7fb90587eaf8f9a0cc378e960e14335ab70473c612275b62a9dd7d41fbfec5a2

Analysis

max time kernel
67s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2023, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RaiDrive_2022.6.56_x64.exe
Size

16.8MB
MD5

a48a5f5ef58e36cc1ab2b3a2064fe526
SHA1

f6328cce1fd5f88a3620d16a5586879d53852468
SHA256

7fb90587eaf8f9a0cc378e960e14335ab70473c612275b62a9dd7d41fbfec5a2
SHA512

2b43aa7ae3fb8332f25e37b0bcfa3da682f492272e093b47d221efbe4eb4ef8c2a242c1dce00e550c5d5a276497234d813704ae32636eb218dc0c4a936f96f8c
SSDEEP

393216:xHVeiu9Wd0Gt8NgOqu6cFCkiTAENVv/7bWXd1YOz4pFlFj1:xHwiu9WaGS1XHMAENVvWX0RlZ1

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3076	RaiDrive_2022.6.56_x64.exe
3076	RaiDrive_2022.6.56_x64.exe
996	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\V:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\J:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\R:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\N:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\O:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\W:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\I:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\S:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\Y:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\F:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\M:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\P:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\T:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\Z:	RaiDrive_2022.6.56_x64.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	RaiDrive_2022.6.56_x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	RaiDrive_2022.6.56_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	RaiDrive_2022.6.56_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	RaiDrive_2022.6.56_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	RaiDrive_2022.6.56_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	RaiDrive_2022.6.56_x64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2552	msiexec.exe
Token: SeCreateTokenPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeAssignPrimaryTokenPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeLockMemoryPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeIncreaseQuotaPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeMachineAccountPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeTcbPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeSecurityPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeTakeOwnershipPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeLoadDriverPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeSystemProfilePrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeSystemtimePrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeProfSingleProcessPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeIncBasePriorityPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeCreatePagefilePrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeCreatePermanentPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeBackupPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeRestorePrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeShutdownPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeDebugPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeAuditPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeSystemEnvironmentPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeChangeNotifyPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeRemoteShutdownPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeUndockPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeSyncAgentPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeEnableDelegationPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeManageVolumePrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeImpersonatePrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeCreateGlobalPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeCreateTokenPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeAssignPrimaryTokenPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeLockMemoryPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeIncreaseQuotaPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeMachineAccountPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeTcbPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeSecurityPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeTakeOwnershipPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeLoadDriverPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeSystemProfilePrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeSystemtimePrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeProfSingleProcessPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeIncBasePriorityPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeCreatePagefilePrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeCreatePermanentPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeBackupPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeRestorePrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeShutdownPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeDebugPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeAuditPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeSystemEnvironmentPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeChangeNotifyPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeRemoteShutdownPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeUndockPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeSyncAgentPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeEnableDelegationPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeManageVolumePrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeImpersonatePrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeCreateGlobalPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeCreateTokenPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeAssignPrimaryTokenPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeLockMemoryPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeIncreaseQuotaPrivilege	3076	RaiDrive_2022.6.56_x64.exe
Token: SeMachineAccountPrivilege	3076	RaiDrive_2022.6.56_x64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3076	RaiDrive_2022.6.56_x64.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 996	2552	msiexec.exe	84
PID 2552 wrote to memory of 996	2552	msiexec.exe	84
PID 2552 wrote to memory of 996	2552	msiexec.exe	84

C:\Users\Admin\AppData\Local\Temp\RaiDrive_2022.6.56_x64.exe
"C:\Users\Admin\AppData\Local\Temp\RaiDrive_2022.6.56_x64.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3076

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6396C892D20D2EF038C1BABAB1CA2888 C
  2⤵
  - Loads dropped DLL
  PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3076\dialog.scale200.jpg

Filesize
643KB

MD5
709351e45cc8f62830f58fd1b52179f3

SHA1
1271e2c3c3b3904f4844191ba32c2d223bc80de9

SHA256
2d50185784755b53625a315617f48d773f1402fc956769c2e80b9937a93cfc88

SHA512
acf6770b3c05ab7dcd1e361dc0d0922f9ab45ff51ae231bf1b92065d62e6a1f38c37492edfbbc7d15cd77d5433cdd586d738d5a3f6316e73d9cfaf0088fa5c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI89A9.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI89A9.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2022.6.56\install\61365C0\RaiDrive_2022.6.56_x64.msi

Filesize
8.0MB

MD5
1e99e990504afebdd7d5d4f29bdfdcdd

SHA1
1c7fcf63b81054e91a3b25215aa354e16d8a2d2f

SHA256
6518ff25384765a4d240cbbf5ed9788c79cf2ca1210178d42d90a687b5ce7c74

SHA512
9f0ef9452c963882b1797b16174854a267277381f14a8230dc69f0943be353be154e6e3f3e7548ad810f87f707d88e736072c6a25deb209f12dfdf864f36a83f

Download Submit
C:\Users\Admin\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2022.6.56\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
C:\Users\Admin\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2022.6.56\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
C:\Users\Admin\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2022.6.56\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit