194e334039c0fbbdc574ccae592042b2699814912ac2053f5e0aacf5d0fd44be

Analysis

max time kernel
112s
max time network
157s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/09/2022, 12:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

194e334039c0fbbdc574ccae592042b2699814912ac2053f5e0aacf5d0fd44be.msi
Size

100.8MB
MD5

7d97d8d7556272f7199e25bbff076cfb
SHA1

2325a09a83f0855aaecc8da00b2c316dac03ad0f
SHA256

194e334039c0fbbdc574ccae592042b2699814912ac2053f5e0aacf5d0fd44be
SHA512

4639c796551a44bf49b3f13a06b86d99b7956c56423987eeb636e471afb95edbcff351ea3ae6c86f48cfd7e81eafdb9e4a939c394b33619cf95836b590d04589
SSDEEP

3145728:RFEp1cAjJNOCsXvY27nm0LT419R/pt8OBpt:m7FfknLdTC9R/piqt

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	1256	msiexec.exe
4	1256	msiexec.exe
8	472	msiexec.exe

Loads dropped DLL 2 IoCs

pid	Process
436	MsiExec.exe
436	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\es\CustomControls.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\tr\LayoutEditor.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil0BF2B6CE244B60681FDA5E0A813AB3F5	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil0F713D31BED5C9526054044DCF2E72E9	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2BF148D7355A09D2AAB0A61497130BB3	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\de\NovaPDFComponent.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ko\NovaPDFUtils.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\it\WAFramework.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil3DBB20CBAF4CE6EF61DB819852952845	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\Google.Apis.Auth.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil01FFE147EFB84208F3761FD781111C77	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2F82462EC41101704830C33334C2D797	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\pl\DeactivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\Qt5Quick.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ko\ActivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\CTLUtil.XmlSerializers.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\NovaPDFUtils.XMLSerializers.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\Qt5Core.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\tr\CustomControls.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ro\DeactivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\BouncyCastle.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\Ops.dll.Config	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2F6147DFDF6BB4E7CCCF86E77C563EEA	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil3C86CED598CAC819ECD0D4D7408540A8	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ko\DeactivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\es\LayoutEditor.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil1CC9BC03695BCF4E524EEF2CA89DE624	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ro\NovaPDFComponent.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil00E05745ED5C07F91096D8EEDECB78ED	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil0C419F665EE2B0940D35F79DD0B96100	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2D706FF52A113A3DEC6BA439A7480725	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2EE9C0B2955BAA40F474504479D6A60A	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\zh-CN\LayoutEditor.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\pt\Ops.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil0F46D9D0648B828C721543E887222379	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil1E03E0CD1C6E2C873B3ABF6F22EC5CC5	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2E1F1703D7F967367E789882B5848538	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ms\ActivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\pt\LayoutEditor.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\libwinpthread-1.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil0BA58D57B95EAD7F551723A4AE37456F	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil0DA8E38D5A1A3BBE838768BB49C88EFF	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil1E8411AE168E4CFA49D5FB0346A39E45	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ko\LayoutEditor.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2A8F2FC7ED3B2D14055D1E1498242E88	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2C9BF1370DEAFDFD386151DC5541021E	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\id\DeactivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\Newtonsoft.Json.xml	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ro\ProfileManager.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\es\WAFramework.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil0FFBE1B21FB9F9A933F1B3FB9BE1E836	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil3CE445458D8542570D6C998EDFE723D8	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\da\ProfileManager.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil0EBD49B5D033DCAB6AA0D9FEF23A2A05	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil3A57D342FA876A87544782913BA2A897	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil3E46E1FDDFE35FDED440524B00B9C4A5	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\pt-BR\ActivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\sk\ActivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\pl\CustomControls.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\sk\LayoutEditor.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\en\NovaPDFComponent.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\NovaPDFComponent.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil3D918E21831DA45FD703259413E0D282	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\libEGL.dll	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\6d8c0b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI948F.tmp	msiexec.exe
File created	C:\Windows\Installer\6d8c0d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB76B.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\6d8c0b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6d8c0d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFC3B.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
472	msiexec.exe
472	msiexec.exe
1976	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1256	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1256	msiexec.exe
Token: SeRestorePrivilege	472	msiexec.exe
Token: SeTakeOwnershipPrivilege	472	msiexec.exe
Token: SeSecurityPrivilege	472	msiexec.exe
Token: SeCreateTokenPrivilege	1256	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1256	msiexec.exe
Token: SeLockMemoryPrivilege	1256	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1256	msiexec.exe
Token: SeMachineAccountPrivilege	1256	msiexec.exe
Token: SeTcbPrivilege	1256	msiexec.exe
Token: SeSecurityPrivilege	1256	msiexec.exe
Token: SeTakeOwnershipPrivilege	1256	msiexec.exe
Token: SeLoadDriverPrivilege	1256	msiexec.exe
Token: SeSystemProfilePrivilege	1256	msiexec.exe
Token: SeSystemtimePrivilege	1256	msiexec.exe
Token: SeProfSingleProcessPrivilege	1256	msiexec.exe
Token: SeIncBasePriorityPrivilege	1256	msiexec.exe
Token: SeCreatePagefilePrivilege	1256	msiexec.exe
Token: SeCreatePermanentPrivilege	1256	msiexec.exe
Token: SeBackupPrivilege	1256	msiexec.exe
Token: SeRestorePrivilege	1256	msiexec.exe
Token: SeShutdownPrivilege	1256	msiexec.exe
Token: SeDebugPrivilege	1256	msiexec.exe
Token: SeAuditPrivilege	1256	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1256	msiexec.exe
Token: SeChangeNotifyPrivilege	1256	msiexec.exe
Token: SeRemoteShutdownPrivilege	1256	msiexec.exe
Token: SeUndockPrivilege	1256	msiexec.exe
Token: SeSyncAgentPrivilege	1256	msiexec.exe
Token: SeEnableDelegationPrivilege	1256	msiexec.exe
Token: SeManageVolumePrivilege	1256	msiexec.exe
Token: SeImpersonatePrivilege	1256	msiexec.exe
Token: SeCreateGlobalPrivilege	1256	msiexec.exe
Token: SeBackupPrivilege	524	vssvc.exe
Token: SeRestorePrivilege	524	vssvc.exe
Token: SeAuditPrivilege	524	vssvc.exe
Token: SeBackupPrivilege	472	msiexec.exe
Token: SeRestorePrivilege	472	msiexec.exe
Token: SeRestorePrivilege	672	DrvInst.exe
Token: SeRestorePrivilege	672	DrvInst.exe
Token: SeRestorePrivilege	672	DrvInst.exe
Token: SeRestorePrivilege	672	DrvInst.exe
Token: SeRestorePrivilege	672	DrvInst.exe
Token: SeRestorePrivilege	672	DrvInst.exe
Token: SeRestorePrivilege	672	DrvInst.exe
Token: SeLoadDriverPrivilege	672	DrvInst.exe
Token: SeLoadDriverPrivilege	672	DrvInst.exe
Token: SeLoadDriverPrivilege	672	DrvInst.exe
Token: SeRestorePrivilege	472	msiexec.exe
Token: SeTakeOwnershipPrivilege	472	msiexec.exe
Token: SeRestorePrivilege	472	msiexec.exe
Token: SeTakeOwnershipPrivilege	472	msiexec.exe
Token: SeRestorePrivilege	472	msiexec.exe
Token: SeTakeOwnershipPrivilege	472	msiexec.exe
Token: SeRestorePrivilege	472	msiexec.exe
Token: SeTakeOwnershipPrivilege	472	msiexec.exe
Token: SeRestorePrivilege	472	msiexec.exe
Token: SeTakeOwnershipPrivilege	472	msiexec.exe
Token: SeRestorePrivilege	472	msiexec.exe
Token: SeTakeOwnershipPrivilege	472	msiexec.exe
Token: SeRestorePrivilege	472	msiexec.exe
Token: SeTakeOwnershipPrivilege	472	msiexec.exe
Token: SeDebugPrivilege	1976	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1256	msiexec.exe
1256	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 472 wrote to memory of 436	472	msiexec.exe	30
PID 472 wrote to memory of 436	472	msiexec.exe	30
PID 472 wrote to memory of 436	472	msiexec.exe	30
PID 472 wrote to memory of 436	472	msiexec.exe	30
PID 472 wrote to memory of 436	472	msiexec.exe	30
PID 472 wrote to memory of 436	472	msiexec.exe	30
PID 472 wrote to memory of 436	472	msiexec.exe	30
PID 436 wrote to memory of 1976	436	MsiExec.exe	31
PID 436 wrote to memory of 1976	436	MsiExec.exe	31
PID 436 wrote to memory of 1976	436	MsiExec.exe	31
PID 436 wrote to memory of 1976	436	MsiExec.exe	31

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\194e334039c0fbbdc574ccae592042b2699814912ac2053f5e0aacf5d0fd44be.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1256

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:472
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5124469F7DC00E2933C00E4E42763449
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss40A.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi3B9.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr3CA.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr3CB.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E0" "00000000000003E4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pss40A.ps1

Filesize
5KB

MD5
8f69da7a9f4b3c2d0f423583b262ed49

SHA1
b6d2ceb18fe78d279f76f412e4660bff5f6a88c7

SHA256
dc6b6e1812f41c80ee67a72ebcb7a999488c866d805354936fb7506667005b43

SHA512
71782d54137e87ec8d4311adf83b9b269aadfcba55b753ce8562d0fe74cc95f00118b01f3139b8ff0a142156d6461bececfc38380e9acd0c117b2fff0e846edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr3CA.ps1

Filesize
916B

MD5
c8afd6b715f5ae640a1f303497d312e3

SHA1
129a1e62212b0ae8e50930304f11c68f0ec1fc5b

SHA256
06674b4b5c0463751d1ce08787cf8e939dc3aabe98464a15063b1cdf9ff289b1

SHA512
6b3e3f18cd199c054d57c40ebaf1f1496d4e8a31cc48d25651e405d846cefb550d4018103340e561b4a40f22b9d47a38bca274a15e747ab90cf02367a6e58ad8

Download Submit
C:\Windows\Installer\MSI948F.tmp

Filesize
268KB

MD5
b862a8faa3bdfd0dc181010c58460340

SHA1
855626e83f2f2364ce663ef280e2479d10963d0f

SHA256
4b588e4342713920a31acbd249e55e0287cfb562860164506ac047fc70617ef1

SHA512
b6350e82edd993f16d899f6664acee913a8355c621e418568d30c3dc7689b399bb7b565173929f2827e3acb2377ddf35a22d50d714556b31d19d9c48313d7f8f

Download Submit
C:\Windows\Installer\MSIFC3B.tmp

Filesize
670KB

MD5
846afe3ed676561d5f2cb293177f6c03

SHA1
bd31e948dca976ab54f8a01b87cbd6920659dc92

SHA256
d3f27a9fb0862de63db0e05de28a02c7913139c10440e0b9bff25c76a90806ed

SHA512
e5c10552930223fc818f5e973de482e0d9664defa3771be208be05dd944bef2ae279285a14ac0278ff4cc9d7384e4811e46434018dde314d6150855d9238457e

Download Submit
\Windows\Installer\MSI948F.tmp

Filesize
268KB

MD5
b862a8faa3bdfd0dc181010c58460340

SHA1
855626e83f2f2364ce663ef280e2479d10963d0f

SHA256
4b588e4342713920a31acbd249e55e0287cfb562860164506ac047fc70617ef1

SHA512
b6350e82edd993f16d899f6664acee913a8355c621e418568d30c3dc7689b399bb7b565173929f2827e3acb2377ddf35a22d50d714556b31d19d9c48313d7f8f

Download Submit
\Windows\Installer\MSIFC3B.tmp

Filesize
670KB

MD5
846afe3ed676561d5f2cb293177f6c03

SHA1
bd31e948dca976ab54f8a01b87cbd6920659dc92

SHA256
d3f27a9fb0862de63db0e05de28a02c7913139c10440e0b9bff25c76a90806ed

SHA512
e5c10552930223fc818f5e973de482e0d9664defa3771be208be05dd944bef2ae279285a14ac0278ff4cc9d7384e4811e46434018dde314d6150855d9238457e

Download Submit
memory/436-58-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1256-54-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/1976-67-0x00000000724A0000-0x00000000739C8000-memory.dmp

Filesize
21.2MB

Download