8cf23a6251bcec240f29d4588084e4457b5ad8	a6d90369d389bb04cf4619cd820b8210.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	a6d90369d389bb04cf4619cd820b8210.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a6d90369d389bb04cf4619cd820b8210.exe

pid process

3672 a6d90369d389bb04cf4619cd820b8210.exe
3672 a6d90369d389bb04cf4619cd820b8210.exe

pid	process
3672	a6d90369d389bb04cf4619cd820b8210.exe
3672	a6d90369d389bb04cf4619cd820b8210.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	588	msiexec.exe
Token: SeSecurityPrivilege	964	msiexec.exe
Token: SeCreateTokenPrivilege	588	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	588	msiexec.exe
Token: SeLockMemoryPrivilege	588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	588	msiexec.exe
Token: SeMachineAccountPrivilege	588	msiexec.exe
Token: SeTcbPrivilege	588	msiexec.exe
Token: SeSecurityPrivilege	588	msiexec.exe
Token: SeTakeOwnershipPrivilege	588	msiexec.exe
Token: SeLoadDriverPrivilege	588	msiexec.exe
Token: SeSystemProfilePrivilege	588	msiexec.exe
Token: SeSystemtimePrivilege	588	msiexec.exe
Token: SeProfSingleProcessPrivilege	588	msiexec.exe
Token: SeIncBasePriorityPrivilege	588	msiexec.exe
Token: SeCreatePagefilePrivilege	588	msiexec.exe
Token: SeCreatePermanentPrivilege	588	msiexec.exe
Token: SeBackupPrivilege	588	msiexec.exe
Token: SeRestorePrivilege	588	msiexec.exe
Token: SeShutdownPrivilege	588	msiexec.exe
Token: SeDebugPrivilege	588	msiexec.exe
Token: SeAuditPrivilege	588	msiexec.exe
Token: SeSystemEnvironmentPrivilege	588	msiexec.exe
Token: SeChangeNotifyPrivilege	588	msiexec.exe
Token: SeRemoteShutdownPrivilege	588	msiexec.exe
Token: SeUndockPrivilege	588	msiexec.exe
Token: SeSyncAgentPrivilege	588	msiexec.exe
Token: SeEnableDelegationPrivilege	588	msiexec.exe
Token: SeManageVolumePrivilege	588	msiexec.exe
Token: SeImpersonatePrivilege	588	msiexec.exe
Token: SeCreateGlobalPrivilege	588	msiexec.exe
Token: SeCreateTokenPrivilege	588	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	588	msiexec.exe
Token: SeLockMemoryPrivilege	588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	588	msiexec.exe
Token: SeMachineAccountPrivilege	588	msiexec.exe
Token: SeTcbPrivilege	588	msiexec.exe
Token: SeSecurityPrivilege	588	msiexec.exe
Token: SeTakeOwnershipPrivilege	588	msiexec.exe
Token: SeLoadDriverPrivilege	588	msiexec.exe
Token: SeSystemProfilePrivilege	588	msiexec.exe
Token: SeSystemtimePrivilege	588	msiexec.exe
Token: SeProfSingleProcessPrivilege	588	msiexec.exe
Token: SeIncBasePriorityPrivilege	588	msiexec.exe
Token: SeCreatePagefilePrivilege	588	msiexec.exe
Token: SeCreatePermanentPrivilege	588	msiexec.exe
Token: SeBackupPrivilege	588	msiexec.exe
Token: SeRestorePrivilege	588	msiexec.exe
Token: SeShutdownPrivilege	588	msiexec.exe
Token: SeDebugPrivilege	588	msiexec.exe
Token: SeAuditPrivilege	588	msiexec.exe
Token: SeSystemEnvironmentPrivilege	588	msiexec.exe
Token: SeChangeNotifyPrivilege	588	msiexec.exe
Token: SeRemoteShutdownPrivilege	588	msiexec.exe
Token: SeUndockPrivilege	588	msiexec.exe
Token: SeSyncAgentPrivilege	588	msiexec.exe
Token: SeEnableDelegationPrivilege	588	msiexec.exe
Token: SeManageVolumePrivilege	588	msiexec.exe
Token: SeImpersonatePrivilege	588	msiexec.exe
Token: SeCreateGlobalPrivilege	588	msiexec.exe
Token: SeCreateTokenPrivilege	588	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	588	msiexec.exe
Token: SeLockMemoryPrivilege	588	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

a6d90369d389bb04cf4619cd820b8210.exemsiexec.exe

pid process

3672 a6d90369d389bb04cf4619cd820b8210.exe
588 msiexec.exe

pid	process
3672	a6d90369d389bb04cf4619cd820b8210.exe
588	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a6d90369d389bb04cf4619cd820b8210.exesetup.exemsiexec.exe

description	pid	process	target process
PID 3672 wrote to memory of 1224	3672	a6d90369d389bb04cf4619cd820b8210.exe	setup.exe
PID 3672 wrote to memory of 1224	3672	a6d90369d389bb04cf4619cd820b8210.exe	setup.exe
PID 3672 wrote to memory of 1224	3672	a6d90369d389bb04cf4619cd820b8210.exe	setup.exe
PID 1224 wrote to memory of 676	1224	setup.exe	sc.exe
PID 1224 wrote to memory of 676	1224	setup.exe	sc.exe
PID 1224 wrote to memory of 676	1224	setup.exe	sc.exe
PID 3672 wrote to memory of 588	3672	a6d90369d389bb04cf4619cd820b8210.exe	msiexec.exe
PID 3672 wrote to memory of 588	3672	a6d90369d389bb04cf4619cd820b8210.exe	msiexec.exe
PID 3672 wrote to memory of 588	3672	a6d90369d389bb04cf4619cd820b8210.exe	msiexec.exe
PID 964 wrote to memory of 1196	964	msiexec.exe	MsiExec.exe
PID 964 wrote to memory of 1196	964	msiexec.exe	MsiExec.exe
PID 964 wrote to memory of 1196	964	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\a6d90369d389bb04cf4619cd820b8210.exe
"C:\Users\Admin\AppData\Local\Temp\a6d90369d389bb04cf4619cd820b8210.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Users\Admin\AppData\Local\OpenBoxAddIn_202223316\prerequisites\setup.exe
  C:\Users\Admin\AppData\Local\OpenBoxAddIn_202223316\prerequisites\setup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Users\Admin\AppData\Local\OpenBoxAddIn_202223316\prerequisites\sc.exe
    "C:\Users\Admin\AppData\Local\OpenBoxAddIn_202223316\prerequisites\sc.exe"
    3⤵
    - Executes dropped EXE
    PID:676
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\OpenBoxAddIn_202223316\OpenBoxAddInSetup.msi"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:588

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 21FD1F6610C3D7EE19F0707744E9F035 C
  2⤵
  - Loads dropped DLL
  PID:1196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\OpenBoxAddIn_202223316\OpenBoxAddInSetup.msi

MD5
26ad18c56df90105a3da3054c07569ed

SHA1
f82d41ffeac56c3eeb4ecd3ac31e3d734037687b

SHA256
9550233216fce040a26fec30780a8402fbb221e4dcbc6e7490ef9670eae57119

SHA512
a37acbcaae6061b2aa36c04966e8376ee30c2f111f4f8202e6f248b364f1eb4a4fcd2add55bf8272feaab4903033d8f746510498728a7c9d4622eeb600d80894

Download Submit
C:\Users\Admin\AppData\Local\OpenBoxAddIn_202223316\prerequisites\sc.exe

MD5
7803a246c6dc35ec8175c29490f6bdf5

SHA1
bd850fbae93154446922c86df751f08fed93cf05

SHA256
f6c47a385d38ab29100f6c3ba57ca3cc14e0c6e17e02d00a1f2f948e79aa14f3

SHA512
efc66b74e74cfa212a872eeb7296a88944dfc14cd617b775ea7e3966cd79e50ca9abd1b2361fa0933f2c1eceb8141d5e4d050d0f4434fc37fbf6cd5fcec25b00

Download Submit
C:\Users\Admin\AppData\Local\OpenBoxAddIn_202223316\prerequisites\sc.exe

MD5
7803a246c6dc35ec8175c29490f6bdf5

SHA1
bd850fbae93154446922c86df751f08fed93cf05

SHA256
f6c47a385d38ab29100f6c3ba57ca3cc14e0c6e17e02d00a1f2f948e79aa14f3

SHA512
efc66b74e74cfa212a872eeb7296a88944dfc14cd617b775ea7e3966cd79e50ca9abd1b2361fa0933f2c1eceb8141d5e4d050d0f4434fc37fbf6cd5fcec25b00

Download Submit
C:\Users\Admin\AppData\Local\OpenBoxAddIn_202223316\prerequisites\setup.exe

MD5
242601e34bc56f41709f376706aad640

SHA1
0262974e437c644d891bc81ea16122b6b8cb37d2

SHA256
d43fee20211443a24dac895080137efabedf45e8b11aa98e552a9d2add734440

SHA512
5069f41d16c8b42b653e925937752fc8275cba23fd984949407518ba4d407e28954c0d9c4b2c2fbfafebaa7c29bd2bd253c06a534ba1b4e228ed86f6f2ee3bb8

Download Submit
C:\Users\Admin\AppData\Local\OpenBoxAddIn_202223316\prerequisites\setup.exe

MD5
242601e34bc56f41709f376706aad640

SHA1
0262974e437c644d891bc81ea16122b6b8cb37d2

SHA256
d43fee20211443a24dac895080137efabedf45e8b11aa98e552a9d2add734440

SHA512
5069f41d16c8b42b653e925937752fc8275cba23fd984949407518ba4d407e28954c0d9c4b2c2fbfafebaa7c29bd2bd253c06a534ba1b4e228ed86f6f2ee3bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEA38.tmp

MD5
9945f10135a4c7214fa5605c21e5de9b

SHA1
3826fb627c67efd574a30448ea7f1e560b949c87

SHA256
9f3b0f3af4bfa061736935bab1d50ed2581358ddc9a9c0db22564aced1a1807c

SHA512
f385e078ceeb54fe86f66f2db056baba9556817bbf9a110bcd9e170462351af0dd4462429412410c7c3b2b76ea808d7bce4ea1f756a18819aa1762edb3745cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF11F.tmp

MD5
9945f10135a4c7214fa5605c21e5de9b

SHA1
3826fb627c67efd574a30448ea7f1e560b949c87

SHA256
9f3b0f3af4bfa061736935bab1d50ed2581358ddc9a9c0db22564aced1a1807c

SHA512
f385e078ceeb54fe86f66f2db056baba9556817bbf9a110bcd9e170462351af0dd4462429412410c7c3b2b76ea808d7bce4ea1f756a18819aa1762edb3745cc5

Download Submit
\Users\Admin\AppData\Local\Temp\MSIEA38.tmp

MD5
9945f10135a4c7214fa5605c21e5de9b

SHA1
3826fb627c67efd574a30448ea7f1e560b949c87

SHA256
9f3b0f3af4bfa061736935bab1d50ed2581358ddc9a9c0db22564aced1a1807c

SHA512
f385e078ceeb54fe86f66f2db056baba9556817bbf9a110bcd9e170462351af0dd4462429412410c7c3b2b76ea808d7bce4ea1f756a18819aa1762edb3745cc5

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF11F.tmp

MD5
9945f10135a4c7214fa5605c21e5de9b

SHA1
3826fb627c67efd574a30448ea7f1e560b949c87

SHA256
9f3b0f3af4bfa061736935bab1d50ed2581358ddc9a9c0db22564aced1a1807c

SHA512
f385e078ceeb54fe86f66f2db056baba9556817bbf9a110bcd9e170462351af0dd4462429412410c7c3b2b76ea808d7bce4ea1f756a18819aa1762edb3745cc5

Download Submit