a4142ecf52657bd6e06b66573919ac342ef460a61f4ee7d35c235c54640c3a39

Analysis

max time kernel
138s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
15/03/2023, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirtualBox-7.0.6-155176-Win.exe
Size

105.3MB
MD5

2ad82b25d85fca75b78f34df3223bbfe
SHA1

af9ece37b9d1bd7e8d942f48afe4d5cea8e1b206
SHA256

a4142ecf52657bd6e06b66573919ac342ef460a61f4ee7d35c235c54640c3a39
SHA512

c787271617785e94719e2bc5ec9a9f70455b61e6408f5f69e0bdaf2718d0d7e00fa8b7f044bbe78b98abbc474c6b25767520efb4c5baf80cd1f91369126e5688
SSDEEP

1572864:IloHyCtX4f1cFecNDgiA13VIfR89CrpWIlof8gM0GnPuCPIY4HaiTFJX0w0WCi4:dtX4d8Nkf13aRffloUgtGZPoXJkw0Fi4

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
936	MsiExec.exe
936	MsiExec.exe
936	MsiExec.exe
936	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\A:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\P:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\Y:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\J:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\I:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\T:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\V:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\M:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\N:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\O:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\Q:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\X:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\U:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\W:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\Z:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	VirtualBox-7.0.6-155176-Win.exe

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.6-155176-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.6-155176-Win.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	VirtualBox-7.0.6-155176-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.6-155176-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.6-155176-Win.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeIncreaseQuotaPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeSecurityPrivilege	1944	msiexec.exe
Token: SeCreateTokenPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeAssignPrimaryTokenPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeLockMemoryPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeIncreaseQuotaPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeMachineAccountPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeTcbPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeSecurityPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeTakeOwnershipPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeLoadDriverPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeSystemProfilePrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeSystemtimePrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeProfSingleProcessPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeIncBasePriorityPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeCreatePagefilePrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeCreatePermanentPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeBackupPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeRestorePrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeShutdownPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeDebugPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeAuditPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeSystemEnvironmentPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeChangeNotifyPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeRemoteShutdownPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeUndockPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeSyncAgentPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeEnableDelegationPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeManageVolumePrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeImpersonatePrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeCreateGlobalPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeCreateTokenPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeAssignPrimaryTokenPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeLockMemoryPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeIncreaseQuotaPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeMachineAccountPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeTcbPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeSecurityPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeTakeOwnershipPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeLoadDriverPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeSystemProfilePrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeSystemtimePrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeProfSingleProcessPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeIncBasePriorityPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeCreatePagefilePrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeCreatePermanentPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeBackupPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeRestorePrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeShutdownPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeDebugPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeAuditPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeSystemEnvironmentPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeChangeNotifyPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeRemoteShutdownPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeUndockPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeSyncAgentPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeEnableDelegationPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeManageVolumePrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeImpersonatePrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeCreateGlobalPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeCreateTokenPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeAssignPrimaryTokenPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe
Token: SeLockMemoryPrivilege	4648	VirtualBox-7.0.6-155176-Win.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4648	VirtualBox-7.0.6-155176-Win.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 936	1944	msiexec.exe	86
PID 1944 wrote to memory of 936	1944	msiexec.exe	86

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.6-155176-Win.exe
"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.6-155176-Win.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4648

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding FA6A350108D1A2E64EB158B350C77A72 C
  2⤵
  - Loads dropped DLL
  PID:936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIBE15.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBE15.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC077.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC077.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC097.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC097.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC097.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC144.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC144.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\w6kywopdaysyd5fealrt2jzh\87myn9pwa2n1pfpdocm525s8.msi

Filesize
104.7MB

MD5
671e00c0b7e8a58a709467b6364bce4a

SHA1
d75192b8be4ecfc2b2a2bf7a9b39887b6806b3c9

SHA256
d64f01a383a02f2f76f4e537ba53fdeb9c06ad773fc33e2b3e20b58adabb465a

SHA512
7f889d526bcb3eab8633058012e9df515fb00ea9d09afb8d9da27aaf69548e9facc19f400506c586420b7f109905f7b5bfb0429c19f64e835d2eb094986a5143

Download Submit