fba454b0f86b6514c9d9e5268ed58a398d30443819ec887fbc2b02d590dc1522

General

Target

fba454b0f86b6514c9d9e5268ed58a398d30443819ec887fbc2b02d590dc1522.msi
Size

1.3MB
MD5

6e31d2f2c745b340e02b2e1f9711a715
SHA1

9c99809aa69805f708afb5418b68b430d4087552
SHA256

fba454b0f86b6514c9d9e5268ed58a398d30443819ec887fbc2b02d590dc1522
SHA512

41694c05606a8585e6fa8e4e5e0672c59ccc096be6dbf0184c4af0e03e145f98101d96d02e3f744f9710cb722906b2afb2b6f90851842cec9eb9912c32fc587c

Score

8^/10

discovery spyware

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ab5sJkWggxaDJyJU.exe

pid process

3684 ab5sJkWggxaDJyJU.exe
Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

3604 MsiExec.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

ICACLS.EXEICACLS.EXE

pid process

2216 ICACLS.EXE
4352 ICACLS.EXE
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3684	ab5sJkWggxaDJyJU.exe

pid	process
3604	MsiExec.exe

pid	process
2216	ICACLS.EXE
4352	ICACLS.EXE

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ab5sJkWggxaDJyJU.exe

description pid process target process

PID 3684 set thread context of 3012 3684 ab5sJkWggxaDJyJU.exe InstallUtil.exe

description	pid	process	target process
PID 3684 set thread context of 3012	3684	ab5sJkWggxaDJyJU.exe	InstallUtil.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exeEXPAND.EXE

description	ioc	process
File created	C:\Windows\Installer\e57c8be.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c8be.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DC190695-68B6-4555-AA6D-43D47033C86E}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB4F.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exevssvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005a4eb8c89d443e990000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005a4eb8c80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809005a4eb8c8000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msiexec.exeab5sJkWggxaDJyJU.exe

pid	process
1340	msiexec.exe
1340	msiexec.exe
3684	ab5sJkWggxaDJyJU.exe
3684	ab5sJkWggxaDJyJU.exe
3684	ab5sJkWggxaDJyJU.exe
3684	ab5sJkWggxaDJyJU.exe
3684	ab5sJkWggxaDJyJU.exe
3684	ab5sJkWggxaDJyJU.exe
3684	ab5sJkWggxaDJyJU.exe
3684	ab5sJkWggxaDJyJU.exe
3684	ab5sJkWggxaDJyJU.exe
3684	ab5sJkWggxaDJyJU.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exeInstallUtil.exe

description	pid	process
Token: SeShutdownPrivilege	1888	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1888	msiexec.exe
Token: SeSecurityPrivilege	1340	msiexec.exe
Token: SeCreateTokenPrivilege	1888	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1888	msiexec.exe
Token: SeLockMemoryPrivilege	1888	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1888	msiexec.exe
Token: SeMachineAccountPrivilege	1888	msiexec.exe
Token: SeTcbPrivilege	1888	msiexec.exe
Token: SeSecurityPrivilege	1888	msiexec.exe
Token: SeTakeOwnershipPrivilege	1888	msiexec.exe
Token: SeLoadDriverPrivilege	1888	msiexec.exe
Token: SeSystemProfilePrivilege	1888	msiexec.exe
Token: SeSystemtimePrivilege	1888	msiexec.exe
Token: SeProfSingleProcessPrivilege	1888	msiexec.exe
Token: SeIncBasePriorityPrivilege	1888	msiexec.exe
Token: SeCreatePagefilePrivilege	1888	msiexec.exe
Token: SeCreatePermanentPrivilege	1888	msiexec.exe
Token: SeBackupPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1888	msiexec.exe
Token: SeShutdownPrivilege	1888	msiexec.exe
Token: SeDebugPrivilege	1888	msiexec.exe
Token: SeAuditPrivilege	1888	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1888	msiexec.exe
Token: SeChangeNotifyPrivilege	1888	msiexec.exe
Token: SeRemoteShutdownPrivilege	1888	msiexec.exe
Token: SeUndockPrivilege	1888	msiexec.exe
Token: SeSyncAgentPrivilege	1888	msiexec.exe
Token: SeEnableDelegationPrivilege	1888	msiexec.exe
Token: SeManageVolumePrivilege	1888	msiexec.exe
Token: SeImpersonatePrivilege	1888	msiexec.exe
Token: SeCreateGlobalPrivilege	1888	msiexec.exe
Token: SeBackupPrivilege	2404	vssvc.exe
Token: SeRestorePrivilege	2404	vssvc.exe
Token: SeAuditPrivilege	2404	vssvc.exe
Token: SeBackupPrivilege	1340	msiexec.exe
Token: SeRestorePrivilege	1340	msiexec.exe
Token: SeRestorePrivilege	1340	msiexec.exe
Token: SeTakeOwnershipPrivilege	1340	msiexec.exe
Token: SeRestorePrivilege	1340	msiexec.exe
Token: SeTakeOwnershipPrivilege	1340	msiexec.exe
Token: SeBackupPrivilege	3320	srtasks.exe
Token: SeRestorePrivilege	3320	srtasks.exe
Token: SeSecurityPrivilege	3320	srtasks.exe
Token: SeTakeOwnershipPrivilege	3320	srtasks.exe
Token: SeBackupPrivilege	3320	srtasks.exe
Token: SeRestorePrivilege	3320	srtasks.exe
Token: SeSecurityPrivilege	3320	srtasks.exe
Token: SeTakeOwnershipPrivilege	3320	srtasks.exe
Token: SeDebugPrivilege	3012	InstallUtil.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1888 msiexec.exe
1888 msiexec.exe

pid	process
1888	msiexec.exe
1888	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

msiexec.exeMsiExec.exeab5sJkWggxaDJyJU.exe

description	pid	process	target process
PID 1340 wrote to memory of 3320	1340	msiexec.exe	srtasks.exe
PID 1340 wrote to memory of 3320	1340	msiexec.exe	srtasks.exe
PID 1340 wrote to memory of 3604	1340	msiexec.exe	MsiExec.exe
PID 1340 wrote to memory of 3604	1340	msiexec.exe	MsiExec.exe
PID 1340 wrote to memory of 3604	1340	msiexec.exe	MsiExec.exe
PID 3604 wrote to memory of 2216	3604	MsiExec.exe	ICACLS.EXE
PID 3604 wrote to memory of 2216	3604	MsiExec.exe	ICACLS.EXE
PID 3604 wrote to memory of 2216	3604	MsiExec.exe	ICACLS.EXE
PID 3604 wrote to memory of 4632	3604	MsiExec.exe	EXPAND.EXE
PID 3604 wrote to memory of 4632	3604	MsiExec.exe	EXPAND.EXE
PID 3604 wrote to memory of 4632	3604	MsiExec.exe	EXPAND.EXE
PID 3604 wrote to memory of 3684	3604	MsiExec.exe	ab5sJkWggxaDJyJU.exe
PID 3604 wrote to memory of 3684	3604	MsiExec.exe	ab5sJkWggxaDJyJU.exe
PID 3604 wrote to memory of 3684	3604	MsiExec.exe	ab5sJkWggxaDJyJU.exe
PID 3684 wrote to memory of 3012	3684	ab5sJkWggxaDJyJU.exe	InstallUtil.exe
PID 3684 wrote to memory of 3012	3684	ab5sJkWggxaDJyJU.exe	InstallUtil.exe
PID 3684 wrote to memory of 3012	3684	ab5sJkWggxaDJyJU.exe	InstallUtil.exe
PID 3684 wrote to memory of 3012	3684	ab5sJkWggxaDJyJU.exe	InstallUtil.exe
PID 3684 wrote to memory of 3012	3684	ab5sJkWggxaDJyJU.exe	InstallUtil.exe
PID 3604 wrote to memory of 752	3604	MsiExec.exe	cmd.exe
PID 3604 wrote to memory of 752	3604	MsiExec.exe	cmd.exe
PID 3604 wrote to memory of 752	3604	MsiExec.exe	cmd.exe
PID 3604 wrote to memory of 4352	3604	MsiExec.exe	ICACLS.EXE
PID 3604 wrote to memory of 4352	3604	MsiExec.exe	ICACLS.EXE
PID 3604 wrote to memory of 4352	3604	MsiExec.exe	ICACLS.EXE

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fba454b0f86b6514c9d9e5268ed58a398d30443819ec887fbc2b02d590dc1522.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1888

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4F7AE74AF177B5FE15221BB41B83EEE1
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-a8d09a8d-27d3-4bdd-98e2-67c36a4180b2\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
3⤵
- Modifies file permissions
PID:2216

C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:4632

C:\Users\Admin\AppData\Local\Temp\MW-a8d09a8d-27d3-4bdd-98e2-67c36a4180b2\files\ab5sJkWggxaDJyJU.exe
"C:\Users\Admin\AppData\Local\Temp\MW-a8d09a8d-27d3-4bdd-98e2-67c36a4180b2\files\ab5sJkWggxaDJyJU.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-a8d09a8d-27d3-4bdd-98e2-67c36a4180b2\files"
3⤵
PID:752

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-a8d09a8d-27d3-4bdd-98e2-67c36a4180b2\." /SETINTEGRITYLEVEL (CI)(OI)LOW
3⤵
- Modifies file permissions
PID:4352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-a8d09a8d-27d3-4bdd-98e2-67c36a4180b2\files.cab
Filesize
904KB

MD5
37ca8d45f74cbc1215726cbf74990e85

SHA1
8ad754ae9db24c18998d3a10525091a385a94546

SHA256
f7ad06b2d914343daec583f4ebaf01e0d733a629a0040a85e54f8b74e944e1e5

SHA512
8ffdf1c157dfc4702c1f2d13b148d0fb35439ba1e50395e58ee74de9e02e323664ca8421b55057a1910829d417a2e38424bc77848ed81ac8d4c2623682eaa007

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a8d09a8d-27d3-4bdd-98e2-67c36a4180b2\files\ab5sJkWggxaDJyJU.exe
Filesize
1.2MB

MD5
cb8cd07d32498986d817939e06ac4abb

SHA1
1de2ea093784a9b7ff6d1fa6d6877fdae990bd42

SHA256
f751501b33b4d7e35aa20d08f718e5a8ed1c0471b4da1bdd2562a3536d83d58e

SHA512
4c37cbd33af706f265415a309f9b32a46836430597be5a929423b4eaffc498a25c853ab7806a39f2e641ac9e95d75f8306bf48c37958b6e9291db8d80ae0ad59

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a8d09a8d-27d3-4bdd-98e2-67c36a4180b2\files\ab5sJkWggxaDJyJU.exe
Filesize
1.2MB

MD5
cb8cd07d32498986d817939e06ac4abb

SHA1
1de2ea093784a9b7ff6d1fa6d6877fdae990bd42

SHA256
f751501b33b4d7e35aa20d08f718e5a8ed1c0471b4da1bdd2562a3536d83d58e

SHA512
4c37cbd33af706f265415a309f9b32a46836430597be5a929423b4eaffc498a25c853ab7806a39f2e641ac9e95d75f8306bf48c37958b6e9291db8d80ae0ad59

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a8d09a8d-27d3-4bdd-98e2-67c36a4180b2\msiwrapper.ini
Filesize
1KB

MD5
088396f1b0cec01c9e5d5241265cb9bf

SHA1
568b41d2a70c5ff6ccf4bb54fd21f1fe82c8f55f

SHA256
893a49fdaeef3fc35ae237b89b536220df615b162a7f12f2a73ee813ccf31bc3

SHA512
0600ef23196f5240afdc690f765fe321918ce0f765d40699ad39a29c9fd7f78cacd9a519576facb906b16f4d0419fadaf121d14d3caab392b57cc2d0a8d5741b

Download Submit
C:\Windows\Installer\MSICB4F.tmp
Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
C:\Windows\Installer\MSICB4F.tmp
Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
c1fa7863ad1158a4c140155f8b5d9117

SHA1
bca48bcc75d5970a4968b8e066ece301f06069ad

SHA256
b72a712117c7d7ff73f273ad52c68d1b5d79c8f736cdbbb7c78a9c857e9e1af7

SHA512
a0d69f969506f0eddd241bfb47f3fc525866a3922f762ee51db887aaba7777164a991a6f75f9aa5cc674d2a708540168246769dc523c8f5f616ec6fcd3b67130

Download Submit
\??\Volume{c8b84e5a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ef6c47d7-fae0-4b21-8dab-f7a4c7937714}_OnDiskSnapshotProp
Filesize
5KB

MD5
b62932acc63d01cd67d1a1da9995bbe7

SHA1
b2cd702c54cacfdfc5c1828aab503573abae7818

SHA256
6e15fcb3d63384938529618b327e9a4a7984231d0be11aeee77909d01a46e13c

SHA512
113e46ed87815df896e968bcf139e75af67729767bb0561a214eeace11ab70c2171e3df27b7e364f574b6cb9c8cb2739259d1cd30b158c24259b2d68dddb63ee

Download Submit
memory/752-151-0x0000000000000000-mapping.dmp

Download
memory/2216-134-0x0000000000000000-mapping.dmp

Download
memory/3012-155-0x0000000007D90000-0x0000000007E9A000-memory.dmp

Filesize
1.0MB

Download
memory/3012-147-0x0000000000000000-mapping.dmp

Download
memory/3012-163-0x0000000009FD0000-0x000000000A4FC000-memory.dmp

Filesize
5.2MB

Download
memory/3012-162-0x00000000098D0000-0x0000000009A92000-memory.dmp

Filesize
1.8MB

Download
memory/3012-161-0x0000000008B40000-0x0000000008BA6000-memory.dmp

Filesize
408KB

Download
memory/3012-160-0x00000000080E0000-0x00000000080FE000-memory.dmp

Filesize
120KB

Download
memory/3012-159-0x0000000008E30000-0x00000000093D4000-memory.dmp

Filesize
5.6MB

Download
memory/3012-157-0x0000000008000000-0x0000000008076000-memory.dmp

Filesize
472KB

Download
memory/3012-148-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3012-150-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3012-156-0x0000000007CC0000-0x0000000007CFC000-memory.dmp

Filesize
240KB

Download
memory/3012-158-0x0000000008120000-0x00000000081B2000-memory.dmp

Filesize
584KB

Download
memory/3012-153-0x0000000008260000-0x0000000008878000-memory.dmp

Filesize
6.1MB

Download
memory/3012-154-0x0000000007C60000-0x0000000007C72000-memory.dmp

Filesize
72KB

Download
memory/3320-130-0x0000000000000000-mapping.dmp

Download
memory/3604-131-0x0000000000000000-mapping.dmp

Download
memory/3684-146-0x000000000EF10000-0x000000000F02B000-memory.dmp

Filesize
1.1MB

Download
memory/3684-141-0x0000000002760000-0x000000000289D000-memory.dmp

Filesize
1.2MB

Download
memory/3684-145-0x000000000EF10000-0x000000000F02B000-memory.dmp

Filesize
1.1MB

Download
memory/3684-139-0x0000000000000000-mapping.dmp

Download
memory/3684-142-0x0000000002760000-0x000000000289D000-memory.dmp

Filesize
1.2MB

Download
memory/4352-152-0x0000000000000000-mapping.dmp

Download
memory/4632-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads