4ae5d3c4da666a0f1df3f6d5da48de193cb1237a35d373147cfc1cdaa71affc2

Analysis

max time kernel
63s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2022 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BoxToolsInstaller.exe
Size

6.4MB
MD5

1fd1d804cf0a0e914b9388db1fd30099
SHA1

e30c994ae50dfba30e9fe5f1390338e5eca691eb
SHA256

4ae5d3c4da666a0f1df3f6d5da48de193cb1237a35d373147cfc1cdaa71affc2
SHA512

4af57086a3455e31f2467309a3185675c4ba55e5f482e31bcbea9f4c6635132771ba13fc05b853cee0f5e0530f81e3a6860bd229e6bfd26acd493509797bae2e
SSDEEP

98304:OcPdQFUj53wCVAeRKTemf7A+UUZ9J6NzL3Hy+GMe1lTCg93C/52TTs:1I/CrefZZ9J2zHypp1lTCg80Ts

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 9 IoCs

Processes:

BoxToolsInstaller.exeMsiExec.exe

pid	process
3368	BoxToolsInstaller.exe
3368	BoxToolsInstaller.exe
4912	MsiExec.exe
4912	MsiExec.exe
4912	MsiExec.exe
4912	MsiExec.exe
4912	MsiExec.exe
4912	MsiExec.exe
4912	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

BoxToolsInstaller.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\V:	BoxToolsInstaller.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	BoxToolsInstaller.exe
File opened (read-only)	\??\N:	BoxToolsInstaller.exe
File opened (read-only)	\??\O:	BoxToolsInstaller.exe
File opened (read-only)	\??\S:	BoxToolsInstaller.exe
File opened (read-only)	\??\U:	BoxToolsInstaller.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	BoxToolsInstaller.exe
File opened (read-only)	\??\Z:	BoxToolsInstaller.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	BoxToolsInstaller.exe
File opened (read-only)	\??\G:	BoxToolsInstaller.exe
File opened (read-only)	\??\T:	BoxToolsInstaller.exe
File opened (read-only)	\??\X:	BoxToolsInstaller.exe
File opened (read-only)	\??\Y:	BoxToolsInstaller.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	BoxToolsInstaller.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	BoxToolsInstaller.exe
File opened (read-only)	\??\W:	BoxToolsInstaller.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	BoxToolsInstaller.exe
File opened (read-only)	\??\F:	BoxToolsInstaller.exe
File opened (read-only)	\??\Q:	BoxToolsInstaller.exe
File opened (read-only)	\??\R:	BoxToolsInstaller.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	BoxToolsInstaller.exe
File opened (read-only)	\??\L:	BoxToolsInstaller.exe
File opened (read-only)	\??\M:	BoxToolsInstaller.exe
File opened (read-only)	\??\P:	BoxToolsInstaller.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

BoxToolsInstaller.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	BoxToolsInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	BoxToolsInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	BoxToolsInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	BoxToolsInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	BoxToolsInstaller.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeBoxToolsInstaller.exe

description	pid	process
Token: SeSecurityPrivilege	4604	msiexec.exe
Token: SeCreateTokenPrivilege	3368	BoxToolsInstaller.exe
Token: SeAssignPrimaryTokenPrivilege	3368	BoxToolsInstaller.exe
Token: SeLockMemoryPrivilege	3368	BoxToolsInstaller.exe
Token: SeIncreaseQuotaPrivilege	3368	BoxToolsInstaller.exe
Token: SeMachineAccountPrivilege	3368	BoxToolsInstaller.exe
Token: SeTcbPrivilege	3368	BoxToolsInstaller.exe
Token: SeSecurityPrivilege	3368	BoxToolsInstaller.exe
Token: SeTakeOwnershipPrivilege	3368	BoxToolsInstaller.exe
Token: SeLoadDriverPrivilege	3368	BoxToolsInstaller.exe
Token: SeSystemProfilePrivilege	3368	BoxToolsInstaller.exe
Token: SeSystemtimePrivilege	3368	BoxToolsInstaller.exe
Token: SeProfSingleProcessPrivilege	3368	BoxToolsInstaller.exe
Token: SeIncBasePriorityPrivilege	3368	BoxToolsInstaller.exe
Token: SeCreatePagefilePrivilege	3368	BoxToolsInstaller.exe
Token: SeCreatePermanentPrivilege	3368	BoxToolsInstaller.exe
Token: SeBackupPrivilege	3368	BoxToolsInstaller.exe
Token: SeRestorePrivilege	3368	BoxToolsInstaller.exe
Token: SeShutdownPrivilege	3368	BoxToolsInstaller.exe
Token: SeDebugPrivilege	3368	BoxToolsInstaller.exe
Token: SeAuditPrivilege	3368	BoxToolsInstaller.exe
Token: SeSystemEnvironmentPrivilege	3368	BoxToolsInstaller.exe
Token: SeChangeNotifyPrivilege	3368	BoxToolsInstaller.exe
Token: SeRemoteShutdownPrivilege	3368	BoxToolsInstaller.exe
Token: SeUndockPrivilege	3368	BoxToolsInstaller.exe
Token: SeSyncAgentPrivilege	3368	BoxToolsInstaller.exe
Token: SeEnableDelegationPrivilege	3368	BoxToolsInstaller.exe
Token: SeManageVolumePrivilege	3368	BoxToolsInstaller.exe
Token: SeImpersonatePrivilege	3368	BoxToolsInstaller.exe
Token: SeCreateGlobalPrivilege	3368	BoxToolsInstaller.exe
Token: SeCreateTokenPrivilege	3368	BoxToolsInstaller.exe
Token: SeAssignPrimaryTokenPrivilege	3368	BoxToolsInstaller.exe
Token: SeLockMemoryPrivilege	3368	BoxToolsInstaller.exe
Token: SeIncreaseQuotaPrivilege	3368	BoxToolsInstaller.exe
Token: SeMachineAccountPrivilege	3368	BoxToolsInstaller.exe
Token: SeTcbPrivilege	3368	BoxToolsInstaller.exe
Token: SeSecurityPrivilege	3368	BoxToolsInstaller.exe
Token: SeTakeOwnershipPrivilege	3368	BoxToolsInstaller.exe
Token: SeLoadDriverPrivilege	3368	BoxToolsInstaller.exe
Token: SeSystemProfilePrivilege	3368	BoxToolsInstaller.exe
Token: SeSystemtimePrivilege	3368	BoxToolsInstaller.exe
Token: SeProfSingleProcessPrivilege	3368	BoxToolsInstaller.exe
Token: SeIncBasePriorityPrivilege	3368	BoxToolsInstaller.exe
Token: SeCreatePagefilePrivilege	3368	BoxToolsInstaller.exe
Token: SeCreatePermanentPrivilege	3368	BoxToolsInstaller.exe
Token: SeBackupPrivilege	3368	BoxToolsInstaller.exe
Token: SeRestorePrivilege	3368	BoxToolsInstaller.exe
Token: SeShutdownPrivilege	3368	BoxToolsInstaller.exe
Token: SeDebugPrivilege	3368	BoxToolsInstaller.exe
Token: SeAuditPrivilege	3368	BoxToolsInstaller.exe
Token: SeSystemEnvironmentPrivilege	3368	BoxToolsInstaller.exe
Token: SeChangeNotifyPrivilege	3368	BoxToolsInstaller.exe
Token: SeRemoteShutdownPrivilege	3368	BoxToolsInstaller.exe
Token: SeUndockPrivilege	3368	BoxToolsInstaller.exe
Token: SeSyncAgentPrivilege	3368	BoxToolsInstaller.exe
Token: SeEnableDelegationPrivilege	3368	BoxToolsInstaller.exe
Token: SeManageVolumePrivilege	3368	BoxToolsInstaller.exe
Token: SeImpersonatePrivilege	3368	BoxToolsInstaller.exe
Token: SeCreateGlobalPrivilege	3368	BoxToolsInstaller.exe
Token: SeCreateTokenPrivilege	3368	BoxToolsInstaller.exe
Token: SeAssignPrimaryTokenPrivilege	3368	BoxToolsInstaller.exe
Token: SeLockMemoryPrivilege	3368	BoxToolsInstaller.exe
Token: SeIncreaseQuotaPrivilege	3368	BoxToolsInstaller.exe
Token: SeMachineAccountPrivilege	3368	BoxToolsInstaller.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

BoxToolsInstaller.exe

pid process

3368 BoxToolsInstaller.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 4604 wrote to memory of 4912	4604	msiexec.exe	MsiExec.exe
PID 4604 wrote to memory of 4912	4604	msiexec.exe	MsiExec.exe
PID 4604 wrote to memory of 4912	4604	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\BoxToolsInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\BoxToolsInstaller.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3368

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FD726A2A880215E3813F53138718F272 C
2⤵
- Loads dropped DLL
PID:4912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIC113.tmp

Filesize
243KB

MD5
aaab8d3f7e9e8f143a17a0d15a1d1715

SHA1
8aca4e362e4cdc68c2f8f8f35f200126716f9c74

SHA256
fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889

SHA512
1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC113.tmp

Filesize
243KB

MD5
aaab8d3f7e9e8f143a17a0d15a1d1715

SHA1
8aca4e362e4cdc68c2f8f8f35f200126716f9c74

SHA256
fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889

SHA512
1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC25D.tmp

Filesize
243KB

MD5
aaab8d3f7e9e8f143a17a0d15a1d1715

SHA1
8aca4e362e4cdc68c2f8f8f35f200126716f9c74

SHA256
fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889

SHA512
1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC25D.tmp

Filesize
243KB

MD5
aaab8d3f7e9e8f143a17a0d15a1d1715

SHA1
8aca4e362e4cdc68c2f8f8f35f200126716f9c74

SHA256
fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889

SHA512
1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC29C.tmp

Filesize
243KB

MD5
aaab8d3f7e9e8f143a17a0d15a1d1715

SHA1
8aca4e362e4cdc68c2f8f8f35f200126716f9c74

SHA256
fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889

SHA512
1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC29C.tmp

Filesize
243KB

MD5
aaab8d3f7e9e8f143a17a0d15a1d1715

SHA1
8aca4e362e4cdc68c2f8f8f35f200126716f9c74

SHA256
fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889

SHA512
1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC2DC.tmp

Filesize
243KB

MD5
aaab8d3f7e9e8f143a17a0d15a1d1715

SHA1
8aca4e362e4cdc68c2f8f8f35f200126716f9c74

SHA256
fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889

SHA512
1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC2DC.tmp

Filesize
243KB

MD5
aaab8d3f7e9e8f143a17a0d15a1d1715

SHA1
8aca4e362e4cdc68c2f8f8f35f200126716f9c74

SHA256
fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889

SHA512
1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC30B.tmp

Filesize
243KB

MD5
aaab8d3f7e9e8f143a17a0d15a1d1715

SHA1
8aca4e362e4cdc68c2f8f8f35f200126716f9c74

SHA256
fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889

SHA512
1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC30B.tmp

Filesize
243KB

MD5
aaab8d3f7e9e8f143a17a0d15a1d1715

SHA1
8aca4e362e4cdc68c2f8f8f35f200126716f9c74

SHA256
fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889

SHA512
1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC399.tmp

Filesize
243KB

MD5
aaab8d3f7e9e8f143a17a0d15a1d1715

SHA1
8aca4e362e4cdc68c2f8f8f35f200126716f9c74

SHA256
fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889

SHA512
1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC399.tmp

Filesize
243KB

MD5
aaab8d3f7e9e8f143a17a0d15a1d1715

SHA1
8aca4e362e4cdc68c2f8f8f35f200126716f9c74

SHA256
fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889

SHA512
1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC407.tmp

Filesize
380KB

MD5
3eb31b9a689d506f3b1d3738d28ab640

SHA1
1681fe3bbdcbe617a034b092ea77249dd4c3e986

SHA256
3a7d9cdd6be9ce0e4d01e9894242b497536336bf1850fb0a814a369c8a189c46

SHA512
2598e39f4fd139775bbb040218af802db722d4dca99a4230edfde282362b433c5e30c15d5385063aa76bff916031b0e43586ef05d2ada4edc3c1410371b98e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC407.tmp

Filesize
380KB

MD5
3eb31b9a689d506f3b1d3738d28ab640

SHA1
1681fe3bbdcbe617a034b092ea77249dd4c3e986

SHA256
3a7d9cdd6be9ce0e4d01e9894242b497536336bf1850fb0a814a369c8a189c46

SHA512
2598e39f4fd139775bbb040218af802db722d4dca99a4230edfde282362b433c5e30c15d5385063aa76bff916031b0e43586ef05d2ada4edc3c1410371b98e09

Download Submit
C:\Users\Admin\AppData\Roaming\Box\Box Tools 4.19.0.956\install\decoder.dll

Filesize
149KB

MD5
dbd33ec82bcbf0cbc9e9166a77a705a1

SHA1
5e2bf7f788e8ad7cadd11b2a091af0f081a85fcc

SHA256
eb34b67bd0db30de7e3b3001c2eb0bd781f0f358bb447e93a8dead0290370f18

SHA512
4883d4bf073a92289ecf098c9b663d01f1b5e61a41e25e8327a36f9003ba0c7dda76fd2388aa208bc58ede476ac30f274bb038108f80322abf84a964a55e27bd

Download Submit
C:\Users\Admin\AppData\Roaming\Box\Box Tools 4.19.0.956\install\decoder.dll

Filesize
149KB

MD5
dbd33ec82bcbf0cbc9e9166a77a705a1

SHA1
5e2bf7f788e8ad7cadd11b2a091af0f081a85fcc

SHA256
eb34b67bd0db30de7e3b3001c2eb0bd781f0f358bb447e93a8dead0290370f18

SHA512
4883d4bf073a92289ecf098c9b663d01f1b5e61a41e25e8327a36f9003ba0c7dda76fd2388aa208bc58ede476ac30f274bb038108f80322abf84a964a55e27bd

Download Submit
memory/4912-134-0x0000000000000000-mapping.dmp

Download