88fa1a52922482a0e80c5c410421c38e557514796a53f9e6839304fd049cd753

Analysis

max time kernel
136s
max time network
112s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-04-2023 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

401ae8a7c8a882dd7846fd4c62b99f60.exe
Size

30.9MB
MD5

401ae8a7c8a882dd7846fd4c62b99f60
SHA1

4b77e688de4234376cf18f5c9db5466cd012b945
SHA256

88fa1a52922482a0e80c5c410421c38e557514796a53f9e6839304fd049cd753
SHA512

8a018e727d1b886381ae0ab0ce8b07c1fd044d9ab3dbd79d5c3108c1bba3114341c1066bc18d9e236b61e81b029f6b5fbfcf056a6903a14ec3cdf2356a05c6f6
SSDEEP

786432:TZSM7H/daLUKzGOEViOK+LJE4K9WnbtR5IX+1Qw:T7lbi8iOKqoWbL58+z

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 13 IoCs

Processes:

401ae8a7c8a882dd7846fd4c62b99f60.exeMsiExec.exe

pid	process
1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
1520	MsiExec.exe
1520	MsiExec.exe
1520	MsiExec.exe
1520	MsiExec.exe
1520	MsiExec.exe
1520	MsiExec.exe
1520	MsiExec.exe
1520	MsiExec.exe
1520	MsiExec.exe
1520	MsiExec.exe
1520	MsiExec.exe
1520	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

401ae8a7c8a882dd7846fd4c62b99f60.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\L:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\P:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\M:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\N:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\O:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\R:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\S:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\J:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\U:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\V:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\Y:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\F:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\T:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\K:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\W:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\Z:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\X:	401ae8a7c8a882dd7846fd4c62b99f60.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Urban Security\UrbanVPN 2.2.11\install\0918F48\urbanvpninstaller.x64.msi	nsis_installer_2

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

401ae8a7c8a882dd7846fd4c62b99f60.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	401ae8a7c8a882dd7846fd4c62b99f60.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	401ae8a7c8a882dd7846fd4c62b99f60.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	401ae8a7c8a882dd7846fd4c62b99f60.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	401ae8a7c8a882dd7846fd4c62b99f60.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MsiExec.exe

pid process

1520 MsiExec.exe
1520 MsiExec.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

401ae8a7c8a882dd7846fd4c62b99f60.exe

pid process

1880 401ae8a7c8a882dd7846fd4c62b99f60.exe

pid	process
1520	MsiExec.exe
1520	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exe401ae8a7c8a882dd7846fd4c62b99f60.exe

description	pid	process
Token: SeRestorePrivilege	808	msiexec.exe
Token: SeTakeOwnershipPrivilege	808	msiexec.exe
Token: SeSecurityPrivilege	808	msiexec.exe
Token: SeCreateTokenPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeAssignPrimaryTokenPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeLockMemoryPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeIncreaseQuotaPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeMachineAccountPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeTcbPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeSecurityPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeTakeOwnershipPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeLoadDriverPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeSystemProfilePrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeSystemtimePrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeProfSingleProcessPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeIncBasePriorityPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeCreatePagefilePrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeCreatePermanentPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeBackupPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeRestorePrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeShutdownPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeDebugPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeAuditPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeSystemEnvironmentPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeChangeNotifyPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeRemoteShutdownPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeUndockPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeSyncAgentPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeEnableDelegationPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeManageVolumePrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeImpersonatePrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeCreateGlobalPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeCreateTokenPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeAssignPrimaryTokenPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeLockMemoryPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeIncreaseQuotaPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeMachineAccountPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeTcbPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeSecurityPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeTakeOwnershipPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeLoadDriverPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeSystemProfilePrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeSystemtimePrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeProfSingleProcessPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeIncBasePriorityPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeCreatePagefilePrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeCreatePermanentPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeBackupPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeRestorePrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeShutdownPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeDebugPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeAuditPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeSystemEnvironmentPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeChangeNotifyPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeRemoteShutdownPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeUndockPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeSyncAgentPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeEnableDelegationPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeManageVolumePrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeImpersonatePrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeCreateGlobalPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeCreateTokenPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeAssignPrimaryTokenPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe
Token: SeLockMemoryPrivilege	1880	401ae8a7c8a882dd7846fd4c62b99f60.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 808 wrote to memory of 1520	808	msiexec.exe	MsiExec.exe
PID 808 wrote to memory of 1520	808	msiexec.exe	MsiExec.exe
PID 808 wrote to memory of 1520	808	msiexec.exe	MsiExec.exe
PID 808 wrote to memory of 1520	808	msiexec.exe	MsiExec.exe
PID 808 wrote to memory of 1520	808	msiexec.exe	MsiExec.exe
PID 808 wrote to memory of 1520	808	msiexec.exe	MsiExec.exe
PID 808 wrote to memory of 1520	808	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\401ae8a7c8a882dd7846fd4c62b99f60.exe
"C:\Users\Admin\AppData\Local\Temp\401ae8a7c8a882dd7846fd4c62b99f60.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 27D7DF1C5CA417268903BA43B2DCBF76 C
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.2.11\tracking.ini

Filesize
84B

MD5
a6d8953f60ba7e82f2712561736d08f0

SHA1
1dc1aad2b85534d9955bdf2cc6faa3701cc95d41

SHA256
a8d2bf454b2d8eafad2c553ae31d2cf2ddd430cacb4af5da6b2daef1249389b3

SHA512
fdd2fc2604464902134d86819e10b60ca4d031d2e1658f619f70a1d439dbd2cb988f2f4dee9271a02a46743948acd04161abf825f858b6acc051ac4fb7349641

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.2.11\{F6BA9460-8090-4501-B88B-5D82930300C0}.session

Filesize
21KB

MD5
554d0dd33d24eab3d3e6e9c57cdca776

SHA1
90cf6fb6d3adee37bd4c2b3f3fab1ed86766a3b9

SHA256
018f541cfd3ca65626b56c5a92ca43c8e40358263968c8acfa042a16c5e3ca12

SHA512
9561d1710370a7d816c1d60b3abba450b20f8ad0956413a066a541eb5914579d672abb1df92232260d03739448e1f5a17bbcb6453cc0aa9676573d2429967684

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.2.11\{F6BA9460-8090-4501-B88B-5D82930300C0}.session

Filesize
21KB

MD5
554d0dd33d24eab3d3e6e9c57cdca776

SHA1
90cf6fb6d3adee37bd4c2b3f3fab1ed86766a3b9

SHA256
018f541cfd3ca65626b56c5a92ca43c8e40358263968c8acfa042a16c5e3ca12

SHA512
9561d1710370a7d816c1d60b3abba450b20f8ad0956413a066a541eb5914579d672abb1df92232260d03739448e1f5a17bbcb6453cc0aa9676573d2429967684

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1880\dialog.jpg

Filesize
21KB

MD5
81b61102f7970a8c83ecd382c4ab6def

SHA1
165795d45b6fa70661d073bb8c791114c0e6748e

SHA256
9a9ab67db52355b3d091e0bd58275e5c6633adbffc300ddb6607db7bbda88a15

SHA512
2b58f4da52cd687073cae64a0f467c3666daaca14bd95e38e544ae76319c3a9e7b5a223db6de2d92848822e23a9028d2cc97c64d7b2133aebbea5876e81e9937

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab372A.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3E14.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3F9B.tmp

Filesize
1.1MB

MD5
e136a9af7f78576b80fd9c4ca95c7217

SHA1
855791df445000ab6f6763f209a73bcfb87bad8e

SHA256
d02e575bd028557df4d4af24a271372fd05f8df351299d6fc33cef0798aec991

SHA512
1f63bc94354872aab8324821e7279b7f1fa4d99b0c5f7d4e89592fd4882b505202867478d2621642d82a3c38c6082e01968cdd7fcf590d519b7968e2e4798f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI44F8.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4595.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4595.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4642.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI478B.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI478B.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4AC6.tmp

Filesize
703KB

MD5
ae585caebd7faece019342026b304129

SHA1
8c512e6db9b0c9547fc0a6d3f3d1216e373d924e

SHA256
92dd2c1f1d19e1d96411d8afc81c29696d76abe6469a2d75200dd82a8fc164b4

SHA512
dbafd2b28356139f886ed7af3813bf7ee1e95709549b8bdbb3c52e17a213694af45096f369668e674a3295a1ba6ce3232dc8c213b29f24442a3c9e68e0d87313

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4B63.tmp

Filesize
1.1MB

MD5
e136a9af7f78576b80fd9c4ca95c7217

SHA1
855791df445000ab6f6763f209a73bcfb87bad8e

SHA256
d02e575bd028557df4d4af24a271372fd05f8df351299d6fc33cef0798aec991

SHA512
1f63bc94354872aab8324821e7279b7f1fa4d99b0c5f7d4e89592fd4882b505202867478d2621642d82a3c38c6082e01968cdd7fcf590d519b7968e2e4798f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4D29.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4DB6.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4EB1.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4F3E.tmp

Filesize
203KB

MD5
6593ea498fa2721a84d6602a8c5e79e2

SHA1
520a3126bc9f7a061dcb5d42822a0187643eb546

SHA256
e5953bb102b59a342abbd5ae82ad7af4fb0018c22a7546ae142b2333ffa89c2b

SHA512
3e0f766d7e001664921ac7eed843d8ef2427124612aae6d766856ea74632d5e5a99613145bebe6f80e8f38c017f58f61c9a736927516f059fa151fcbffe2aa6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar38C2.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Roaming\Urban Security\UrbanVPN 2.2.11\install\0918F48\urbanvpninstaller.x64.msi

Filesize
8.9MB

MD5
9751a48e1777859f060f66b3642cf766

SHA1
63730681961647c704a1dcb889c7e341d9169d0d

SHA256
9425a49da070614a9b58dfcf7bad69ff4a34addb645a15ac99b12d5603169470

SHA512
db31839ab69521b975fde691c0be0a95feecfae2ea249b89197626ac66e05f01862ffdfccbdde582e4ef9fba09cbfedd5ddc2e5e80644de4aa31d288f183e55d

Download Submit
\Users\Admin\AppData\Local\Temp\INA3DA5.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3E14.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3F9B.tmp

Filesize
1.1MB

MD5
e136a9af7f78576b80fd9c4ca95c7217

SHA1
855791df445000ab6f6763f209a73bcfb87bad8e

SHA256
d02e575bd028557df4d4af24a271372fd05f8df351299d6fc33cef0798aec991

SHA512
1f63bc94354872aab8324821e7279b7f1fa4d99b0c5f7d4e89592fd4882b505202867478d2621642d82a3c38c6082e01968cdd7fcf590d519b7968e2e4798f0b

Download Submit
\Users\Admin\AppData\Local\Temp\MSI44F8.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4595.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4642.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
\Users\Admin\AppData\Local\Temp\MSI478B.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4AC6.tmp

Filesize
703KB

MD5
ae585caebd7faece019342026b304129

SHA1
8c512e6db9b0c9547fc0a6d3f3d1216e373d924e

SHA256
92dd2c1f1d19e1d96411d8afc81c29696d76abe6469a2d75200dd82a8fc164b4

SHA512
dbafd2b28356139f886ed7af3813bf7ee1e95709549b8bdbb3c52e17a213694af45096f369668e674a3295a1ba6ce3232dc8c213b29f24442a3c9e68e0d87313

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4B63.tmp

Filesize
1.1MB

MD5
e136a9af7f78576b80fd9c4ca95c7217

SHA1
855791df445000ab6f6763f209a73bcfb87bad8e

SHA256
d02e575bd028557df4d4af24a271372fd05f8df351299d6fc33cef0798aec991

SHA512
1f63bc94354872aab8324821e7279b7f1fa4d99b0c5f7d4e89592fd4882b505202867478d2621642d82a3c38c6082e01968cdd7fcf590d519b7968e2e4798f0b

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4D29.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4DB6.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4EB1.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4F3E.tmp

Filesize
203KB

MD5
6593ea498fa2721a84d6602a8c5e79e2

SHA1
520a3126bc9f7a061dcb5d42822a0187643eb546

SHA256
e5953bb102b59a342abbd5ae82ad7af4fb0018c22a7546ae142b2333ffa89c2b

SHA512
3e0f766d7e001664921ac7eed843d8ef2427124612aae6d766856ea74632d5e5a99613145bebe6f80e8f38c017f58f61c9a736927516f059fa151fcbffe2aa6e

Download Submit
memory/1880-181-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/1880-336-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download