vidar | 60c410c65d8b07444b092f5fb71b2b3f071a0cb92230fad7211551309611d899

Analysis

max time kernel
125s
max time network
131s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60c410c65d8b07444b092f5fb71b2b3f071a0cb92230fad7211551309611d899.msi
Size

2.0MB
MD5

e34e031f90002ad25ca1b315e0a0e1ca
SHA1

ed594f951eed29c1354e6d9e65f82cc27b39b060
SHA256

60c410c65d8b07444b092f5fb71b2b3f071a0cb92230fad7211551309611d899
SHA512

4c08ffaa9301f963c54cb8aa17bce30d833121b056c06903606ca1fe0d9e3a112b20ae72dde5e623acdf3bde15e75830f43f86594eed46e3ddc411e2bee9149f

Score

10^/10

vidar 615 coreentity rezer0 stealer suricata

Malware Config

Extracted

Family

vidar

Version

26.1

Botnet

615

http://centos10.com/

Attributes

profile_id
615

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/1472-72-0x00000000009C0000-0x00000000009C8000-memory.dmp	coreentity

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1472-73-0x0000000005380000-0x0000000005416000-memory.dmp	rezer0

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1692-79-0x0000000000400000-0x000000000048D000-memory.dmp	family_vidar
behavioral1/memory/1692-81-0x0000000000400000-0x000000000048D000-memory.dmp	family_vidar
behavioral1/memory/1692-82-0x000000000045BA5D-mapping.dmp	family_vidar
behavioral1/memory/1692-86-0x0000000000400000-0x000000000048D000-memory.dmp	family_vidar

Executes dropped EXE 1 IoCs

Processes:

update_.exe

pid process

1472 update_.exe
Loads dropped DLL 7 IoCs

Processes:

MsiExec.exe

pid process

2012 MsiExec.exe
2012 MsiExec.exe
2012 MsiExec.exe
2012 MsiExec.exe
2012 MsiExec.exe
2012 MsiExec.exe
2012 MsiExec.exe

pid	process
1472	update_.exe

pid	process
2012	MsiExec.exe
2012	MsiExec.exe
2012	MsiExec.exe
2012	MsiExec.exe
2012	MsiExec.exe
2012	MsiExec.exe
2012	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

update_.exe

description pid process target process

PID 1472 set thread context of 1692 1472 update_.exe RegSvcs.exe

description	pid	process	target process
PID 1472 set thread context of 1692	1472	update_.exe	RegSvcs.exe

Drops file in Windows directory 17 IoCs

Processes:

msiexec.exeDrvInst.exeexpand.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIC3EE.tmp	msiexec.exe
File created	C:\Windows\Installer\{1BCCC744-C9F2-4623-BB86-4B588A51334D}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\6d2ba4.ipi	msiexec.exe
File created	C:\Windows\Installer\6d2ba3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6d2ba3.msi	msiexec.exe
File created	C:\Windows\Installer\6d2ba4.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC361.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI2EAF.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Installer\MSIC5A6.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File created	C:\Windows\Installer\6d2ba6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{1BCCC744-C9F2-4623-BB86-4B588A51334D}\ProductIcon	msiexec.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe

Modifies registry class 23 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\447CCCB12F9C3264BB68B485A81533D4\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\ProductIcon = "C:\\Windows\\Installer\\{1BCCC744-C9F2-4623-BB86-4B588A51334D}\\ProductIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4D8C7751FCEC9AC4BB70FBE6F1982114	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\PackageCode = "C10CDC6E570C4CA43B2950E45D8BE53F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\SourceList\PackageName = "60c410c65d8b07444b092f5fb71b2b3f071a0cb92230fad7211551309611d899.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\447CCCB12F9C3264BB68B485A81533D4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\ProductName = "setup"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4D8C7751FCEC9AC4BB70FBE6F1982114\447CCCB12F9C3264BB68B485A81533D4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\Clients = 3a0000000000	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

msiexec.exeupdate_.exe

pid process

2024 msiexec.exe
2024 msiexec.exe
1472 update_.exe
1472 update_.exe
1472 update_.exe

pid	process
2024	msiexec.exe
2024	msiexec.exe
1472	update_.exe
1472	update_.exe
1472	update_.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exeupdate_.exe

description	pid	process
Token: SeShutdownPrivilege	1984	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1984	msiexec.exe
Token: SeRestorePrivilege	2024	msiexec.exe
Token: SeTakeOwnershipPrivilege	2024	msiexec.exe
Token: SeSecurityPrivilege	2024	msiexec.exe
Token: SeCreateTokenPrivilege	1984	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1984	msiexec.exe
Token: SeLockMemoryPrivilege	1984	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1984	msiexec.exe
Token: SeMachineAccountPrivilege	1984	msiexec.exe
Token: SeTcbPrivilege	1984	msiexec.exe
Token: SeSecurityPrivilege	1984	msiexec.exe
Token: SeTakeOwnershipPrivilege	1984	msiexec.exe
Token: SeLoadDriverPrivilege	1984	msiexec.exe
Token: SeSystemProfilePrivilege	1984	msiexec.exe
Token: SeSystemtimePrivilege	1984	msiexec.exe
Token: SeProfSingleProcessPrivilege	1984	msiexec.exe
Token: SeIncBasePriorityPrivilege	1984	msiexec.exe
Token: SeCreatePagefilePrivilege	1984	msiexec.exe
Token: SeCreatePermanentPrivilege	1984	msiexec.exe
Token: SeBackupPrivilege	1984	msiexec.exe
Token: SeRestorePrivilege	1984	msiexec.exe
Token: SeShutdownPrivilege	1984	msiexec.exe
Token: SeDebugPrivilege	1984	msiexec.exe
Token: SeAuditPrivilege	1984	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1984	msiexec.exe
Token: SeChangeNotifyPrivilege	1984	msiexec.exe
Token: SeRemoteShutdownPrivilege	1984	msiexec.exe
Token: SeUndockPrivilege	1984	msiexec.exe
Token: SeSyncAgentPrivilege	1984	msiexec.exe
Token: SeEnableDelegationPrivilege	1984	msiexec.exe
Token: SeManageVolumePrivilege	1984	msiexec.exe
Token: SeImpersonatePrivilege	1984	msiexec.exe
Token: SeCreateGlobalPrivilege	1984	msiexec.exe
Token: SeBackupPrivilege	1060	vssvc.exe
Token: SeRestorePrivilege	1060	vssvc.exe
Token: SeAuditPrivilege	1060	vssvc.exe
Token: SeBackupPrivilege	2024	msiexec.exe
Token: SeRestorePrivilege	2024	msiexec.exe
Token: SeRestorePrivilege	432	DrvInst.exe
Token: SeRestorePrivilege	432	DrvInst.exe
Token: SeRestorePrivilege	432	DrvInst.exe
Token: SeRestorePrivilege	432	DrvInst.exe
Token: SeRestorePrivilege	432	DrvInst.exe
Token: SeRestorePrivilege	432	DrvInst.exe
Token: SeRestorePrivilege	432	DrvInst.exe
Token: SeLoadDriverPrivilege	432	DrvInst.exe
Token: SeLoadDriverPrivilege	432	DrvInst.exe
Token: SeLoadDriverPrivilege	432	DrvInst.exe
Token: SeRestorePrivilege	2024	msiexec.exe
Token: SeTakeOwnershipPrivilege	2024	msiexec.exe
Token: SeRestorePrivilege	2024	msiexec.exe
Token: SeTakeOwnershipPrivilege	2024	msiexec.exe
Token: SeDebugPrivilege	1472	update_.exe
Token: SeRestorePrivilege	2024	msiexec.exe
Token: SeTakeOwnershipPrivilege	2024	msiexec.exe
Token: SeRestorePrivilege	2024	msiexec.exe
Token: SeTakeOwnershipPrivilege	2024	msiexec.exe
Token: SeRestorePrivilege	2024	msiexec.exe
Token: SeTakeOwnershipPrivilege	2024	msiexec.exe
Token: SeRestorePrivilege	2024	msiexec.exe
Token: SeTakeOwnershipPrivilege	2024	msiexec.exe
Token: SeRestorePrivilege	2024	msiexec.exe
Token: SeTakeOwnershipPrivilege	2024	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1984 msiexec.exe
1984 msiexec.exe

pid	process
1984	msiexec.exe
1984	msiexec.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

msiexec.exeMsiExec.exeupdate_.exe

description	pid	process	target process
PID 2024 wrote to memory of 2012	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2012	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2012	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2012	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2012	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2012	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2012	2024	msiexec.exe	MsiExec.exe
PID 2012 wrote to memory of 1652	2012	MsiExec.exe	expand.exe
PID 2012 wrote to memory of 1652	2012	MsiExec.exe	expand.exe
PID 2012 wrote to memory of 1652	2012	MsiExec.exe	expand.exe
PID 2012 wrote to memory of 1652	2012	MsiExec.exe	expand.exe
PID 2012 wrote to memory of 1472	2012	MsiExec.exe	update_.exe
PID 2012 wrote to memory of 1472	2012	MsiExec.exe	update_.exe
PID 2012 wrote to memory of 1472	2012	MsiExec.exe	update_.exe
PID 2012 wrote to memory of 1472	2012	MsiExec.exe	update_.exe
PID 2012 wrote to memory of 1472	2012	MsiExec.exe	update_.exe
PID 2012 wrote to memory of 1472	2012	MsiExec.exe	update_.exe
PID 2012 wrote to memory of 1472	2012	MsiExec.exe	update_.exe
PID 1472 wrote to memory of 1692	1472	update_.exe	RegSvcs.exe
PID 1472 wrote to memory of 1692	1472	update_.exe	RegSvcs.exe
PID 1472 wrote to memory of 1692	1472	update_.exe	RegSvcs.exe
PID 1472 wrote to memory of 1692	1472	update_.exe	RegSvcs.exe
PID 1472 wrote to memory of 1692	1472	update_.exe	RegSvcs.exe
PID 1472 wrote to memory of 1692	1472	update_.exe	RegSvcs.exe
PID 1472 wrote to memory of 1692	1472	update_.exe	RegSvcs.exe
PID 1472 wrote to memory of 1692	1472	update_.exe	RegSvcs.exe
PID 1472 wrote to memory of 1692	1472	update_.exe	RegSvcs.exe
PID 1472 wrote to memory of 1692	1472	update_.exe	RegSvcs.exe
PID 1472 wrote to memory of 1692	1472	update_.exe	RegSvcs.exe
PID 1472 wrote to memory of 1692	1472	update_.exe	RegSvcs.exe
PID 2012 wrote to memory of 1352	2012	MsiExec.exe	cmd.exe
PID 2012 wrote to memory of 1352	2012	MsiExec.exe	cmd.exe
PID 2012 wrote to memory of 1352	2012	MsiExec.exe	cmd.exe
PID 2012 wrote to memory of 1352	2012	MsiExec.exe	cmd.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\60c410c65d8b07444b092f5fb71b2b3f071a0cb92230fad7211551309611d899.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1984

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2946A75E5E91C15917F33431B6FCC963
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\expand.exe
"C:\Windows\System32\expand.exe" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:1652

C:\Users\Admin\AppData\Local\Temp\MW-340cf801-b8f9-4bff-9f37-d232aad0515c\files\update_.exe
"C:\Users\Admin\AppData\Local\Temp\MW-340cf801-b8f9-4bff-9f37-d232aad0515c\files\update_.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
4⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-340cf801-b8f9-4bff-9f37-d232aad0515c\files"
3⤵
PID:1352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003CC" "0000000000000304"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-340cf801-b8f9-4bff-9f37-d232aad0515c\files.cab
Filesize
1.6MB

MD5
483df885be4c8437b1911eff9850dda7

SHA1
06a57536d2c68c0c20d1ca3d7d451ac1280dd4f3

SHA256
ecd1378d316af9c3412409bcd7e75209bcfc059ec168ee1ffbb1e6f4aad05834

SHA512
007b3f6cee62f09338c02422066ecda15c04d95d713c0084af0d6d3af78f6be13e8bbbffc63aecbefd3aa114bc7856b044131785526cba61981c8558c373d079

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-340cf801-b8f9-4bff-9f37-d232aad0515c\files\update_.exe
Filesize
1.6MB

MD5
8997b830816a345baf25f94e8033f92a

SHA1
f398d7c660d0d2e5e3f8fc7c88818f52d22ed008

SHA256
af104f0f0c43600e5116b57f3e89f044c225850cee16a4e1a1d37d0272d20e52

SHA512
57d50ac553fecf6a06c37cdefded2481488a132764c906ac90a4da6b6c5006d5cb1aaddcdea0910c511b47298ccf8cf0b1695ada9b01d7edb25a6a2008a563ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-340cf801-b8f9-4bff-9f37-d232aad0515c\files\update_.exe
Filesize
1.6MB

MD5
8997b830816a345baf25f94e8033f92a

SHA1
f398d7c660d0d2e5e3f8fc7c88818f52d22ed008

SHA256
af104f0f0c43600e5116b57f3e89f044c225850cee16a4e1a1d37d0272d20e52

SHA512
57d50ac553fecf6a06c37cdefded2481488a132764c906ac90a4da6b6c5006d5cb1aaddcdea0910c511b47298ccf8cf0b1695ada9b01d7edb25a6a2008a563ba

Download Submit
C:\Windows\Installer\MSI2EAF.tmp
Filesize
128KB

MD5
3e9d2974fd83d2c22b647d36a2ba7861

SHA1
3b1d50d42235439d456444f7d3b573f93ecdbe5f

SHA256
339ad75878735d68ccf46bd6f2a73908e4b97be2b947b913e3472dda2c35135a

SHA512
e97fdb1d0053d20e7d869d664662f3a845a8b64103e1876513793adff5a190b110d7c221b81102e7e1f6c902dcf0ade18ade2299d3083917d3673aa3ba4ebb9f

Download Submit
C:\Windows\Installer\MSIC3EE.tmp
Filesize
128KB

MD5
3e9d2974fd83d2c22b647d36a2ba7861

SHA1
3b1d50d42235439d456444f7d3b573f93ecdbe5f

SHA256
339ad75878735d68ccf46bd6f2a73908e4b97be2b947b913e3472dda2c35135a

SHA512
e97fdb1d0053d20e7d869d664662f3a845a8b64103e1876513793adff5a190b110d7c221b81102e7e1f6c902dcf0ade18ade2299d3083917d3673aa3ba4ebb9f

Download Submit
C:\Windows\Installer\MSIC5A6.tmp
Filesize
128KB

MD5
3e9d2974fd83d2c22b647d36a2ba7861

SHA1
3b1d50d42235439d456444f7d3b573f93ecdbe5f

SHA256
339ad75878735d68ccf46bd6f2a73908e4b97be2b947b913e3472dda2c35135a

SHA512
e97fdb1d0053d20e7d869d664662f3a845a8b64103e1876513793adff5a190b110d7c221b81102e7e1f6c902dcf0ade18ade2299d3083917d3673aa3ba4ebb9f

Download Submit
\Users\Admin\AppData\Local\Temp\MW-340cf801-b8f9-4bff-9f37-d232aad0515c\files\update_.exe
Filesize
1.6MB

MD5
8997b830816a345baf25f94e8033f92a

SHA1
f398d7c660d0d2e5e3f8fc7c88818f52d22ed008

SHA256
af104f0f0c43600e5116b57f3e89f044c225850cee16a4e1a1d37d0272d20e52

SHA512
57d50ac553fecf6a06c37cdefded2481488a132764c906ac90a4da6b6c5006d5cb1aaddcdea0910c511b47298ccf8cf0b1695ada9b01d7edb25a6a2008a563ba

Download Submit
\Users\Admin\AppData\Local\Temp\MW-340cf801-b8f9-4bff-9f37-d232aad0515c\files\update_.exe
Filesize
1.6MB

MD5
8997b830816a345baf25f94e8033f92a

SHA1
f398d7c660d0d2e5e3f8fc7c88818f52d22ed008

SHA256
af104f0f0c43600e5116b57f3e89f044c225850cee16a4e1a1d37d0272d20e52

SHA512
57d50ac553fecf6a06c37cdefded2481488a132764c906ac90a4da6b6c5006d5cb1aaddcdea0910c511b47298ccf8cf0b1695ada9b01d7edb25a6a2008a563ba

Download Submit
\Users\Admin\AppData\Local\Temp\MW-340cf801-b8f9-4bff-9f37-d232aad0515c\files\update_.exe
Filesize
1.6MB

MD5
8997b830816a345baf25f94e8033f92a

SHA1
f398d7c660d0d2e5e3f8fc7c88818f52d22ed008

SHA256
af104f0f0c43600e5116b57f3e89f044c225850cee16a4e1a1d37d0272d20e52

SHA512
57d50ac553fecf6a06c37cdefded2481488a132764c906ac90a4da6b6c5006d5cb1aaddcdea0910c511b47298ccf8cf0b1695ada9b01d7edb25a6a2008a563ba

Download Submit
\Users\Admin\AppData\Local\Temp\MW-340cf801-b8f9-4bff-9f37-d232aad0515c\files\update_.exe
Filesize
1.6MB

MD5
8997b830816a345baf25f94e8033f92a

SHA1
f398d7c660d0d2e5e3f8fc7c88818f52d22ed008

SHA256
af104f0f0c43600e5116b57f3e89f044c225850cee16a4e1a1d37d0272d20e52

SHA512
57d50ac553fecf6a06c37cdefded2481488a132764c906ac90a4da6b6c5006d5cb1aaddcdea0910c511b47298ccf8cf0b1695ada9b01d7edb25a6a2008a563ba

Download Submit
\Windows\Installer\MSI2EAF.tmp
Filesize
128KB

MD5
3e9d2974fd83d2c22b647d36a2ba7861

SHA1
3b1d50d42235439d456444f7d3b573f93ecdbe5f

SHA256
339ad75878735d68ccf46bd6f2a73908e4b97be2b947b913e3472dda2c35135a

SHA512
e97fdb1d0053d20e7d869d664662f3a845a8b64103e1876513793adff5a190b110d7c221b81102e7e1f6c902dcf0ade18ade2299d3083917d3673aa3ba4ebb9f

Download Submit
\Windows\Installer\MSIC3EE.tmp
Filesize
128KB

MD5
3e9d2974fd83d2c22b647d36a2ba7861

SHA1
3b1d50d42235439d456444f7d3b573f93ecdbe5f

SHA256
339ad75878735d68ccf46bd6f2a73908e4b97be2b947b913e3472dda2c35135a

SHA512
e97fdb1d0053d20e7d869d664662f3a845a8b64103e1876513793adff5a190b110d7c221b81102e7e1f6c902dcf0ade18ade2299d3083917d3673aa3ba4ebb9f

Download Submit
\Windows\Installer\MSIC5A6.tmp
Filesize
128KB

MD5
3e9d2974fd83d2c22b647d36a2ba7861

SHA1
3b1d50d42235439d456444f7d3b573f93ecdbe5f

SHA256
339ad75878735d68ccf46bd6f2a73908e4b97be2b947b913e3472dda2c35135a

SHA512
e97fdb1d0053d20e7d869d664662f3a845a8b64103e1876513793adff5a190b110d7c221b81102e7e1f6c902dcf0ade18ade2299d3083917d3673aa3ba4ebb9f

Download Submit
memory/1352-88-0x0000000000000000-mapping.dmp

Download
memory/1472-69-0x0000000000D00000-0x0000000000E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1472-71-0x0000000005D80000-0x0000000005E26000-memory.dmp

Filesize
664KB

Download
memory/1472-72-0x00000000009C0000-0x00000000009C8000-memory.dmp

Filesize
32KB

Download
memory/1472-73-0x0000000005380000-0x0000000005416000-memory.dmp

Filesize
600KB

Download
memory/1472-67-0x0000000000000000-mapping.dmp

Download
memory/1652-60-0x0000000000000000-mapping.dmp

Download
memory/1692-79-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1692-77-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1692-81-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1692-82-0x000000000045BA5D-mapping.dmp

Download
memory/1692-75-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1692-86-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1692-74-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1984-54-0x000007FEFBC91000-0x000007FEFBC93000-memory.dmp

Filesize
8KB

Download
memory/2012-57-0x00000000756E1000-0x00000000756E3000-memory.dmp

Filesize
8KB

Download
memory/2012-56-0x0000000000000000-mapping.dmp

Download