Behavioral Report

Analysis

max time kernel
162s
max time network
178s
platform
windows7_x64
resource
win7-en-20211208
submitted
11-02-2022 07:11

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

PO_3421.msi
Size

2MB
MD5

30a04930a6888a2df882478fef4a7ade
SHA1

c91b1b550c3a74840f3066e7a4b0fe08c37b7d2a
SHA256

1f7830f0117f694b87ae81caed022c82174f9a8d158a0b8e127154e17d1600cc
SHA512

b101b58533e61dd8fe8d27af36cb3c6300927286a51994bb7adbafac63ff20af61196660bc79f3f6ffef1e9975be8d06d9ed0c88891389abedcf823480565b49

Score

10^/10

arkei default discovery spyware stealer

Malware Config

Extracted

Family

arkei

Botnet

Default

http://62.204.41.172/h3nwk7uvsH.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Arkei Stealer Payload ⋅ 1 IoCs
stealer

Processes:

resource yara_rule

behavioral1/memory/1312-80-0x00000000007F0000-0x000000000081E000-memory.dmp family_arkei
Downloads MZ/PE file
Executes dropped EXE ⋅ 1 IoCs

Processes:

NEnXoxoXxKaPjctW.exe

pid process

1312 NEnXoxoXxKaPjctW.exe

resource	yara_rule
behavioral1/memory/1312-80-0x00000000007F0000-0x000000000081E000-memory.dmp	family_arkei

pid	process
1312	NEnXoxoXxKaPjctW.exe

Loads dropped DLL ⋅ 11 IoCs

Processes:

MsiExec.exeNEnXoxoXxKaPjctW.exe

pid	process
1460	MsiExec.exe
1460	MsiExec.exe
1460	MsiExec.exe
1460	MsiExec.exe
1460	MsiExec.exe
1312	NEnXoxoXxKaPjctW.exe
1312	NEnXoxoXxKaPjctW.exe
1312	NEnXoxoXxKaPjctW.exe
1312	NEnXoxoXxKaPjctW.exe
1312	NEnXoxoXxKaPjctW.exe
1460	MsiExec.exe

Modifies file permissions ⋅ 1 TTPs 2 IoCs
discovery

TTPs:

File Permissions Modification

Processes:

ICACLS.EXEICACLS.EXE

pid process

1128 ICACLS.EXE
1848 ICACLS.EXE
Reads user/profile data of web browsers ⋅ 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

TTPs:

Data from Local System Credentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting ⋅ 2 TTPs
spyware

TTPs:

Data from Local System Credentials in Files
Checks installed software on the system ⋅ 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

TTPs:

Query Registry

pid	process
1128	ICACLS.EXE
1848	ICACLS.EXE

Enumerates connected drives ⋅ 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

TTPs:

Query Registry Peripheral Device Discovery System Information Discovery

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Drops file in System32 directory ⋅ 6 IoCs

Processes:

NEnXoxoXxKaPjctW.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\OPZUASJE	NEnXoxoXxKaPjctW.exe
File created	C:\Windows\SysWOW64\S0HVS2V3	NEnXoxoXxKaPjctW.exe
File opened for modification	C:\Windows\SysWOW64\S0HVS2V3	NEnXoxoXxKaPjctW.exe
File created	C:\Windows\SysWOW64\Q9000Z5F	NEnXoxoXxKaPjctW.exe
File opened for modification	C:\Windows\SysWOW64\Q9000Z5F	NEnXoxoXxKaPjctW.exe
File created	C:\Windows\SysWOW64\OPZUASJE	NEnXoxoXxKaPjctW.exe

Suspicious use of NtSetInformationThreadHideFromDebugger ⋅ 1 IoCs

Processes:

NEnXoxoXxKaPjctW.exe

pid process

1312 NEnXoxoXxKaPjctW.exe

pid	process
1312	NEnXoxoXxKaPjctW.exe

Drops file in Windows directory ⋅ 13 IoCs

Processes:

msiexec.exeEXPAND.EXEDrvInst.exe

description	ioc	process
File created	C:\Windows\Installer\f77363d.msi	msiexec.exe
File created	C:\Windows\Installer\f77363e.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI848B.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI6894.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI68A4.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f77363d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\f77363e.ipi	msiexec.exe

Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery

Checks processor information in registry ⋅ 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

NEnXoxoXxKaPjctW.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	NEnXoxoXxKaPjctW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	NEnXoxoXxKaPjctW.exe

Delays execution with timeout.exe ⋅ 1 IoCs
evasion

Processes:

timeout.exe

pid process

1464 timeout.exe

pid	process
1464	timeout.exe

Modifies data under HKEY_USERS ⋅ 43 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses ⋅ 3 IoCs

Processes:

msiexec.exeNEnXoxoXxKaPjctW.exe

pid process

1152 msiexec.exe
1152 msiexec.exe
1312 NEnXoxoXxKaPjctW.exe

pid	process
1152	msiexec.exe
1152	msiexec.exe
1312	NEnXoxoXxKaPjctW.exe

Suspicious use of AdjustPrivilegeToken ⋅ 57 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exe

description	pid	process
Token: SeShutdownPrivilege	1500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1500	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeSecurityPrivilege	1152	msiexec.exe
Token: SeCreateTokenPrivilege	1500	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1500	msiexec.exe
Token: SeLockMemoryPrivilege	1500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1500	msiexec.exe
Token: SeMachineAccountPrivilege	1500	msiexec.exe
Token: SeTcbPrivilege	1500	msiexec.exe
Token: SeSecurityPrivilege	1500	msiexec.exe
Token: SeTakeOwnershipPrivilege	1500	msiexec.exe
Token: SeLoadDriverPrivilege	1500	msiexec.exe
Token: SeSystemProfilePrivilege	1500	msiexec.exe
Token: SeSystemtimePrivilege	1500	msiexec.exe
Token: SeProfSingleProcessPrivilege	1500	msiexec.exe
Token: SeIncBasePriorityPrivilege	1500	msiexec.exe
Token: SeCreatePagefilePrivilege	1500	msiexec.exe
Token: SeCreatePermanentPrivilege	1500	msiexec.exe
Token: SeBackupPrivilege	1500	msiexec.exe
Token: SeRestorePrivilege	1500	msiexec.exe
Token: SeShutdownPrivilege	1500	msiexec.exe
Token: SeDebugPrivilege	1500	msiexec.exe
Token: SeAuditPrivilege	1500	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1500	msiexec.exe
Token: SeChangeNotifyPrivilege	1500	msiexec.exe
Token: SeRemoteShutdownPrivilege	1500	msiexec.exe
Token: SeUndockPrivilege	1500	msiexec.exe
Token: SeSyncAgentPrivilege	1500	msiexec.exe
Token: SeEnableDelegationPrivilege	1500	msiexec.exe
Token: SeManageVolumePrivilege	1500	msiexec.exe
Token: SeImpersonatePrivilege	1500	msiexec.exe
Token: SeCreateGlobalPrivilege	1500	msiexec.exe
Token: SeBackupPrivilege	1676	vssvc.exe
Token: SeRestorePrivilege	1676	vssvc.exe
Token: SeAuditPrivilege	1676	vssvc.exe
Token: SeBackupPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1580	DrvInst.exe
Token: SeRestorePrivilege	1580	DrvInst.exe
Token: SeRestorePrivilege	1580	DrvInst.exe
Token: SeRestorePrivilege	1580	DrvInst.exe
Token: SeRestorePrivilege	1580	DrvInst.exe
Token: SeRestorePrivilege	1580	DrvInst.exe
Token: SeRestorePrivilege	1580	DrvInst.exe
Token: SeLoadDriverPrivilege	1580	DrvInst.exe
Token: SeLoadDriverPrivilege	1580	DrvInst.exe
Token: SeLoadDriverPrivilege	1580	DrvInst.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe

Suspicious use of FindShellTrayWindow ⋅ 1 IoCs

Processes:

msiexec.exe

pid process

1500 msiexec.exe

pid	process
1500	msiexec.exe

Suspicious use of WriteProcessMemory ⋅ 31 IoCs

Processes:

msiexec.exeMsiExec.exeNEnXoxoXxKaPjctW.execmd.exe

description	pid	process	target process
PID 1152 wrote to memory of 1460	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 1460	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 1460	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 1460	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 1460	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 1460	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 1460	1152	msiexec.exe	MsiExec.exe
PID 1460 wrote to memory of 1128	1460	MsiExec.exe	ICACLS.EXE
PID 1460 wrote to memory of 1128	1460	MsiExec.exe	ICACLS.EXE
PID 1460 wrote to memory of 1128	1460	MsiExec.exe	ICACLS.EXE
PID 1460 wrote to memory of 1128	1460	MsiExec.exe	ICACLS.EXE
PID 1460 wrote to memory of 1732	1460	MsiExec.exe	EXPAND.EXE
PID 1460 wrote to memory of 1732	1460	MsiExec.exe	EXPAND.EXE
PID 1460 wrote to memory of 1732	1460	MsiExec.exe	EXPAND.EXE
PID 1460 wrote to memory of 1732	1460	MsiExec.exe	EXPAND.EXE
PID 1460 wrote to memory of 1312	1460	MsiExec.exe	NEnXoxoXxKaPjctW.exe
PID 1460 wrote to memory of 1312	1460	MsiExec.exe	NEnXoxoXxKaPjctW.exe
PID 1460 wrote to memory of 1312	1460	MsiExec.exe	NEnXoxoXxKaPjctW.exe
PID 1460 wrote to memory of 1312	1460	MsiExec.exe	NEnXoxoXxKaPjctW.exe
PID 1312 wrote to memory of 864	1312	NEnXoxoXxKaPjctW.exe	cmd.exe
PID 1312 wrote to memory of 864	1312	NEnXoxoXxKaPjctW.exe	cmd.exe
PID 1312 wrote to memory of 864	1312	NEnXoxoXxKaPjctW.exe	cmd.exe
PID 1312 wrote to memory of 864	1312	NEnXoxoXxKaPjctW.exe	cmd.exe
PID 1460 wrote to memory of 1848	1460	MsiExec.exe	ICACLS.EXE
PID 1460 wrote to memory of 1848	1460	MsiExec.exe	ICACLS.EXE
PID 1460 wrote to memory of 1848	1460	MsiExec.exe	ICACLS.EXE
PID 1460 wrote to memory of 1848	1460	MsiExec.exe	ICACLS.EXE
PID 864 wrote to memory of 1464	864	cmd.exe	timeout.exe
PID 864 wrote to memory of 1464	864	cmd.exe	timeout.exe
PID 864 wrote to memory of 1464	864	cmd.exe	timeout.exe
PID 864 wrote to memory of 1464	864	cmd.exe	timeout.exe

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PO_3421.msi

Enumerates connected drives
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow

PID:1500

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Enumerates connected drives
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1152

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 91D056B6F1F57D00C046A1A786A489F3

Loads dropped DLL
Suspicious use of WriteProcessMemory

PID:1460

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ff11007f-4eb2-40e7-9979-1fd83d021fce\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

Modifies file permissions

PID:1128

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

Drops file in Windows directory

PID:1732

C:\Users\Admin\AppData\Local\Temp\MW-ff11007f-4eb2-40e7-9979-1fd83d021fce\files\NEnXoxoXxKaPjctW.exe

"C:\Users\Admin\AppData\Local\Temp\MW-ff11007f-4eb2-40e7-9979-1fd83d021fce\files\NEnXoxoXxKaPjctW.exe"

Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

PID:1312

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\MW-ff11007f-4eb2-40e7-9979-1fd83d021fce\files\NEnXoxoXxKaPjctW.exe" & exit

Suspicious use of WriteProcessMemory

PID:864

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

Delays execution with timeout.exe

PID:1464

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ff11007f-4eb2-40e7-9979-1fd83d021fce\." /SETINTEGRITYLEVEL (CI)(OI)LOW

Modifies file permissions

PID:1848

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Suspicious use of AdjustPrivilegeToken

PID:1676

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14" "" "" "60919e20f" "0000000000000000" "00000000000005B8" "00000000000003F8"

Drops file in Windows directory
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken

PID:1580

Network

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

File Permissions Modification

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-ff11007f-4eb2-40e7-9979-1fd83d021fce\files.cab
MD5
337c942cefd507c8b0e867bf5f1eb200

SHA1
5510ebc9267b62551c6e47f357afc85597bc63f4

SHA256
80ee6c8645aae3b16656799b48e4ea46830899c071d76f39fdd74bfbe8a0d8be

SHA512
f355fb4a6d61f9a385d3fda95c08853d370efa5005a8f3c3bb68a71f6c030407b91dd282754b0dbf936ec4c91c8d2b9aef14866179a5e9c8cc81c601af84e184

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ff11007f-4eb2-40e7-9979-1fd83d021fce\files\NEnXoxoXxKaPjctW.exe
MD5
da868dad12a9a93e4c4f1e9eac6e4e67

SHA1
b56a2651eebea428777a791a773d07c50a0dc2bf

SHA256
9b9d5ddbc7af43e09f81ec3c385318551253316bce968a335ac2f47f122e17d2

SHA512
4ab138ec462e95936374d328ca8a4bd389c8b1a84f0caf869470a64924d5738f3a536247f0e2cd3d8225e7aa87ecf771b04ac4ea376aaea2a9e23ee215f0c654

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ff11007f-4eb2-40e7-9979-1fd83d021fce\files\NEnXoxoXxKaPjctW.exe
MD5
da868dad12a9a93e4c4f1e9eac6e4e67

SHA1
b56a2651eebea428777a791a773d07c50a0dc2bf

SHA256
9b9d5ddbc7af43e09f81ec3c385318551253316bce968a335ac2f47f122e17d2

SHA512
4ab138ec462e95936374d328ca8a4bd389c8b1a84f0caf869470a64924d5738f3a536247f0e2cd3d8225e7aa87ecf771b04ac4ea376aaea2a9e23ee215f0c654

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ff11007f-4eb2-40e7-9979-1fd83d021fce\msiwrapper.ini
MD5
a14fd412ca1fd3edc9871c2437031750

SHA1
a31d5ea1e954f7c683a07d09db0f553aee3b4085

SHA256
0e79d0b6f97ab5c01da001ac0065e2cf2af91cfc2a7652cbe982efafdde8f59e

SHA512
8f102c42910272f2df5a152f739090a6aad2e6f5d36564625939557d6d214742f456075c8d712f7bb61ba1414fceaca36b9ba314af6a3b1b44ed0d020e3a31f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ff11007f-4eb2-40e7-9979-1fd83d021fce\msiwrapper.ini
MD5
6a7287c1937471b15134168f4cf7c86f

SHA1
58de16232aeadaa84fcd5ca57d423ffedd5dc936

SHA256
c09616fe9c27554b7d0751b31ff4efcadf0909102cbe9c62fce1728591c39193

SHA512
965e6f56a5b90541b9bf2284b9747fbdb1228a099487df67238a0eadcc0d1c2c2ba603a3bbb4158805ce2542c7a6671a2604ce176f6884439449cf30ccebc1ed

Download Submit
C:\Windows\Installer\MSI68A4.tmp
MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
C:\Windows\Installer\MSI848B.tmp
MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\MW-ff11007f-4eb2-40e7-9979-1fd83d021fce\files\NEnXoxoXxKaPjctW.exe
MD5
da868dad12a9a93e4c4f1e9eac6e4e67

SHA1
b56a2651eebea428777a791a773d07c50a0dc2bf

SHA256
9b9d5ddbc7af43e09f81ec3c385318551253316bce968a335ac2f47f122e17d2

SHA512
4ab138ec462e95936374d328ca8a4bd389c8b1a84f0caf869470a64924d5738f3a536247f0e2cd3d8225e7aa87ecf771b04ac4ea376aaea2a9e23ee215f0c654

Download Submit
\Users\Admin\AppData\Local\Temp\MW-ff11007f-4eb2-40e7-9979-1fd83d021fce\files\NEnXoxoXxKaPjctW.exe
MD5
da868dad12a9a93e4c4f1e9eac6e4e67

SHA1
b56a2651eebea428777a791a773d07c50a0dc2bf

SHA256
9b9d5ddbc7af43e09f81ec3c385318551253316bce968a335ac2f47f122e17d2

SHA512
4ab138ec462e95936374d328ca8a4bd389c8b1a84f0caf869470a64924d5738f3a536247f0e2cd3d8225e7aa87ecf771b04ac4ea376aaea2a9e23ee215f0c654

Download Submit
\Users\Admin\AppData\Local\Temp\MW-ff11007f-4eb2-40e7-9979-1fd83d021fce\files\NEnXoxoXxKaPjctW.exe
MD5
da868dad12a9a93e4c4f1e9eac6e4e67

SHA1
b56a2651eebea428777a791a773d07c50a0dc2bf

SHA256
9b9d5ddbc7af43e09f81ec3c385318551253316bce968a335ac2f47f122e17d2

SHA512
4ab138ec462e95936374d328ca8a4bd389c8b1a84f0caf869470a64924d5738f3a536247f0e2cd3d8225e7aa87ecf771b04ac4ea376aaea2a9e23ee215f0c654

Download Submit
\Users\Admin\AppData\Local\Temp\MW-ff11007f-4eb2-40e7-9979-1fd83d021fce\files\NEnXoxoXxKaPjctW.exe
MD5
da868dad12a9a93e4c4f1e9eac6e4e67

SHA1
b56a2651eebea428777a791a773d07c50a0dc2bf

SHA256
9b9d5ddbc7af43e09f81ec3c385318551253316bce968a335ac2f47f122e17d2

SHA512
4ab138ec462e95936374d328ca8a4bd389c8b1a84f0caf869470a64924d5738f3a536247f0e2cd3d8225e7aa87ecf771b04ac4ea376aaea2a9e23ee215f0c654

Download Submit
\Windows\Installer\MSI68A4.tmp
MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
\Windows\Installer\MSI848B.tmp
MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
memory/1312-73-0x0000000000401000-0x000000000057E000-memory.dmp

Download
memory/1312-75-0x0000000000599000-0x000000000059A000-memory.dmp

Download
memory/1312-77-0x000000000059D000-0x000000000059E000-memory.dmp

Download
memory/1312-78-0x000000000059E000-0x000000000059F000-memory.dmp

Download
memory/1312-79-0x00000000003C0000-0x00000000003C1000-memory.dmp

Download
memory/1312-80-0x00000000007F0000-0x000000000081E000-memory.dmp

Download
memory/1312-85-0x00000000007F1000-0x0000000000804000-memory.dmp

Download
memory/1312-76-0x000000000059A000-0x000000000059B000-memory.dmp

Download
memory/1312-74-0x000000000057E000-0x0000000000599000-memory.dmp

Download
memory/1312-67-0x0000000000400000-0x00000000007A4000-memory.dmp

Download
memory/1312-72-0x0000000000330000-0x0000000000370000-memory.dmp

Download
memory/1312-69-0x0000000000400000-0x00000000007A4000-memory.dmp

Download
memory/1312-68-0x00000000003B0000-0x00000000003B1000-memory.dmp

Download
memory/1460-56-0x0000000074F01000-0x0000000074F03000-memory.dmp

Download
memory/1500-54-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp

Download