Analysis
max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-08-2022 07:19

Static task: static1
Behavioral task: behavioral1
  Sample: Microsoft.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Microsoft.exe
  Resource: win10-20220812-en

General
Target: Microsoft.exe
Size: 4.0MB
MD5: 083f54e1891baeb8783adc6ee775fc41
SHA1: 9f7b44476da46086e38f89f4eb2b9900629082a4
SHA256: b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1
SHA512: 4c0ab2a86af49ed0fd129095962e11baa9fa9a9e0276473832be6c47bb8918c5c39a2f228a06e6f7d2aaa8d791c75645102ee5674ba44a9e3b9dc079c936d8ab
SSDEEP: 98304:Zwa9JkoXTaSRr+aV1uHIx5gjSTBvq+TYIMV3hMAo:Zr9UY5g0v0g
Malware Config
Signatures

Detects PlugX payload (4 IoCs)
resource / yara_rule
- behavioral3/memory/3056-159-0x0000000002A30000-0x0000000003A30000-memory.dmp / family_plugx
- behavioral3/memory/2164-165-0x0000000000EE0000-0x0000000001EE0000-memory.dmp / family_plugx
- behavioral3/memory/5092-167-0x0000000000E80000-0x0000000001E80000-memory.dmp / family_plugx
- behavioral3/memory/5084-170-0x0000000000FF0000-0x0000000001FF0000-memory.dmp / family_plugx

Executes dropped EXE (3 IoCs)
pid / Process
- 4136 MSI2E6A.tmp
- 3056 bdreinit.exe
- 2164 bdreinit.exe

Loads dropped DLL (9 IoCs)
pid / Process
- 5116 MsiExec.exe
- 3188 MsiExec.exe (6 identical entries)
- 3056 bdreinit.exe
- 2164 bdreinit.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (10 IoCs)
description / ioc / Process
- File created: C:\Program Files (x86)\Microsoft Office\Microsoft\log.dll (msiexec.exe)
- File opened for modification: C:\Program Files (x86)\BitDefender\Handler\log.dll (bdreinit.exe)
- File created: C:\Program Files (x86)\BitDefender\Handler\log.dll (bdreinit.exe)
- File opened for modification: C:\Program Files (x86)\BitDefender\Handler\log.dat (bdreinit.exe)
- File created: C:\Program Files (x86)\BitDefender\Handler\log.dat (bdreinit.exe)
- File created: C:\Program Files (x86)\Microsoft Office\Microsoft\bdreinit.exe (msiexec.exe)
- File created: C:\Program Files (x86)\Microsoft Office\Microsoft\log.dat (msiexec.exe)
- File opened for modification: C:\Program Files (x86)\BitDefender\Handler (bdreinit.exe)
- File opened for modification: C:\Program Files (x86)\BitDefender\Handler\bdreinit.exe (bdreinit.exe)
- File created: C:\Program Files (x86)\BitDefender\Handler\bdreinit.exe (bdreinit.exe)
Drops file in Windows directory (15 IoCs)
description / ioc / Process
- File opened for modification: C:\Windows\Installer\MSI2D5E.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI2AD9.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI2C24.tmp (msiexec.exe)
- File created: C:\Windows\Installer\SourceHash{CADD28DF-723D-4BD4-AAFC-FAE439BAE647} (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI2DCD.tmp (msiexec.exe)
- File created: C:\Windows\Installer\e572858.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\e572858.msi (msiexec.exe)
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI2D4E.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File created: C:\Windows\Installer\e57285b.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI2E6A.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI2BB4.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI2BF4.tmp (msiexec.exe)
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description / ioc / Process
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not captured in this report] (vssvc.exe)
Modifies data under HKEY_USERS 3 IoCs
description / ioc / Process
- Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E (msiexec.exe)
- Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e (msiexec.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f (msiexec.exe)
Modifies registry class 25 IoCs
description / ioc / Process
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\InstanceType = "0" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\DeploymentFlags = "3" (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9A63D6CDA60BAB248B02E4255D3A74C1\FD82DDACD3274DB4AACFAF4E93AB6E74 (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\SourceList\Media\1 = "Disk1;Disk1" (msiexec.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\Clients = 3a0000000000 (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FD82DDACD3274DB4AACFAF4E93AB6E74\MainFeature (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74 (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\Language = "1033" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\Assignment = "1" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9A63D6CDA60BAB248B02E4255D3A74C1 (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\SourceList (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\SourceList\Media\DiskPrompt = "[1]" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\Software\CLASSES\KET.FAST (svchost.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FD82DDACD3274DB4AACFAF4E93AB6E74 (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\ProductName = "Microsoft" (msiexec.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\KET.FAST\CLSID = 33004100390039003600300037003000440045004300330042003100430037000000 (svchost.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\Version = "16777216" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\AuthorizedLUAApp = "0" (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\SourceList\PackageName = "Microsoft.msi" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\SourceList\Net (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\SourceList\Media (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\PackageCode = "C3DCF6D77E9A82E4884CC7833DE2C026" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\AdvertiseFlags = "388" (msiexec.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 3 IoCs
pid / Process
- 3560 Microsoft.exe
- 1808 msiexec.exe (2 identical entries)
Suspicious use of WriteProcessMemory 28 IoCs
description / pid / Process / procid_target (identical entries collapsed)
- PID 2432 wrote to memory of 5116 (msiexec.exe, target 85)
- PID 3560 wrote to memory of 1808 (Microsoft.exe, target 86)
- PID 2432 wrote to memory of 3684 (msiexec.exe, target 99)
- PID 2432 wrote to memory of 3188 (msiexec.exe, target 102)
- PID 2432 wrote to memory of 4136 (msiexec.exe, target 103)
- PID 2164 wrote to memory of 5092 (bdreinit.exe, target 106)
- PID 5092 wrote to memory of 5084 (svchost.exe, target 107)
Processes

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe (PID 3560)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe (PID 1808)
      Command line: "C:\Windows\system32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\Microsoft.msi AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Microsoft.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1661178649 "
      - Enumerates connected drives
      - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 2432)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\MsiExec.exe (PID 5116)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding CE5C1C581C1ED9E529D12477AD61B648 C
      - Loads dropped DLL
    C:\Windows\system32\srtasks.exe (PID 3684)
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    C:\Windows\syswow64\MsiExec.exe (PID 3188)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding FB0A5D258DE7C15F1AB8900D470E7372
      - Loads dropped DLL
    C:\Windows\Installer\MSI2E6A.tmp (PID 4136)
      Command line: "C:\Windows\Installer\MSI2E6A.tmp" "C:\Program Files (x86)\Microsoft Office\Microsoft\bdreinit.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe (PID 3768)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)

C:\Program Files (x86)\Microsoft Office\Microsoft\bdreinit.exe (PID 3056)
  Command line: "C:\Program Files (x86)\Microsoft Office\Microsoft\bdreinit.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory

C:\Program Files (x86)\BitDefender\Handler\bdreinit.exe (PID 2164)
  Command line: "C:\Program Files (x86)\BitDefender\Handler\bdreinit.exe" 600 0
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (PID 5092)
      Command line: C:\Windows\system32\svchost.exe 601 0
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\userinit.exe (PID 5084)
          Command line: C:\Windows\system32\userinit.exe 609 5092
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads