19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0

Analysis

max time kernel
151s
max time network
78s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14/10/2022, 12:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Size

40.6MB
MD5

a9fd01617601c7532cb62872f242403a
SHA1

81f1424f3cac49da94a8824fdca85942ae4fc356
SHA256

19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0
SHA512

4118f204fa60b07c5c95d73668ffcb4053acb3ccc49b21274f906403c1d753ba4594601c255e71cd00944e05d0c0c90c7ece7baae16a9b00954ea5260e08356c
SSDEEP

786432:bnsRF43ZUveBx2C5QuvOTo41nRHeDHYxpjq5XU/XFmNO5txTWVL:Ds34yeCCLOToEejPd6EO5tpWVL

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1020	msiexec.exe

Loads dropped DLL 3 IoCs

pid	Process
1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
596	MsiExec.exe
596	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\Y:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\I:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\V:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\M:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\Q:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\O:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\R:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\X:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
596	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1240	msiexec.exe
Token: SeTakeOwnershipPrivilege	1240	msiexec.exe
Token: SeSecurityPrivilege	1240	msiexec.exe
Token: SeCreateTokenPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeAssignPrimaryTokenPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeLockMemoryPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeIncreaseQuotaPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeMachineAccountPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeTcbPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeSecurityPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeTakeOwnershipPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeLoadDriverPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeSystemProfilePrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeSystemtimePrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeProfSingleProcessPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeIncBasePriorityPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeCreatePagefilePrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeCreatePermanentPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeBackupPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeRestorePrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeShutdownPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeDebugPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeAuditPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeSystemEnvironmentPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeChangeNotifyPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeRemoteShutdownPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeUndockPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeSyncAgentPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeEnableDelegationPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeManageVolumePrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeImpersonatePrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeCreateGlobalPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeCreateTokenPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeAssignPrimaryTokenPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeLockMemoryPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeIncreaseQuotaPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeMachineAccountPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeTcbPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeSecurityPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeTakeOwnershipPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeLoadDriverPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeSystemProfilePrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeSystemtimePrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeProfSingleProcessPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeIncBasePriorityPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeCreatePagefilePrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeCreatePermanentPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeBackupPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeRestorePrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeShutdownPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeDebugPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeAuditPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeSystemEnvironmentPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeChangeNotifyPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeRemoteShutdownPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeUndockPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeSyncAgentPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeEnableDelegationPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeManageVolumePrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeImpersonatePrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeCreateGlobalPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeCreateTokenPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeAssignPrimaryTokenPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
Token: SeLockMemoryPrivilege	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
1020	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 596	1240	msiexec.exe	28
PID 1240 wrote to memory of 596	1240	msiexec.exe	28
PID 1240 wrote to memory of 596	1240	msiexec.exe	28
PID 1240 wrote to memory of 596	1240	msiexec.exe	28
PID 1240 wrote to memory of 596	1240	msiexec.exe	28
PID 1240 wrote to memory of 596	1240	msiexec.exe	28
PID 1240 wrote to memory of 596	1240	msiexec.exe	28
PID 1712 wrote to memory of 1020	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe	29
PID 1712 wrote to memory of 1020	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe	29
PID 1712 wrote to memory of 1020	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe	29
PID 1712 wrote to memory of 1020	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe	29
PID 1712 wrote to memory of 1020	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe	29
PID 1712 wrote to memory of 1020	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe	29
PID 1712 wrote to memory of 1020	1712	19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe	29

C:\Users\Admin\AppData\Local\Temp\19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe
"C:\Users\Admin\AppData\Local\Temp\19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Inc\Telegram 4.6.0\install\Telegram.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\19f780d3cd00939c3f0a87b60657d5c9a8fb3869f8326e9433ed87dbd2edbef0.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1665750742 " ALLUSERS="1" AI_EUIMSI=""
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:1020

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 03C027DD5C7D564D53C1330FC2B2B6A3 C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1212

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000494" "00000000000004E8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dce25fff9b788d530cda97a16a39bccb

SHA1
745df8d7d789f02a24ea54be3c19c0903060853f

SHA256
6cba3aed3a8eb435e4eff95a14a7858aa00033588569f1272c76ae10b7752da0

SHA512
8d8a1e3601949a6d2e2f7da19ca0a07856a733ba28d8ab27bde233b081a84778e0b79c265a5eeb22d846bc59b58a636f3c8b04e414a413c574f9a28640b33721

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI15EF.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI16F9.tmp

Filesize
897KB

MD5
6189cdcb92ab9ddbffd95facd0b631fa

SHA1
b74c72cefcb5808e2c9ae4ba976fa916ba57190d

SHA256
519f7ac72beba9d5d7dcf71fcac15546f5cfd3bcfc37a5129e63b4e0be91a783

SHA512
ee9ce27628e7a07849cd9717609688ca4229d47579b69e3d3b5b2e7c2433369de9557ef6a13fa59964f57fb213cd8ca205b35f5791ea126bde5a4e00f6a11caf

Download Submit
C:\Users\Admin\AppData\Roaming\Inc\Telegram 4.6.0\install\Telegram.msi

Filesize
3.6MB

MD5
450bb5e2e9f07d3b752ca9f063147549

SHA1
2a218db1d50e974d1e0fa747e70a4426e0183be7

SHA256
d07e318d90d253120bf0eab14f67e8e41ab86266c6a7dead2583fe1e850d260e

SHA512
8a9001d7b9a8c10c262853b829b6ab9be42d4eea1ae3b3188e3d32a7f28c9075ec2ad5270301d05ed2aefe59fb71dc8e3c3fd851e67525af5a20656772bd0bb8

Download Submit
\Users\Admin\AppData\Local\Temp\INA1581.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
\Users\Admin\AppData\Local\Temp\MSI15EF.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Users\Admin\AppData\Local\Temp\MSI16F9.tmp

Filesize
897KB

MD5
6189cdcb92ab9ddbffd95facd0b631fa

SHA1
b74c72cefcb5808e2c9ae4ba976fa916ba57190d

SHA256
519f7ac72beba9d5d7dcf71fcac15546f5cfd3bcfc37a5129e63b4e0be91a783

SHA512
ee9ce27628e7a07849cd9717609688ca4229d47579b69e3d3b5b2e7c2433369de9557ef6a13fa59964f57fb213cd8ca205b35f5791ea126bde5a4e00f6a11caf

Download Submit
memory/1240-56-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download
memory/1712-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1712-55-0x00000000739F1000-0x00000000739F3000-memory.dmp

Filesize
8KB

Download