Analysis

max time kernel: 90s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2022, 23:33

Static task: static1

Behavioral task: behavioral1
Sample: f081aff290b96a63ded62dcdec5c548b7a83a1b7df2faf2fe9bf16df435b890c.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: f081aff290b96a63ded62dcdec5c548b7a83a1b7df2faf2fe9bf16df435b890c.exe
Resource: win10v2004-20220901-en
General

Target: f081aff290b96a63ded62dcdec5c548b7a83a1b7df2faf2fe9bf16df435b890c.exe
Size: 158KB
MD5: eb59d58706dc05f7a73b338b593c00ec
SHA1: 7edafd519c846d391caa54347e65f0bada8ec478
SHA256: f081aff290b96a63ded62dcdec5c548b7a83a1b7df2faf2fe9bf16df435b890c
SHA512: 6531cb5242fd59125b4df74381b0c85698056b7b25b8f911ff0d5e67f663945fe0a8e5e4923125a76aad75c9d40a654e197bd0d94e6a04ff7887b6f5ef9fb528
SSDEEP: 3072:cSuKWO46D4PydkX4ykeaGybFjuvcZbmcy/yB8nT:3/46dkICaGyhjuLT
Malware Config
Signatures
Sets service image path in registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W1k21212\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\W1k21212.sys" | MsiExec.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | f081aff290b96a63ded62dcdec5c548b7a83a1b7df2faf2fe9bf16df435b890c.exe
Loads dropped DLL (2 IoCs)
  pid | Process
  1584 | MsiExec.exe
  1584 | MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (24 events, one per drive letter) | f081aff290b96a63ded62dcdec5c548b7a83a1b7df2faf2fe9bf16df435b890c.exe
  File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (24 events, one per drive letter) | msiexec.exe
Drops file in Windows directory (7 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{D253A97A-3756-4248-8EAC-36DBF1CC8A7B} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIB626.tmp | msiexec.exe
  File created | C:\Windows\Installer\e56b386.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e56b386.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer Phishing Filter (1 TTP, 5 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | MsiExec.exe
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\PhishingFilter | MsiExec.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0" | MsiExec.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | MsiExec.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\PhishingFilter | MsiExec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4572 | f081aff290b96a63ded62dcdec5c548b7a83a1b7df2faf2fe9bf16df435b890c.exe (all 64 entries record this same pid and process)
Suspicious behavior: LoadsDriver (1 IoC)
  pid | Process
  1584 | MsiExec.exe

Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  4572 | f081aff290b96a63ded62dcdec5c548b7a83a1b7df2faf2fe9bf16df435b890c.exe
Suspicious use of AdjustPrivilegeToken (44 IoCs)
  description (Token) | pid | Process
  pid 4572, f081aff290b96a63ded62dcdec5c548b7a83a1b7df2faf2fe9bf16df435b890c.exe (31 entries, in recorded order): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 4248, msiexec.exe (11 entries): SeSecurityPrivilege, followed by SeRestorePrivilege and SeTakeOwnershipPrivilege alternating, five times each
  pid 1584, MsiExec.exe (2 entries): SeDebugPrivilege, SeLoadDriverPrivilege
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4248 wrote to memory of 1584 | 4248 | msiexec.exe | 83
  PID 4248 wrote to memory of 1584 | 4248 | msiexec.exe | 83
  PID 4248 wrote to memory of 1584 | 4248 | msiexec.exe | 83
  PID 4572 wrote to memory of 4016 | 4572 | f081aff290b96a63ded62dcdec5c548b7a83a1b7df2faf2fe9bf16df435b890c.exe | 84
  PID 4572 wrote to memory of 4016 | 4572 | f081aff290b96a63ded62dcdec5c548b7a83a1b7df2faf2fe9bf16df435b890c.exe | 84
  PID 4572 wrote to memory of 4016 | 4572 | f081aff290b96a63ded62dcdec5c548b7a83a1b7df2faf2fe9bf16df435b890c.exe | 84
Processes

C:\Users\Admin\AppData\Local\Temp\f081aff290b96a63ded62dcdec5c548b7a83a1b7df2faf2fe9bf16df435b890c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f081aff290b96a63ded62dcdec5c548b7a83a1b7df2faf2fe9bf16df435b890c.exe"
  PID: 4572
  - Checks computer location settings
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\10Q9TH~1 >> NUL
    PID: 4016

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  PID: 4248
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\syswow64\MsiExec.exe
    command line: "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Users\Admin\AppData\Roaming\DllDropper.dll"
    PID: 1584
    - Sets service image path in registry
    - Loads dropped DLL
    - Modifies Internet Explorer Phishing Filter
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 101KB
MD5: 2f7237f94dcab8d4357012f6c5e5f3ce
SHA1: f4c0f4d0c1224fc05e831a3c4bfbbde9c249383e
SHA256: 0e7197e2dd3b50306c4ac549f4ddd1fc16e3090c3caa2e06839b2ab015a135d0
SHA512: 3221414fe47563eddcc0f4c1df0493ab24b33f251729b8b7ae761fff0b9937f539b94206aac24d708d8430e72c4b36855d9997085be5c4e623a202d03fe6301b

Filesize: 74KB
MD5: c7a2355764f892b1b21d967a04c4db7c
SHA1: 99bb8aa60e43fe70adfe519e667b3fabbfb0f2a8
SHA256: fe595885e4e2367986518e1e398f49c9eb86109012893482e5ca8ce4baeeb939
SHA512: 026c98c31f798e3b9f6e255ebc87afbef1b29b7e7cdd40b6dcface95b3bef760b8c014c097b95aa762a06865d5792cf3310cc730df94305b9273ef692b2ddea0