Analysis

max time kernel: 147s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-04-2023 07:48
Static task: static1

Behavioral task: behavioral1
Sample: UltraMailer V3.5/UltraMailer V3.5 [CRAX.PRO]/DHTMLEd [INSTALL THIS 1ST]/DhtmlEd.msi
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: UltraMailer V3.5/UltraMailer V3.5 [CRAX.PRO]/DHTMLEd [INSTALL THIS 1ST]/DhtmlEd.msi
Resource: win10v2004-20230220-en

Behavioral task: behavioral3
Sample: UltraMailer V3.5/UltraMailer V3.5 [CRAX.PRO]/setup.exe
Resource: win7-20230220-en
General

Target: UltraMailer V3.5/UltraMailer V3.5 [CRAX.PRO]/DHTMLEd [INSTALL THIS 1ST]/DhtmlEd.msi
Size: 345KB
MD5: cdf797b7d8fae7406fe2a4894f15c8d3
SHA1: 0b04cf43e1abad1a617f1251fdeed47f736376c5
SHA256: b610a81cdc5c1e3a19af235c9dc1ca0045bd8498689ffa2f8223acd5b34cfb24
SHA512: 318df6035ec361bd4da52cb2aaa9aac2822fd3ea75559369df598d57bcb1ffe125e07c5b3fcfb84dee4479dea3d9dbb36d8bec89a3b7cb2322e83f579ac0301e
SSDEEP: 6144:5edosggBGbLkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkM:4qspBGbLkkkkkkkkkkkkkkkkkkkkkkkb
Malware Config
Signatures

Blocklisted process makes network request (1 IoC)
flow  pid   Process
3     4616  msiexec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
Drops file in Program Files directory (2 IoCs)
description  ioc  Process
File created  C:\Program Files (x86)\Common Files\Microsoft Shared\DhtmlEd\TriEdit.dll  msiexec.exe
File created  C:\Program Files (x86)\Common Files\Microsoft Shared\DhtmlEd\DHTMLEd.ocx  msiexec.exe
Drops file in Windows directory (8 IoCs)
description  ioc  Process
File created  C:\Windows\Installer\SourceHash{2EA870FA-585F-4187-903D-CB9FFD21E2E0}  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI9A86.tmp  msiexec.exe
File created  C:\Windows\Installer\e588f2d.msi  msiexec.exe
File created  C:\Windows\Installer\e588f2b.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\e588f2b.msi  msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
File opened for modification  C:\Windows\Installer\  msiexec.exe
File created  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = …  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
Modifies data under HKEY_USERS (3 IoCs)
description  ioc  Process
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e  msiexec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f  msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E  msiexec.exe
Modifies registry class (64 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683364A1-B37D-11D1-ADC5-006008A5848C}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DhtmlEd\\"  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\DEGetBlockFmtNamesParam.DEGetBlockFmtNamesParam.1\CLSID  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\DHTMLEdit.DHTMLEdit\CurVer  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{47B0DFC6-B7A3-11D1-ADC5-006008A5848C}\TypeLib  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{438DA5DF-F171-11D0-984E-0000F80270F8}\TypeLib  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{2D360200-FFF5-11d1-8D03-00A0C959BC0A}\Version  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\DEInsertTableParam.DEInsertTableParam\CLSID  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{438DA5D1-F171-11D0-984E-0000F80270F8}\1.0\ = "Triedit"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AF078AE2F585781409D3BCF9DF122E0E\SourceList\PackageName = "DhtmlEd.msi"  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{2D360200-FFF5-11d1-8D03-00A0C959BC0A}\VersionIndependentProgID  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AF078AE2F585781409D3BCF9DF122E0E  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\DEGetBlockFmtNamesParam.DEGetBlockFmtNamesParam\CurVer  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{588D5040-CF28-11D1-8CD3-00A0C959BC0A}  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{010E6CBE-FE2B-11D0-B079-006008058A0E}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DhtmlEd\\triedit.dll"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{47B0DFC7-B7A3-11D1-ADC5-006008A5848C}\ = "DEInsertTableParam Class"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{47B0DFC7-B7A3-11D1-ADC5-006008A5848C}\ProgID\ = "DEInsertTableParam.DEInsertTableParam.1"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{438DA5E0-F171-11D0-984E-0000F80270F8}\InprocServer32\ThreadingModel\ = "Apartment"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3310FED00A6E18A4983CB4EC9B4689DA\AF078AE2F585781409D3BCF9DF122E0E  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\DEGetBlockFmtNamesParam.DEGetBlockFmtNamesParam  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{438DA5DF-F171-11D0-984E-0000F80270F8}\TypeLib\Version\ = "1.0"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2D360200-FFF5-11d1-8D03-00A0C959BC0A}\InprocServer32\ThreadingModel\ = "Apartment"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TriEditParse.TriEditParse.1\ = "TriEditParse Class"  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{CE04B591-2B1F-11D2-8D1E-00A0C959BC0A}\ProxyStubClsid  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\DEGetBlockFmtNamesParam.DEGetBlockFmtNamesParam.1  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\DHTMLEdit.DHTMLEdit\CLSID\ = "{2D360200-FFF5-11d1-8D03-00A0C959BC0A}"  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{010E6CBE-FE2B-11D0-B079-006008058A0E}  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{438DA5E0-F171-11D0-984E-0000F80270F8}\InprocServer32\ThreadingModel  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3310FED00A6E18A4983CB4EC9B4689DA  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{438DA5D1-F171-11D0-984E-0000F80270F8}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DhtmlEd\\"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683364A1-B37D-11D1-ADC5-006008A5848C}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DhtmlEd\\dhtmled.ocx"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D91090D-B955-11D1-ADC5-006008A5848C}\ = "DEGetBlockFmtNamesParam"  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{CE04B591-2B1F-11D2-8D1E-00A0C959BC0A}  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{2D360200-FFF5-11d1-8D03-00A0C959BC0A}\Control  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{2D360200-FFF5-11d1-8D03-00A0C959BC0A}\Programmable  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{47B0DFC7-B7A3-11D1-ADC5-006008A5848C}\InprocServer32\ThreadingModel  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\TypeLib\{683364A1-B37D-11D1-ADC5-006008A5848C}\1.0\0\win32  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{47B0DFC6-B7A3-11D1-ADC5-006008A5848C}\ProxyStubClsid32  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{438DA5DF-F171-11D0-984E-0000F80270F8}\TypeLib\ = "{438DA5D1-F171-11D0-984E-0000F80270F8}"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE04B591-2B1F-11D2-8D1E-00A0C959BC0A}\TypeLib\Version\ = "1.0"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D91090E-B955-11D1-ADC5-006008A5848C}\ = "DEGetBlockFmtNamesParam Class"  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\TriEditDocument.TriEditDocument  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AF078AE2F585781409D3BCF9DF122E0E\Language = "1033"  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AF078AE2F585781409D3BCF9DF122E0E\Version = "100794369"  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\DEInsertTableParam.DEInsertTableParam.1\CLSID  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{47B0DFC6-B7A3-11D1-ADC5-006008A5848C}\ProxyStubClsid  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AF078AE2F585781409D3BCF9DF122E0E\SourceList\Media  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\DEGetBlockFmtNamesParam.DEGetBlockFmtNamesParam\CurVer\ = "DEGetBlockFmtNamesParam.DEGetBlockFmtNamesParam.1"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TriEditDocument.TriEditDocument.1\ = "TriEditDocument Class"  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{47B0DFC6-B7A3-11D1-ADC5-006008A5848C}  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8D91090D-B955-11D1-ADC5-006008A5848C}\ProxyStubClsid  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE04B591-2B1F-11D2-8D1E-00A0C959BC0A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{CE04B591-2B1F-11D2-8D1E-00A0C959BC0A}\TypeLib  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683364A1-B37D-11D1-ADC5-006008A5848C}\1.0\ = "DHTML Editing Control"  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\TypeLib\{683364A1-B37D-11D1-ADC5-006008A5848C}\1.0\HELPDIR  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AF078AE2F585781409D3BCF9DF122E0E\AdvertiseFlags = "388"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{438DA5E0-F171-11D0-984E-0000F80270F8}\VersionIndependentProgID\ = "TriEditDocument.TriEditDocument"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AF078AE2F585781409D3BCF9DF122E0E\PackageCode = "94ED76CBD766D6549BB24A2BC67F6103"  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{438DA5DF-F171-11D0-984E-0000F80270F8}\TypeLib\Version  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8D91090D-B955-11D1-ADC5-006008A5848C}\TypeLib  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{010E6CBE-FE2B-11D0-B079-006008058A0E}\InprocServer32\ThreadingModel\ = "Apartment"  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{2D360200-FFF5-11d1-8D03-00A0C959BC0A}\InprocServer32  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{47B0DFC7-B7A3-11D1-ADC5-006008A5848C}\Version  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{438DA5E0-F171-11D0-984E-0000F80270F8}\ProgID  msiexec.exe
Key created  \REGISTRY\MACHINE\Software\Classes\TypeLib\{683364A1-B37D-11D1-ADC5-006008A5848C}\1.0\0  msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
1596  msiexec.exe
1596  msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description  pid  Process
Token: SeShutdownPrivilege  4616  msiexec.exe
Token: SeIncreaseQuotaPrivilege  4616  msiexec.exe
Token: SeSecurityPrivilege  1596  msiexec.exe
Token: SeCreateTokenPrivilege  4616  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  4616  msiexec.exe
Token: SeLockMemoryPrivilege  4616  msiexec.exe
Token: SeIncreaseQuotaPrivilege  4616  msiexec.exe
Token: SeMachineAccountPrivilege  4616  msiexec.exe
Token: SeTcbPrivilege  4616  msiexec.exe
Token: SeSecurityPrivilege  4616  msiexec.exe
Token: SeTakeOwnershipPrivilege  4616  msiexec.exe
Token: SeLoadDriverPrivilege  4616  msiexec.exe
Token: SeSystemProfilePrivilege  4616  msiexec.exe
Token: SeSystemtimePrivilege  4616  msiexec.exe
Token: SeProfSingleProcessPrivilege  4616  msiexec.exe
Token: SeIncBasePriorityPrivilege  4616  msiexec.exe
Token: SeCreatePagefilePrivilege  4616  msiexec.exe
Token: SeCreatePermanentPrivilege  4616  msiexec.exe
Token: SeBackupPrivilege  4616  msiexec.exe
Token: SeRestorePrivilege  4616  msiexec.exe
Token: SeShutdownPrivilege  4616  msiexec.exe
Token: SeDebugPrivilege  4616  msiexec.exe
Token: SeAuditPrivilege  4616  msiexec.exe
Token: SeSystemEnvironmentPrivilege  4616  msiexec.exe
Token: SeChangeNotifyPrivilege  4616  msiexec.exe
Token: SeRemoteShutdownPrivilege  4616  msiexec.exe
Token: SeUndockPrivilege  4616  msiexec.exe
Token: SeSyncAgentPrivilege  4616  msiexec.exe
Token: SeEnableDelegationPrivilege  4616  msiexec.exe
Token: SeManageVolumePrivilege  4616  msiexec.exe
Token: SeImpersonatePrivilege  4616  msiexec.exe
Token: SeCreateGlobalPrivilege  4616  msiexec.exe
Token: SeBackupPrivilege  4032  vssvc.exe
Token: SeRestorePrivilege  4032  vssvc.exe
Token: SeAuditPrivilege  4032  vssvc.exe
Token: SeBackupPrivilege  1596  msiexec.exe
Token: SeRestorePrivilege  1596  msiexec.exe
Token: SeRestorePrivilege  1596  msiexec.exe
Token: SeTakeOwnershipPrivilege  1596  msiexec.exe
Token: SeRestorePrivilege  1596  msiexec.exe
Token: SeTakeOwnershipPrivilege  1596  msiexec.exe
Token: SeRestorePrivilege  1596  msiexec.exe
Token: SeTakeOwnershipPrivilege  1596  msiexec.exe
Token: SeRestorePrivilege  1596  msiexec.exe
Token: SeTakeOwnershipPrivilege  1596  msiexec.exe
Token: SeRestorePrivilege  1596  msiexec.exe
Token: SeTakeOwnershipPrivilege  1596  msiexec.exe
Token: SeRestorePrivilege  1596  msiexec.exe
Token: SeTakeOwnershipPrivilege  1596  msiexec.exe
Token: SeRestorePrivilege  1596  msiexec.exe
Token: SeTakeOwnershipPrivilege  1596  msiexec.exe
Token: SeRestorePrivilege  1596  msiexec.exe
Token: SeTakeOwnershipPrivilege  1596  msiexec.exe
Token: SeRestorePrivilege  1596  msiexec.exe
Token: SeTakeOwnershipPrivilege  1596  msiexec.exe
Token: SeRestorePrivilege  1596  msiexec.exe
Token: SeTakeOwnershipPrivilege  1596  msiexec.exe
Token: SeRestorePrivilege  1596  msiexec.exe
Token: SeTakeOwnershipPrivilege  1596  msiexec.exe
Token: SeRestorePrivilege  1596  msiexec.exe
Token: SeTakeOwnershipPrivilege  1596  msiexec.exe
Token: SeRestorePrivilege  1596  msiexec.exe
Token: SeTakeOwnershipPrivilege  1596  msiexec.exe
Token: SeRestorePrivilege  1596  msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
4616  msiexec.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description  pid  Process  procid_target
PID 1596 wrote to memory of 1448  1596  msiexec.exe  96
PID 1596 wrote to memory of 1448  1596  msiexec.exe  96
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe
Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\UltraMailer V3.5\UltraMailer V3.5 [CRAX.PRO]\DHTMLEd [INSTALL THIS 1ST]\DhtmlEd.msi"
PID: 4616
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
PID: 1596
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    Child process (of PID 1596): C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 1448

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 4032
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 37KB
MD5: 3ee0f9d06c3af82e9d30163c7a3e03f1
SHA1: 6fbe6866532fff98f188d2f6724c10b30ebde9ed
SHA256: 9bcc50324fd66d9dd6a62e00f58888ed951f509197922187e1113222989af159
SHA512: 51a5fc23e3f564ef766a8e6282f5a90bc3952d6090500b8ca439be837c8d1dcd767d4c073badfe744079eb56f4878b17a7e8c737379104ada63646ebcc770d63

Filesize: 345KB
MD5: cdf797b7d8fae7406fe2a4894f15c8d3
SHA1: 0b04cf43e1abad1a617f1251fdeed47f736376c5
SHA256: b610a81cdc5c1e3a19af235c9dc1ca0045bd8498689ffa2f8223acd5b34cfb24
SHA512: 318df6035ec361bd4da52cb2aaa9aac2822fd3ea75559369df598d57bcb1ffe125e07c5b3fcfb84dee4479dea3d9dbb36d8bec89a3b7cb2322e83f579ac0301e

Filesize: 23.0MB
MD5: 7ca605c04d74109609a4f1e0fb55b919
SHA1: e3e334a22204fba2d44d66aab569a0babce860d0
SHA256: f8307e33b06337fde49df424cfb5801b02c8ba6156036b8e2d55be5d138b2c9c
SHA512: aa0bf9d91ad4e871e10c99dea6fc217d77cdba2b2203f39641e6cbe0a6596b67860378611ec7044a76f3abf77597d6bd606185ffa437d43d5eebbfdfab83c778

\??\Volume{07416f20-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{7cb9758b-e570-4da5-a53d-b320100d80ab}_OnDiskSnapshotProp
Filesize: 5KB
MD5: af0f0057fd23febac18c2bb357d495f5
SHA1: 3e1b3f91b0f026d7ac821f82190bffaf5050c6e0
SHA256: fdac1cd14787a83b190cf82ec8269a7b4334e5ba1b050a3269c5eaa437d7bf16
SHA512: 30d23d8c97b8e13f74ecfa4d290924aab100307c2bd5cd44770a35d057350b0d7ca75366028ecb4d2b137ad8ed0ac1048500ade91537bb216df50f866943d795