c51857627b43582a7f2995c27356717b474854716ddffabcc4ec03b0085bcc07

Analysis

max time kernel
141s
max time network
189s
platform
windows7_x64
resource
win7-20220414-en
submitted
20/05/2022, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c51857627b43582a7f2995c27356717b474854716ddffabcc4ec03b0085bcc07.msi
Size

280KB
MD5

04e7028611b3a265f90a627f45e43721
SHA1

10cc07c9d057baff07aa81e5f6c3833f8c763f8d
SHA256

c51857627b43582a7f2995c27356717b474854716ddffabcc4ec03b0085bcc07
SHA512

e6f39b4e3d934eae2a47e2ee382c7560e3c8852e95d2ce72ee1a6eb31e92b8e102a922638077b16f31ebdb9da92e932649f43d755627b0c5a1c45bff360b5382

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
6	1336	MsiExec.exe
8	1336	MsiExec.exe
10	1336	MsiExec.exe
13	1336	MsiExec.exe

Executes dropped EXE 1 IoCs

pid	Process
1416	lcD246.tmp

Loads dropped DLL 5 IoCs

pid	Process
1336	MsiExec.exe
1336	MsiExec.exe
1336	MsiExec.exe
1336	MsiExec.exe
1336	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSICA15.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\6c8dd1.ipi	msiexec.exe
File created	C:\Windows\Installer\6c8dd1.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI37D7.tmp	msiexec.exe
File created	C:\Windows\Installer\6c8dcf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c8dcf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB3E5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID221.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID3A8.tmp	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 50 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.adobe.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.adobe.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.adobe.com\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359797220"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AC764581-D80F-11EC-A40D-5EFF8A6DE4BC} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd4000000000200000000001066000000010000200000005b0bf945ad21818cf5a33200988f9cc56d1fe1aa379c54f5f6dae47a0b3597da000000000e8000000002000020000000410d89b368f9afdc82bf1b0cdaeb426fe145d9bf286541b16e694a2cb90f74e120000000da8f43a7947e919062b99fc447c5d9eb51aec49fbb3739fa273e9a7bfd11ae0640000000e3a40f9a4fb50d8c4908acf8ba8ce6af6e2cea21d166a391ca4499935b32ec9ca878d4b8026412897755e32b4cd25a95e260f76764b6074088c9e467661f87c2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "22"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.adobe.com\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a09d109f1c6cd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "42"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd40000000002000000000010660000000100002000000009fde20e14eab8bde55a8469c50acca962b2c27a5217380ee86cad65c7b54880000000000e80000000020000200000004d7399bde239d5bda769c95295e47bede73547a88e49e0bed392dd662b49115d90000000d3592aebefeb4c47f54d2bfe80f44217821e66f9e62fb399a9adda358c9f014bf94efcc435fedf9e9bf9cb8cd0dcc341c46534926752b791a2e653b6ca0e3262c5d5b722e272f3c954161bf2caf1b5ffeb8793a5dffb2b70f137c4e21cbec60965a9d39ff3cfe07de5cdc18998ed302ea0edeb37e33edb422b32b32a96cdab460b25cbbcd8ba212cc48178e41792d00b400000004cb0f9957b1a8ae32cf1e7b25cb0b1266e4922f72c67e9bc5e856095a4c85e76f31aca8f22bfe073a5c68682b8f298342cdaf9c2f67421958c149f24d8d23ec0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1828	msiexec.exe
1828	msiexec.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1892	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1892	msiexec.exe
Token: SeRestorePrivilege	1828	msiexec.exe
Token: SeTakeOwnershipPrivilege	1828	msiexec.exe
Token: SeSecurityPrivilege	1828	msiexec.exe
Token: SeCreateTokenPrivilege	1892	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1892	msiexec.exe
Token: SeLockMemoryPrivilege	1892	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1892	msiexec.exe
Token: SeMachineAccountPrivilege	1892	msiexec.exe
Token: SeTcbPrivilege	1892	msiexec.exe
Token: SeSecurityPrivilege	1892	msiexec.exe
Token: SeTakeOwnershipPrivilege	1892	msiexec.exe
Token: SeLoadDriverPrivilege	1892	msiexec.exe
Token: SeSystemProfilePrivilege	1892	msiexec.exe
Token: SeSystemtimePrivilege	1892	msiexec.exe
Token: SeProfSingleProcessPrivilege	1892	msiexec.exe
Token: SeIncBasePriorityPrivilege	1892	msiexec.exe
Token: SeCreatePagefilePrivilege	1892	msiexec.exe
Token: SeCreatePermanentPrivilege	1892	msiexec.exe
Token: SeBackupPrivilege	1892	msiexec.exe
Token: SeRestorePrivilege	1892	msiexec.exe
Token: SeShutdownPrivilege	1892	msiexec.exe
Token: SeDebugPrivilege	1892	msiexec.exe
Token: SeAuditPrivilege	1892	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1892	msiexec.exe
Token: SeChangeNotifyPrivilege	1892	msiexec.exe
Token: SeRemoteShutdownPrivilege	1892	msiexec.exe
Token: SeUndockPrivilege	1892	msiexec.exe
Token: SeSyncAgentPrivilege	1892	msiexec.exe
Token: SeEnableDelegationPrivilege	1892	msiexec.exe
Token: SeManageVolumePrivilege	1892	msiexec.exe
Token: SeImpersonatePrivilege	1892	msiexec.exe
Token: SeCreateGlobalPrivilege	1892	msiexec.exe
Token: SeRestorePrivilege	1828	msiexec.exe
Token: SeTakeOwnershipPrivilege	1828	msiexec.exe
Token: SeRestorePrivilege	1828	msiexec.exe
Token: SeTakeOwnershipPrivilege	1828	msiexec.exe
Token: SeRestorePrivilege	1828	msiexec.exe
Token: SeTakeOwnershipPrivilege	1828	msiexec.exe
Token: SeRestorePrivilege	1828	msiexec.exe
Token: SeTakeOwnershipPrivilege	1828	msiexec.exe
Token: SeRestorePrivilege	1828	msiexec.exe
Token: SeTakeOwnershipPrivilege	1828	msiexec.exe
Token: SeRestorePrivilege	1828	msiexec.exe
Token: SeTakeOwnershipPrivilege	1828	msiexec.exe
Token: SeRestorePrivilege	1828	msiexec.exe
Token: SeTakeOwnershipPrivilege	1828	msiexec.exe
Token: SeRestorePrivilege	1828	msiexec.exe
Token: SeTakeOwnershipPrivilege	1828	msiexec.exe
Token: SeRestorePrivilege	1828	msiexec.exe
Token: SeTakeOwnershipPrivilege	1828	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1892	msiexec.exe
568	iexplore.exe
1892	msiexec.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
568	iexplore.exe
568	iexplore.exe
276	IEXPLORE.EXE
276	IEXPLORE.EXE
276	IEXPLORE.EXE
276	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 1336	1828	msiexec.exe	29
PID 1828 wrote to memory of 1336	1828	msiexec.exe	29
PID 1828 wrote to memory of 1336	1828	msiexec.exe	29
PID 1828 wrote to memory of 1336	1828	msiexec.exe	29
PID 1828 wrote to memory of 1336	1828	msiexec.exe	29
PID 1828 wrote to memory of 1336	1828	msiexec.exe	29
PID 1828 wrote to memory of 1336	1828	msiexec.exe	29
PID 1336 wrote to memory of 2036	1336	MsiExec.exe	30
PID 1336 wrote to memory of 2036	1336	MsiExec.exe	30
PID 1336 wrote to memory of 2036	1336	MsiExec.exe	30
PID 1336 wrote to memory of 2036	1336	MsiExec.exe	30
PID 2036 wrote to memory of 568	2036	cmd.exe	32
PID 2036 wrote to memory of 568	2036	cmd.exe	32
PID 2036 wrote to memory of 568	2036	cmd.exe	32
PID 2036 wrote to memory of 568	2036	cmd.exe	32
PID 568 wrote to memory of 276	568	iexplore.exe	34
PID 568 wrote to memory of 276	568	iexplore.exe	34
PID 568 wrote to memory of 276	568	iexplore.exe	34
PID 568 wrote to memory of 276	568	iexplore.exe	34
PID 1336 wrote to memory of 1416	1336	MsiExec.exe	36
PID 1336 wrote to memory of 1416	1336	MsiExec.exe	36
PID 1336 wrote to memory of 1416	1336	MsiExec.exe	36
PID 1336 wrote to memory of 1416	1336	MsiExec.exe	36
PID 1336 wrote to memory of 1416	1336	MsiExec.exe	36
PID 1336 wrote to memory of 1416	1336	MsiExec.exe	36
PID 1336 wrote to memory of 1416	1336	MsiExec.exe	36

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c51857627b43582a7f2995c27356717b474854716ddffabcc4ec03b0085bcc07.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1892

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 27D08120AADCBB46D01751344EC927F3
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start /MAX https://adobe.ly/2RY5GJR
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://adobe.ly/2RY5GJR
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:568
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:568 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:276
- - C:\Users\Admin\AppData\Local\Temp\lcD246.tmp
    "C:\Users\Admin\AppData\Local\Temp\lcD246.tmp"
    3⤵
    - Executes dropped EXE
    PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
b9f21d8db36e88831e5352bb82c438b3

SHA1
4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

SHA256
998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

SHA512
d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e71abcb9c8add91ee5af5adf70ece2d4

SHA1
b9da3f3f1cf1019f3b9e4cf992b0a8d4e71cf069

SHA256
0c56582f033a1ef7bdd34b003b7c95c7b1d7edccb6c13c9198921f38aa30116e

SHA512
180c95c34b25d4d5b2dc5537296b29903744ec44a5d887ddc2857e5025c64c3a0c749442d15b5eb97342ce487a4f85b463e7ac347b140778db44a1577cd1b98a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6bb7abf6b8e128f080a0e21722f306ad

SHA1
6cc9a2efc3b1711ea334742b9c5480643ce6f348

SHA256
10923c19d1eda074f906e27eab6bf1eeb34907c9d2e6c0b9944738cb804c7a06

SHA512
546a5e97e474ec1a3c6a921f04ffa2bad9345f754aabc581f2a109c8df531818171aad093f63d286af72c53ad095babe59a780ef0c1d45f893097ab5431edf42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\k007hrg\imagestore.dat

Filesize
13KB

MD5
65149ccf4162c18b17d350b3ad0eaa41

SHA1
082f865b2a6c7276fa3d8b520ff2c130655cee6d

SHA256
70950b840ffe392f7164a53fdb97fad02aa81e502e67759984a584101e23422b

SHA512
b71d6993ba5d4d634b9b339c27cff0debd6bb43fc8dc27645952fa537c32b8ffffab349ff5a0c97a9dff76c9d5f7cf2abff3c07d519f9f55554ef86f4a9cf70c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\k007hrg\imagestore.dat

Filesize
23KB

MD5
91f6c9f6969c18fd9a4ab5981b42a460

SHA1
03996c117727010780c7e91bbbc04c14f3e9c3ad

SHA256
a07fdef8750e3bfa4e7893acf9f302ff7d16ceae4af3432a368711ecff2ba8f9

SHA512
8349514c219bf0dc1f5c7f27cc7a65f529c6e399a8db678b6c6e83a0435e30b210f6dffded63e0cdeb4da9bb39010c188ae3133a11951e5b8e4411089d08e213

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcD246.tmp

Filesize
12KB

MD5
55ffee241709ae96cf64cb0b9a96f0d7

SHA1
b191810094dd2ee6b13c0d33458fafcd459681ae

SHA256
64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

SHA512
01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5WGLWXRJ.txt

Filesize
602B

MD5
55fe6ef3e9184e5a4625717785cb750e

SHA1
099606447f4cb26de427021fe811399fa412d08b

SHA256
ffaa890749847ac38869f8b566c1fd057ecfdf4f364a3825eb62f698e0b89b3b

SHA512
d6e5f0bb88e48942dafb093baec3af1a5e3bf26e2b86d939a7bd8a6ee752a26abac8c10d25d1ef13d3fa36cd75ce442a258806cf77bfe45e11dd17e4d29d8953

Download Submit
C:\Windows\Installer\MSIB3E5.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSICA15.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSID221.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSID3A8.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
\Users\Admin\AppData\Local\Temp\lcD246.tmp

Filesize
12KB

MD5
55ffee241709ae96cf64cb0b9a96f0d7

SHA1
b191810094dd2ee6b13c0d33458fafcd459681ae

SHA256
64bc6cf6b6e9850cea2a36cabc88982b0b936dd7f0bc169a2f6dd2a5d1e86abf

SHA512
01d05a5f34be950ec660af9e1de5c7d3c0e473f7815c2e13157c0b7bf162ca5a6b34fabc3704ba6e4fb339a53b1a20862fe984e16feca81f45cf4a0f98e01c07

Download Submit
\Windows\Installer\MSIB3E5.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
\Windows\Installer\MSICA15.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
\Windows\Installer\MSID221.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
\Windows\Installer\MSID3A8.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
memory/1336-57-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1892-54-0x000007FEFC5C1000-0x000007FEFC5C3000-memory.dmp

Filesize
8KB

Download