0d604def7d8c28469c49fa5d12a8deddb56ebbdf03fb4de5b31484b6a4ace3a0

Resubmissions

20/12/2022, 18:17

221220-ww6fhadf6x 8

20/12/2022, 14:06

221220-reqaqsch9y 8

Analysis

max time kernel
1192s
max time network
1201s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
20/12/2022, 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ke.msi
Size

36KB
MD5

c0de445dfe49d2932cc7a55e81b06a38
SHA1

96738932eceae5ca5196401c059532024fce9d56
SHA256

0d604def7d8c28469c49fa5d12a8deddb56ebbdf03fb4de5b31484b6a4ace3a0
SHA512

5ad5bf1ce13b6e8f9972d8801a084ad490efda8580d9b103640edbe34cf166d7ffab294f2c38e91340c30235b84e076490a01379873a3b41601e67e395ff28ba
SSDEEP

384:0mcA5s8B88y+J4Hby3M5koXbGWv3m8V4x5Pey3M5sC0Loj8H:ro+uWMxGIweWMmC

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 64 IoCs

flow	pid	Process
8	2076	msiexec.exe
10	2076	msiexec.exe
12	2076	msiexec.exe
16	2076	msiexec.exe
17	2076	msiexec.exe
19	2076	msiexec.exe
20	2076	msiexec.exe
21	2076	msiexec.exe
22	2076	msiexec.exe
23	2076	msiexec.exe
24	2076	msiexec.exe
25	2076	msiexec.exe
26	2076	msiexec.exe
27	2076	msiexec.exe
28	2076	msiexec.exe
29	2076	msiexec.exe
30	2076	msiexec.exe
31	2076	msiexec.exe
32	2076	msiexec.exe
33	2076	msiexec.exe
34	2076	msiexec.exe
35	2076	msiexec.exe
36	2076	msiexec.exe
37	2076	msiexec.exe
38	2076	msiexec.exe
39	2076	msiexec.exe
40	2076	msiexec.exe
41	2076	msiexec.exe
42	2076	msiexec.exe
43	2076	msiexec.exe
47	2076	msiexec.exe
48	2076	msiexec.exe
49	2076	msiexec.exe
50	2076	msiexec.exe
51	2076	msiexec.exe
52	756	wscript.exe
53	2076	msiexec.exe
56	2076	msiexec.exe
57	2076	msiexec.exe
58	2076	msiexec.exe
59	2076	msiexec.exe
60	2076	msiexec.exe
61	2076	msiexec.exe
62	2076	msiexec.exe
63	2076	msiexec.exe
64	2076	msiexec.exe
65	2076	msiexec.exe
66	2076	msiexec.exe
67	2076	msiexec.exe
68	2076	msiexec.exe
69	2076	msiexec.exe
70	2076	msiexec.exe
71	2076	msiexec.exe
72	2076	msiexec.exe
73	2076	msiexec.exe
74	2076	msiexec.exe
75	2076	msiexec.exe
76	2076	msiexec.exe
77	2076	msiexec.exe
78	2076	msiexec.exe
79	2076	msiexec.exe
80	2076	msiexec.exe
81	2076	msiexec.exe
82	2076	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
1232	i_view32.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Terminal App Service.lnk	msiexec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e56c27a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC393.tmp	msiexec.exe
File created	C:\Windows\Installer\e56c27c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA102.tmp	msiexec.exe
File created	C:\Windows\Installer\e56c27f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD86.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDC79.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e56c27a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E89AA589-4680-4525-99A5-EF6A17A83C6B}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2076	msiexec.exe
2076	msiexec.exe
2076	msiexec.exe
2076	msiexec.exe
2076	msiexec.exe
2076	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1984	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1984	msiexec.exe
Token: SeSecurityPrivilege	2076	msiexec.exe
Token: SeCreateTokenPrivilege	1984	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1984	msiexec.exe
Token: SeLockMemoryPrivilege	1984	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1984	msiexec.exe
Token: SeMachineAccountPrivilege	1984	msiexec.exe
Token: SeTcbPrivilege	1984	msiexec.exe
Token: SeSecurityPrivilege	1984	msiexec.exe
Token: SeTakeOwnershipPrivilege	1984	msiexec.exe
Token: SeLoadDriverPrivilege	1984	msiexec.exe
Token: SeSystemProfilePrivilege	1984	msiexec.exe
Token: SeSystemtimePrivilege	1984	msiexec.exe
Token: SeProfSingleProcessPrivilege	1984	msiexec.exe
Token: SeIncBasePriorityPrivilege	1984	msiexec.exe
Token: SeCreatePagefilePrivilege	1984	msiexec.exe
Token: SeCreatePermanentPrivilege	1984	msiexec.exe
Token: SeBackupPrivilege	1984	msiexec.exe
Token: SeRestorePrivilege	1984	msiexec.exe
Token: SeShutdownPrivilege	1984	msiexec.exe
Token: SeDebugPrivilege	1984	msiexec.exe
Token: SeAuditPrivilege	1984	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1984	msiexec.exe
Token: SeChangeNotifyPrivilege	1984	msiexec.exe
Token: SeRemoteShutdownPrivilege	1984	msiexec.exe
Token: SeUndockPrivilege	1984	msiexec.exe
Token: SeSyncAgentPrivilege	1984	msiexec.exe
Token: SeEnableDelegationPrivilege	1984	msiexec.exe
Token: SeManageVolumePrivilege	1984	msiexec.exe
Token: SeImpersonatePrivilege	1984	msiexec.exe
Token: SeCreateGlobalPrivilege	1984	msiexec.exe
Token: SeBackupPrivilege	2288	vssvc.exe
Token: SeRestorePrivilege	2288	vssvc.exe
Token: SeAuditPrivilege	2288	vssvc.exe
Token: SeBackupPrivilege	2076	msiexec.exe
Token: SeRestorePrivilege	2076	msiexec.exe
Token: SeRestorePrivilege	2076	msiexec.exe
Token: SeTakeOwnershipPrivilege	2076	msiexec.exe
Token: SeRestorePrivilege	2076	msiexec.exe
Token: SeTakeOwnershipPrivilege	2076	msiexec.exe
Token: SeRestorePrivilege	2076	msiexec.exe
Token: SeTakeOwnershipPrivilege	2076	msiexec.exe
Token: SeRestorePrivilege	2076	msiexec.exe
Token: SeTakeOwnershipPrivilege	2076	msiexec.exe
Token: SeRestorePrivilege	2076	msiexec.exe
Token: SeTakeOwnershipPrivilege	2076	msiexec.exe
Token: SeRestorePrivilege	2076	msiexec.exe
Token: SeTakeOwnershipPrivilege	2076	msiexec.exe
Token: SeRestorePrivilege	2076	msiexec.exe
Token: SeTakeOwnershipPrivilege	2076	msiexec.exe
Token: SeRestorePrivilege	2076	msiexec.exe
Token: SeTakeOwnershipPrivilege	2076	msiexec.exe
Token: SeRestorePrivilege	2076	msiexec.exe
Token: SeTakeOwnershipPrivilege	2076	msiexec.exe
Token: SeRestorePrivilege	2076	msiexec.exe
Token: SeTakeOwnershipPrivilege	2076	msiexec.exe
Token: SeRestorePrivilege	2076	msiexec.exe
Token: SeTakeOwnershipPrivilege	2076	msiexec.exe
Token: SeRestorePrivilege	2076	msiexec.exe
Token: SeTakeOwnershipPrivilege	2076	msiexec.exe
Token: SeRestorePrivilege	2076	msiexec.exe
Token: SeTakeOwnershipPrivilege	2076	msiexec.exe
Token: SeRestorePrivilege	2076	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1984	msiexec.exe
1984	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1508	2076	msiexec.exe	72
PID 2076 wrote to memory of 1508	2076	msiexec.exe	72
PID 2076 wrote to memory of 4276	2076	msiexec.exe	73
PID 2076 wrote to memory of 4276	2076	msiexec.exe	73
PID 2076 wrote to memory of 764	2076	msiexec.exe	76
PID 2076 wrote to memory of 764	2076	msiexec.exe	76
PID 2076 wrote to memory of 756	2076	msiexec.exe	77
PID 2076 wrote to memory of 756	2076	msiexec.exe	77
PID 764 wrote to memory of 1232	764	wscript.exe	78
PID 764 wrote to memory of 1232	764	wscript.exe	78
PID 764 wrote to memory of 1232	764	wscript.exe	78
PID 764 wrote to memory of 2312	764	wscript.exe	79
PID 764 wrote to memory of 2312	764	wscript.exe	79

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ke.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1984

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Drops startup file
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1508
- C:\Windows\system32\wscript.exe
  "wscript.exe" "Terminal App Service.vbs"
  2⤵
  PID:4276
- C:\Windows\system32\wscript.exe
  "wscript.exe" "app.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\ProgramData\Dored\i_view32.exe
    "C:\ProgramData\Dored\i_view32.exe" /capture /convert=skev.jpg
    3⤵
    - Executes dropped EXE
    PID:1232
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" product where name='FLibrary' call uninstall /nointeractive
    3⤵
    PID:2312
- C:\Windows\system32\wscript.exe
  "wscript.exe" "index.js"
  2⤵
  - Blocklisted process makes network request
  PID:756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Cis\Terminal App Service.vbs

Filesize
262B

MD5
323b8e4888440687ec3a20708b52760c

SHA1
aeb7051bb3bb7b1ed73d7f58fb2b279863cbc785

SHA256
27217d815fc504f6cb9d531028da2f058eb5ac4782e952290c19aacfaa1459da

SHA512
36ea0ec78b54c84a284496ac25499c41554422674bcbf093e5d489da974266441948a8dffaba9393d55cdb22544a4f67166bbebbdc788ab48e082e7588f35eb6

Download Submit
C:\ProgramData\Dored\app.js

Filesize
211B

MD5
89e320093ce9d3a9e61e58c1121b76e7

SHA1
a83783769a0a36d7560e4596aa53c3422c41ec88

SHA256
5496156c5c7d349f998d470231410b5ecfc62dd245eb686a8e77f5f40a28cac7

SHA512
403522e9b6a3058a12604c225f150f55a44034908b8ca32d534764717eb351db9252fab1ef7f5892d453a9c750b1b10afa8797df0c110adfb5b6ff9d5f48b9d3

Download Submit
C:\ProgramData\Dored\i_view32.exe

Filesize
1.9MB

MD5
b103655d23aab7ff124de7ea4fbc2361

SHA1
904bf233b9070af245f4dbcae11828615ef8715b

SHA256
6e53a93fc2968d90891db6059bac49e975c09546e19a54f1f93fb01a21318fdc

SHA512
fda0e3855522039d3b56e15b169b4c634672ca181ced78a479b6723c22ce889308db55aa1ea58fa8cb01ed1657fddc52a2c45d904c6eb5b852a171bcba310a52

Download Submit
C:\ProgramData\Dored\i_view32.exe

Filesize
1.9MB

MD5
b103655d23aab7ff124de7ea4fbc2361

SHA1
904bf233b9070af245f4dbcae11828615ef8715b

SHA256
6e53a93fc2968d90891db6059bac49e975c09546e19a54f1f93fb01a21318fdc

SHA512
fda0e3855522039d3b56e15b169b4c634672ca181ced78a479b6723c22ce889308db55aa1ea58fa8cb01ed1657fddc52a2c45d904c6eb5b852a171bcba310a52

Download Submit
C:\ProgramData\Dored\index.js

Filesize
742B

MD5
44839c07923d8a37f49782e6a2567950

SHA1
21e6e88de9b6efa47b0dc137ae942bdb6b113192

SHA256
ca830dabaa78487702826679e1d0caa7acb7ff2688537a2025aabb0b57fbd414

SHA512
d6484cf875a8970ad8826ec522acc1015233180c416c701c5b0bca71f8a29da2bd85aba9010d3e05178b898e20c2e6c76cdeae97e5a2995f53946d8c5cbb5e0b

Download Submit
C:\ProgramData\Dored\skev.jpg

Filesize
82KB

MD5
ae76e6fedf1a69f196d966a416f980e5

SHA1
f6868a845f7f95189b9eb75a5c7110d67422a742

SHA256
f32c1ddcbb3e7794e3ed8d9f38fe387558a2ed546df0affebe4b48a5df68ef4a

SHA512
cf6d39a8630f62e5a1bd95c6f92009c95e42a8c909f61516c22573aaa4ec612f8b803a9e946cc76a3692e9a469e7992a6340bd99e0a84c1600e22abe9af806dc

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
25.0MB

MD5
b3ad8cc29027360fb0d820fd99617de7

SHA1
80b72937c9d04178919651f9a98f1be0d26014cb

SHA256
b7857d39fb568932fdfc70298a93103aa4b0ee2ed2c50ab3728291ad8283dcde

SHA512
3ff1391e3349946c59054ef93675cd3f37716718e96370894bec81d91bca65cbd05b4f02f888ab49ff37d680084a69a9906c86c0ec102bd8a502fb59c985129b

Download Submit
\??\Volume{5f334692-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b98b200f-6954-41b7-8ad4-810d44e1ed34}_OnDiskSnapshotProp

Filesize
5KB

MD5
4af3f048432da4446b0ab95b7d17990b

SHA1
626389ae1b165253ee85975418062903ea617cee

SHA256
ef0cead65242ae35331dd5584ec4ca4005bbc52fced83db9deb460fd140989a1

SHA512
5d9830e0f20ace3fd2052607f1d0267674e90f1ead096a82485d9c532200db4fd502c473b218b98f3a43f038b7408ad5bdfda24e5d67db9e30dfe41a6a52cd41

Download Submit
memory/1232-146-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-151-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-134-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-135-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-136-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-137-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-138-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-139-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-141-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-140-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-142-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-143-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-144-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-145-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-132-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-147-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-148-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-149-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-150-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-133-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-152-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-153-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-154-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-155-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-156-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-157-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-158-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-159-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-160-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-162-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-163-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-164-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-165-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-166-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-161-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-167-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download