Resubmissions
Submitted          Task ID             Score
19-07-2024 15:23   240719-ssp3ka1dng   10
09-10-2023 22:48   231009-2rhrjagh71   10
29-01-2023 17:46   230129-wchv4afh63   10
14-07-2022 07:49   220714-jn2fcsdbgr   10

Analysis
Max time kernel: 151s
Max time network: 156s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 14-07-2022 07:49

Static task: static1
Behavioral task: behavioral1 (Sample: Statement.pdf.msi, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: Statement.pdf.msi, Resource: win10v2004-20220414-en)
General
Target: Statement.pdf.msi
Size: 1.1MB
MD5: a362de111d5dff6bcdeaf4717af268b6
SHA1: 2e5104db35871c5bc7da2035d8b91398bb5d5e0e
SHA256: 0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca
SHA512: b48a18158a0dff9a9012952c467fcf69b8bfc53ceeacaf32a90fc4b7f3afd34465e676b282fa87f3c5c85b4780baf96cc754dcdeef77ba5330fa8c4fd1d20b72
Malware Config
Signatures
Jigsaw Ransomware
Ransomware family first seen in 2016, named after the wallpaper its early versions set after infection.

Executes dropped EXE (2 IoCs)
pid  | Process
508  | Wire_Transfer.docx.exe
2232 | drpbx.exe
Modifies extensions of user files (5 IoCs)
Ransomware generally changes the extension on encrypted files.
description  | ioc                                           | Process
File created | C:\Users\Admin\Pictures\FindInitialize.png.fun | drpbx.exe
File created | C:\Users\Admin\Pictures\HideDisable.png.fun    | drpbx.exe
File created | C:\Users\Admin\Pictures\WatchAssert.raw.fun    | drpbx.exe
File created | C:\Users\Admin\Pictures\AssertExpand.tif.fun   | drpbx.exe
File created | C:\Users\Admin\Pictures\BackupResize.tif.fun   | drpbx.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description       | ioc                                                                                                   | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | Wire_Transfer.docx.exe
Loads dropped DLL (2 IoCs)
pid  | Process
1848 | MsiExec.exe
4840 | MsiExec.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description     | ioc                                                                                                                                                                                | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | Wire_Transfer.docx.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. Note that every IoC here is attributed to msiexec.exe, i.e. Windows Installer's own drive enumeration during the install, not the dropped payload.
description: File opened (read-only); Process: msiexec.exe. Every drive letter except C: and D: was opened twice (24 letters x 2 = 48 IoCs):
\??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Third Party Notices.txt | drpbx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.tree.dat | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosSmallTile.scale-200.png | drpbx.exe
File created | C:\Program Files\ImportSave.avi.fun | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml | drpbx.exe
File created | C:\Program Files\Microsoft Office\root\rsod\excel.x-none.msi.16.x-none.tree.dat.fun | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-200.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteLargeTile.scale-150.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-200_contrast-black.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-48_altform-unplated.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-lightunplated.png | drpbx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4 | drpbx.exe
File created | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.fun | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MixedRealityPortalStoreLogo.scale-100.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-black_scale-100.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\music_welcome_page.jpg | drpbx.exe
File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | drpbx.exe
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\iheart-radio.scale-200.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-40_altform-unplated.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Doughboy.scale-400.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-100.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-64_contrast-black.png | drpbx.exe
File created | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml.fun | drpbx.exe
File created | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.fun | drpbx.exe
File created | C:\Program Files\7-Zip\History.txt.fun | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_contrast-white.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-64.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-200.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchWide310x150Logo.scale-200_contrast-white.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-40_altform-unplated.png | drpbx.exe
File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | drpbx.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_contrast-white.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.scale-100_contrast-white.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated_contrast-black.png | drpbx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\AppSplashScreen.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-150.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-60.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1851_24x24x32.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-100.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_contrast-white.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-unplated_devicefamily-colorfulunplated.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\BuildInfo.xml | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | drpbx.exe
File created | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.fun | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-unplated.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg1a.jpg | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-100.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-20.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer10Sec.targetsize-64.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSmallTile.scale-150.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-white_scale-100.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-400.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-150.png | drpbx.exe
File created | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml.fun | drpbx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vreg\proofing.msi.16.en-us.vreg.dat | drpbx.exe
File created | C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.boot.tree.dat.fun | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionWideTile.scale-150.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Office.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60_altform-unplated_contrast-black.png | drpbx.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\LOGS\DPX\setupact.log | expand.exe
File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | expand.exe
File opened for modification | C:\Windows\Installer\MSI6E99.tmp | msiexec.exe
File created | C:\Windows\Installer\e575582.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e575582.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{6CC1D7E5-F55B-405E-8E29-8BF624B41193} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI57B5.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI730F.tmp | msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run, however, every IoC belongs to vssvc.exe (the Volume Shadow Copy service) writing its partition-table cache while srtasks.exe creates the restore point for the MSI install, so treat this as installer side effect rather than evasion by the payload.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000036afcf5ac1e326070000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000036afcf5a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090036afcf5a000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000036afcf5a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000036afcf5a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Modifies data under HKEY_USERS (3 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  | Process
3100 | msiexec.exe
3100 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (57 IoCs)
Tokens enabled, grouped by process in the order the report lists them (repeats kept):
pid 3264 msiexec.exe (31): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
pid 3100 msiexec.exe (15): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
pid 3368 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
pid 3180 srtasks.exe (8): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
Suspicious use of FindShellTrayWindow (2 IoCs)
pid  | Process
3264 | msiexec.exe
3264 | msiexec.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description                       | pid  | Process                | procid_target
PID 3100 wrote to memory of 3180  | 3100 | msiexec.exe            | 89
PID 3100 wrote to memory of 3180  | 3100 | msiexec.exe            | 89
PID 3100 wrote to memory of 1848  | 3100 | msiexec.exe            | 91
PID 3100 wrote to memory of 1848  | 3100 | msiexec.exe            | 91
PID 3100 wrote to memory of 1848  | 3100 | msiexec.exe            | 91
PID 1848 wrote to memory of 3560  | 1848 | MsiExec.exe            | 94
PID 1848 wrote to memory of 3560  | 1848 | MsiExec.exe            | 94
PID 1848 wrote to memory of 3560  | 1848 | MsiExec.exe            | 94
PID 1848 wrote to memory of 508   | 1848 | MsiExec.exe            | 97
PID 1848 wrote to memory of 508   | 1848 | MsiExec.exe            | 97
PID 508 wrote to memory of 2232   | 508  | Wire_Transfer.docx.exe | 98
PID 508 wrote to memory of 2232   | 508  | Wire_Transfer.docx.exe | 98
PID 3100 wrote to memory of 4840  | 3100 | msiexec.exe            | 100
PID 3100 wrote to memory of 4840  | 3100 | msiexec.exe            | 100
PID 3100 wrote to memory of 4840  | 3100 | msiexec.exe            | 100
Processes
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Statement.pdf.msi
  PID: 3264
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  PID: 3100
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 3180
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding 96AAFADEE50CA543026010D8857E67CC
    PID: 1848
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\expand.exe
      "C:\Windows\System32\expand.exe" -R files.cab -F:* files
      PID: 3560
      - Drops file in Windows directory
    - C:\Users\Admin\AppData\Local\Temp\MW-ff6f5621-f598-4762-8d67-9c4d57d2477e\files\Wire_Transfer.docx.exe
      "C:\Users\Admin\AppData\Local\Temp\MW-ff6f5621-f598-4762-8d67-9c4d57d2477e\files\Wire_Transfer.docx.exe"
      PID: 508
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
        "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\MW-ff6f5621-f598-4762-8d67-9c4d57d2477e\files\Wire_Transfer.docx.exe
        PID: 2232
        - Executes dropped EXE
        - Modifies extensions of user files
        - Drops file in Program Files directory
  - C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding 6F61FE13CEA9159286BF2D809308F8E9 E Global\MSI0000
    PID: 4840
    - Loads dropped DLL
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  PID: 3368
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
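The signature tables above (the .fun renames by drpbx.exe, the Run value under the user's AppData, the Geo\Nation lookup) and the WriteProcessMemory table together give the infection chain. The script below is an added example, not code from the sandbox or from the sample: it parses lines in the report's own format, constructed here by hand from the tables above so it runs offline, and pulls out the encrypting process, its persistence, the geofence check and the parent chain back to msiexec.exe. The thresholds, rule names, helper functions and the `Executes dropped EXE <pid> <image>` line shape are this example's own assumptions.

```python
"""Rule checks over Triage-style IoC lines for the Jigsaw sample reported above.

Added example, not part of the sandbox report. EVENTS is constructed by hand
from the report's own signature tables so the script runs offline; the
thresholds, rule names and helper functions are this example's own choices.
"""
import re
from collections import Counter, defaultdict

# Constructed from the report: process-tree edges from the WriteProcessMemory
# table, the two dropped executables, and a handful of file/registry IoCs.
EVENTS = r"""
PID 3100 wrote to memory of 3180 3100 msiexec.exe 89
PID 3100 wrote to memory of 1848 3100 msiexec.exe 91
PID 1848 wrote to memory of 3560 1848 MsiExec.exe 94
PID 1848 wrote to memory of 508 1848 MsiExec.exe 97
PID 508 wrote to memory of 2232 508 Wire_Transfer.docx.exe 98
PID 3100 wrote to memory of 4840 3100 msiexec.exe 100
Executes dropped EXE 508 Wire_Transfer.docx.exe
Executes dropped EXE 2232 drpbx.exe
File created C:\Users\Admin\Pictures\FindInitialize.png.fun drpbx.exe
File created C:\Users\Admin\Pictures\HideDisable.png.fun drpbx.exe
File created C:\Users\Admin\Pictures\WatchAssert.raw.fun drpbx.exe
File created C:\Users\Admin\Pictures\AssertExpand.tif.fun drpbx.exe
File created C:\Program Files\ImportSave.avi.fun drpbx.exe
File created C:\Windows\Installer\e575582.msi msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" Wire_Transfer.docx.exe
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation Wire_Transfer.docx.exe
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")
EXE_RE = re.compile(r"^Executes dropped EXE (\d+) (\S+)$")
FILE_RE = re.compile(r"^File created (.+?) (\S+)$")
REG_RE = re.compile(r'^Set value \(str\) (\S+) = "([^"]*)" (\S+)$')
QUERY_RE = re.compile(r"^Key value queried (.+?) (\S+)$")


def parse_events(text):
    """Turn report lines into a parent map, a pid->image map and IoC buckets."""
    parent, images = {}, {}
    files, run_keys, geo = defaultdict(list), [], set()
    for line in text.strip().splitlines():
        if m := WPM_RE.match(line):
            src, dst, image = int(m[1]), int(m[2]), m[3]
            parent[dst] = src          # the writer is treated as the parent
            images[src] = image
        elif m := EXE_RE.match(line):
            images[int(m[1])] = m[2]
        elif m := FILE_RE.match(line):
            files[m[2]].append(m[1])   # path may contain spaces; proc may not
        elif m := REG_RE.match(line):
            if "\\currentversion\\run\\" in m[1].lower():
                run_keys.append((m[1].rsplit("\\", 1)[1], m[2], m[3]))
        elif m := QUERY_RE.match(line):
            if m[1].lower().endswith("\\geo\\nation"):
                geo.add(m[2])
    return parent, images, files, run_keys, geo


def mass_extension_change(files, min_files=3):
    """Processes creating >= min_files files that share one appended extension.

    Jigsaw appends .fun after the original extension (x.png -> x.png.fun), so
    only basenames with two or more dots count; msiexec's .msi drops do not.
    """
    hits = {}
    for proc, paths in files.items():
        exts = Counter()
        for p in paths:
            base = p.rsplit("\\", 1)[-1]
            if base.count(".") >= 2:
                exts[base.rsplit(".", 1)[1].lower()] += 1
        if exts:
            ext, n = exts.most_common(1)[0]
            if n >= min_files:
                hits[proc] = ("." + ext, n)
    return hits


def profile_run_keys(run_keys):
    """Run values whose target lives under a user profile (AppData) directory.

    Such locations are writable without admin rights; here the value name
    mimics a browser while the path is the dropper's own copy.
    """
    return [(name, value, proc) for name, value, proc in run_keys
            if "\\appdata\\" in value.lower()]


def ancestry(pid, parent, images):
    """Walk pid -> root through the WriteProcessMemory edges."""
    chain = []
    while pid is not None:
        chain.append(f"{pid} {images.get(pid, '?')}")
        pid = parent.get(pid)
    return chain


def analyze(text=EVENTS):
    """Return the findings an analyst would pull from these lines."""
    parent, images, files, run_keys, geo = parse_events(text)
    by_image = {v: k for k, v in images.items()}
    findings = {"encryptor": {}, "persistence": profile_run_keys(run_keys),
                "geofence": sorted(geo), "chain": []}
    for proc, (ext, n) in mass_extension_change(files).items():
        findings["encryptor"][proc] = {"ext": ext, "files": n}
        if proc in by_image:   # link the encryptor back to the installer
            findings["chain"] = ancestry(by_image[proc], parent, images)
    return findings


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

The chain stops at the `/V` msiexec.exe service instance (PID 3100) because the WriteProcessMemory table records no writer for it; in a real hunt you would join that PID to process-creation telemetry to reach the user's double-click on Statement.pdf.msi.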
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 282KB
MD5: fba7f5f58a53322d0b85cc588cfaacd1
SHA1: da2617cb96dd02a075565de6a704551fd7995dab
SHA256: 1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a
SHA512: c9a4cb9076aeccff2cd1409dcdd8046ffa524ce768459443c2d69f21ef9c3fc899e2db19bed0377852e8e626436a80d9f192258e7e320fd3e252c0073eb762db

Filesize: 282KB
MD5: 807718ec27e1cdf76ea45291e0b73dcb
SHA1: 43fd298dff26c7cc2180d5b198ef23e0c37d578e
SHA256: 1001621d1b1d3cbba8d28644b24d7c4ff165c13ab2850661b3ed863efb6d1759
SHA512: a01444e070e6cbcf6b0aeb00c54469ea2dcf36e841c9179bb8a8d4c316000ebab6cef72cfe21467cf283bbed8372ce4787f60296c985ab831c49e3d18646da43

C:\Users\Admin\AppData\Local\Temp\MW-ff6f5621-f598-4762-8d67-9c4d57d2477e\files\Wire_Transfer.docx.exe
Filesize: 282KB
MD5: fba7f5f58a53322d0b85cc588cfaacd1
SHA1: da2617cb96dd02a075565de6a704551fd7995dab
SHA256: 1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a
SHA512: c9a4cb9076aeccff2cd1409dcdd8046ffa524ce768459443c2d69f21ef9c3fc899e2db19bed0377852e8e626436a80d9f192258e7e320fd3e252c0073eb762db

Filesize: 513B
MD5: 90a9dbe346d375d1096a92aed413ac5e
SHA1: ab60f850388bc327c16961afb12fd828e63fce95
SHA256: c6dd8adc672807581d872b866feaa197642266ac2ba1000a5e3d48ccc5d9bfe1
SHA512: a74a2cffed9c682eb8f074e97a3584a609f890559358bc3b43ca819539b25c5c92275c882aa874720c7a96f8c2fcbcb738228f936bf273309b9378e3cd464c44

Filesize: 601KB
MD5: ffe70d3419a64f4be1982d5cdf1155f4
SHA1: c62e03d533925c871cb9caac853a1d3a33f60f34
SHA256: 8b590d235166ed734e376bcbb27491be8d5592682919e961ccac59b2aa19e909
SHA512: 5b2fd2c6cd1a8087be74a2b7ac04fce728a83c413bb041541314c534978d825818b250f3e1b81b3eeb4835800c6d66d40e7d7fd56fb582bc92c10566cee83675

Filesize: 23.0MB
MD5: f54995a4febf875467a786220c788829
SHA1: a3178ddab431bdef40995552c232cd92c4e6bce2
SHA256: 695262c9da5bd8e901474bd5e2f99f25923bcf0915f69114132c00e808725d35
SHA512: 9199311bc491acfd45194dc5bd9ca0ed8070e3edf7a554a5e7689225a75c5a3542d54fc7051f884001a24397c70eabd5d70b190a316ce582c6e6eaeef2f3fcc1

\??\Volume{5acfaf36-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3b783116-30ca-4c0a-891d-27ae2e084aee}_OnDiskSnapshotProp
Filesize: 5KB
MD5: b4dae10fdf82dad6d04dfb0e2e99e1d2
SHA1: 9627f25309d3682e3bd7726f14c34207161cfb2b
SHA256: 1796f5c709102fa454b73541784a299f278b1e046410b7797e2971bb461e188e
SHA512: 4d2fe71db354860633779e64075a82c214d42255dbbfe48dca00bec07d968e05e2437ab8ed7bb7a5df64f473ef1701bc49d59154c8b09f6ba947f62b58c4535b