Analysis
Max time kernel: 125s
Max time network: 131s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 20-05-2022 06:27

Static task: static1
Behavioral task: behavioral1
- Sample: 60c410c65d8b07444b092f5fb71b2b3f071a0cb92230fad7211551309611d899.msi
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 60c410c65d8b07444b092f5fb71b2b3f071a0cb92230fad7211551309611d899.msi
- Resource: win10v2004-20220414-en
General
Target: 60c410c65d8b07444b092f5fb71b2b3f071a0cb92230fad7211551309611d899.msi
Size: 2.0MB
MD5: e34e031f90002ad25ca1b315e0a0e1ca
SHA1: ed594f951eed29c1354e6d9e65f82cc27b39b060
SHA256: 60c410c65d8b07444b092f5fb71b2b3f071a0cb92230fad7211551309611d899
SHA512: 4c08ffaa9301f963c54cb8aa17bce30d833121b056c06903606ca1fe0d9e3a112b20ae72dde5e623acdf3bde15e75830f43f86594eed46e3ddc411e2bee9149f
Malware Config
Extracted
Family: vidar
Version: 26.1
Botnet: 615
C2: http://centos10.com/
Attributes:
- profile_id: 615
Signatures

CoreEntity .NET Packer (1 IoC)
CoreEntity is a .NET packer that embeds its payload as a BitMap object which is later decrypted.
YARA matches:
- behavioral1/memory/1472-72-0x00000000009C0000-0x00000000009C8000-memory.dmp (rule: coreentity)

Suricata alerts:
- ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
- ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
ReZer0 packer (1 IoC)
Detects ReZer0, a packer with multiple versions used in various campaigns.
YARA matches:
- behavioral1/memory/1472-73-0x0000000005380000-0x0000000005416000-memory.dmp (rule: rezer0)
Vidar Stealer (4 IoCs)
YARA matches:
- behavioral1/memory/1692-79-0x0000000000400000-0x000000000048D000-memory.dmp (rule: family_vidar)
- behavioral1/memory/1692-81-0x0000000000400000-0x000000000048D000-memory.dmp (rule: family_vidar)
- behavioral1/memory/1692-82-0x000000000045BA5D-mapping.dmp (rule: family_vidar)
- behavioral1/memory/1692-86-0x0000000000400000-0x000000000048D000-memory.dmp (rule: family_vidar)
Executes dropped EXE (1 IoC)
Processes:
- PID 1472 update_.exe

Loads dropped DLL (7 IoCs)
Processes:
- PID 2012 MsiExec.exe (7 occurrences)
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 1472 update_.exe set thread context of PID 1692 RegSvcs.exe
Drops file in Windows directory (17 IoCs)
Modifies data under HKEY_USERS (46 IoCs)
Modifies registry class (23 IoCs)
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
- PID 2024 msiexec.exe (2 occurrences)
- PID 1472 update_.exe (3 occurrences)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 1984 msiexec.exe (2 occurrences)
Suspicious use of WriteProcessMemory (34 IoCs)
Processes

C:\Windows\system32\msiexec.exe
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\60c410c65d8b07444b092f5fb71b2b3f071a0cb92230fad7211551309611d899.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2946A75E5E91C15917F33431B6FCC963
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\expand.exe
    Command line: "C:\Windows\System32\expand.exe" -R files.cab -F:* files
    - Drops file in Windows directory

    C:\Users\Admin\AppData\Local\Temp\MW-340cf801-b8f9-4bff-9f37-d232aad0515c\files\update_.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MW-340cf801-b8f9-4bff-9f37-d232aad0515c\files\update_.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "{path}"

    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-340cf801-b8f9-4bff-9f37-d232aad0515c\files"

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003CC" "0000000000000304"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\MW-340cf801-b8f9-4bff-9f37-d232aad0515c\files.cab
  Filesize: 1.6MB
  MD5: 483df885be4c8437b1911eff9850dda7
  SHA1: 06a57536d2c68c0c20d1ca3d7d451ac1280dd4f3
  SHA256: ecd1378d316af9c3412409bcd7e75209bcfc059ec168ee1ffbb1e6f4aad05834
  SHA512: 007b3f6cee62f09338c02422066ecda15c04d95d713c0084af0d6d3af78f6be13e8bbbffc63aecbefd3aa114bc7856b044131785526cba61981c8558c373d079
- C:\Users\Admin\AppData\Local\Temp\MW-340cf801-b8f9-4bff-9f37-d232aad0515c\files\update_.exe
  Filesize: 1.6MB
  MD5: 8997b830816a345baf25f94e8033f92a
  SHA1: f398d7c660d0d2e5e3f8fc7c88818f52d22ed008
  SHA256: af104f0f0c43600e5116b57f3e89f044c225850cee16a4e1a1d37d0272d20e52
  SHA512: 57d50ac553fecf6a06c37cdefded2481488a132764c906ac90a4da6b6c5006d5cb1aaddcdea0910c511b47298ccf8cf0b1695ada9b01d7edb25a6a2008a563ba
- C:\Windows\Installer\MSI2EAF.tmp
  Filesize: 128KB
  MD5: 3e9d2974fd83d2c22b647d36a2ba7861
  SHA1: 3b1d50d42235439d456444f7d3b573f93ecdbe5f
  SHA256: 339ad75878735d68ccf46bd6f2a73908e4b97be2b947b913e3472dda2c35135a
  SHA512: e97fdb1d0053d20e7d869d664662f3a845a8b64103e1876513793adff5a190b110d7c221b81102e7e1f6c902dcf0ade18ade2299d3083917d3673aa3ba4ebb9f

- C:\Windows\Installer\MSIC3EE.tmp
  Filesize: 128KB
  MD5: 3e9d2974fd83d2c22b647d36a2ba7861
  SHA1: 3b1d50d42235439d456444f7d3b573f93ecdbe5f
  SHA256: 339ad75878735d68ccf46bd6f2a73908e4b97be2b947b913e3472dda2c35135a
  SHA512: e97fdb1d0053d20e7d869d664662f3a845a8b64103e1876513793adff5a190b110d7c221b81102e7e1f6c902dcf0ade18ade2299d3083917d3673aa3ba4ebb9f

- C:\Windows\Installer\MSIC5A6.tmp
  Filesize: 128KB
  MD5: 3e9d2974fd83d2c22b647d36a2ba7861
  SHA1: 3b1d50d42235439d456444f7d3b573f93ecdbe5f
  SHA256: 339ad75878735d68ccf46bd6f2a73908e4b97be2b947b913e3472dda2c35135a
  SHA512: e97fdb1d0053d20e7d869d664662f3a845a8b64103e1876513793adff5a190b110d7c221b81102e7e1f6c902dcf0ade18ade2299d3083917d3673aa3ba4ebb9f
- \Users\Admin\AppData\Local\Temp\MW-340cf801-b8f9-4bff-9f37-d232aad0515c\files\update_.exe
  Filesize: 1.6MB
  MD5: 8997b830816a345baf25f94e8033f92a
  SHA1: f398d7c660d0d2e5e3f8fc7c88818f52d22ed008
  SHA256: af104f0f0c43600e5116b57f3e89f044c225850cee16a4e1a1d37d0272d20e52
  SHA512: 57d50ac553fecf6a06c37cdefded2481488a132764c906ac90a4da6b6c5006d5cb1aaddcdea0910c511b47298ccf8cf0b1695ada9b01d7edb25a6a2008a563ba
- \Windows\Installer\MSI2EAF.tmp
  Filesize: 128KB
  MD5: 3e9d2974fd83d2c22b647d36a2ba7861
  SHA1: 3b1d50d42235439d456444f7d3b573f93ecdbe5f
  SHA256: 339ad75878735d68ccf46bd6f2a73908e4b97be2b947b913e3472dda2c35135a
  SHA512: e97fdb1d0053d20e7d869d664662f3a845a8b64103e1876513793adff5a190b110d7c221b81102e7e1f6c902dcf0ade18ade2299d3083917d3673aa3ba4ebb9f

- \Windows\Installer\MSIC3EE.tmp
  Filesize: 128KB
  MD5: 3e9d2974fd83d2c22b647d36a2ba7861
  SHA1: 3b1d50d42235439d456444f7d3b573f93ecdbe5f
  SHA256: 339ad75878735d68ccf46bd6f2a73908e4b97be2b947b913e3472dda2c35135a
  SHA512: e97fdb1d0053d20e7d869d664662f3a845a8b64103e1876513793adff5a190b110d7c221b81102e7e1f6c902dcf0ade18ade2299d3083917d3673aa3ba4ebb9f

- \Windows\Installer\MSIC5A6.tmp
  Filesize: 128KB
  MD5: 3e9d2974fd83d2c22b647d36a2ba7861
  SHA1: 3b1d50d42235439d456444f7d3b573f93ecdbe5f
  SHA256: 339ad75878735d68ccf46bd6f2a73908e4b97be2b947b913e3472dda2c35135a
  SHA512: e97fdb1d0053d20e7d869d664662f3a845a8b64103e1876513793adff5a190b110d7c221b81102e7e1f6c902dcf0ade18ade2299d3083917d3673aa3ba4ebb9f
Memory dumps:
- memory/1352-88-0x0000000000000000-mapping.dmp
- memory/1472-69-0x0000000000D00000-0x0000000000E9E000-memory.dmp (Filesize: 1.6MB)
- memory/1472-71-0x0000000005D80000-0x0000000005E26000-memory.dmp (Filesize: 664KB)
- memory/1472-72-0x00000000009C0000-0x00000000009C8000-memory.dmp (Filesize: 32KB)
- memory/1472-73-0x0000000005380000-0x0000000005416000-memory.dmp (Filesize: 600KB)
- memory/1472-67-0x0000000000000000-mapping.dmp
- memory/1652-60-0x0000000000000000-mapping.dmp
- memory/1692-79-0x0000000000400000-0x000000000048D000-memory.dmp (Filesize: 564KB)
- memory/1692-77-0x0000000000400000-0x000000000048D000-memory.dmp (Filesize: 564KB)
- memory/1692-81-0x0000000000400000-0x000000000048D000-memory.dmp (Filesize: 564KB)
- memory/1692-82-0x000000000045BA5D-mapping.dmp
- memory/1692-75-0x0000000000400000-0x000000000048D000-memory.dmp (Filesize: 564KB)
- memory/1692-86-0x0000000000400000-0x000000000048D000-memory.dmp (Filesize: 564KB)
- memory/1692-74-0x0000000000400000-0x000000000048D000-memory.dmp (Filesize: 564KB)
- memory/1984-54-0x000007FEFBC91000-0x000007FEFBC93000-memory.dmp (Filesize: 8KB)
- memory/2012-57-0x00000000756E1000-0x00000000756E3000-memory.dmp (Filesize: 8KB)
- memory/2012-56-0x0000000000000000-mapping.dmp