Analysis
- max time kernel: 78s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 13-02-2022 11:37
Static task: static1
Behavioral task: behavioral1
Sample: f085588cf016993e6298640bf797c1d31b61a8087a3240d517a53a5a58474987.msi
Resource: win7-en-20211208
General
- Target: f085588cf016993e6298640bf797c1d31b61a8087a3240d517a53a5a58474987.msi
- Size: 951KB
- MD5: e2c5416931f1c9369fb55e7adcf6364b
- SHA1: 57c960dc13b433a3fe3225b884fcbccc01c00c36
- SHA256: f085588cf016993e6298640bf797c1d31b61a8087a3240d517a53a5a58474987
- SHA512: 96e666f61ad0e1e1c9146b31ea94622004e9dcdd082372e5ae7dada1c3aa28538d506c870502be8b381170a2d60ea470e196141de0affab232d8a106fa4ca51e
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
Processes: WScript.exe
  flow | pid | process
  58 | 3852 | WScript.exe
  60 | 3852 | WScript.exe
Executes dropped EXE (1 IoCs)
Processes: MSI368E.tmp
  pid | process
  1340 | MSI368E.tmp
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | wscript.exe
Drops startup file (1 IoCs)
Processes: wscript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\abntufeqpnj.lnk | wscript.exe
Loads dropped DLL (4 IoCs)
Processes: MsiExec.exe
  pid | process
  4108 | MsiExec.exe
  4108 | MsiExec.exe
  4108 | MsiExec.exe
  4108 | MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
  description | ioc | process
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
Drops file in Program Files directory (1 IoCs)
Processes: msiexec.exe
  description | ioc | process
  File created | C:\Program Files (x86)\Firefox_2020-3547\Firefox_2020-3547\658615508460043140_16.vbs | msiexec.exe
Drops file in Windows directory (21 IoCs)
Processes: svchost.exe, TiWorker.exe, msiexec.exe
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File created | C:\Windows\Installer\1ce2eb9.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI2F56.tmp | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{E145BDE0-9DC5-4A3D-A3F1-58330C55E42A} | msiexec.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File created | C:\Windows\Installer\1ce2ebc.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI368E.tmp | msiexec.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\Installer\MSI3331.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\Installer\1ce2eb9.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI3216.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI32B3.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI3545.tmp | msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: svchost.exe, vssvc.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | svchost.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | svchost.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
Modifies data under HKEY_USERS (32 IoCs)
Processes: LogonUI.exe, svchost.exe, msiexec.exe, svchost.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" | svchost.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | msiexec.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | svchost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Key deleted | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1e | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | msiexec.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "37" | LogonUI.exe
  Key deleted | \REGISTRY\USER\S-1-5-19\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\1f\52C64B7E | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1f | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" | svchost.exe
Modifies registry class (23 IoCs)
Processes: msiexec.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0EDB541E5CD9D3A43A1F8533C0554EA2\MainFeature | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2\Language = "1033" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2\Version = "16777216" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2\InstanceType = "0" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2\DeploymentFlags = "3" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\37358B2CE7DD8A04A99FF6AEEDC0C75C\0EDB541E5CD9D3A43A1F8533C0554EA2 | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2\SourceList | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2\SourceList\Net | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2\SourceList\Media | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2\PackageCode = "4583136C67326D54F8B3AA1D53E6048F" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2\AdvertiseFlags = "388" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\37358B2CE7DD8A04A99FF6AEEDC0C75C | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2\Clients = 3a0000000000 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2\ProductName = "Firefox_2020-3547" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2\AuthorizedLUAApp = "0" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2\SourceList\Media\1 = ";" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0EDB541E5CD9D3A43A1F8533C0554EA2 | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2\Assignment = "1" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2\SourceList\PackageName = "f085588cf016993e6298640bf797c1d31b61a8087a3240d517a53a5a58474987.msi" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EDB541E5CD9D3A43A1F8533C0554EA2\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: msiexec.exe, MSI368E.tmp
  pid | process
  548 | msiexec.exe
  548 | msiexec.exe
  1340 | MSI368E.tmp (62 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe, svchost.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 5044 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 5044 | msiexec.exe
  Token: SeSecurityPrivilege | 548 | msiexec.exe
  Token: SeCreateTokenPrivilege | 5044 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 5044 | msiexec.exe
  Token: SeLockMemoryPrivilege | 5044 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 5044 | msiexec.exe
  Token: SeMachineAccountPrivilege | 5044 | msiexec.exe
  Token: SeTcbPrivilege | 5044 | msiexec.exe
  Token: SeSecurityPrivilege | 5044 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5044 | msiexec.exe
  Token: SeLoadDriverPrivilege | 5044 | msiexec.exe
  Token: SeSystemProfilePrivilege | 5044 | msiexec.exe
  Token: SeSystemtimePrivilege | 5044 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 5044 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 5044 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 5044 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 5044 | msiexec.exe
  Token: SeBackupPrivilege | 5044 | msiexec.exe
  Token: SeRestorePrivilege | 5044 | msiexec.exe
  Token: SeShutdownPrivilege | 5044 | msiexec.exe
  Token: SeDebugPrivilege | 5044 | msiexec.exe
  Token: SeAuditPrivilege | 5044 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 5044 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 5044 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 5044 | msiexec.exe
  Token: SeUndockPrivilege | 5044 | msiexec.exe
  Token: SeSyncAgentPrivilege | 5044 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 5044 | msiexec.exe
  Token: SeManageVolumePrivilege | 5044 | msiexec.exe
  Token: SeImpersonatePrivilege | 5044 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 5044 | msiexec.exe
  Token: SeBackupPrivilege | 4632 | vssvc.exe
  Token: SeRestorePrivilege | 4632 | vssvc.exe
  Token: SeAuditPrivilege | 4632 | vssvc.exe
  Token: SeBackupPrivilege | 548 | msiexec.exe
  Token: SeRestorePrivilege | 548 | msiexec.exe
  Token: SeShutdownPrivilege | 4716 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4716 | svchost.exe
  Token: SeShutdownPrivilege | 4716 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4716 | svchost.exe
  Token: SeShutdownPrivilege | 4716 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4716 | svchost.exe
  Token: SeSecurityPrivilege | 5024 | TiWorker.exe
  Token: SeRestorePrivilege | 5024 | TiWorker.exe
  Token: SeBackupPrivilege | 5024 | TiWorker.exe
  Token: SeBackupPrivilege | 5024 | TiWorker.exe
  Token: SeRestorePrivilege | 5024 | TiWorker.exe
  Token: SeSecurityPrivilege | 5024 | TiWorker.exe
  Token: SeBackupPrivilege | 5024 | TiWorker.exe
  Token: SeRestorePrivilege | 5024 | TiWorker.exe
  Token: SeSecurityPrivilege | 5024 | TiWorker.exe
  Token: SeBackupPrivilege | 5024 | TiWorker.exe
  Token: SeRestorePrivilege | 5024 | TiWorker.exe
  Token: SeSecurityPrivilege | 5024 | TiWorker.exe
  Token: SeBackupPrivilege | 5024 | TiWorker.exe
  Token: SeRestorePrivilege | 5024 | TiWorker.exe
  Token: SeSecurityPrivilege | 5024 | TiWorker.exe
  Token: SeBackupPrivilege | 5024 | TiWorker.exe
  Token: SeRestorePrivilege | 5024 | TiWorker.exe
  Token: SeSecurityPrivilege | 5024 | TiWorker.exe
  Token: SeBackupPrivilege | 5024 | TiWorker.exe
  Token: SeRestorePrivilege | 5024 | TiWorker.exe
  Token: SeSecurityPrivilege | 5024 | TiWorker.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: msiexec.exe
  pid | process
  5044 | msiexec.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: LogonUI.exe
  pid | process
  920 | LogonUI.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: msiexec.exe, WScript.exe, wscript.exe, cmd.exe
  description | pid | process | target process
  PID 548 wrote to memory of 3228 | 548 | msiexec.exe | srtasks.exe
  PID 548 wrote to memory of 3228 | 548 | msiexec.exe | srtasks.exe
  PID 548 wrote to memory of 4108 | 548 | msiexec.exe | MsiExec.exe
  PID 548 wrote to memory of 4108 | 548 | msiexec.exe | MsiExec.exe
  PID 548 wrote to memory of 4108 | 548 | msiexec.exe | MsiExec.exe
  PID 548 wrote to memory of 1340 | 548 | msiexec.exe | MSI368E.tmp
  PID 548 wrote to memory of 1340 | 548 | msiexec.exe | MSI368E.tmp
  PID 548 wrote to memory of 1340 | 548 | msiexec.exe | MSI368E.tmp
  PID 3852 wrote to memory of 3972 | 3852 | WScript.exe | wscript.exe
  PID 3852 wrote to memory of 3972 | 3852 | WScript.exe | wscript.exe
  PID 3972 wrote to memory of 2160 | 3972 | wscript.exe | cmd.exe
  PID 3972 wrote to memory of 2160 | 3972 | wscript.exe | cmd.exe
  PID 2160 wrote to memory of 1068 | 2160 | cmd.exe | shutdown.exe
  PID 2160 wrote to memory of 1068 | 2160 | cmd.exe | shutdown.exe
Processes
C:\Windows\system32\msiexec.exe (level 1, PID 5044)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f085588cf016993e6298640bf797c1d31b61a8087a3240d517a53a5a58474987.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe (level 1, PID 548)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\srtasks.exe (level 2, PID 3228)
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
  C:\Windows\syswow64\MsiExec.exe (level 2, PID 4108)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding FB9FFA707F4CE430F0601BA2DF87494D
    - Loads dropped DLL
  C:\Windows\Installer\MSI368E.tmp (level 2, PID 1340)
    command line: "C:\Windows\Installer\MSI368E.tmp" "C:\Program Files (x86)\Firefox_2020-3547\Firefox_2020-3547\658615508460043140_16.vbs"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\vssvc.exe (level 1, PID 4632)
  command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe (level 1, PID 4716)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (level 1, PID 5024)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe (level 1, PID 3276)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
C:\Windows\System32\WScript.exe (level 1, PID 3852)
  command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Firefox_2020-3547\Firefox_2020-3547\658615508460043140_16.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\wscript.exe (level 2, PID 3972)
    command line: wscript.exe C:\Users\Admin\AppData\Roaming\abntufeqpnj.vbs
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (level 3, PID 2160)
      command line: "C:\Windows\system32\cmd.exe" /c shutdown /r /t 0 /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\shutdown.exe (level 4, PID 1068)
        command line: shutdown /r /t 0 /f
C:\Windows\system32\LogonUI.exe (level 1, PID 920)
  command line: "LogonUI.exe" /flags:0x4 /state0:0xa39db855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
C:\Windows\System32\svchost.exe (level 1, PID 4944)
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5 6726ce7753803c58bb7136216dd3378f
SHA1 eb6faf34ce5a9c9a6bc5eba32cb51b88cdda3f2d
SHA256 0a0bce3a1809e225be4a123e894e01a3f8eb805ebbea1bcd0172c2b104600f04
SHA512 320b9c6ffedac662290482f6c73e8b8b2242bf8a359da91baa06d37c165596668157a8e89199f81c132f9434b8ad202c4ce6735f654d5e8d353104786abae9a7
-
MD5 31b3fa3be13c3eca988b6647cf274003
SHA1 713779818be4a9956a02f8e16231750a9e0c3eb8
SHA256 881aa5538ac02efb941f6cbef4e784f5e4a4a0c70611cc6b7e7e461f21c65f97
SHA512 ba1fddaaa64e0bdc2418d615b2a34683167fc336d12109e29574c3cec51a93d16908bf155b96d0d8c4537b185caa7ee29c3eb6a84074ef366cd161b0fe8eb1bf
-
MD5 724e550c7c9a874946bcb6b51ce138c3
SHA1 16444fc8b1558abc51a4f2896b56012d360d7a1c
SHA256 f65f61431ebd327173276a5bf8c8e30c465d15273601c67277d140632bf55575
SHA512 1d3b0fc9818c77cded991846925af13351c8d964646008ef4da86c2298cfb92d3d3b6ea67956899af06cf04966d05fd3fec6b678b5b024399e9cd52842a82667
-
MD5 c39daeba173815516c180ca4361f7895
SHA1 db3ae54329834baa954569a35be5b947c86dc25e
SHA256 a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc
SHA512 e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929
-
MD5 c39daeba173815516c180ca4361f7895
SHA1 db3ae54329834baa954569a35be5b947c86dc25e
SHA256 a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc
SHA512 e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929
-
MD5 c39daeba173815516c180ca4361f7895
SHA1 db3ae54329834baa954569a35be5b947c86dc25e
SHA256 a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc
SHA512 e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929
-
MD5 c39daeba173815516c180ca4361f7895
SHA1 db3ae54329834baa954569a35be5b947c86dc25e
SHA256 a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc
SHA512 e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929
-
MD5 c39daeba173815516c180ca4361f7895
SHA1 db3ae54329834baa954569a35be5b947c86dc25e
SHA256 a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc
SHA512 e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929
-
MD5 c39daeba173815516c180ca4361f7895
SHA1 db3ae54329834baa954569a35be5b947c86dc25e
SHA256 a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc
SHA512 e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929
-
MD5 c39daeba173815516c180ca4361f7895
SHA1 db3ae54329834baa954569a35be5b947c86dc25e
SHA256 a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc
SHA512 e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929
-
MD5 c39daeba173815516c180ca4361f7895
SHA1 db3ae54329834baa954569a35be5b947c86dc25e
SHA256 a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc
SHA512 e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929
-
MD5 867b627b008d149f15e8df90d2648d41
SHA1 543fc2763f98378c5777f0dc1f11f54ee3a71733
SHA256 51d309734f25d009714a0e4d428ffee3f42bfaa3eaf21da68369405f3a0a8233
SHA512 9c3beb4c8c5319f1f584c49fa66b1ee704b6ecb56184af0024a4e363979466c2933a99fa0662532b0ac8ca22536b1717de8214cd828094bbc38f9d8bb3d2da44
-
MD5 bff4ebaee03ef104ed34a48ea4e1ce0d
SHA1 f9d2e090c188d0fd2d7c6632bd14ae28c0ddf0d8
SHA256 4b7640afb67328194f7a111f42e81f6565cff022e72fef96ee2bd7d5f658f047
SHA512 3341ffb04fa1c966a57d8422ab286afa072589b1239a846d23a06d5797b4fc09089f66643f92356925a61520428a953800fa34eb8b2663c0ee2ac9bb40d640b8
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\softwaredistribution\DataStore\DataStore.edb
MD5 d11652347b2c3c5a6f5dc924a6e3e06c
SHA1 41ffdabff4e0e3b8be7945916a9b89e91704f432
SHA256 97f3eec695a86f9d285d1ee2c7b2d821104edf69320c6565d3dc973e4b1b5b8f
SHA512 023108d1e13e2cc8d9bdd815d3d422b3fb11c46e9d3d12f0c35047b8b478467d1810934a4448ee8db856ab7c1c7ba8fc7e0229c3b7fee5579f140c6dcbfa5b79
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\softwaredistribution\DataStore\DataStore.jfm
MD5 f35ed659b81455a2a36fc7b7ac30150b
SHA1 ae34f60afb7ba243b01b5586253a5c9cef870065
SHA256 9ad4105382cbee131153ef1c22452245f7848df10795af7a8d08acecba09f298
SHA512 b9e2b976891a7707a4584184473f33534a384a4b72f873026eaa040a9908e05476efcf13fb6be1b995b09a6f7d947b14d636e7513da170be1e56ad4220504fd8
-
MD5 dede237c29ef31056bdd8ee742a87de0
SHA1 2b2bac17a326715b70c03f0623b42d9a515093a9
SHA256 12aa8318c82ddcd4b09d9cec171e652f54b325707de272695cb2eec85a3580ca
SHA512 1a524a5daf8af862c8bc5b6c43ac5e3908551f87baf42e7ccd9d0479feb8ca9af324616484f275792715a1ae85a78ab4ddfdfcba9a7b405c3869bf018911c805
-
\??\Volume{1385018a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c06cc8ac-892d-444a-9bff-859238d05789}_OnDiskSnapshotProp
MD5 6030d65b7608a031ff00577456ef7186
SHA1 44c36e76dcfab3929f17ab65c110013ddd117719
SHA256 23f419cdf2159d2de1308be7345c70ad86c6a3e1c1f7e64969ff19dbd6e353d5
SHA512 43f02801e52d9217b513785acf5b2652ade1582f0631f555c4b84423f3dd397974b59118b0a7482552486776dc871bd2c58469020746a77747e2f92a13c00be2