758f7211d631b2b5b52df7214485fe2082661e5ba18054c8d91be0d7e27dbb2f

Analysis

max time kernel
81s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23/09/2022, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VMware-workstation-full-16.2.4-20089737.exe
Size

615.6MB
MD5

d60f20003600b70defb72215417aadee
SHA1

b89035349ad4894e1837b81e3e826ca4572f4f88
SHA256

758f7211d631b2b5b52df7214485fe2082661e5ba18054c8d91be0d7e27dbb2f
SHA512

e9be925c8d3fe9fe81383398709fa4a992ccf2a50b833421ff54d629b1088cb8a773af64c87bed3c513f03a6a84f8eb5001f8cf52f895808c6f002c49d44abfe
SSDEEP

12582912:HsiQc7JR+tkXSznRL4KY0XxCDhc/jVPil7pbuhbKDe0uDe07:MiQc7JR+tMSznJY0XxCD6/jVPil7pbDi

Score

8^/10

discovery evasion

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4864	vcredist_x86.exe
4892	vcredist_x86.exe
2032	vcredist_x64.exe
1812	vcredist_x64.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	VMware-workstation-full-16.2.4-20089737.exe

Loads dropped DLL 4 IoCs

pid	Process
4892	vcredist_x86.exe
1812	vcredist_x64.exe
3948	MsiExec.exe
3948	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\K:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\P:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\Q:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\S:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\N:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\X:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\Y:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\T:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\G:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\J:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\L:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\V:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\I:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\W:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\H:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\O:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\U:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\Z:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\VMware\InstallerCache\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}.msi	VMware-workstation-full-16.2.4-20089737.exe
File opened for modification	C:\Program Files (x86)\Common Files\VMware\InstallerCache\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}.msi	VMware-workstation-full-16.2.4-20089737.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1412	3948	WerFault.exe	92

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VMware-workstation-full-16.2.4-20089737.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VMware-workstation-full-16.2.4-20089737.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VMware-workstation-full-16.2.4-20089737.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	VMware-workstation-full-16.2.4-20089737.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VMware-workstation-full-16.2.4-20089737.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeIncreaseQuotaPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSecurityPrivilege	3648	msiexec.exe
Token: SeCreateTokenPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeAssignPrimaryTokenPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeLockMemoryPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeIncreaseQuotaPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeMachineAccountPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeTcbPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSecurityPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeTakeOwnershipPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeLoadDriverPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSystemProfilePrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSystemtimePrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeProfSingleProcessPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeIncBasePriorityPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeCreatePagefilePrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeCreatePermanentPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeBackupPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeRestorePrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeShutdownPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeDebugPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeAuditPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSystemEnvironmentPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeChangeNotifyPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeRemoteShutdownPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeUndockPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSyncAgentPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeEnableDelegationPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeManageVolumePrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeImpersonatePrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeCreateGlobalPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeCreateTokenPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeAssignPrimaryTokenPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeLockMemoryPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeIncreaseQuotaPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeMachineAccountPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeTcbPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSecurityPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeTakeOwnershipPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeLoadDriverPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSystemProfilePrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSystemtimePrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeProfSingleProcessPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeIncBasePriorityPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeCreatePagefilePrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeCreatePermanentPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeBackupPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeRestorePrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeShutdownPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeDebugPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeAuditPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSystemEnvironmentPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeChangeNotifyPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeRemoteShutdownPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeUndockPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSyncAgentPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeEnableDelegationPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeManageVolumePrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeImpersonatePrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeCreateGlobalPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeCreateTokenPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeAssignPrimaryTokenPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe
Token: SeLockMemoryPrivilege	5104	VMware-workstation-full-16.2.4-20089737.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5104	VMware-workstation-full-16.2.4-20089737.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 4864	5104	VMware-workstation-full-16.2.4-20089737.exe	79
PID 5104 wrote to memory of 4864	5104	VMware-workstation-full-16.2.4-20089737.exe	79
PID 5104 wrote to memory of 4864	5104	VMware-workstation-full-16.2.4-20089737.exe	79
PID 4864 wrote to memory of 4892	4864	vcredist_x86.exe	80
PID 4864 wrote to memory of 4892	4864	vcredist_x86.exe	80
PID 4864 wrote to memory of 4892	4864	vcredist_x86.exe	80
PID 5104 wrote to memory of 2032	5104	VMware-workstation-full-16.2.4-20089737.exe	83
PID 5104 wrote to memory of 2032	5104	VMware-workstation-full-16.2.4-20089737.exe	83
PID 5104 wrote to memory of 2032	5104	VMware-workstation-full-16.2.4-20089737.exe	83
PID 2032 wrote to memory of 1812	2032	vcredist_x64.exe	84
PID 2032 wrote to memory of 1812	2032	vcredist_x64.exe	84
PID 2032 wrote to memory of 1812	2032	vcredist_x64.exe	84
PID 3648 wrote to memory of 3948	3648	msiexec.exe	92
PID 3648 wrote to memory of 3948	3648	msiexec.exe	92
PID 3648 wrote to memory of 3948	3648	msiexec.exe	92

C:\Users\Admin\AppData\Local\Temp\VMware-workstation-full-16.2.4-20089737.exe
"C:\Users\Admin\AppData\Local\Temp\VMware-workstation-full-16.2.4-20089737.exe"
1⤵
- Looks for VMWare Tools registry key
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}~setup\vcredist_x86.exe
  "C:\Users\Admin\AppData\Local\Temp\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}~setup\vcredist_x86.exe" /Q /norestart
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\Temp\{9B6B9E5C-9924-4541-8265-09B2A28D7BE7}\.cr\vcredist_x86.exe
    "C:\Windows\Temp\{9B6B9E5C-9924-4541-8265-09B2A28D7BE7}\.cr\vcredist_x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}~setup\vcredist_x86.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /Q /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4892
- C:\Users\Admin\AppData\Local\Temp\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}~setup\vcredist_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}~setup\vcredist_x64.exe" /Q /norestart
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\Temp\{FA3B4156-EA11-4EC2-9A6B-8027379BDA36}\.cr\vcredist_x64.exe
    "C:\Windows\Temp\{FA3B4156-EA11-4EC2-9A6B-8027379BDA36}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}~setup\vcredist_x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /Q /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1812

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0B14CF2673166BCB98FE2A5FB80E8487 C
  2⤵
  - Loads dropped DLL
  PID:3948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 932
    3⤵
    - Program crash
    PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3948 -ip 3948
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIE7A1.tmp

Filesize
2.7MB

MD5
828b8828a7600b984e212dec961d4c3f

SHA1
cb74a27bf2d09e90fe26cd058f72a663be9effb7

SHA256
ff3ffc884bfaf4717d60d0a07afd970479c24c560a25b625c21aaa231b1a3969

SHA512
c49a29e9981a6034f6049daae441e03a8e46690c6052eae84b83e05bfb915d4803140242bc7e5ece61c33f11ed22a4bb7dbfcebf0b6d16f24478224070dcf4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE7A1.tmp

Filesize
2.7MB

MD5
828b8828a7600b984e212dec961d4c3f

SHA1
cb74a27bf2d09e90fe26cd058f72a663be9effb7

SHA256
ff3ffc884bfaf4717d60d0a07afd970479c24c560a25b625c21aaa231b1a3969

SHA512
c49a29e9981a6034f6049daae441e03a8e46690c6052eae84b83e05bfb915d4803140242bc7e5ece61c33f11ed22a4bb7dbfcebf0b6d16f24478224070dcf4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF202.tmp

Filesize
202KB

MD5
d773d9bd091e712df7560f576da53de8

SHA1
165cfbdce1811883360112441f7237b287cf0691

SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF202.tmp

Filesize
202KB

MD5
d773d9bd091e712df7560f576da53de8

SHA1
165cfbdce1811883360112441f7237b287cf0691

SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vminst.log

Filesize
34KB

MD5
b24961b12c344a557cf45423f4a0ba62

SHA1
300e556e7f33e1d736543b5b7c1595ad110a5c1d

SHA256
ffd99bb3ef92bb63e0533d84053da6f80e66113ea20ff5070f09b0bd20cf9a17

SHA512
61612fda1f60527ed893195c6988604970a980a6cab638a64fa8fce1c392dee58c62b691ccdc14c1be443418be701c8687087bc89cc98bf28389e3213496603d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}~setup\vcredist_x64.exe

Filesize
14.2MB

MD5
a56672c4522a1b9bb767c8b6cfbe0ba4

SHA1
18a31b3f7fed28870b882909d91dfa8ec5bc87a6

SHA256
015edd4e5d36e053b23a01adb77a2b12444d3fb6eccefe23e3a8cd6388616a16

SHA512
5170b3fd4a0fc637184044c9dbe7ab3f8ca115fbac5ec851802c290139a3d99aacfd458fe2e925eb3282612c9b18d4c857f8c39284efbf3da49317a1fecc16ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}~setup\vcredist_x64.exe

Filesize
14.2MB

MD5
a56672c4522a1b9bb767c8b6cfbe0ba4

SHA1
18a31b3f7fed28870b882909d91dfa8ec5bc87a6

SHA256
015edd4e5d36e053b23a01adb77a2b12444d3fb6eccefe23e3a8cd6388616a16

SHA512
5170b3fd4a0fc637184044c9dbe7ab3f8ca115fbac5ec851802c290139a3d99aacfd458fe2e925eb3282612c9b18d4c857f8c39284efbf3da49317a1fecc16ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}~setup\vcredist_x86.exe

Filesize
13.7MB

MD5
b347c30bd3394b01039b1bf0c3efde53

SHA1
d7a91e4225d0b52310fdfec2331b15ad39f3391f

SHA256
e830c313aa99656748f9d2ed582c28101eaaf75f5377e3fb104c761bf3f808b2

SHA512
a5c33e0f588e11b228caf7da0d64ee1456601680703ed35769bd7bc56a891e182fd35d5501598e344ca46f2bcc83fc388f27489f7512c81d27bff4a61d1fdbda

Download Submit
C:\Users\Admin\AppData\Local\Temp\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}~setup\vcredist_x86.exe

Filesize
13.7MB

MD5
b347c30bd3394b01039b1bf0c3efde53

SHA1
d7a91e4225d0b52310fdfec2331b15ad39f3391f

SHA256
e830c313aa99656748f9d2ed582c28101eaaf75f5377e3fb104c761bf3f808b2

SHA512
a5c33e0f588e11b228caf7da0d64ee1456601680703ed35769bd7bc56a891e182fd35d5501598e344ca46f2bcc83fc388f27489f7512c81d27bff4a61d1fdbda

Download Submit
C:\Windows\Temp\{5DCEB25D-978C-4F4C-8AD4-8C8AE3421150}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{9B6B9E5C-9924-4541-8265-09B2A28D7BE7}\.cr\vcredist_x86.exe

Filesize
632KB

MD5
4d6b31d542ec3fd96bcf8a0cfae9f8ea

SHA1
b5be29ab2f0d30825c763df5a3cb071d1a708e05

SHA256
55d27902ffebfc7e5ab55962c0c3e6f9c901729a40abe5e564ee8e436a07ba17

SHA512
bbbb13c0aca849ebd5369a07e2b089d298f7d1f0ccb4dfaaf23c6d7deb9bda885f6c12d62f921dbdac2a473d0ffd23b60f04bc387210bf3e9ab33ee60e3f2c20

Download Submit
C:\Windows\Temp\{9B6B9E5C-9924-4541-8265-09B2A28D7BE7}\.cr\vcredist_x86.exe

Filesize
632KB

MD5
4d6b31d542ec3fd96bcf8a0cfae9f8ea

SHA1
b5be29ab2f0d30825c763df5a3cb071d1a708e05

SHA256
55d27902ffebfc7e5ab55962c0c3e6f9c901729a40abe5e564ee8e436a07ba17

SHA512
bbbb13c0aca849ebd5369a07e2b089d298f7d1f0ccb4dfaaf23c6d7deb9bda885f6c12d62f921dbdac2a473d0ffd23b60f04bc387210bf3e9ab33ee60e3f2c20

Download Submit
C:\Windows\Temp\{FA3B4156-EA11-4EC2-9A6B-8027379BDA36}\.cr\vcredist_x64.exe

Filesize
632KB

MD5
cd3e6f264b47b68097363494b9a389ad

SHA1
a9af64b7608e66338e90709e7d1fd3aed8a3b83e

SHA256
63debb4675d2875d5787e7bae52e73bddc040939ea9235df897c3fd7818de9d3

SHA512
171e42561f3e9a2dcec37ead64bed9b754e52f8bcd45a4ad157e2ca1cc85cac94547cda5ade8d34b64029d14e4545cea7508d9ca9bb3e2b914dc953f7de332f4

Download Submit
C:\Windows\Temp\{FA3B4156-EA11-4EC2-9A6B-8027379BDA36}\.cr\vcredist_x64.exe

Filesize
632KB

MD5
cd3e6f264b47b68097363494b9a389ad

SHA1
a9af64b7608e66338e90709e7d1fd3aed8a3b83e

SHA256
63debb4675d2875d5787e7bae52e73bddc040939ea9235df897c3fd7818de9d3

SHA512
171e42561f3e9a2dcec37ead64bed9b754e52f8bcd45a4ad157e2ca1cc85cac94547cda5ade8d34b64029d14e4545cea7508d9ca9bb3e2b914dc953f7de332f4

Download Submit
C:\Windows\Temp\{FFD0856E-D225-42EE-9DBD-82336F410C33}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads