61b65fe68d4a0acbcb1ea4512ebdc5c7a41aee8a3bf848cb52657738a6033156

Analysis

max time kernel
150s
max time network
113s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18/04/2023, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f_4_T_u_r_4_34536_45645_3345_wo.msi
Size

6.9MB
MD5

3987c0f3ab2a1bb65a0d5e9208b62d46
SHA1

6e7013e293c5a0910666ea488868d9216b2bb791
SHA256

61b65fe68d4a0acbcb1ea4512ebdc5c7a41aee8a3bf848cb52657738a6033156
SHA512

dc6a8d5aaaaa40c5feefbad29170933ea4764507d09655054d036295876f7957a2fb7a87964bee8088e4a01eaf35bbe60d1b95ae316f19458a478e0504a01732
SSDEEP

196608:2oWn7jJ96d9Beq0OdBL9lPy9tXL5pwRD:2oOSd9wHOnLDq7XL5p

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1496	abd1ª.exe

Loads dropped DLL 4 IoCs

pid	Process
1392	MsiExec.exe
1392	MsiExec.exe
1392	MsiExec.exe
1496	abd1ª.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\abd1ª.exe = "C:\\Users\\Admin\\AppData\\Roaming\\abd1ª.exe"	abd1ª.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1496	abd1ª.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6c0d4a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFCB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI10A6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c0d4a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDE6.tmp	msiexec.exe
File created	C:\Windows\Installer\6c0d4c.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1614.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c0d4c.ipi	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	abd1ª.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	abd1ª.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	abd1ª.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	abd1ª.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	abd1ª.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	abd1ª.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	abd1ª.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\http:\15.228.77.178\ytr\serv.php	abd1ª.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1408	msiexec.exe
1408	msiexec.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe
1496	abd1ª.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1052	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1408	msiexec.exe
Token: SeTakeOwnershipPrivilege	1408	msiexec.exe
Token: SeSecurityPrivilege	1408	msiexec.exe
Token: SeCreateTokenPrivilege	1052	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1052	msiexec.exe
Token: SeLockMemoryPrivilege	1052	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1052	msiexec.exe
Token: SeMachineAccountPrivilege	1052	msiexec.exe
Token: SeTcbPrivilege	1052	msiexec.exe
Token: SeSecurityPrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeLoadDriverPrivilege	1052	msiexec.exe
Token: SeSystemProfilePrivilege	1052	msiexec.exe
Token: SeSystemtimePrivilege	1052	msiexec.exe
Token: SeProfSingleProcessPrivilege	1052	msiexec.exe
Token: SeIncBasePriorityPrivilege	1052	msiexec.exe
Token: SeCreatePagefilePrivilege	1052	msiexec.exe
Token: SeCreatePermanentPrivilege	1052	msiexec.exe
Token: SeBackupPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeShutdownPrivilege	1052	msiexec.exe
Token: SeDebugPrivilege	1052	msiexec.exe
Token: SeAuditPrivilege	1052	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1052	msiexec.exe
Token: SeChangeNotifyPrivilege	1052	msiexec.exe
Token: SeRemoteShutdownPrivilege	1052	msiexec.exe
Token: SeUndockPrivilege	1052	msiexec.exe
Token: SeSyncAgentPrivilege	1052	msiexec.exe
Token: SeEnableDelegationPrivilege	1052	msiexec.exe
Token: SeManageVolumePrivilege	1052	msiexec.exe
Token: SeImpersonatePrivilege	1052	msiexec.exe
Token: SeCreateGlobalPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1408	msiexec.exe
Token: SeTakeOwnershipPrivilege	1408	msiexec.exe
Token: SeRestorePrivilege	1408	msiexec.exe
Token: SeTakeOwnershipPrivilege	1408	msiexec.exe
Token: SeRestorePrivilege	1408	msiexec.exe
Token: SeTakeOwnershipPrivilege	1408	msiexec.exe
Token: SeRestorePrivilege	1408	msiexec.exe
Token: SeTakeOwnershipPrivilege	1408	msiexec.exe
Token: SeRestorePrivilege	1408	msiexec.exe
Token: SeTakeOwnershipPrivilege	1408	msiexec.exe
Token: SeRestorePrivilege	1408	msiexec.exe
Token: SeTakeOwnershipPrivilege	1408	msiexec.exe
Token: SeRestorePrivilege	1408	msiexec.exe
Token: SeTakeOwnershipPrivilege	1408	msiexec.exe
Token: SeRestorePrivilege	1408	msiexec.exe
Token: SeTakeOwnershipPrivilege	1408	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1052	msiexec.exe
1052	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1496	abd1ª.exe
1496	abd1ª.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1392	1408	msiexec.exe	29
PID 1408 wrote to memory of 1392	1408	msiexec.exe	29
PID 1408 wrote to memory of 1392	1408	msiexec.exe	29
PID 1408 wrote to memory of 1392	1408	msiexec.exe	29
PID 1408 wrote to memory of 1392	1408	msiexec.exe	29
PID 1408 wrote to memory of 1392	1408	msiexec.exe	29
PID 1408 wrote to memory of 1392	1408	msiexec.exe	29
PID 1408 wrote to memory of 1496	1408	msiexec.exe	30
PID 1408 wrote to memory of 1496	1408	msiexec.exe	30
PID 1408 wrote to memory of 1496	1408	msiexec.exe	30
PID 1408 wrote to memory of 1496	1408	msiexec.exe	30

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f_4_T_u_r_4_34536_45645_3345_wo.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1052

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24FCB786D931A534C9893281748C43B6
  2⤵
  - Loads dropped DLL
  PID:1392
- C:\Users\Admin\AppData\Roaming\abd1ª.exe
  "C:\Users\Admin\AppData\Roaming\abd1ª.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6c0d4d.rbs

Filesize
1KB

MD5
80c629b580b2060349f9655796e492d6

SHA1
c2ee9aeeedfc6d684924b77694407bb017669ea9

SHA256
c10a1ff7f7f92be76826c8039d0aaafbfe5d04ab8a54e094a59400e5c7173839

SHA512
659320507636400088eba32801d3d8cf2880aebd05ac167699f10f7298b2bb7340a81b1b9f17880bf2afdc57b6e2c6399aa069622c69b64ea3e69fc4771cb93a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6b51c20f2c6a7f23cbca69de75863129

SHA1
fb477a27e3be1665e742a73991f4bd983542a041

SHA256
8008704f73f580b5ec48ee8446b17863ba7a258ce81cf1edf6fdb15a684dd8a9

SHA512
906686396010d60b3f87f3eaba01056f79c409cdf5a8b493fe455ba95595e315e31d2994621d05ed50f87c6bdacd9b592597c561080b8e905af9234d33c7e26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab516D.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIc0aac.LOG

Filesize
20KB

MD5
001df423b06a8ffa51f55a0e61ef29fc

SHA1
9c6b32a4253e71903da860aaf30bae4101f7cf34

SHA256
7097220ff86f7bb0560f308cb9b5a0060fbaa302b15ee5479a03c9d989fe83fa

SHA512
1db0613aa2b3ba6def7ebbbc728d78526f2fff632c982980f16321ae5309fc7899cc89de6aad766c585f6686275a3e53a83ed7f5b757c2400e8ef4b10a6522f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar530A.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\WebUI.dll

Filesize
5.2MB

MD5
b407f1ee6dd56acfba29cf140109447b

SHA1
9b7c1a62a1480d496715b340c56f260b2a2ea2f7

SHA256
99ec15c63820e40dbe409aeeba542d4b0c23c6a24af878cd10e4b4726259db99

SHA512
8a4aa202b8fb1bbe8f98bb614cf81e82ef007435cb9ad7ed5838d7e86fed6a600738a631b3864ca6ddffb69972f74c911650198be70d5d5665ca2001bee1f71b

Download Submit
C:\Users\Admin\AppData\Roaming\abd1ª.exe

Filesize
1.8MB

MD5
ceef4762b36067f1d32a0db621ee967e

SHA1
d23da38df6b0fca8c524b641c59c700a2338648e

SHA256
efb6169bbb869a849afb91184a75b906fe509cbf6e672b6b4f3311c02343bbbb

SHA512
6301871a95e48f2873b60c706757af38d956c895112f14c28eac4c4a83456a1acdf15d0a5b1cd35f267a4149dc78b2469c427bde6a1bf5aa99de51d5e824d1b3

Download Submit
C:\Users\Admin\AppData\Roaming\abd1ª.exe

Filesize
1.8MB

MD5
ceef4762b36067f1d32a0db621ee967e

SHA1
d23da38df6b0fca8c524b641c59c700a2338648e

SHA256
efb6169bbb869a849afb91184a75b906fe509cbf6e672b6b4f3311c02343bbbb

SHA512
6301871a95e48f2873b60c706757af38d956c895112f14c28eac4c4a83456a1acdf15d0a5b1cd35f267a4149dc78b2469c427bde6a1bf5aa99de51d5e824d1b3

Download Submit
C:\Windows\Installer\MSI10A6.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSI10A6.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIDE6.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIFCB.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
\Users\Admin\AppData\Roaming\WebUI.dll

Filesize
5.2MB

MD5
b407f1ee6dd56acfba29cf140109447b

SHA1
9b7c1a62a1480d496715b340c56f260b2a2ea2f7

SHA256
99ec15c63820e40dbe409aeeba542d4b0c23c6a24af878cd10e4b4726259db99

SHA512
8a4aa202b8fb1bbe8f98bb614cf81e82ef007435cb9ad7ed5838d7e86fed6a600738a631b3864ca6ddffb69972f74c911650198be70d5d5665ca2001bee1f71b

Download Submit
\Windows\Installer\MSI10A6.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
\Windows\Installer\MSIDE6.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
\Windows\Installer\MSIFCB.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
memory/1496-110-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1496-128-0x0000000074CF0000-0x0000000074CFB000-memory.dmp

Filesize
44KB

Download
memory/1496-100-0x0000000000260000-0x0000000000265000-memory.dmp

Filesize
20KB

Download
memory/1496-99-0x0000000075B00000-0x0000000075BCC000-memory.dmp

Filesize
816KB

Download
memory/1496-101-0x0000000075280000-0x000000007530F000-memory.dmp

Filesize
572KB

Download
memory/1496-102-0x0000000075740000-0x000000007589C000-memory.dmp

Filesize
1.4MB

Download
memory/1496-103-0x0000000074DF0000-0x0000000074E09000-memory.dmp

Filesize
100KB

Download
memory/1496-106-0x0000000076270000-0x00000000762A5000-memory.dmp

Filesize
212KB

Download
memory/1496-107-0x0000000074D00000-0x0000000074D38000-memory.dmp

Filesize
224KB

Download
memory/1496-108-0x0000000074CD0000-0x0000000074CEC000-memory.dmp

Filesize
112KB

Download
memory/1496-109-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1496-95-0x0000000075DD0000-0x0000000075E7C000-memory.dmp

Filesize
688KB

Download
memory/1496-111-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/1496-112-0x00000000755F0000-0x0000000075637000-memory.dmp

Filesize
284KB

Download
memory/1496-114-0x0000000075740000-0x000000007589C000-memory.dmp

Filesize
1.4MB

Download
memory/1496-113-0x0000000075280000-0x000000007530F000-memory.dmp

Filesize
572KB

Download
memory/1496-115-0x0000000075DD0000-0x0000000075E7C000-memory.dmp

Filesize
688KB

Download
memory/1496-119-0x0000000076250000-0x0000000076256000-memory.dmp

Filesize
24KB

Download
memory/1496-118-0x0000000076270000-0x00000000762A5000-memory.dmp

Filesize
212KB

Download
memory/1496-120-0x0000000071850000-0x0000000073A88000-memory.dmp

Filesize
34.2MB

Download
memory/1496-124-0x0000000074E20000-0x0000000074E23000-memory.dmp

Filesize
12KB

Download
memory/1496-96-0x00000000755F0000-0x0000000075637000-memory.dmp

Filesize
284KB

Download
memory/1496-126-0x0000000076020000-0x0000000076023000-memory.dmp

Filesize
12KB

Download
memory/1496-122-0x0000000075B00000-0x0000000075BCC000-memory.dmp

Filesize
816KB

Download
memory/1496-129-0x0000000074CD0000-0x0000000074CEC000-memory.dmp

Filesize
112KB

Download
memory/1496-130-0x0000000074CC0000-0x0000000074CC7000-memory.dmp

Filesize
28KB

Download
memory/1496-93-0x0000000000610000-0x00000000006B0000-memory.dmp

Filesize
640KB

Download
memory/1496-94-0x0000000000240000-0x0000000000244000-memory.dmp

Filesize
16KB

Download
memory/1496-91-0x0000000071850000-0x0000000073A88000-memory.dmp

Filesize
34.2MB

Download
memory/1496-86-0x0000000071850000-0x0000000073A88000-memory.dmp

Filesize
34.2MB

Download
memory/1496-211-0x0000000071850000-0x0000000073A88000-memory.dmp

Filesize
34.2MB

Download
memory/1496-212-0x0000000000610000-0x00000000006B0000-memory.dmp

Filesize
640KB

Download
memory/1496-214-0x00000000755F0000-0x0000000075637000-memory.dmp

Filesize
284KB

Download
memory/1496-216-0x0000000075740000-0x000000007589C000-memory.dmp

Filesize
1.4MB

Download
memory/1496-217-0x0000000075DD0000-0x0000000075E7C000-memory.dmp

Filesize
688KB

Download
memory/1496-220-0x0000000076270000-0x00000000762A5000-memory.dmp

Filesize
212KB

Download
memory/1496-229-0x0000000074D00000-0x0000000074D38000-memory.dmp

Filesize
224KB

Download
memory/1496-233-0x0000000000260000-0x0000000000265000-memory.dmp

Filesize
20KB

Download
memory/1496-238-0x0000000075740000-0x000000007589C000-memory.dmp

Filesize
1.4MB

Download
memory/1496-239-0x0000000075DD0000-0x0000000075E7C000-memory.dmp

Filesize
688KB

Download
memory/1496-244-0x0000000071850000-0x0000000073A88000-memory.dmp

Filesize
34.2MB

Download