dd3bac003b3a51881727eabebf2a03dc9658998875b755be1b41a6b98dcac2e4

General

Target

bridge_2.6.0_x64_en-US.msi
Size

13.8MB
MD5

9d34f5b91bf8cea768101ef518d5485f
SHA1

5a74a3d7a13dedd801713b4b376372ce5bafffc6
SHA256

dd3bac003b3a51881727eabebf2a03dc9658998875b755be1b41a6b98dcac2e4
SHA512

a29e8ddce36663ecc85d9e874b58c494521ddfcefbd29c3b3645626a4e863567ecdd54226c524f0650e3f12c5ca7bed10ffa9ff3dd72cac19f811ce90ecec05f
SSDEEP

393216:YuZjvjpxdnKUMS98zxRhVI0dQOnnqrJ9JZzx:Yu9LpvKjrhq0dQOnnqzJz

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 7 IoCs

Processes:

MsiExec.exemsiexec.exe

pid process

1240 MsiExec.exe
1320 msiexec.exe
1320 msiexec.exe
1268
1268
1268
1268

pid	process
1240	MsiExec.exe
1320	msiexec.exe
1320	msiexec.exe
1268
1268
1268
1268

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Program Files directory 3 IoCs

Processes:

msiexec.exepowershell.exe

description	ioc	process
File created	C:\Program Files\bridge\bridge.exe	msiexec.exe
File created	C:\Program Files\bridge\Uninstall bridge.lnk	msiexec.exe
File opened for modification	C:\Program Files\bridge\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI9E91.tmp	msiexec.exe
File created	C:\Windows\Installer\{5C7DECC3-E2F7-4EF8-B62D-F9E8514DE413}\ProductIcon	msiexec.exe
File created	C:\Windows\Installer\6c9aec.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\6c9ae9.msi	msiexec.exe
File created	C:\Windows\Installer\6c9ae9.msi	msiexec.exe
File created	C:\Windows\Installer\6c9aea.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{5C7DECC3-E2F7-4EF8-B62D-F9E8514DE413}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\6c9aea.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe

Modifies registry class 35 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3CCED7C57F2E8FE46BD29F8E15D44E31\MainProgram	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\SourceList\PackageName = "bridge_2.6.0_x64_en-US.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Features\3CCED7C57F2E8FE46BD29F8E15D44E31	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\55CD7B4F0D82AC85BA12355C9AF4DE28	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\Version = "33947648"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\55CD7B4F0D82AC85BA12355C9AF4DE28	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\Language = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\55CD7B4F0D82AC85BA12355C9AF4DE28\3CCED7C57F2E8FE46BD29F8E15D44E31	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3CCED7C57F2E8FE46BD29F8E15D44E31	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\ProductIcon = "C:\\Windows\\Installer\\{5C7DECC3-E2F7-4EF8-B62D-F9E8514DE413}\\ProductIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3CCED7C57F2E8FE46BD29F8E15D44E31	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3CCED7C57F2E8FE46BD29F8E15D44E31\Environment = "MainProgram"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\PackageCode = "48D2313C4D79DA54BBAE66A20AAA4656"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\DeploymentFlags = "3"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3CCED7C57F2E8FE46BD29F8E15D44E31\ShortcutsFeature = "MainProgram"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3CCED7C57F2E8FE46BD29F8E15D44E31\External	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\ProductName = "bridge"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3CCED7C57F2E8FE46BD29F8E15D44E31\SourceList\Media\1 = ";"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

msiexec.exepowershell.exe

pid process

1320 msiexec.exe
1320 msiexec.exe
752 powershell.exe

pid	process
1320	msiexec.exe
1320	msiexec.exe
752	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1428	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1320	msiexec.exe
Token: SeTakeOwnershipPrivilege	1320	msiexec.exe
Token: SeSecurityPrivilege	1320	msiexec.exe
Token: SeCreateTokenPrivilege	1428	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1428	msiexec.exe
Token: SeLockMemoryPrivilege	1428	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1428	msiexec.exe
Token: SeMachineAccountPrivilege	1428	msiexec.exe
Token: SeTcbPrivilege	1428	msiexec.exe
Token: SeSecurityPrivilege	1428	msiexec.exe
Token: SeTakeOwnershipPrivilege	1428	msiexec.exe
Token: SeLoadDriverPrivilege	1428	msiexec.exe
Token: SeSystemProfilePrivilege	1428	msiexec.exe
Token: SeSystemtimePrivilege	1428	msiexec.exe
Token: SeProfSingleProcessPrivilege	1428	msiexec.exe
Token: SeIncBasePriorityPrivilege	1428	msiexec.exe
Token: SeCreatePagefilePrivilege	1428	msiexec.exe
Token: SeCreatePermanentPrivilege	1428	msiexec.exe
Token: SeBackupPrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe
Token: SeShutdownPrivilege	1428	msiexec.exe
Token: SeDebugPrivilege	1428	msiexec.exe
Token: SeAuditPrivilege	1428	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1428	msiexec.exe
Token: SeChangeNotifyPrivilege	1428	msiexec.exe
Token: SeRemoteShutdownPrivilege	1428	msiexec.exe
Token: SeUndockPrivilege	1428	msiexec.exe
Token: SeSyncAgentPrivilege	1428	msiexec.exe
Token: SeEnableDelegationPrivilege	1428	msiexec.exe
Token: SeManageVolumePrivilege	1428	msiexec.exe
Token: SeImpersonatePrivilege	1428	msiexec.exe
Token: SeCreateGlobalPrivilege	1428	msiexec.exe
Token: SeCreateTokenPrivilege	1428	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1428	msiexec.exe
Token: SeLockMemoryPrivilege	1428	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1428	msiexec.exe
Token: SeMachineAccountPrivilege	1428	msiexec.exe
Token: SeTcbPrivilege	1428	msiexec.exe
Token: SeSecurityPrivilege	1428	msiexec.exe
Token: SeTakeOwnershipPrivilege	1428	msiexec.exe
Token: SeLoadDriverPrivilege	1428	msiexec.exe
Token: SeSystemProfilePrivilege	1428	msiexec.exe
Token: SeSystemtimePrivilege	1428	msiexec.exe
Token: SeProfSingleProcessPrivilege	1428	msiexec.exe
Token: SeIncBasePriorityPrivilege	1428	msiexec.exe
Token: SeCreatePagefilePrivilege	1428	msiexec.exe
Token: SeCreatePermanentPrivilege	1428	msiexec.exe
Token: SeBackupPrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe
Token: SeShutdownPrivilege	1428	msiexec.exe
Token: SeDebugPrivilege	1428	msiexec.exe
Token: SeAuditPrivilege	1428	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1428	msiexec.exe
Token: SeChangeNotifyPrivilege	1428	msiexec.exe
Token: SeRemoteShutdownPrivilege	1428	msiexec.exe
Token: SeUndockPrivilege	1428	msiexec.exe
Token: SeSyncAgentPrivilege	1428	msiexec.exe
Token: SeEnableDelegationPrivilege	1428	msiexec.exe
Token: SeManageVolumePrivilege	1428	msiexec.exe
Token: SeImpersonatePrivilege	1428	msiexec.exe
Token: SeCreateGlobalPrivilege	1428	msiexec.exe
Token: SeCreateTokenPrivilege	1428	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1428 msiexec.exe

pid	process
1428	msiexec.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 1320 wrote to memory of 1240	1320	msiexec.exe	MsiExec.exe
PID 1320 wrote to memory of 1240	1320	msiexec.exe	MsiExec.exe
PID 1320 wrote to memory of 1240	1320	msiexec.exe	MsiExec.exe
PID 1320 wrote to memory of 1240	1320	msiexec.exe	MsiExec.exe
PID 1320 wrote to memory of 1240	1320	msiexec.exe	MsiExec.exe
PID 1320 wrote to memory of 1240	1320	msiexec.exe	MsiExec.exe
PID 1320 wrote to memory of 1240	1320	msiexec.exe	MsiExec.exe
PID 1320 wrote to memory of 752	1320	msiexec.exe	powershell.exe
PID 1320 wrote to memory of 752	1320	msiexec.exe	powershell.exe
PID 1320 wrote to memory of 752	1320	msiexec.exe	powershell.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\bridge_2.6.0_x64_en-US.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1428

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4EDF9F467DCF3C2AD0525F2ED938D015 C
2⤵
- Loads dropped DLL
PID:1240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
2⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:972

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004EC" "0000000000000590"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1956

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI2859.tmp
Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
\Program Files\bridge\bridge.exe
Filesize
18.3MB

MD5
a63d9d9efb0e04a21d79b5c90cb5d797

SHA1
daae9583cc42420a69c78901881e3c45e6abae1d

SHA256
e817989ec80868e2666ff9f73ac44adf76dc56a00b4fef9453d416cd4d3922f8

SHA512
65eec38ba0f36852e9f6f8ef383dfb056fd1d1776e02872f0bdbd0a7f3888d4001a0172c8ca7675791e8e95711e5a6dc32c9e05700f83029166b017a600498e2

Download Submit
\Program Files\bridge\bridge.exe
Filesize
18.3MB

MD5
a63d9d9efb0e04a21d79b5c90cb5d797

SHA1
daae9583cc42420a69c78901881e3c45e6abae1d

SHA256
e817989ec80868e2666ff9f73ac44adf76dc56a00b4fef9453d416cd4d3922f8

SHA512
65eec38ba0f36852e9f6f8ef383dfb056fd1d1776e02872f0bdbd0a7f3888d4001a0172c8ca7675791e8e95711e5a6dc32c9e05700f83029166b017a600498e2

Download Submit
\Program Files\bridge\bridge.exe
Filesize
18.3MB

MD5
a63d9d9efb0e04a21d79b5c90cb5d797

SHA1
daae9583cc42420a69c78901881e3c45e6abae1d

SHA256
e817989ec80868e2666ff9f73ac44adf76dc56a00b4fef9453d416cd4d3922f8

SHA512
65eec38ba0f36852e9f6f8ef383dfb056fd1d1776e02872f0bdbd0a7f3888d4001a0172c8ca7675791e8e95711e5a6dc32c9e05700f83029166b017a600498e2

Download Submit
\Program Files\bridge\bridge.exe
Filesize
18.3MB

MD5
a63d9d9efb0e04a21d79b5c90cb5d797

SHA1
daae9583cc42420a69c78901881e3c45e6abae1d

SHA256
e817989ec80868e2666ff9f73ac44adf76dc56a00b4fef9453d416cd4d3922f8

SHA512
65eec38ba0f36852e9f6f8ef383dfb056fd1d1776e02872f0bdbd0a7f3888d4001a0172c8ca7675791e8e95711e5a6dc32c9e05700f83029166b017a600498e2

Download Submit
\Program Files\bridge\bridge.exe
Filesize
18.3MB

MD5
a63d9d9efb0e04a21d79b5c90cb5d797

SHA1
daae9583cc42420a69c78901881e3c45e6abae1d

SHA256
e817989ec80868e2666ff9f73ac44adf76dc56a00b4fef9453d416cd4d3922f8

SHA512
65eec38ba0f36852e9f6f8ef383dfb056fd1d1776e02872f0bdbd0a7f3888d4001a0172c8ca7675791e8e95711e5a6dc32c9e05700f83029166b017a600498e2

Download Submit
\Program Files\bridge\bridge.exe
Filesize
18.3MB

MD5
a63d9d9efb0e04a21d79b5c90cb5d797

SHA1
daae9583cc42420a69c78901881e3c45e6abae1d

SHA256
e817989ec80868e2666ff9f73ac44adf76dc56a00b4fef9453d416cd4d3922f8

SHA512
65eec38ba0f36852e9f6f8ef383dfb056fd1d1776e02872f0bdbd0a7f3888d4001a0172c8ca7675791e8e95711e5a6dc32c9e05700f83029166b017a600498e2

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2859.tmp
Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
memory/752-66-0x0000000000000000-mapping.dmp

Download
memory/752-68-0x000007FEF37D0000-0x000007FEF41F3000-memory.dmp

Filesize
10.1MB

Download
memory/752-70-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/752-69-0x000007FEF2C70000-0x000007FEF37CD000-memory.dmp

Filesize
11.4MB

Download
memory/752-71-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/752-72-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/752-73-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/1240-57-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1240-56-0x0000000000000000-mapping.dmp

Download
memory/1428-54-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads