9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

Analysis

max time kernel
143s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26-04-2023 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AdobePDFReader.msi
Size

2.2MB
MD5

fadc9824c68402143239f764c99bb82d
SHA1

7eb72321c2c1e25b11c9d44229af22a179e27ce8
SHA256

9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5
SHA512

916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6
SSDEEP

49152:NMU9FgsN+TXYr+LrUcdEL9MklhGUWhe8u/g1PQNPEUI:6gFPgYrordG9t0lepg1P2XI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1372	readerdc64.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6c621f.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\6c621f.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\6c621e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c621e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI64FB.tmp	msiexec.exe
File created	C:\Windows\Installer\6c6221.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	readerdc64.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	readerdc64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	readerdc64.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1052	msiexec.exe
1052	msiexec.exe
2000	powershell.exe
2000	powershell.exe
1372	readerdc64.exe
1372	readerdc64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1212	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1212	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeSecurityPrivilege	1052	msiexec.exe
Token: SeCreateTokenPrivilege	1212	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1212	msiexec.exe
Token: SeLockMemoryPrivilege	1212	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1212	msiexec.exe
Token: SeMachineAccountPrivilege	1212	msiexec.exe
Token: SeTcbPrivilege	1212	msiexec.exe
Token: SeSecurityPrivilege	1212	msiexec.exe
Token: SeTakeOwnershipPrivilege	1212	msiexec.exe
Token: SeLoadDriverPrivilege	1212	msiexec.exe
Token: SeSystemProfilePrivilege	1212	msiexec.exe
Token: SeSystemtimePrivilege	1212	msiexec.exe
Token: SeProfSingleProcessPrivilege	1212	msiexec.exe
Token: SeIncBasePriorityPrivilege	1212	msiexec.exe
Token: SeCreatePagefilePrivilege	1212	msiexec.exe
Token: SeCreatePermanentPrivilege	1212	msiexec.exe
Token: SeBackupPrivilege	1212	msiexec.exe
Token: SeRestorePrivilege	1212	msiexec.exe
Token: SeShutdownPrivilege	1212	msiexec.exe
Token: SeDebugPrivilege	1212	msiexec.exe
Token: SeAuditPrivilege	1212	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1212	msiexec.exe
Token: SeChangeNotifyPrivilege	1212	msiexec.exe
Token: SeRemoteShutdownPrivilege	1212	msiexec.exe
Token: SeUndockPrivilege	1212	msiexec.exe
Token: SeSyncAgentPrivilege	1212	msiexec.exe
Token: SeEnableDelegationPrivilege	1212	msiexec.exe
Token: SeManageVolumePrivilege	1212	msiexec.exe
Token: SeImpersonatePrivilege	1212	msiexec.exe
Token: SeCreateGlobalPrivilege	1212	msiexec.exe
Token: SeBackupPrivilege	680	vssvc.exe
Token: SeRestorePrivilege	680	vssvc.exe
Token: SeAuditPrivilege	680	vssvc.exe
Token: SeBackupPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	888	DrvInst.exe
Token: SeRestorePrivilege	888	DrvInst.exe
Token: SeRestorePrivilege	888	DrvInst.exe
Token: SeRestorePrivilege	888	DrvInst.exe
Token: SeRestorePrivilege	888	DrvInst.exe
Token: SeRestorePrivilege	888	DrvInst.exe
Token: SeRestorePrivilege	888	DrvInst.exe
Token: SeLoadDriverPrivilege	888	DrvInst.exe
Token: SeLoadDriverPrivilege	888	DrvInst.exe
Token: SeLoadDriverPrivilege	888	DrvInst.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1212	msiexec.exe
1212	msiexec.exe
1372	readerdc64.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1372	readerdc64.exe
1372	readerdc64.exe
1372	readerdc64.exe
1372	readerdc64.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 2000	1052	msiexec.exe	32
PID 1052 wrote to memory of 2000	1052	msiexec.exe	32
PID 1052 wrote to memory of 2000	1052	msiexec.exe	32
PID 1052 wrote to memory of 1372	1052	msiexec.exe	34
PID 1052 wrote to memory of 1372	1052	msiexec.exe	34
PID 1052 wrote to memory of 1372	1052	msiexec.exe	34
PID 1052 wrote to memory of 1372	1052	msiexec.exe	34
PID 2000 wrote to memory of 560	2000	powershell.exe	35
PID 2000 wrote to memory of 560	2000	powershell.exe	35
PID 2000 wrote to memory of 560	2000	powershell.exe	35
PID 560 wrote to memory of 1548	560	csc.exe	36
PID 560 wrote to memory of 1548	560	csc.exe	36
PID 560 wrote to memory of 1548	560	csc.exe	36

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AdobePDFReader.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1212

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bozytvm5.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DC2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6DB2.tmp"
      4⤵
      PID:1548
- C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe
  "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "000000000000005C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6c6220.rbs

Filesize
7KB

MD5
6445a70e2e7cac82217c6205665d1ebe

SHA1
72629ed4cb3c87f886cd1d52a657478148c25c6b

SHA256
beaf77d510e5c42870181874c8635599cbf45329a3866213fd8503e114d4b50e

SHA512
f44da5b7cd8bb7ad095811393e28eb782900f7923cc0393487bfb11c241f0b25cdc23777b4e21bc4c7eecf74ab36f5500777eaa763690b1b48f2247fe9341b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1

Filesize
2.2MB

MD5
4e0e85a590f4972732f1f0de81aa5507

SHA1
8e1bcab1ac25c59c1203d808f04b53b1db5fd7eb

SHA256
bde15453821fff0d2ed08a8c10885c9ab4ec1ccc6b4b23a41e9e324e4e80a195

SHA512
2b874cf59cdc7298b7fcf6712db3ec4013fcd87b7c7bb44400a789821b35bc57e3ff4e98ccfe93bc4cb420d25b2d3e6967eab2e98abf43bb16543f454cef8953

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6DC2.tmp

Filesize
1KB

MD5
68ee73755bf96797b6a46df2b210de37

SHA1
e9ed152d818abf3eab80639ea43040d331fcade5

SHA256
7ffe0e3282e08dfd92861ffb7313b4fdb0a25408fb0af74fba1b2935460a30d6

SHA512
7924b15888044e1716ec3b269ff1fc92c39f6a516b05275232342b24ef47276d9cf693b9fce39cd28cca433584f9f1d9d4df8002314ab5d7221b38faafab189d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bozytvm5.dll

Filesize
3KB

MD5
7375a689d6140dfb7192de28f4f91611

SHA1
4bd7ed83668a7dadc673a6eac2f9d48d10a4fe2f

SHA256
22511afde4f5d2763b5a8013accfc886fb714e02d2ce7935e0fc1c21ef729324

SHA512
f43d03bd9627606fb9a72d67ddef0e731b789cf1b9d70edab05faf51e9014adc0928a8fc8c8a113cd5fd179ac51137481b1e539206869cdbffdf7d96448b07e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bozytvm5.pdb

Filesize
7KB

MD5
7dcf50bc977f8f6965981bad82732b7b

SHA1
73ac4cb5d3de9dadf2d9e03222aa4e2c9668902c

SHA256
6e552208ba7c341da3dab3159f343497b350f6acd3d0936323d825506a32d56d

SHA512
0aa57ffe509aa629d7030ecad7e96e251bbff4828474498f650958a41cb6e60439d8fac623cc2583da4599d0b2675a4552499bfa30b4d4a1ef4d7917b819c6bc

Download Submit
C:\Windows\Installer\6c621e.msi

Filesize
2.2MB

MD5
fadc9824c68402143239f764c99bb82d

SHA1
7eb72321c2c1e25b11c9d44229af22a179e27ce8

SHA256
9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

SHA512
916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6DB2.tmp

Filesize
652B

MD5
1df693b6e3f3d9ae21676e1937a7624a

SHA1
49005af41836518d5d8aab7f348a57724933bfd5

SHA256
92523a330d416800f2013d2ee6d1c0540be52bc5acbf1fc0966fad5b2223b80b

SHA512
070889ac73913df54563a1d4fab35d234b467b90b82dd718500c979d985f2c8b5f647a41f35dd6d3b008abd676a3d6817df17765c94ec6636c007ee9c1918a63

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bozytvm5.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bozytvm5.cmdline

Filesize
309B

MD5
8491045716440d782c03ffb3addc23c5

SHA1
65e347986e25efb1b2a8c642a0277595a54b82cd

SHA256
cdfbf993fccb77190d855654126f1a4397acbc7210f638f4f8ef10d989569046

SHA512
ba37df45357bfad1a7f0797e46676f65f14844c1856a973bbecea8d9b8fcd24eb841f006ab828a0eca0af5e69521f78d2cffaa934b9b0744a7ccd6de84a5a6ef

Download Submit
memory/1372-169-0x00000000012D0000-0x0000000001709000-memory.dmp

Filesize
4.2MB

Download
memory/1372-198-0x00000000012D0000-0x0000000001709000-memory.dmp

Filesize
4.2MB

Download
memory/1372-204-0x00000000012D0000-0x0000000001709000-memory.dmp

Filesize
4.2MB

Download
memory/1372-201-0x00000000012D0000-0x0000000001709000-memory.dmp

Filesize
4.2MB

Download
memory/1372-80-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/1372-200-0x00000000012D0000-0x0000000001709000-memory.dmp

Filesize
4.2MB

Download
memory/1372-199-0x00000000012D0000-0x0000000001709000-memory.dmp

Filesize
4.2MB

Download
memory/1372-194-0x00000000012D0000-0x0000000001709000-memory.dmp

Filesize
4.2MB

Download
memory/1372-163-0x00000000012D0000-0x0000000001709000-memory.dmp

Filesize
4.2MB

Download
memory/1372-164-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/1372-79-0x00000000012D0000-0x0000000001709000-memory.dmp

Filesize
4.2MB

Download
memory/1372-172-0x00000000012D0000-0x0000000001709000-memory.dmp

Filesize
4.2MB

Download
memory/2000-110-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2000-86-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2000-109-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2000-108-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2000-105-0x00000000025F0000-0x00000000025F8000-memory.dmp

Filesize
32KB

Download
memory/2000-85-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download