Analysis
  Max time kernel: 510s
  Max time network: 512s
  Platform: windows7_x64
  Resource: win7-20220901-en
  Resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  Submitted: 05-12-2022 21:06
  Static task: static1
  Behavioral task: behavioral1
    Sample: c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad.msi
    Resource: win7-20220901-en

General
  Target: c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad.msi
  Size: 597KB
  MD5: 13bd4a09264d6312d957d61d64e79f53
  SHA1: 5ebf19ba1be83ad9e15991e76e509a57aaa9e9c0
  SHA256: c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad
  SHA512: b7943be0b78a7de293b19e2b75a6b44bae34997c555e1a83a0064087d828616e601cc04cb8f13e6e44e8b9cb67fe2328b3826c8d31edf8cd5a74e9def710e582
  SSDEEP: 12288:rZzDzxF3RR3sSRogrrYW4OH5IBwBZ3TzChsL4o1U:rZzDzvvRoCBH2WBJChsMo1U
Malware Config
  Extracted: qakbot
  Version: 403.573
  Botnet: AA
  Campaign: 1649749884
  Salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures

Blocklisted process makes network request (4 IoCs)
  flow  pid   process
  2     1444  msiexec.exe
  4     1444  msiexec.exe
  6     1444  msiexec.exe
  10    1940  msiexec.exe

Loads dropped DLL (1 IoC)
  pid   process
  1716  regsvr32.exe

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every letter except C: and D:; each letter is listed twice, giving 48 entries)

Drops file in Windows directory (10 IoCs)
  description                  ioc                                  process
  File opened for modification C:\Windows\INF\setupapi.ev3          DrvInst.exe
  File created                 C:\Windows\Installer\6c7b87.msi      msiexec.exe
  File opened for modification C:\Windows\Installer\6c7b87.msi      msiexec.exe
  File created                 C:\Windows\Installer\6c7b88.ipi      msiexec.exe
  File opened for modification C:\Windows\Installer\                msiexec.exe
  File opened for modification C:\Windows\Installer\6c7b88.ipi      msiexec.exe
  File opened for modification C:\Windows\INF\setupapi.ev1          DrvInst.exe
  File opened for modification C:\Windows\INF\setupapi.dev.log      DrvInst.exe
  File opened for modification C:\Windows\Installer\MSI7F6F.tmp     msiexec.exe
  File created                 C:\Windows\Installer\6c7b8a.msi      msiexec.exe

Modifies data under HKEY_USERS (43 IoCs)
  Process: DrvInst.exe
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
  Key created (all under \REGISTRY\USER\.DEFAULT\):
  - SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
  - Software\Policies\Microsoft\SystemCertificates\Disallowed
  - SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
  - SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
  - Software\Microsoft\SystemCertificates\trust
  - SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
  - SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
  - Software\Microsoft\SystemCertificates\Root
  - SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
  - SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
  - SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
  - SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
  - SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
  - SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
  - Software\Policies\Microsoft\SystemCertificates\trust
  - SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
  - SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
  - SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
  - Software\Policies\Microsoft\SystemCertificates\CA
  - SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
  - SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
  - SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
  - SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
  - SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
  - SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
  - SOFTWARE\Microsoft\SystemCertificates\Root\CRLs
  - SOFTWARE\Microsoft\SystemCertificates\Root\CTLs
  - SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
  - Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  - Software\Microsoft\SystemCertificates\My
  - SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
  - SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
  - SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
  - Software\Microsoft\SystemCertificates\SmartCardRoot
  - Software\Microsoft\SystemCertificates\TrustedPeople
  - SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
  - Software\Microsoft\SystemCertificates\CA
  - SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
  - Software\Microsoft\SystemCertificates\Disallowed
  - Software\Policies\Microsoft\SystemCertificates\TrustedPeople
  - SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
  - SOFTWARE\Microsoft\SystemCertificates\trust\Certificates

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process        entries
  1940  msiexec.exe    2
  1716  regsvr32.exe   1
  1512  explorer.exe   61

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  1444  msiexec.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   process
  1716  regsvr32.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  1444 msiexec.exe (31 entries): Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (SeShutdownPrivilege and SeIncreaseQuotaPrivilege each appear twice)
  1940 msiexec.exe (20 entries): Token: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, SeBackupPrivilege (SeRestorePrivilege and SeTakeOwnershipPrivilege repeat in alternating pairs)
  892 vssvc.exe (3 entries): Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  1244 DrvInst.exe (10 entries): Token: SeRestorePrivilege (7), SeLoadDriverPrivilege (3)

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  1444  msiexec.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description               pid   process        target pid  target process   entries
  PID 1940 wrote to memory  1940  msiexec.exe    2004        MsiExec.exe      7
  PID 2004 wrote to memory  2004  MsiExec.exe    1716        regsvr32.exe     7
  PID 1716 wrote to memory  1716  regsvr32.exe   1512        explorer.exe     6
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 03A5A7A085A82EB6BB46716EE5B0DFFC
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\SysWOW64\regsvr32.exe" C:\Users\Admin\AppData\Local\SetupTest\1.dll
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\explorer.exe
        Command line: C:\Windows\SysWOW64\explorer.exe
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003BC" "0000000000000578"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
  Filesize: 765B
  MD5: 6af6b6f4ae6196f189dddbc3359153d0
  SHA1: a6b8bcd8d52bc78e6ab09a4691eb235bc342da76
  SHA256: 56843ed6f900a0b68969b73463c867953773db38d9070ad3f3bc9f17019199e4
  SHA512: 3ceab49c2e2ed4103e34f9174c69931dba4fd85442084ce37d7bd6bd829068e023f8dcba5f5cdc6c9f5633ab549d481cb322252b75ffd58ae316c273e70888e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 61KB
  MD5: fc4666cbca561e864e7fdf883a9e6661
  SHA1: 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
  SHA256: 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
  SHA512: c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_D2D3A37B25AAA89445E8EFE144391472
  Filesize: 637B
  MD5: f65e6919f241c149d42e36d0e6751e12
  SHA1: ed0f88a86d27ab339f1b5ac02dd8a01fdd969a0e
  SHA256: 6e31167e7da0fc7f95061a6ba9201fe52bcaf0e58bca6b22d3d2be857fff1a69
  SHA512: 3b02e7a213b3f625c942ec818a53dcb2c08916b3820991256d9c8168b9cccfa4193019e410ddae30ce52c1afacb3068421da1c0ffa506709673871a263c1bdfb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
  Filesize: 1KB
  MD5: c2e74c923e71f2331e4ac3e559feed88
  SHA1: 0dafbf3c9b11edb7a0c7d149f545b88004a951f8
  SHA256: e2d1f43e63c1fda37b1c26cbeac110ad9edd19f6e3b337b616d57a6c0cb0c54c
  SHA512: 7ee607f0f947a04137c3849697ad5b8ca70b142d2cca8520c7b1f29e009369aff67528ccc01f8a64909bc250dbfcfbf7cbe3a42625a6320196f2f5b253ac9e71

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
  Filesize: 484B
  MD5: 87c8627254a5c6185bdf73b0006e0a03
  SHA1: bac75eb563cf4b72c1dc8f7510fc0086a0787da9
  SHA256: 3a23bb46e8f3feafd41b8d50b204d9c0554f6e4e4770e8a47d829ddca3ab6eaf
  SHA512: b8ca37fb33df89f60db2bf6351c2f0ceebd9f461efce316c502378158665138e2ccc657edd30568a6391fc9c455bc2cbc8deb7475665671e4c490844fe6674bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 5db142672c46c24ec1a3eb2c0924ee10
  SHA1: 41e3aed24e7c1aeb0c53a31bed301c651c9a4054
  SHA256: 9cfbc79fa4744efa4d25de6d298cca5ca769f36fcbd7f48ef882dc826d0c2c40
  SHA512: 89235195c46202442267a1308b4ce5d8f80c18dbb8e32f7d9d616b96f9918a7ce0df3941050ade897372952d5b71808c7a5b68f311e2f1e751960fc80a63a14e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_D2D3A37B25AAA89445E8EFE144391472
  Filesize: 488B
  MD5: 073c45fe16b7c283fdd22ce3d67a0b8b
  SHA1: 2bc57b1f3ae1f67c85b49e36da28399bf7ce2e2d
  SHA256: 6e4a7817ba2e7800ad016c6bcf392c296a7c39406cb36b8b81b3d7a70ef8897b
  SHA512: ff09ac2eca3c9b5063af816c5d4e960957deb248928416f34bef814efb0645b0ded9f089caa404637941e34b5721b4b1bcb566c53aa04980c4c94c06de2a798f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
  Filesize: 482B
  MD5: 1e7bb7e1b214b7e5eee0dba98b532934
  SHA1: d73982d16c95e1b3a87734919397ac6fd946094f
  SHA256: 5711988a4a6af026294cc168161fb9be628af2764b0ddc99c2686ad09db710c3
  SHA512: e63b20fb0f232e4c1f22ad13b83c93fb65a5e494d96b40b5989721b9fb515788383a73f7db0cc905a829cb91228347950ac7bbe1e87d60e92cb0e3a0020be2b2

C:\Users\Admin\AppData\Local\SetupTest\1.dll
  Filesize: 716KB
  MD5: 726a41b2959768c5c3d2c7c213e6d0d8
  SHA1: e28186bc0d771d20527b5f80757f4ee3f0ce442e
  SHA256: 6d8ef65670101ecf342152a34ae4b17784186759686c0e5eb631a9fa47315647
  SHA512: 4c349bc12d66be7abde0af38491ce082a9e13036db882bfaeff3ee6ede650c070b1c0f73bea18ae75d7eaff457436a04f0467d50c45c077162e63487cb5a7f34

\Users\Admin\AppData\Local\SetupTest\1.dll
  Filesize: 716KB
  MD5: 726a41b2959768c5c3d2c7c213e6d0d8
  SHA1: e28186bc0d771d20527b5f80757f4ee3f0ce442e
  SHA256: 6d8ef65670101ecf342152a34ae4b17784186759686c0e5eb631a9fa47315647
  SHA512: 4c349bc12d66be7abde0af38491ce082a9e13036db882bfaeff3ee6ede650c070b1c0f73bea18ae75d7eaff457436a04f0467d50c45c077162e63487cb5a7f34

memory/1444-54-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp
  Filesize: 8KB

memory/1512-76-0x0000000000000000-mapping.dmp

memory/1512-78-0x0000000074BE1000-0x0000000074BE3000-memory.dmp
  Filesize: 8KB

memory/1512-79-0x0000000000180000-0x000000000020F000-memory.dmp
  Filesize: 572KB

memory/1512-80-0x0000000000180000-0x000000000020F000-memory.dmp
  Filesize: 572KB

memory/1716-66-0x0000000000000000-mapping.dmp

memory/1716-70-0x0000000010000000-0x000000001008F000-memory.dmp
  Filesize: 572KB

memory/2004-64-0x0000000000000000-mapping.dmp

memory/2004-65-0x0000000075D71000-0x0000000075D73000-memory.dmp
  Filesize: 8KB