Analysis

max time kernel: 299s
max time network: 283s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220414-en locale:en-us os:windows10-2004-x64 system
submitted: 15-07-2022 15:01

Static task: static1
Behavioral task: behavioral1
Sample: 362e56855844fb2be3dfae4b566ab676f6ec681fad1c1a2e8eb6d245d56b83f5.msi
Resource: win7-20220414-en
General

Target: 362e56855844fb2be3dfae4b566ab676f6ec681fad1c1a2e8eb6d245d56b83f5.msi
Size: 676KB
MD5: a0d132cdc67c29abf79ecf455c4a4e25
SHA1: 2b278de35e52d695b27e1c880d35db04daa982bf
SHA256: 362e56855844fb2be3dfae4b566ab676f6ec681fad1c1a2e8eb6d245d56b83f5
SHA512: 645d2e3a168667de44d04756f48fe1d7d6581efc0755dccd72f6e09e603300783777b3b3376bb0d2bfab4c1ad3d239845eb606acffc3ea4ea4261d451c427ddf
Malware Config
Extracted
qakbot
403.780
vip01
1657721813
67.209.195.198:443
63.143.92.99:995
148.64.96.100:443
72.252.157.93:990
72.252.157.93:995
89.101.97.139:443
76.25.142.196:443
47.180.172.159:443
67.165.206.193:993
32.221.224.140:995
70.46.220.114:443
176.45.218.138:995
174.69.215.101:443
24.54.48.11:443
86.97.10.37:443
81.158.239.251:2078
37.34.253.233:443
120.150.218.241:995
186.90.153.162:2222
38.70.253.226:2222
41.228.22.180:443
217.165.157.202:995
179.111.8.52:32101
172.115.177.204:2222
190.252.242.69:443
31.215.185.213:1194
208.107.221.224:443
24.158.23.166:995
70.51.137.244:2222
39.44.116.107:995
31.215.185.213:2222
47.23.89.60:993
24.55.67.176:443
93.48.80.198:995
24.139.72.117:443
69.14.172.24:443
197.89.11.169:443
66.230.104.103:443
92.132.132.81:2222
24.178.196.158:2222
174.80.15.101:2083
187.116.126.216:32101
100.38.242.113:995
37.186.58.99:995
84.241.8.23:32103
182.191.92.203:995
40.134.246.185:995
106.193.213.197:995
86.98.78.118:993
117.248.109.38:21
74.14.5.179:2222
39.49.48.167:995
172.114.160.81:443
179.158.105.44:443
196.203.37.215:80
94.59.15.180:2222
39.52.55.99:995
89.211.209.234:2222
1.161.118.53:995
94.36.193.176:2222
121.7.223.45:2222
104.34.212.7:32103
45.46.53.140:2222
118.163.113.140:443
173.21.10.71:2222
47.145.130.171:443
47.156.129.52:443
72.252.157.93:993
187.172.164.12:443
197.94.92.5:443
201.172.23.72:2222
82.41.63.217:443
109.12.111.14:443
85.6.232.221:2222
96.37.113.36:993
217.128.122.65:2222
2.178.120.112:61202
193.136.1.58:443
103.133.11.10:995
120.61.3.142:443
182.52.159.24:443
37.208.131.49:50010
173.174.216.62:443
103.246.242.202:443
106.51.48.188:50001
67.69.166.79:2222
45.241.254.69:993
88.240.59.52:443
39.41.18.76:995
86.213.75.30:2078
39.57.56.11:995
24.43.99.75:443
101.50.67.155:995
108.56.213.219:995
189.253.167.141:443
5.32.41.45:443
39.53.160.99:995
80.11.74.81:2222
41.84.224.109:443
103.116.178.85:995
salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures

Blocklisted process makes network request (2 IoCs)
Processes: msiexec.exe
  flow | pid  | process
  3    | 1180 | msiexec.exe
  7    | 1180 | msiexec.exe

Loads dropped DLL (2 IoCs)
Processes: regsvr32.exe, regsvr32.exe
  pid  | process
  1644 | regsvr32.exe
  1324 | regsvr32.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
  description | ioc | process
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
Drops file in System32 directory (2 IoCs)
Processes: powershell.exe
  description | ioc | process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe

Drops file in Windows directory (8 IoCs)
Processes: msiexec.exe
  description | ioc | process
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{C59B204F-C8EF-4357-BEB2-23761AE43557} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI40A3.tmp | msiexec.exe
  File created | C:\Windows\Installer\e573e53.msi | msiexec.exe
  File created | C:\Windows\Installer\e573e51.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e573e51.msi | msiexec.exe
Checks SCSI registry key(s) (3 TTPs, 8 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe, vssvc.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not present in the report] | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies data under HKEY_USERS (51 IoCs)
Processes: explorer.exe, powershell.exe
  description | ioc | process
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uuqhmxrifoyo\93f1b434 = 7aa3a52380427c0cf05c2e27d9392fa0e0bb4d7d8c72824f3975022f390e546444e4afc0165e83700af8f1dfebbf95b2583aeeb7e89dc3f945 | explorer.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uuqhmxrifoyo\1ed2031f = db6edd5ed631a5522315dbb3e818ac3eb549a4e2883253dbbf2120f468f98efd11b9db6bb6ea8c199cbb6cfde4fcbb4bd14c3ea4600e | explorer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uuqhmxrifoyo\5404bca7 = 6be0e8e4e47b04650080ddde44a1192ef1c1b94fd56014aeea10434babb884e748cbb5a8ef2d9e3dedc642c7cc40e5125bb390c5e15628e752ccbdae678238cc9efecdff63c0dc3dd85613b28fdc78b27987fbc5cd86e6441e8de9b56e2790a40a7f0439abe167a3a95570427ce722c33bd62340fda2985828c6e8ba2a1c6eefa401e8abc614f40a0e52c9f73e32b03d1f3ddcfa493acf78e3daa810911c3991f325df30e93607b9b438bdee | explorer.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uuqhmxrifoyo\ecb8dbc2 = 9840298ca67a48c40ab5a0b3c32b23052de1862292bbc7f4af0e36400cfb5fcb89125c2cbf9080798d22591efcc35ceb21df6fec27e8997766b5e843b65219c4440ee7fe1608ec38562d4713e38299869abeeffc96504f63 | explorer.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uuqhmxrifoyo\eef9fbbe = 9eef6f8584633e44bf1332ab06ca020f129726007d39b0d21ba93fe2be8b531fda0c58ca70c24cec811bc53e9527b9b1ad463617a9e1f5ce62bdcd17dabe51f7fcbca140e446db6edf9faffc7d76958e40544e53fe6c5e565c0c798077ff6bb76786 | explorer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uuqhmxrifoyo\619b6ce9 = 58e87a151a71498fce356c7bb1bbddb05ead9e5fa35bc50435cbbc09ede77d659f336d7a93f32e0bffde4295b12890ed49d5c25db6595237693b37eda7bc38c8ddd86eed2b | explorer.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uuqhmxrifoyo\56459cdb = 5db9eff6bd791435305e2eb3248c9cfa24e361fb67f796f259b5c3876b824328d9cf0780fb70bac148c9237f4fccb43df0cf81ed6e812fc9e9b751999ec5ffec9d1917ba93857459679eca6f0e8c2ff8262bf5273caef868005afc916d04f3fd3673 | explorer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uuqhmxrifoyo\2b4dd351 = a9d8f2188cab7db3291a2056a8e0e3b944ae75b4cac6d40bd81ef2b549b8e72cfd8f2a3f8d4406747e78a42e34a4acecb8219256aeab579f2280cfde1c78a4d2e2a70db5288e6f974f5d7af1fcbf2bc9416ca3fb62a0694c27c8ae30f501a7f4c64915095c56 | explorer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uuqhmxrifoyo | explorer.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Uuqhmxrifoyo\619b6ce9 = 58e86d151a717acdf8086a40a126e08d85930868b9e0a846e9e97ac1607f656c6b2d7701ac49b1bc3c952e0aeb7e0447fe16ddd6f2e6e1f5ab16b4cf8b50f3704fdfbe740e97c5364229b4b3e8f0f8041b0433ddab3dfb96131f | explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: msiexec.exe, regsvr32.exe, explorer.exe
  pid  | process      | entries
  5008 | msiexec.exe  | 2
  1644 | regsvr32.exe | 2
  1356 | explorer.exe | remaining 60 entries, all identical

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: taskmgr.exe
  pid  | process
  4364 | taskmgr.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes: regsvr32.exe, regsvr32.exe
  pid  | process
  1644 | regsvr32.exe
  1324 | regsvr32.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe
  description | pid | process
  Token: SeShutdownPrivilege | 1180 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 1180 | msiexec.exe
  Token: SeSecurityPrivilege | 5008 | msiexec.exe
  Token: SeCreateTokenPrivilege | 1180 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 1180 | msiexec.exe
  Token: SeLockMemoryPrivilege | 1180 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 1180 | msiexec.exe
  Token: SeMachineAccountPrivilege | 1180 | msiexec.exe
  Token: SeTcbPrivilege | 1180 | msiexec.exe
  Token: SeSecurityPrivilege | 1180 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1180 | msiexec.exe
  Token: SeLoadDriverPrivilege | 1180 | msiexec.exe
  Token: SeSystemProfilePrivilege | 1180 | msiexec.exe
  Token: SeSystemtimePrivilege | 1180 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 1180 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 1180 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 1180 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 1180 | msiexec.exe
  Token: SeBackupPrivilege | 1180 | msiexec.exe
  Token: SeRestorePrivilege | 1180 | msiexec.exe
  Token: SeShutdownPrivilege | 1180 | msiexec.exe
  Token: SeDebugPrivilege | 1180 | msiexec.exe
  Token: SeAuditPrivilege | 1180 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 1180 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 1180 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 1180 | msiexec.exe
  Token: SeUndockPrivilege | 1180 | msiexec.exe
  Token: SeSyncAgentPrivilege | 1180 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 1180 | msiexec.exe
  Token: SeManageVolumePrivilege | 1180 | msiexec.exe
  Token: SeImpersonatePrivilege | 1180 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 1180 | msiexec.exe
  Token: SeBackupPrivilege | 4936 | vssvc.exe
  Token: SeRestorePrivilege | 4936 | vssvc.exe
  Token: SeAuditPrivilege | 4936 | vssvc.exe
  Token: SeBackupPrivilege | 5008 | msiexec.exe
  Token: SeRestorePrivilege | 5008 | msiexec.exe
  Token: SeRestorePrivilege | 5008 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5008 | msiexec.exe
  Token: SeRestorePrivilege | 5008 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5008 | msiexec.exe
  Token: SeRestorePrivilege | 5008 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5008 | msiexec.exe
  Token: SeRestorePrivilege | 5008 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5008 | msiexec.exe
  Token: SeRestorePrivilege | 5008 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5008 | msiexec.exe
  Token: SeRestorePrivilege | 5008 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5008 | msiexec.exe
  Token: SeRestorePrivilege | 5008 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5008 | msiexec.exe
  Token: SeRestorePrivilege | 5008 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5008 | msiexec.exe
  Token: SeRestorePrivilege | 5008 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5008 | msiexec.exe
  Token: SeRestorePrivilege | 5008 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5008 | msiexec.exe
  Token: SeRestorePrivilege | 5008 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5008 | msiexec.exe
  Token: SeRestorePrivilege | 5008 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5008 | msiexec.exe
  Token: SeRestorePrivilege | 5008 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5008 | msiexec.exe
  Token: SeRestorePrivilege | 5008 | msiexec.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: msiexec.exe, taskmgr.exe
  pid  | process     | entries
  1180 | msiexec.exe | 2
  4364 | taskmgr.exe | remaining 62 entries, all identical

Suspicious use of SendNotifyMessage (64 IoCs)
Processes: taskmgr.exe
  pid  | process     | entries
  4364 | taskmgr.exe | 64, all identical

Suspicious use of WriteProcessMemory (27 IoCs)
Processes: msiexec.exe, regsvr32.exe, regsvr32.exe, explorer.exe, powershell.exe, regsvr32.exe, regsvr32.exe
  description | pid | process | target process | entries
  PID 5008 wrote to memory of 988 | 5008 | msiexec.exe | srtasks.exe | 2
  PID 5008 wrote to memory of 4628 | 5008 | msiexec.exe | wscript.exe | 2
  PID 5008 wrote to memory of 5028 | 5008 | msiexec.exe | regsvr32.exe | 2
  PID 5028 wrote to memory of 1644 | 5028 | regsvr32.exe | regsvr32.exe | 3
  PID 1644 wrote to memory of 1356 | 1644 | regsvr32.exe | explorer.exe | 5
  PID 1356 wrote to memory of 4812 | 1356 | explorer.exe | schtasks.exe | 3
  PID 1124 wrote to memory of 4704 | 1124 | powershell.exe | regsvr32.exe | 2
  PID 4704 wrote to memory of 1324 | 4704 | regsvr32.exe | regsvr32.exe | 3
  PID 1324 wrote to memory of 1828 | 1324 | regsvr32.exe | explorer.exe | 5
Processes
(the bracketed number is the depth of the process in the execution tree)

[1] C:\Windows\system32\msiexec.exe
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\362e56855844fb2be3dfae4b566ab676f6ec681fad1c1a2e8eb6d245d56b83f5.msi
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\srtasks.exe
        Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    [2] C:\Windows\system32\wscript.exe
        Command line: wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs

    [2] C:\Windows\system32\regsvr32.exe
        Command line: regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\regsvr32.exe
            Command line: -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\explorer.exe
                Command line: C:\Windows\SysWOW64\explorer.exe
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\schtasks.exe
                    Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 17:04 /tn hodqehtlb /ET 17:15 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABBAGQAbwBiAGUARgBvAG4AdABQAGEAYwBrAFwAbQBhAGkAbgAuAGQAbABsACIA" /SC ONCE
                    (the base64 UTF-16LE payload decodes to: regsvr32.exe "C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll")
                    - Creates scheduled task(s)

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\taskmgr.exe
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABBAGQAbwBiAGUARgBvAG4AdABQAGEAYwBrAFwAbQBhAGkAbgAuAGQAbABsACIA
    (the base64 UTF-16LE payload decodes to: regsvr32.exe "C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll"; this is the scheduled task created above firing)
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\regsvr32.exe
        Command line: "C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\regsvr32.exe
            Command line: C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
            - Loads dropped DLL
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\explorer.exe
                Command line: C:\Windows\SysWOW64\explorer.exe
                - Modifies data under HKEY_USERS
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_32ADABCB823BA1231EA36C215C0D3FFB
  Filesize: 727B
  MD5: 0d26fcd430e8da3f1d2268e5f2c96948
  SHA1: fde47603630d4b585d3d9d0b9c71a2d04b8d0e4f
  SHA256: 98a8204e097137c5ac750cb4154fe9579c2254180cc842f15d8344e8e2be37ee
  SHA512: 80ba38928c8d6eedfb8e0cb537f0bbab152918c2c65b917ecf33ebad22a49976783560dd963f253dd5a439ee2de695802f357cba2a8aa29b9bd5dc72eb71673a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 727B
  MD5: a485d69614a6015dd87f332f156dbcda
  SHA1: e173979fc219cc09b20f79a8ac9d2ee72d93668d
  SHA256: 44a294a4e02743fc51bfa36b844d2cbf5f7ee94a9476dcd01ff5300a71860c48
  SHA512: 4f7d64e45b6cb134c8676a4b1e2cc3e43bf24c15670aa8f9b7a4101ca8383d3c2bcf09dfc3856847e72168043dd8ddcf553cf5ecfe99c69032b8eb48508dad60

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_32ADABCB823BA1231EA36C215C0D3FFB
  Filesize: 408B
  MD5: e76ffa7952dba33605daa88634086d1e
  SHA1: 00c9f59d2a967022b1232b5885833cf1d76d7181
  SHA256: e9b2d317ec450ae38bc348f393672f1d71c86d69c57257d70d581bb3af3df617
  SHA512: 81c4db42514d562c5b1b44f93ceeca4291a3bd3a637255e646091071d59836880dc1b748036f5ede6ea49d1cfb6d2e8f0e48e8d64f5868b38c6cf17bdb950340

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 412B
  MD5: 62ba4607d3fbf883ae7eceb6720f3042
  SHA1: 22411cae724a5e025ca805eea4099a1d2b4b5cca
  SHA256: ab9c07c77ab34a36c3ee729e0522cebd9d300464ad7ef0b5e03fb6f40cddd1d2
  SHA512: 819a3cbc7a9851975c2a771e33bb0d2b07fd30fed9a91cb29077909ba57ec012ed42d73f54b1181c1643821bc16050bf2bf76e98b725dd3d1d1001988b3e184d

C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
(listed four times in the report with identical hashes; shown once here)
  Filesize: 1.3MB
  MD5: 2fce945f0621e3812618f55c4a3926e9
  SHA1: 65aa7e9e33d25ee812e9ac86f45488c6c531d9ad
  SHA256: c7dfc591c7dc5371c60bd0fb1cc7ca2c14dd630a0e7272b4fac98e8d2ee5567a
  SHA512: 95a6c8761952b43c238094fba672c0c15d011ff0af69b5100b37a52ab9b00f355337a15787fea95bd31038a4dff5a1cdfeffa70b006849f66027dcd72f2b1614

C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
  Filesize: 68B
  MD5: 0308aa2c8dab8a69de41f5d16679bb9b
  SHA1: c6827bf44a433ff086e787653361859d6f6e2fb3
  SHA256: 0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489
  SHA512: 1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: 937ea5f1c25fdc6763beb157c5787bc0
  SHA1: 9ce46fde420bfbdfaa94546136ed6db7e405841f
  SHA256: bec68424e36a3ee88c55ca0876f044f412b5150f67abfb60468d6a39c771b88d
  SHA512: 2ca5f427e2fbffafccedd62e52c2fcb1422bf4dcc3310e2dc1142e08f0e5d310cef9ce8913f87618f47462437d89841cd6c1fafdd8c0263a7ccb83e2aa832fdb

\??\Volume{edc211e1-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{53e9cfab-6a5c-4e75-8f3b-d1075e64c696}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: ac2bdd5812f305b27ff190a1b66c414f
  SHA1: 7427c41766ed5400657c52bcae914b994344eccf
  SHA256: ada6a112b60a3ff39080aba9b08680563d0d487db663034c6cfe61431d44e8f9
  SHA512: c5ceb2674ef3e454c131d0262bfa74b28502e91efcb29742aba0400ee999199918151b33b0d640cc3d8b56c0f1831b23bf72857d3c46d3326b4bc052c5236631

Memory dumps
  dump | Filesize
  memory/988-130-0x0000000000000000-mapping.dmp |
  memory/1124-151-0x00000173FAE80000-0x00000173FAEA2000-memory.dmp | 136KB
  memory/1124-156-0x00007FFD50F30000-0x00007FFD519F1000-memory.dmp | 10.8MB
  memory/1324-154-0x0000000000000000-mapping.dmp |
  memory/1324-157-0x0000000001510000-0x0000000001532000-memory.dmp | 136KB
  memory/1324-161-0x0000000001510000-0x0000000001532000-memory.dmp | 136KB
  memory/1324-159-0x0000000001510000-0x0000000001532000-memory.dmp | 136KB
  memory/1324-158-0x00000000014C0000-0x00000000014E2000-memory.dmp | 136KB
  memory/1356-149-0x0000000000DC0000-0x0000000000DE2000-memory.dmp | 136KB
  memory/1356-150-0x0000000000DC0000-0x0000000000DE2000-memory.dmp | 136KB
  memory/1356-146-0x0000000000000000-mapping.dmp |
  memory/1644-147-0x0000000003670000-0x0000000003692000-memory.dmp | 136KB
  memory/1644-143-0x0000000003670000-0x0000000003692000-memory.dmp | 136KB
  memory/1644-139-0x0000000000000000-mapping.dmp |
  memory/1644-145-0x0000000003670000-0x0000000003692000-memory.dmp | 136KB
  memory/1644-144-0x0000000003620000-0x0000000003642000-memory.dmp | 136KB
  memory/1828-160-0x0000000000000000-mapping.dmp |
  memory/1828-162-0x0000000000890000-0x00000000008B2000-memory.dmp | 136KB
  memory/1828-163-0x0000000000890000-0x00000000008B2000-memory.dmp | 136KB
  memory/4628-135-0x0000000000000000-mapping.dmp |
  memory/4704-152-0x0000000000000000-mapping.dmp |
  memory/4812-148-0x0000000000000000-mapping.dmp |
  memory/5028-136-0x0000000000000000-mapping.dmp |