3bd813b5eef1dcf7c07c0c11985f134f507be766c0e60e7d5f9129b6356a415c

Analysis

max time kernel
51s
max time network
104s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/09/2022, 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bd813b5eef1dcf7c07c0c11985f134f507be766c0e60e7d5f9129b6356a415c.msi
Size

108.2MB
MD5

092cb4f416ab6b65bd04798070a73310
SHA1

58e6de1202d2ec4991a94636fc9dd86099363e34
SHA256

3bd813b5eef1dcf7c07c0c11985f134f507be766c0e60e7d5f9129b6356a415c
SHA512

b608105fa87aef1cad2bbb1231511a5af6c94f74924258174d1127f5fce9b6937905ff79a777cc1cb55fe4093c5993f53bcf2fc6a1118fd44aa50756f7ea0d4b
SSDEEP

3145728:VFEp1cAjJNOCsXvY27nm0LT419R/pt8OBp4e0/QNou:K7FfknLdTC9R/piq0

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	1736	msiexec.exe
4	1736	msiexec.exe
6	1904	msiexec.exe

Loads dropped DLL 2 IoCs

pid	Process
552	MsiExec.exe
552	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\sk\CustomControls.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\sk\DeactivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil3E7A69B2EFFA9FAAF41F4089660598D5	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2AEC0031CBACEA327D1A729324A20385	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\de\LayoutEditor.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\sk\ProfileManager.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\d3dcompiler_47.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil1DB1BB71E688FDDC4EB645FDD15ED31E	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2CF0AC81DD9032C68B7DA4FABB3D72BC	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ServiceClient.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\el\NovaPDFComponent.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil1E9AFA0B56D982F051EF86DFEE232637	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\de\NovaPDFComponent.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\zh-CN\NovaPDFUtils.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\WAFramework.dll.config	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil00E113EC0B2CEFEA482C5923D3F33052	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\tr\ActivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil3C0E99644F122F8B1C0FA5AEF39A6C58	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ro\LayoutEditor.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\sk\LayoutEditor.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\sk\NovaPDFComponent.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\WPFToolkit.Extended.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil0E771EBBB9FF1BA83296681907F8DF0B	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil0F46D9D0648B828C721543E887222379	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\el\DeactivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil3A9F6A02E9030FC1A4F94BD4020EDB64	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\de\DeactivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\FileUploader.exe	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\en\NovaPDFComponent.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil0AC5C86543029C8EC40EF1D6DF8D84A8	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil1D34BA0FA1D2CA1CEC3C6553F6B0BD2F	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ru\DeactivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ro\NovaPDFComponent.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil1A22837021A319E55FA49BC1DB0AD3AD	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil1DB6E7A59421E9C1A72DB0904F5EF1D5	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\OAuthGmail.exe	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil3D5AD5CC97D379F5BEECF6668323BE8A	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ne\NovaPDFComponent.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil3CD69AC1789061D88B9926CE6584D744	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil3DBB20CBAF4CE6EF61DB819852952845	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\zh-CN\NovaPDFComponent.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\en\ProfileManager.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\it\Ops.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil0FFBE1B21FB9F9A933F1B3FB9BE1E836	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil1B8C73536C45A852E3EEF534412A6418	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil3BC9EA9576E71044B96FDBDA4E383ECB	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\my\ProfileManager.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\pt-BR\WAFramework.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\es\LayoutEditor.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2C645C62F726258F33D3180AA8D1464C	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil2EE9C0B2955BAA40F474504479D6A60A	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\es\CustomControls.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\CustomControls.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\LayoutEditor.dll.Config	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\pt\DeactivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\Google.Apis.Auth.PlatformServices.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ne\Ops.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\ne\DeactivationClientLibrary.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\el\LayoutEditor.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\AgileDotNet.VMRuntime.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil0D419F999347EF83C5220CC2C86C0308	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\fil1CBC19238C0BCDD41D635E4617DD628D	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\FirstFloor.ModernUI.dll	msiexec.exe
File created	C:\Program Files (x86)\Softland\novaPDF 11\Tools\libssl-1_1-x64.dll	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6c8b7e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI922F.tmp	msiexec.exe
File created	C:\Windows\Installer\6c8b80.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI9C6D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c8b80.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC802.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\6c8b7e.msi	msiexec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1904	msiexec.exe
1904	msiexec.exe
1084	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1736	msiexec.exe
Token: SeRestorePrivilege	1904	msiexec.exe
Token: SeTakeOwnershipPrivilege	1904	msiexec.exe
Token: SeSecurityPrivilege	1904	msiexec.exe
Token: SeCreateTokenPrivilege	1736	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1736	msiexec.exe
Token: SeLockMemoryPrivilege	1736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1736	msiexec.exe
Token: SeMachineAccountPrivilege	1736	msiexec.exe
Token: SeTcbPrivilege	1736	msiexec.exe
Token: SeSecurityPrivilege	1736	msiexec.exe
Token: SeTakeOwnershipPrivilege	1736	msiexec.exe
Token: SeLoadDriverPrivilege	1736	msiexec.exe
Token: SeSystemProfilePrivilege	1736	msiexec.exe
Token: SeSystemtimePrivilege	1736	msiexec.exe
Token: SeProfSingleProcessPrivilege	1736	msiexec.exe
Token: SeIncBasePriorityPrivilege	1736	msiexec.exe
Token: SeCreatePagefilePrivilege	1736	msiexec.exe
Token: SeCreatePermanentPrivilege	1736	msiexec.exe
Token: SeBackupPrivilege	1736	msiexec.exe
Token: SeRestorePrivilege	1736	msiexec.exe
Token: SeShutdownPrivilege	1736	msiexec.exe
Token: SeDebugPrivilege	1736	msiexec.exe
Token: SeAuditPrivilege	1736	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1736	msiexec.exe
Token: SeChangeNotifyPrivilege	1736	msiexec.exe
Token: SeRemoteShutdownPrivilege	1736	msiexec.exe
Token: SeUndockPrivilege	1736	msiexec.exe
Token: SeSyncAgentPrivilege	1736	msiexec.exe
Token: SeEnableDelegationPrivilege	1736	msiexec.exe
Token: SeManageVolumePrivilege	1736	msiexec.exe
Token: SeImpersonatePrivilege	1736	msiexec.exe
Token: SeCreateGlobalPrivilege	1736	msiexec.exe
Token: SeBackupPrivilege	1196	vssvc.exe
Token: SeRestorePrivilege	1196	vssvc.exe
Token: SeAuditPrivilege	1196	vssvc.exe
Token: SeBackupPrivilege	1904	msiexec.exe
Token: SeRestorePrivilege	1904	msiexec.exe
Token: SeRestorePrivilege	320	DrvInst.exe
Token: SeRestorePrivilege	320	DrvInst.exe
Token: SeRestorePrivilege	320	DrvInst.exe
Token: SeRestorePrivilege	320	DrvInst.exe
Token: SeRestorePrivilege	320	DrvInst.exe
Token: SeRestorePrivilege	320	DrvInst.exe
Token: SeRestorePrivilege	320	DrvInst.exe
Token: SeLoadDriverPrivilege	320	DrvInst.exe
Token: SeLoadDriverPrivilege	320	DrvInst.exe
Token: SeLoadDriverPrivilege	320	DrvInst.exe
Token: SeRestorePrivilege	1904	msiexec.exe
Token: SeTakeOwnershipPrivilege	1904	msiexec.exe
Token: SeRestorePrivilege	1904	msiexec.exe
Token: SeTakeOwnershipPrivilege	1904	msiexec.exe
Token: SeRestorePrivilege	1904	msiexec.exe
Token: SeTakeOwnershipPrivilege	1904	msiexec.exe
Token: SeRestorePrivilege	1904	msiexec.exe
Token: SeTakeOwnershipPrivilege	1904	msiexec.exe
Token: SeRestorePrivilege	1904	msiexec.exe
Token: SeTakeOwnershipPrivilege	1904	msiexec.exe
Token: SeRestorePrivilege	1904	msiexec.exe
Token: SeTakeOwnershipPrivilege	1904	msiexec.exe
Token: SeRestorePrivilege	1904	msiexec.exe
Token: SeTakeOwnershipPrivilege	1904	msiexec.exe
Token: SeDebugPrivilege	1084	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1736	msiexec.exe
1736	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 552	1904	msiexec.exe	32
PID 1904 wrote to memory of 552	1904	msiexec.exe	32
PID 1904 wrote to memory of 552	1904	msiexec.exe	32
PID 1904 wrote to memory of 552	1904	msiexec.exe	32
PID 1904 wrote to memory of 552	1904	msiexec.exe	32
PID 1904 wrote to memory of 552	1904	msiexec.exe	32
PID 1904 wrote to memory of 552	1904	msiexec.exe	32
PID 552 wrote to memory of 1084	552	MsiExec.exe	33
PID 552 wrote to memory of 1084	552	MsiExec.exe	33
PID 552 wrote to memory of 1084	552	MsiExec.exe	33
PID 552 wrote to memory of 1084	552	MsiExec.exe	33

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3bd813b5eef1dcf7c07c0c11985f134f507be766c0e60e7d5f9129b6356a415c.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8EA54E15B6D0893342E14727D75971DC
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssC833.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiC811.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrC812.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrC813.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1084

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000047C" "000000000000056C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
61becdfc339c7a021d40271b6baf97e1

SHA1
166d20d95ddb9f45774552f68f1e882a4911c476

SHA256
9c64e10de60f5386ef375ac379852fb57f798ce089f096e2a2da7dd9a55e7253

SHA512
97425bd05a1349d2539b035965d066f12d5d03d4c7b8ef392ff9dd8baa0168b9ef65671686efc86f8c8bcf8cd84f18a99bc663ea57cd2a5325b15e248d109ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssC833.ps1

Filesize
5KB

MD5
8f69da7a9f4b3c2d0f423583b262ed49

SHA1
b6d2ceb18fe78d279f76f412e4660bff5f6a88c7

SHA256
dc6b6e1812f41c80ee67a72ebcb7a999488c866d805354936fb7506667005b43

SHA512
71782d54137e87ec8d4311adf83b9b269aadfcba55b753ce8562d0fe74cc95f00118b01f3139b8ff0a142156d6461bececfc38380e9acd0c117b2fff0e846edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrC812.ps1

Filesize
938B

MD5
150fcd3b26ad73ca622f31a76539e203

SHA1
baae826e08e91e8ea8a8490b1da288dad5059216

SHA256
2800f26315cb87bb348ba6c80965ac991199e11b14011136d90dbeaea754f606

SHA512
02e66adac47773c49a5ede1ab5c74bb96722bbc48015bdfd3334ba0a1324ed7de7d5b911508dbcd6d69749d27a83e90ce980fb7dc59eba27de0cf368ca209859

Download Submit
C:\Windows\Installer\MSI922F.tmp

Filesize
268KB

MD5
b862a8faa3bdfd0dc181010c58460340

SHA1
855626e83f2f2364ce663ef280e2479d10963d0f

SHA256
4b588e4342713920a31acbd249e55e0287cfb562860164506ac047fc70617ef1

SHA512
b6350e82edd993f16d899f6664acee913a8355c621e418568d30c3dc7689b399bb7b565173929f2827e3acb2377ddf35a22d50d714556b31d19d9c48313d7f8f

Download Submit
C:\Windows\Installer\MSIC802.tmp

Filesize
670KB

MD5
846afe3ed676561d5f2cb293177f6c03

SHA1
bd31e948dca976ab54f8a01b87cbd6920659dc92

SHA256
d3f27a9fb0862de63db0e05de28a02c7913139c10440e0b9bff25c76a90806ed

SHA512
e5c10552930223fc818f5e973de482e0d9664defa3771be208be05dd944bef2ae279285a14ac0278ff4cc9d7384e4811e46434018dde314d6150855d9238457e

Download Submit
\Windows\Installer\MSI922F.tmp

Filesize
268KB

MD5
b862a8faa3bdfd0dc181010c58460340

SHA1
855626e83f2f2364ce663ef280e2479d10963d0f

SHA256
4b588e4342713920a31acbd249e55e0287cfb562860164506ac047fc70617ef1

SHA512
b6350e82edd993f16d899f6664acee913a8355c621e418568d30c3dc7689b399bb7b565173929f2827e3acb2377ddf35a22d50d714556b31d19d9c48313d7f8f

Download Submit
\Windows\Installer\MSIC802.tmp

Filesize
670KB

MD5
846afe3ed676561d5f2cb293177f6c03

SHA1
bd31e948dca976ab54f8a01b87cbd6920659dc92

SHA256
d3f27a9fb0862de63db0e05de28a02c7913139c10440e0b9bff25c76a90806ed

SHA512
e5c10552930223fc818f5e973de482e0d9664defa3771be208be05dd944bef2ae279285a14ac0278ff4cc9d7384e4811e46434018dde314d6150855d9238457e

Download Submit
memory/552-59-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1736-54-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download