0f21d1be273c71a066d1a66189bf0082394de92c830cfaa7bbbe4370e1cb9592

Analysis

max time kernel
101s
max time network
133s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/09/2022, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f21d1be273c71a066d1a66189bf0082394de92c830cfaa7bbbe4370e1cb9592.msi
Size

107.1MB
MD5

608b4ff0db79baf5ca8bbaf57ec7af31
SHA1

c0c35f1d18172a5cbebb92387fd505f6509a095a
SHA256

0f21d1be273c71a066d1a66189bf0082394de92c830cfaa7bbbe4370e1cb9592
SHA512

49b6013ed5697ff95f3dbd43d55822cbe77ae633ffc0579d92a351103ee41b8f04883bb226391ea7357637b5cd4464d40f320265184d13327bc965f12ad8c549
SSDEEP

3145728:6FEp1cAjJNOCsXvY27nm0LT419R/pt8OBp4e0/QN:n7FfknLdTC9R/piq0

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	988	msiexec.exe
4	988	msiexec.exe
7	1520	msiexec.exe

Loads dropped DLL 2 IoCs

pid	Process
1896	MsiExec.exe
1896	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2E191E1843EE8907DD08EF7257011562	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil1A23C5ED27F9DC16A0C09B7B6EA02975	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\my\WAFramework.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil1ED2576B1D30BF1AB631AB8D84693E4A	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2A8F2FC7ED3B2D14055D1E1498242E88	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2B307969E3B9995C107553FFF10BA3B7	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\tr\ProfileManager.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ms\LayoutEditor.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\it\Ops.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\libEGL.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\FirstFloor.ModernUI.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\de\LayoutEditor.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fi\ProfileManager.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ms\NovaPDFComponent.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\WPFToolkit.Extended.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2FA840EDFB7F08A6DB791E26A1CF7181	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\it\ActivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\BouncyCastle.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\Telemetry.dll.Config	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil1DB1BB71E688FDDC4EB645FDD15ED31E	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil1E0DF1784602471CEE64AE0A0491C8D3	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ru\ActivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\sk\ProfileManager.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\AgileDotNet.VMRuntime.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil00BEA883B436F09BDDB07E047A0E39BC	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\it\LayoutEditor.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil00E113EC0B2CEFEA482C5923D3F33052	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\pt-BR\Ops.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\en\LayoutEditor.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\zh-CN\DeactivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\el\LayoutEditor.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\de\NovaPDFComponent.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil01C6098B409DF9D6963FED7724DB0B9E	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\en\DeactivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ro\DeactivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil3C3381EAD16E04A387C367051CC77C74	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil0DA8E38D5A1A3BBE838768BB49C88EFF	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\Renci.SshNet.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ro\ProfileManager.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\libgcc_s_seh-1.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil1B8C73536C45A852E3EEF534412A6418	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2F6147DFDF6BB4E7CCCF86E77C563EEA	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ne\CustomControls.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\Google.Apis.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\Google.Apis.Auth.PlatformServices.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil3DDA9405D25DD6BC4B0430249D3D95A1	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\AgileDotNetRT.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil3CE445458D8542570D6C998EDFE723D8	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil1AC66EE831342CC3E30130A7D3BA1B20	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil00C3B975CAC2C1D47FABA60AA67C0B90	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil1F2D1455C213B906F92D0D9DDD874173	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\Ops.dll.Config	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2FAD09C77CBBF7444653C9CDA5CDB5C5	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil3CFE93B3701BD742877C010E154A9E22	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\pl\CustomControls.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2EE9C0B2955BAA40F474504479D6A60A	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\el\ProfileManager.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\es\WAFramework.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2A7E9F325322C2BA24DB2070B39F9AB0	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\OutlookEmail.exe	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\pl\ProfileManager.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ms\WAFramework.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil1CC9BC03695BCF4E524EEF2CA89DE624	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2A3F1A7EA33C5BB31E9C5736340D2ED2	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI299E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6cf3b4.ipi	msiexec.exe
File created	C:\Windows\Installer\6cf3b2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6cf3b2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF870.tmp	msiexec.exe
File created	C:\Windows\Installer\6cf3b4.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI9426.tmp	msiexec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1520	msiexec.exe
1520	msiexec.exe
1408	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	988	msiexec.exe
Token: SeIncreaseQuotaPrivilege	988	msiexec.exe
Token: SeRestorePrivilege	1520	msiexec.exe
Token: SeTakeOwnershipPrivilege	1520	msiexec.exe
Token: SeSecurityPrivilege	1520	msiexec.exe
Token: SeCreateTokenPrivilege	988	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	988	msiexec.exe
Token: SeLockMemoryPrivilege	988	msiexec.exe
Token: SeIncreaseQuotaPrivilege	988	msiexec.exe
Token: SeMachineAccountPrivilege	988	msiexec.exe
Token: SeTcbPrivilege	988	msiexec.exe
Token: SeSecurityPrivilege	988	msiexec.exe
Token: SeTakeOwnershipPrivilege	988	msiexec.exe
Token: SeLoadDriverPrivilege	988	msiexec.exe
Token: SeSystemProfilePrivilege	988	msiexec.exe
Token: SeSystemtimePrivilege	988	msiexec.exe
Token: SeProfSingleProcessPrivilege	988	msiexec.exe
Token: SeIncBasePriorityPrivilege	988	msiexec.exe
Token: SeCreatePagefilePrivilege	988	msiexec.exe
Token: SeCreatePermanentPrivilege	988	msiexec.exe
Token: SeBackupPrivilege	988	msiexec.exe
Token: SeRestorePrivilege	988	msiexec.exe
Token: SeShutdownPrivilege	988	msiexec.exe
Token: SeDebugPrivilege	988	msiexec.exe
Token: SeAuditPrivilege	988	msiexec.exe
Token: SeSystemEnvironmentPrivilege	988	msiexec.exe
Token: SeChangeNotifyPrivilege	988	msiexec.exe
Token: SeRemoteShutdownPrivilege	988	msiexec.exe
Token: SeUndockPrivilege	988	msiexec.exe
Token: SeSyncAgentPrivilege	988	msiexec.exe
Token: SeEnableDelegationPrivilege	988	msiexec.exe
Token: SeManageVolumePrivilege	988	msiexec.exe
Token: SeImpersonatePrivilege	988	msiexec.exe
Token: SeCreateGlobalPrivilege	988	msiexec.exe
Token: SeBackupPrivilege	1884	vssvc.exe
Token: SeRestorePrivilege	1884	vssvc.exe
Token: SeAuditPrivilege	1884	vssvc.exe
Token: SeBackupPrivilege	1520	msiexec.exe
Token: SeRestorePrivilege	1520	msiexec.exe
Token: SeRestorePrivilege	772	DrvInst.exe
Token: SeRestorePrivilege	772	DrvInst.exe
Token: SeRestorePrivilege	772	DrvInst.exe
Token: SeRestorePrivilege	772	DrvInst.exe
Token: SeRestorePrivilege	772	DrvInst.exe
Token: SeRestorePrivilege	772	DrvInst.exe
Token: SeRestorePrivilege	772	DrvInst.exe
Token: SeLoadDriverPrivilege	772	DrvInst.exe
Token: SeLoadDriverPrivilege	772	DrvInst.exe
Token: SeLoadDriverPrivilege	772	DrvInst.exe
Token: SeRestorePrivilege	1520	msiexec.exe
Token: SeTakeOwnershipPrivilege	1520	msiexec.exe
Token: SeRestorePrivilege	1520	msiexec.exe
Token: SeTakeOwnershipPrivilege	1520	msiexec.exe
Token: SeRestorePrivilege	1520	msiexec.exe
Token: SeTakeOwnershipPrivilege	1520	msiexec.exe
Token: SeRestorePrivilege	1520	msiexec.exe
Token: SeTakeOwnershipPrivilege	1520	msiexec.exe
Token: SeRestorePrivilege	1520	msiexec.exe
Token: SeTakeOwnershipPrivilege	1520	msiexec.exe
Token: SeRestorePrivilege	1520	msiexec.exe
Token: SeTakeOwnershipPrivilege	1520	msiexec.exe
Token: SeRestorePrivilege	1520	msiexec.exe
Token: SeTakeOwnershipPrivilege	1520	msiexec.exe
Token: SeDebugPrivilege	1408	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
988	msiexec.exe
988	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1896	1520	msiexec.exe	31
PID 1520 wrote to memory of 1896	1520	msiexec.exe	31
PID 1520 wrote to memory of 1896	1520	msiexec.exe	31
PID 1520 wrote to memory of 1896	1520	msiexec.exe	31
PID 1520 wrote to memory of 1896	1520	msiexec.exe	31
PID 1520 wrote to memory of 1896	1520	msiexec.exe	31
PID 1520 wrote to memory of 1896	1520	msiexec.exe	31
PID 1896 wrote to memory of 1408	1896	MsiExec.exe	32
PID 1896 wrote to memory of 1408	1896	MsiExec.exe	32
PID 1896 wrote to memory of 1408	1896	MsiExec.exe	32
PID 1896 wrote to memory of 1408	1896	MsiExec.exe	32

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0f21d1be273c71a066d1a66189bf0082394de92c830cfaa7bbbe4370e1cb9592.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:988

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 63514334BC174D27861503AA05850971
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss9928.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi9915.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr9916.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr9917.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000554" "0000000000000524"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5f6c33731566897b8e1f0800197d7da8

SHA1
a16a43de6c6ef07ee40bb72a61534ca8ece584be

SHA256
f32d2fea2756910bad322317bfb9551fc29b808c2e4063bb300c944e34792c39

SHA512
37efa9e075a3973f4aca762b66cf4b00542f9dd289a6f85d587a7db543b83abce80a0a53cf843817e959042325f1c7e8b469746302474d2424b257d17503e935

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss9928.ps1

Filesize
5KB

MD5
8f69da7a9f4b3c2d0f423583b262ed49

SHA1
b6d2ceb18fe78d279f76f412e4660bff5f6a88c7

SHA256
dc6b6e1812f41c80ee67a72ebcb7a999488c866d805354936fb7506667005b43

SHA512
71782d54137e87ec8d4311adf83b9b269aadfcba55b753ce8562d0fe74cc95f00118b01f3139b8ff0a142156d6461bececfc38380e9acd0c117b2fff0e846edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr9916.ps1

Filesize
916B

MD5
9cc0e053f9cb7fe7316ab4ac0f54b860

SHA1
27567b88e0d64fe00d7824e1d1f3a5f985b44f80

SHA256
11ef5da36a51f1546992b9c1ba34a5075cb22d468c81308c040dbc4fa2046f58

SHA512
59940809a75d083794da8d76e4ed74832198822c70d40c8f6544e75614ea68ca719087943d5c93e1ab61eeb628087ea87b776ca6590d97149edc2b7c26dbf9fc

Download Submit
C:\Windows\Installer\MSI9426.tmp

Filesize
670KB

MD5
846afe3ed676561d5f2cb293177f6c03

SHA1
bd31e948dca976ab54f8a01b87cbd6920659dc92

SHA256
d3f27a9fb0862de63db0e05de28a02c7913139c10440e0b9bff25c76a90806ed

SHA512
e5c10552930223fc818f5e973de482e0d9664defa3771be208be05dd944bef2ae279285a14ac0278ff4cc9d7384e4811e46434018dde314d6150855d9238457e

Download Submit
C:\Windows\Installer\MSIF870.tmp

Filesize
268KB

MD5
b862a8faa3bdfd0dc181010c58460340

SHA1
855626e83f2f2364ce663ef280e2479d10963d0f

SHA256
4b588e4342713920a31acbd249e55e0287cfb562860164506ac047fc70617ef1

SHA512
b6350e82edd993f16d899f6664acee913a8355c621e418568d30c3dc7689b399bb7b565173929f2827e3acb2377ddf35a22d50d714556b31d19d9c48313d7f8f

Download Submit
\Windows\Installer\MSI9426.tmp

Filesize
670KB

MD5
846afe3ed676561d5f2cb293177f6c03

SHA1
bd31e948dca976ab54f8a01b87cbd6920659dc92

SHA256
d3f27a9fb0862de63db0e05de28a02c7913139c10440e0b9bff25c76a90806ed

SHA512
e5c10552930223fc818f5e973de482e0d9664defa3771be208be05dd944bef2ae279285a14ac0278ff4cc9d7384e4811e46434018dde314d6150855d9238457e

Download Submit
\Windows\Installer\MSIF870.tmp

Filesize
268KB

MD5
b862a8faa3bdfd0dc181010c58460340

SHA1
855626e83f2f2364ce663ef280e2479d10963d0f

SHA256
4b588e4342713920a31acbd249e55e0287cfb562860164506ac047fc70617ef1

SHA512
b6350e82edd993f16d899f6664acee913a8355c621e418568d30c3dc7689b399bb7b565173929f2827e3acb2377ddf35a22d50d714556b31d19d9c48313d7f8f

Download Submit
memory/988-54-0x000007FEFC591000-0x000007FEFC593000-memory.dmp

Filesize
8KB

Download
memory/1896-59-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download