42c82a811f4eb41e1a6c613c9b017b7e8abf062c3694cb77e671464954facf3b

Analysis

max time kernel
154s
max time network
174s
platform
windows7_x64
resource
win7-en-20211208
submitted
13-02-2022 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42c82a811f4eb41e1a6c613c9b017b7e8abf062c3694cb77e671464954facf3b.msi
Size

639KB
MD5

4ab860c4a0b02410cd0f5adf80153c3e
SHA1

3983610f2687885b350d259b936a19a3f2c45f6b
SHA256

42c82a811f4eb41e1a6c613c9b017b7e8abf062c3694cb77e671464954facf3b
SHA512

5c982d65f306efc3a37ea97f7e4dc99d95c1f32b19c20e1872df31349ac25f65bd5a6422aa561ababa745d320f8545c94b20a5e85c1d10638f303414eba713c0

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

MsiExec.exe

flow	pid	Process
3	1732	MsiExec.exe
6	1732	MsiExec.exe
8	1732	MsiExec.exe
11	1732	MsiExec.exe

Executes dropped EXE 1 IoCs

Processes:

lcF2E0.tmp

pid	Process
1628	lcF2E0.tmp

Loads dropped DLL 6 IoCs

Processes:

MsiExec.exe

pid	Process
1732	MsiExec.exe
1732	MsiExec.exe
1732	MsiExec.exe
1732	MsiExec.exe
1732	MsiExec.exe
1732	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI2004.tmp	msiexec.exe
File created	C:\Windows\Installer\f76190c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76190c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D22.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE6D7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF164.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAFD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f76190e.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE7A3.tmp	msiexec.exe
File created	C:\Windows\Installer\f76190e.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 50 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "70"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.adobe.com\ = "90"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "351517796"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50153596cf20d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f302f7a020b975438ea1f1f995ba97830000000002000000000010660000000100002000000007f27f6514b5001cb793937ea214bd47fbdf136ab3806345ae568fda195ea929000000000e8000000002000020000000b86e298d6994c20c1ca853f1055e6bbe83564f8c8536d281287505e8baf2c056900000006e2f3bf598cb280bc13c42d267c4cd57252fb0cb3bd97b393cd4575ededb484c4dbe7a4e09a3a7790709d371003568b5cd58616c4b143d78fe2a6f504a09f0e43c58963c5a5cf18bcbc3252065e24df02a7a4d3116840d1b35a6b39d967c3cab169990deebd8c11616c5e20eb3d5e261f64c174ba40c542afd57b2ef8db86ee4657684b9124573fdb9dd895769e85d414000000040e1ab609767d2df51cc9b573d135ab9cfb389e0556399287f931a56d51d0761c4a57016a67ff6f04dff88031e35e9908918f7e2de18743744abd13431b44440	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A31A4A60-8CC2-11EC-AB0E-6E24649026A6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f302f7a020b975438ea1f1f995ba978300000000020000000000106600000001000020000000e32f9a581dde5808bdc4bd24ee2ea3d4a8826366e3ab37b5d9ec2e65749bfb33000000000e80000000020000200000002247ebdaf520db5ae62fb8c6558ecb6f38c849e4e5f53f1078bed600af4e900620000000668eaab3abfc381ccabdc581c221f28120efafe7ca7ca6db39c50860f8f3d94e400000007013e4c6c6459d972e1b155afd339b2fc4f97b64dcfe03feb11162d85822bac81553f896ee1d099a9a6678a033e90dce74665a1674219d57e5f871ad1ca2c3b2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.adobe.com\ = "48"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "48"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "48"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.adobe.com\ = "70"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "70"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "90"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.adobe.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "90"	IEXPLORE.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid	Process
652	msiexec.exe
652	msiexec.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	Process
Token: SeShutdownPrivilege	1656	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1656	msiexec.exe
Token: SeRestorePrivilege	652	msiexec.exe
Token: SeTakeOwnershipPrivilege	652	msiexec.exe
Token: SeSecurityPrivilege	652	msiexec.exe
Token: SeCreateTokenPrivilege	1656	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1656	msiexec.exe
Token: SeLockMemoryPrivilege	1656	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1656	msiexec.exe
Token: SeMachineAccountPrivilege	1656	msiexec.exe
Token: SeTcbPrivilege	1656	msiexec.exe
Token: SeSecurityPrivilege	1656	msiexec.exe
Token: SeTakeOwnershipPrivilege	1656	msiexec.exe
Token: SeLoadDriverPrivilege	1656	msiexec.exe
Token: SeSystemProfilePrivilege	1656	msiexec.exe
Token: SeSystemtimePrivilege	1656	msiexec.exe
Token: SeProfSingleProcessPrivilege	1656	msiexec.exe
Token: SeIncBasePriorityPrivilege	1656	msiexec.exe
Token: SeCreatePagefilePrivilege	1656	msiexec.exe
Token: SeCreatePermanentPrivilege	1656	msiexec.exe
Token: SeBackupPrivilege	1656	msiexec.exe
Token: SeRestorePrivilege	1656	msiexec.exe
Token: SeShutdownPrivilege	1656	msiexec.exe
Token: SeDebugPrivilege	1656	msiexec.exe
Token: SeAuditPrivilege	1656	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1656	msiexec.exe
Token: SeChangeNotifyPrivilege	1656	msiexec.exe
Token: SeRemoteShutdownPrivilege	1656	msiexec.exe
Token: SeUndockPrivilege	1656	msiexec.exe
Token: SeSyncAgentPrivilege	1656	msiexec.exe
Token: SeEnableDelegationPrivilege	1656	msiexec.exe
Token: SeManageVolumePrivilege	1656	msiexec.exe
Token: SeImpersonatePrivilege	1656	msiexec.exe
Token: SeCreateGlobalPrivilege	1656	msiexec.exe
Token: SeRestorePrivilege	652	msiexec.exe
Token: SeTakeOwnershipPrivilege	652	msiexec.exe
Token: SeRestorePrivilege	652	msiexec.exe
Token: SeTakeOwnershipPrivilege	652	msiexec.exe
Token: SeRestorePrivilege	652	msiexec.exe
Token: SeTakeOwnershipPrivilege	652	msiexec.exe
Token: SeRestorePrivilege	652	msiexec.exe
Token: SeTakeOwnershipPrivilege	652	msiexec.exe
Token: SeRestorePrivilege	652	msiexec.exe
Token: SeTakeOwnershipPrivilege	652	msiexec.exe
Token: SeRestorePrivilege	652	msiexec.exe
Token: SeTakeOwnershipPrivilege	652	msiexec.exe
Token: SeRestorePrivilege	652	msiexec.exe
Token: SeTakeOwnershipPrivilege	652	msiexec.exe
Token: SeRestorePrivilege	652	msiexec.exe
Token: SeTakeOwnershipPrivilege	652	msiexec.exe
Token: SeRestorePrivilege	652	msiexec.exe
Token: SeTakeOwnershipPrivilege	652	msiexec.exe
Token: SeRestorePrivilege	652	msiexec.exe
Token: SeTakeOwnershipPrivilege	652	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msiexec.exeiexplore.exe

pid	Process
1656	msiexec.exe
1084	iexplore.exe
1656	msiexec.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
1084	iexplore.exe
1084	iexplore.exe
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

msiexec.exeMsiExec.execmd.exeiexplore.exe

description	pid	Process	procid_target
PID 652 wrote to memory of 1732	652	msiexec.exe	28
PID 652 wrote to memory of 1732	652	msiexec.exe	28
PID 652 wrote to memory of 1732	652	msiexec.exe	28
PID 652 wrote to memory of 1732	652	msiexec.exe	28
PID 652 wrote to memory of 1732	652	msiexec.exe	28
PID 652 wrote to memory of 1732	652	msiexec.exe	28
PID 652 wrote to memory of 1732	652	msiexec.exe	28
PID 1732 wrote to memory of 380	1732	MsiExec.exe	29
PID 1732 wrote to memory of 380	1732	MsiExec.exe	29
PID 1732 wrote to memory of 380	1732	MsiExec.exe	29
PID 1732 wrote to memory of 380	1732	MsiExec.exe	29
PID 380 wrote to memory of 1084	380	cmd.exe	31
PID 380 wrote to memory of 1084	380	cmd.exe	31
PID 380 wrote to memory of 1084	380	cmd.exe	31
PID 380 wrote to memory of 1084	380	cmd.exe	31
PID 1084 wrote to memory of 1196	1084	iexplore.exe	33
PID 1084 wrote to memory of 1196	1084	iexplore.exe	33
PID 1084 wrote to memory of 1196	1084	iexplore.exe	33
PID 1084 wrote to memory of 1196	1084	iexplore.exe	33
PID 1732 wrote to memory of 1628	1732	MsiExec.exe	36
PID 1732 wrote to memory of 1628	1732	MsiExec.exe	36
PID 1732 wrote to memory of 1628	1732	MsiExec.exe	36
PID 1732 wrote to memory of 1628	1732	MsiExec.exe	36
PID 1732 wrote to memory of 1628	1732	MsiExec.exe	36
PID 1732 wrote to memory of 1628	1732	MsiExec.exe	36
PID 1732 wrote to memory of 1628	1732	MsiExec.exe	36

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\42c82a811f4eb41e1a6c613c9b017b7e8abf062c3694cb77e671464954facf3b.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1656

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F352DEB7B6A08CC4CEA5DDF1159674C1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start /MAX https://adobe.ly/2RY5GJR
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://adobe.ly/2RY5GJR
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1084
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1084 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1196
- - C:\Users\Admin\AppData\Local\Temp\lcF2E0.tmp
    "C:\Users\Admin\AppData\Local\Temp\lcF2E0.tmp"
    3⤵
    - Executes dropped EXE
    PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
fa744953a5c92d6270c56c94dcd3e98e

SHA1
e115a5be7bfc23892a3b25092573ccf36c124048

SHA256
a7d690a39852c408b2b5fa9942879e1d18918c1ce95675c2d7662f021edbbac6

SHA512
a697270e2679c3f60ed8d1759638e6682ae68878a925e406a53915587261caf0f15f5b73020ba20526a9bf8b09a222eaf7b15a0d65d8ca43dbeb10901b222160

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
b0c35c77442a4cb676aa4e1a84709c0d

SHA1
a3e8f422ef8b49b958aeb6196d056887322ac31d

SHA256
bacf0cbdd10fa08c1b5bbf65e04c1434442f203b6a4a9564d4a78a9c9e88ceb2

SHA512
c7ad74d7b64d5e1b164b965bff4b160a96c573f36793903c9f4f76873f3bb2cdb2f2ffce637750444621684c266c5bbbe31877f538ce9583cc0a58e949d05be0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\7w612sw\imagestore.dat

MD5
337a365fcc11b11989f1a1847d223a91

SHA1
d9c1843293347d288f2ca8668dc8467f80295975

SHA256
e4ead53188b69c43da13ce520fd7ac54543f3545329acf12debf03e93160f193

SHA512
9a1122ebb72b324711ea66f8e6a8e43164f1ec5eeacf7ff2ee5037cb6fca103825ac62002d4e0bbc62db735c9556a38858dae26a08d3532453381e9068a6b2c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\7w612sw\imagestore.dat

MD5
cac8b557639715168c6473571475812c

SHA1
c36c85ecbda8bfb7cf74d2965953417555567cb8

SHA256
fa9b0dc082d09b0a0c81a60f6087fd2c588b7888e57972952edf947e1dbb137e

SHA512
bfcb8b997160e6eb98043d4f0795ff00080c53e4c72feb99130cf2bd610670bc3988e1a6dbcfaa730f017cb3cc6f341f8fff69722f360a13d623742a640baa78

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcF2E0.tmp

MD5
55ffee241709ae96cf64cb0b9a96f0d7

SHA1
b191810094dd2ee6b13c0d33458fafcd459681ae

SHA256
64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

SHA512
01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C3SUJVXF.txt

MD5
14a0cd22502c76dbb54e06ed81f6d86e

SHA1
d324bc08fea742afdf19bda4553e9d7177dd61ac

SHA256
07c9d1a2e6d121d4be38c8b8b7e3294d14e14c9963394eb3ed0ef4c346588035

SHA512
8b2d6e43591a3609c923aacfd287c12f877fcee22c24a86a20b0c8502f9a9c1873ea99d29d2cc7464500a1572f022f206a7c13292decf156d333a68b2a2e92ad

Download Submit
C:\Windows\Installer\MSI1D22.tmp

MD5
318dea4099b577bc51ae5e21eb8c566d

SHA1
e3a4d3245bc40ca956c3a5081dcfd74e98fb1510

SHA256
f335e99ea0a95b99e32d6b60c67621db8e5d096e9d77a0c8f2defcde8f32f54f

SHA512
65d4886bc19c9b9f36d68c07b83f687cdb75f95cde5f5ef02289502518c58f77c99ef2548d25f69bff6f0bfefe7fc7bb18fd010c4341c15114675f80f3d85844

Download Submit
C:\Windows\Installer\MSIAFD.tmp

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSIE6D7.tmp

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSIE7A3.tmp

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSIF164.tmp

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
\Users\Admin\AppData\Local\Temp\lcF2E0.tmp

MD5
55ffee241709ae96cf64cb0b9a96f0d7

SHA1
b191810094dd2ee6b13c0d33458fafcd459681ae

SHA256
64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

SHA512
01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

Download Submit
\Windows\Installer\MSI1D22.tmp

MD5
318dea4099b577bc51ae5e21eb8c566d

SHA1
e3a4d3245bc40ca956c3a5081dcfd74e98fb1510

SHA256
f335e99ea0a95b99e32d6b60c67621db8e5d096e9d77a0c8f2defcde8f32f54f

SHA512
65d4886bc19c9b9f36d68c07b83f687cdb75f95cde5f5ef02289502518c58f77c99ef2548d25f69bff6f0bfefe7fc7bb18fd010c4341c15114675f80f3d85844

Download Submit
\Windows\Installer\MSIAFD.tmp

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
\Windows\Installer\MSIE6D7.tmp

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
\Windows\Installer\MSIE7A3.tmp

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
\Windows\Installer\MSIF164.tmp

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
memory/1656-55-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp

Filesize
8KB

Download
memory/1732-57-0x0000000074EC1000-0x0000000074EC3000-memory.dmp

Filesize
8KB

Download