323278e8ab5c265c05c15f8017c03ab6c4ca2f382e7839b48d37bab6bb85277d

Analysis

max time kernel
135s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2023, 01:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ByClickDownloader-Setup.exe
Size

28.3MB
MD5

b468baaad4f585217b7c3f0844eed657
SHA1

f453d42e193d3a95c8ae930fa768336af9591548
SHA256

323278e8ab5c265c05c15f8017c03ab6c4ca2f382e7839b48d37bab6bb85277d
SHA512

6bab089195928867aeecec686da68ca577386ba254c8c4e5ba8e1abb170e823f43434a86b30c88e9d818701ab90dd8fc4966e7a5bb259738889df45bc58313da
SSDEEP

786432:ZtZSi2FPQ9eYS7Nvs0vPLFo30mMSdx7Yv:UFY9eYS7NvskjO3hdx7Yv

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4844	ByClickDownloader-Setup.exe
4844	ByClickDownloader-Setup.exe
2320	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\V:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\Y:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\U:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\W:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\O:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\N:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\Q:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\X:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\J:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\S:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\P:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\T:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\I:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\L:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\Z:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	ByClickDownloader-Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 7 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	ByClickDownloader-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ByClickDownloader-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ByClickDownloader-Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	ByClickDownloader-Setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	ByClickDownloader-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ByClickDownloader-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ByClickDownloader-Setup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1232	msiexec.exe
Token: SeCreateTokenPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeAssignPrimaryTokenPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeLockMemoryPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeIncreaseQuotaPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeMachineAccountPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeTcbPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeSecurityPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeTakeOwnershipPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeLoadDriverPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeSystemProfilePrivilege	4844	ByClickDownloader-Setup.exe
Token: SeSystemtimePrivilege	4844	ByClickDownloader-Setup.exe
Token: SeProfSingleProcessPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeIncBasePriorityPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeCreatePagefilePrivilege	4844	ByClickDownloader-Setup.exe
Token: SeCreatePermanentPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeBackupPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeRestorePrivilege	4844	ByClickDownloader-Setup.exe
Token: SeShutdownPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeDebugPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeAuditPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeSystemEnvironmentPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeChangeNotifyPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeRemoteShutdownPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeUndockPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeSyncAgentPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeEnableDelegationPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeManageVolumePrivilege	4844	ByClickDownloader-Setup.exe
Token: SeImpersonatePrivilege	4844	ByClickDownloader-Setup.exe
Token: SeCreateGlobalPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeCreateTokenPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeAssignPrimaryTokenPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeLockMemoryPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeIncreaseQuotaPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeMachineAccountPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeTcbPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeSecurityPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeTakeOwnershipPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeLoadDriverPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeSystemProfilePrivilege	4844	ByClickDownloader-Setup.exe
Token: SeSystemtimePrivilege	4844	ByClickDownloader-Setup.exe
Token: SeProfSingleProcessPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeIncBasePriorityPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeCreatePagefilePrivilege	4844	ByClickDownloader-Setup.exe
Token: SeCreatePermanentPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeBackupPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeRestorePrivilege	4844	ByClickDownloader-Setup.exe
Token: SeShutdownPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeDebugPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeAuditPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeSystemEnvironmentPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeChangeNotifyPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeRemoteShutdownPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeUndockPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeSyncAgentPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeEnableDelegationPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeManageVolumePrivilege	4844	ByClickDownloader-Setup.exe
Token: SeImpersonatePrivilege	4844	ByClickDownloader-Setup.exe
Token: SeCreateGlobalPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeCreateTokenPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeAssignPrimaryTokenPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeLockMemoryPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeIncreaseQuotaPrivilege	4844	ByClickDownloader-Setup.exe
Token: SeMachineAccountPrivilege	4844	ByClickDownloader-Setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4844	ByClickDownloader-Setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2320	1232	msiexec.exe	88
PID 1232 wrote to memory of 2320	1232	msiexec.exe	88
PID 1232 wrote to memory of 2320	1232	msiexec.exe	88

C:\Users\Admin\AppData\Local\Temp\ByClickDownloader-Setup.exe
"C:\Users\Admin\AppData\Local\Temp\ByClickDownloader-Setup.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4844

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B4230775B8A90AB0E1C01091302089FE C
  2⤵
  - Loads dropped DLL
  PID:2320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4844\background

Filesize
28KB

MD5
6c0ee49a7fd729049e4dd57a97242e62

SHA1
29bc6da2e1f568cb1c30993a4c4090d912079e01

SHA256
080c73382c5cb466ee27fcc5dc724becece17c20f7d3a87b59fc2df279a4647c

SHA512
359530f9b647f126dc723bcf6e7562903b6eefeae2d5a9b3d12d4e072fa938f1f8abcf69ddd030f8d788afea404440aa2fca65f4b6e229f004ac86b50ea27f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBAAB.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBAAB.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\YouTube By Click.msi

Filesize
3.8MB

MD5
39051b3ccc11dbde8ac9ff343d8eeaa5

SHA1
600a61e4d8fefb34bda6626ac2460dc896086dd7

SHA256
7cb15820b11fc3db7bd527ad4d3a3b4547851624de58e0332d9ffed9d2414606

SHA512
6f53f4663c67740858003a0dcf1e62bd34883149492f5fefa18a3656c281bfcb462247ed74384eb276ba660023309dbf2505cebcd7cba8a2043cfa3bccc7b855

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\decoder.dll

Filesize
206KB

MD5
899944fb96ccc34cfbd2ccb9134367c5

SHA1
7c46aa3f84ba5da95ceff39cd49185672f963538

SHA256
780d10eda2b9a0a10bf844a7c8b6b350aa541c5bbd24022ff34f99201f9e9259

SHA512
2c41181f9af540b4637f418fc148d41d7c38202fb691b56650085fe5a9bdba068275ff07e002e1044760754876c62d7b4fc856452af80a02c5f5a9a7dc75b5e0

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\decoder.dll

Filesize
206KB

MD5
899944fb96ccc34cfbd2ccb9134367c5

SHA1
7c46aa3f84ba5da95ceff39cd49185672f963538

SHA256
780d10eda2b9a0a10bf844a7c8b6b350aa541c5bbd24022ff34f99201f9e9259

SHA512
2c41181f9af540b4637f418fc148d41d7c38202fb691b56650085fe5a9bdba068275ff07e002e1044760754876c62d7b4fc856452af80a02c5f5a9a7dc75b5e0

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\decoder.dll

Filesize
206KB

MD5
899944fb96ccc34cfbd2ccb9134367c5

SHA1
7c46aa3f84ba5da95ceff39cd49185672f963538

SHA256
780d10eda2b9a0a10bf844a7c8b6b350aa541c5bbd24022ff34f99201f9e9259

SHA512
2c41181f9af540b4637f418fc148d41d7c38202fb691b56650085fe5a9bdba068275ff07e002e1044760754876c62d7b4fc856452af80a02c5f5a9a7dc75b5e0

Download Submit