2b4c5c28f6d05e36e253f58702a577c4a6181dfc5c79dde2ad72366a8ac3b4fe

Analysis

max time kernel
62s
max time network
43s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-03-2023 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e06b212b0c26d4f385a3623c64820b3ea4bbd83065646a38d1f3e0cfdfbb0898.msi
Size

4.5MB
MD5

68ba045e1427d63d03660ef2d88584d0
SHA1

a3e9bd9adddf1aaaaff03cd69a7128e6fc774977
SHA256

e06b212b0c26d4f385a3623c64820b3ea4bbd83065646a38d1f3e0cfdfbb0898
SHA512

d677806a4c4ed419995b0ead65db4081c3e4b002e400fafb8d042d6695e7e17cc476a0ccc8df9c1caed164254ba2536c73891f89f6f9f57aea7a5421a6d964e8
SSDEEP

98304:MYGKdAHTgvV1OsKnG5vgzfTVkdRTpRjbrvC7gEjT7A3:i81OsKG6zfTVkddpdTCRj

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1704	powershell.exe

Loads dropped DLL 4 IoCs

pid	Process
1472	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\6c8853.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8891.tmp	msiexec.exe
File created	C:\Windows\Installer\6c8855.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9321.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c8855.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI8B22.tmp	msiexec.exe
File created	C:\Windows\Installer\6c8853.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8B90.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\6c8857.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI8DD2.tmp	msiexec.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\77F933B46D1B7E843A3263A3FC358A51\BE04CB4DB6ECE7E4C8A99529959C6F31	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BE04CB4DB6ECE7E4C8A99529959C6F31\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\SourceList\PackageName = "e06b212b0c26d4f385a3623c64820b3ea4bbd83065646a38d1f3e0cfdfbb0898.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\PackageCode = "94EDD224D2A9E134DBED2B44DF521151"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\Language = "1046"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\77F933B46D1B7E843A3263A3FC358A51	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BE04CB4DB6ECE7E4C8A99529959C6F31	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\ProductName = "Winrar"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\AdvertiseFlags = "388"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1724	msiexec.exe
1724	msiexec.exe
1704	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1372	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1372	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeSecurityPrivilege	1724	msiexec.exe
Token: SeCreateTokenPrivilege	1372	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1372	msiexec.exe
Token: SeLockMemoryPrivilege	1372	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1372	msiexec.exe
Token: SeMachineAccountPrivilege	1372	msiexec.exe
Token: SeTcbPrivilege	1372	msiexec.exe
Token: SeSecurityPrivilege	1372	msiexec.exe
Token: SeTakeOwnershipPrivilege	1372	msiexec.exe
Token: SeLoadDriverPrivilege	1372	msiexec.exe
Token: SeSystemProfilePrivilege	1372	msiexec.exe
Token: SeSystemtimePrivilege	1372	msiexec.exe
Token: SeProfSingleProcessPrivilege	1372	msiexec.exe
Token: SeIncBasePriorityPrivilege	1372	msiexec.exe
Token: SeCreatePagefilePrivilege	1372	msiexec.exe
Token: SeCreatePermanentPrivilege	1372	msiexec.exe
Token: SeBackupPrivilege	1372	msiexec.exe
Token: SeRestorePrivilege	1372	msiexec.exe
Token: SeShutdownPrivilege	1372	msiexec.exe
Token: SeDebugPrivilege	1372	msiexec.exe
Token: SeAuditPrivilege	1372	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1372	msiexec.exe
Token: SeChangeNotifyPrivilege	1372	msiexec.exe
Token: SeRemoteShutdownPrivilege	1372	msiexec.exe
Token: SeUndockPrivilege	1372	msiexec.exe
Token: SeSyncAgentPrivilege	1372	msiexec.exe
Token: SeEnableDelegationPrivilege	1372	msiexec.exe
Token: SeManageVolumePrivilege	1372	msiexec.exe
Token: SeImpersonatePrivilege	1372	msiexec.exe
Token: SeCreateGlobalPrivilege	1372	msiexec.exe
Token: SeBackupPrivilege	972	vssvc.exe
Token: SeRestorePrivilege	972	vssvc.exe
Token: SeAuditPrivilege	972	vssvc.exe
Token: SeBackupPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1696	DrvInst.exe
Token: SeRestorePrivilege	1696	DrvInst.exe
Token: SeRestorePrivilege	1696	DrvInst.exe
Token: SeRestorePrivilege	1696	DrvInst.exe
Token: SeRestorePrivilege	1696	DrvInst.exe
Token: SeRestorePrivilege	1696	DrvInst.exe
Token: SeRestorePrivilege	1696	DrvInst.exe
Token: SeLoadDriverPrivilege	1696	DrvInst.exe
Token: SeLoadDriverPrivilege	1696	DrvInst.exe
Token: SeLoadDriverPrivilege	1696	DrvInst.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1372	msiexec.exe
1372	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1472	1724	msiexec.exe	32
PID 1724 wrote to memory of 1472	1724	msiexec.exe	32
PID 1724 wrote to memory of 1472	1724	msiexec.exe	32
PID 1724 wrote to memory of 1472	1724	msiexec.exe	32
PID 1724 wrote to memory of 1472	1724	msiexec.exe	32
PID 1724 wrote to memory of 1472	1724	msiexec.exe	32
PID 1724 wrote to memory of 1472	1724	msiexec.exe	32
PID 1472 wrote to memory of 1704	1472	MsiExec.exe	33
PID 1472 wrote to memory of 1704	1472	MsiExec.exe	33
PID 1472 wrote to memory of 1704	1472	MsiExec.exe	33
PID 1472 wrote to memory of 1704	1472	MsiExec.exe	33

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e06b212b0c26d4f385a3623c64820b3ea4bbd83065646a38d1f3e0cfdfbb0898.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1372

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 34AD1C47F38E3CB6FCA4E12799F18515
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss93DB.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi936A.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr937B.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr938C.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000498" "0000000000000558"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6c8856.rbs

Filesize
606KB

MD5
f07a86d00a3c6876bf5ab98817143fac

SHA1
c23db1a44d52643a516f4076fc00070e87336b28

SHA256
93f37e85ef754d873b67f8f56dcf86c07b574cce52e3f0f2ce86ca3045942aed

SHA512
d1ed72eda03972929b9b07ecc0a53e1091fc7fc242d3b05149921939c9659f7bac8c1c000e6291f9c9beb8b2f1f5b58fb64ba54faab86a92d1d0a107a139c518

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss93DB.ps1

Filesize
5KB

MD5
fc1bb6c87fd1f08b534e52546561c53c

SHA1
db402c5c1025cf8d3e79df7b868fd186243aa9d1

SHA256
a04750ed5f05b82b90f6b8ea3748ba246af969757a5a4b74a0e25b186add520b

SHA512
5495f4ac3c8f42394a82540449526bb8ddd91adf0a1a852a9e1f2d32a63858b966648b4099d9947d8ac68ee43824dacda24c337c5b97733905e36c4921280e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr937B.ps1

Filesize
17KB

MD5
d815da347cf3c1a260840649beb56ff7

SHA1
4da95ffed10e7369b685a390fe4e99a6a1e1f416

SHA256
d6f001aeb36cdb8e6bbcb0d35ffe55c86ad5f942f9d0d15a089706801fdad931

SHA512
ca2cd68cf615db854c7ccc6cc5c84da4a8b5f6913229c856fc343ba3e7af8563b0afcd29e9d14ca75eb4cf833102a2ea8b802629f284819bfb2630a82d61b170

Download Submit
C:\Windows\Installer\6c8853.msi

Filesize
4.5MB

MD5
68ba045e1427d63d03660ef2d88584d0

SHA1
a3e9bd9adddf1aaaaff03cd69a7128e6fc774977

SHA256
e06b212b0c26d4f385a3623c64820b3ea4bbd83065646a38d1f3e0cfdfbb0898

SHA512
d677806a4c4ed419995b0ead65db4081c3e4b002e400fafb8d042d6695e7e17cc476a0ccc8df9c1caed164254ba2536c73891f89f6f9f57aea7a5421a6d964e8

Download Submit
C:\Windows\Installer\MSI8891.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI8B22.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI8B90.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI8B90.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI9321.tmp

Filesize
574KB

MD5
7b7d9e2c9b8236e7155f2f97254cb40e

SHA1
99621fc9d14511428d62d91c31865fb2c4625663

SHA256
df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897

SHA512
fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228

Download Submit
\Windows\Installer\MSI8891.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Windows\Installer\MSI8B22.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Windows\Installer\MSI8B90.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Windows\Installer\MSI9321.tmp

Filesize
574KB

MD5
7b7d9e2c9b8236e7155f2f97254cb40e

SHA1
99621fc9d14511428d62d91c31865fb2c4625663

SHA256
df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897

SHA512
fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228

Download Submit
memory/1704-91-0x00000000023B0000-0x00000000023F0000-memory.dmp

Filesize
256KB

Download
memory/1704-90-0x00000000023B0000-0x00000000023F0000-memory.dmp

Filesize
256KB

Download