9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

Resubmissions

09-10-2023 22:51

231009-2syt5sba42 10

26-04-2023 10:03

230426-l3jvzaae4s 10

Analysis

max time kernel
143s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26-04-2023 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AdobePDFReader (9).msi
Size

2.2MB
MD5

fadc9824c68402143239f764c99bb82d
SHA1

7eb72321c2c1e25b11c9d44229af22a179e27ce8
SHA256

9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5
SHA512

916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6
SSDEEP

49152:NMU9FgsN+TXYr+LrUcdEL9MklhGUWhe8u/g1PQNPEUI:6gFPgYrordG9t0lepg1P2XI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
304	readerdc64.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\6c58ad.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\6c58ac.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c58ac.msi	msiexec.exe
File created	C:\Windows\Installer\6c58ad.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5B5A.tmp	msiexec.exe
File created	C:\Windows\Installer\6c58af.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	readerdc64.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	readerdc64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	readerdc64.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1284	msiexec.exe
1284	msiexec.exe
812	powershell.exe
812	powershell.exe
304	readerdc64.exe
304	readerdc64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1320	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1320	msiexec.exe
Token: SeRestorePrivilege	1284	msiexec.exe
Token: SeTakeOwnershipPrivilege	1284	msiexec.exe
Token: SeSecurityPrivilege	1284	msiexec.exe
Token: SeCreateTokenPrivilege	1320	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1320	msiexec.exe
Token: SeLockMemoryPrivilege	1320	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1320	msiexec.exe
Token: SeMachineAccountPrivilege	1320	msiexec.exe
Token: SeTcbPrivilege	1320	msiexec.exe
Token: SeSecurityPrivilege	1320	msiexec.exe
Token: SeTakeOwnershipPrivilege	1320	msiexec.exe
Token: SeLoadDriverPrivilege	1320	msiexec.exe
Token: SeSystemProfilePrivilege	1320	msiexec.exe
Token: SeSystemtimePrivilege	1320	msiexec.exe
Token: SeProfSingleProcessPrivilege	1320	msiexec.exe
Token: SeIncBasePriorityPrivilege	1320	msiexec.exe
Token: SeCreatePagefilePrivilege	1320	msiexec.exe
Token: SeCreatePermanentPrivilege	1320	msiexec.exe
Token: SeBackupPrivilege	1320	msiexec.exe
Token: SeRestorePrivilege	1320	msiexec.exe
Token: SeShutdownPrivilege	1320	msiexec.exe
Token: SeDebugPrivilege	1320	msiexec.exe
Token: SeAuditPrivilege	1320	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1320	msiexec.exe
Token: SeChangeNotifyPrivilege	1320	msiexec.exe
Token: SeRemoteShutdownPrivilege	1320	msiexec.exe
Token: SeUndockPrivilege	1320	msiexec.exe
Token: SeSyncAgentPrivilege	1320	msiexec.exe
Token: SeEnableDelegationPrivilege	1320	msiexec.exe
Token: SeManageVolumePrivilege	1320	msiexec.exe
Token: SeImpersonatePrivilege	1320	msiexec.exe
Token: SeCreateGlobalPrivilege	1320	msiexec.exe
Token: SeBackupPrivilege	1080	vssvc.exe
Token: SeRestorePrivilege	1080	vssvc.exe
Token: SeAuditPrivilege	1080	vssvc.exe
Token: SeBackupPrivilege	1284	msiexec.exe
Token: SeRestorePrivilege	1284	msiexec.exe
Token: SeRestorePrivilege	1944	DrvInst.exe
Token: SeRestorePrivilege	1944	DrvInst.exe
Token: SeRestorePrivilege	1944	DrvInst.exe
Token: SeRestorePrivilege	1944	DrvInst.exe
Token: SeRestorePrivilege	1944	DrvInst.exe
Token: SeRestorePrivilege	1944	DrvInst.exe
Token: SeRestorePrivilege	1944	DrvInst.exe
Token: SeLoadDriverPrivilege	1944	DrvInst.exe
Token: SeLoadDriverPrivilege	1944	DrvInst.exe
Token: SeLoadDriverPrivilege	1944	DrvInst.exe
Token: SeRestorePrivilege	1284	msiexec.exe
Token: SeTakeOwnershipPrivilege	1284	msiexec.exe
Token: SeRestorePrivilege	1284	msiexec.exe
Token: SeTakeOwnershipPrivilege	1284	msiexec.exe
Token: SeRestorePrivilege	1284	msiexec.exe
Token: SeTakeOwnershipPrivilege	1284	msiexec.exe
Token: SeRestorePrivilege	1284	msiexec.exe
Token: SeTakeOwnershipPrivilege	1284	msiexec.exe
Token: SeRestorePrivilege	1284	msiexec.exe
Token: SeTakeOwnershipPrivilege	1284	msiexec.exe
Token: SeRestorePrivilege	1284	msiexec.exe
Token: SeTakeOwnershipPrivilege	1284	msiexec.exe
Token: SeRestorePrivilege	1284	msiexec.exe
Token: SeTakeOwnershipPrivilege	1284	msiexec.exe
Token: SeRestorePrivilege	1284	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1320	msiexec.exe
1320	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
304	readerdc64.exe
304	readerdc64.exe
304	readerdc64.exe
304	readerdc64.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 812	1284	msiexec.exe	32
PID 1284 wrote to memory of 812	1284	msiexec.exe	32
PID 1284 wrote to memory of 812	1284	msiexec.exe	32
PID 1284 wrote to memory of 304	1284	msiexec.exe	33
PID 1284 wrote to memory of 304	1284	msiexec.exe	33
PID 1284 wrote to memory of 304	1284	msiexec.exe	33
PID 1284 wrote to memory of 304	1284	msiexec.exe	33
PID 812 wrote to memory of 1944	812	powershell.exe	36
PID 812 wrote to memory of 1944	812	powershell.exe	36
PID 812 wrote to memory of 1944	812	powershell.exe	36
PID 1944 wrote to memory of 1108	1944	csc.exe	37
PID 1944 wrote to memory of 1108	1944	csc.exe	37
PID 1944 wrote to memory of 1108	1944	csc.exe	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\AdobePDFReader (9).msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1320

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\266qb-wg.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CAA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6CA9.tmp"
      4⤵
      PID:1108
- C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe
  "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "0000000000000060"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6c58ae.rbs

Filesize
7KB

MD5
6ac681127ce03a0c9b0547f33bd80844

SHA1
ce2bb65b35cdd482109b789bfb52bb95fcfcf309

SHA256
5eca4fa9bd95839d86538b4d9399e82c89902c61c8c2b6788f4ca4b8327613b4

SHA512
a56161f29db139498c4c0803ebcb3f849dbe1ffecfcacc520b06f0c12568f8867e0c5c821f8c8d5f210c2f11786173cea672ab4075e2e56bb03253b018beeef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\266qb-wg.dll

Filesize
3KB

MD5
1ddf29008ab4bba24142bce69e1a96af

SHA1
5419af1c52478fd26411ae1a701c40a513f4a220

SHA256
6189a2fe03891d8d8db608f05d21faf2c02d68395f098df7e4a9422b235ce112

SHA512
783d072fc6932e3003f2d4008e2b5dbc439a5321e98538faabf103d9e77349ffbd8614df5deb7fdc1b75a03efcb396dafc1c199dce5c93b77ec21ecd6effaa02

Download Submit
C:\Users\Admin\AppData\Local\Temp\266qb-wg.pdb

Filesize
7KB

MD5
c70151470cba4ac1f71267cae9864088

SHA1
cf382ea973e056d82eb8d7d8b76b1ea3ad73c20d

SHA256
fb5d42dbb8180c25a4ab3d22e50f92b0b638c90975610557b31e3a91e2f237a4

SHA512
9cbbbaf157ad36706869aeb19ea35c2ae743684a6d91056af8f65696560c8775304e59d22add551f99401abdd1a07358dfe1ebc8e82ac8e4a4c6461a95e819ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1

Filesize
2.2MB

MD5
4e0e85a590f4972732f1f0de81aa5507

SHA1
8e1bcab1ac25c59c1203d808f04b53b1db5fd7eb

SHA256
bde15453821fff0d2ed08a8c10885c9ab4ec1ccc6b4b23a41e9e324e4e80a195

SHA512
2b874cf59cdc7298b7fcf6712db3ec4013fcd87b7c7bb44400a789821b35bc57e3ff4e98ccfe93bc4cb420d25b2d3e6967eab2e98abf43bb16543f454cef8953

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6CAA.tmp

Filesize
1KB

MD5
f0ade2a3dda553cc625715e8a6c78637

SHA1
94b0b9ea23ec65df7ee45335421dcb613cc2b608

SHA256
195b9aef99bffad60e17c24fbd7c4089fb85249b59d326146759de77b40f3625

SHA512
484e72791b5c9ccbcf36aee5e019d4be6d97f900fd492e2b6189ebcf5f24b4fa87903f0d8a7e4d02fcab8be33b1f55ba6a92f27653bfe3f30e7f0ab3e59f239f

Download Submit
C:\Windows\Installer\6c58ac.msi

Filesize
2.2MB

MD5
fadc9824c68402143239f764c99bb82d

SHA1
7eb72321c2c1e25b11c9d44229af22a179e27ce8

SHA256
9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

SHA512
916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\266qb-wg.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\266qb-wg.cmdline

Filesize
309B

MD5
c60306a797ff1770076d1d5b2d9a6d9e

SHA1
b0496fbead382cacf135e36cb898790b14876b9a

SHA256
2e1dcd07ca8d886d19bc5442def2eae25b10d5746a20b30447087d3f7b069eee

SHA512
867a1f4efd259d07173b0fcc01d3498e03079d4baa041c1104c074440121fcf1679b8e5cad2e02f2f9cd9335789f829901e8c890e9c6dc303e49caa095d0702b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6CA9.tmp

Filesize
652B

MD5
7c2856fe765e4403120b40966df11f0d

SHA1
6dfd19e86659b1ce6259ff1bd074fc57c9dc165f

SHA256
e62d1bada1a77eee5c5205f15ae9ddf82d12e6a21fa4006b253a56ddb34197a9

SHA512
264ce1b2fe6e42350d592ef43e15ba2262a0bc004460890da9f1f36e298a0b2ef52fc3ee26742f8a21090ab79177a459a6cc03d54c08757726e56670fc57a5ec

Download Submit
memory/304-186-0x0000000001260000-0x0000000001699000-memory.dmp

Filesize
4.2MB

Download
memory/304-197-0x0000000001260000-0x0000000001699000-memory.dmp

Filesize
4.2MB

Download
memory/304-164-0x0000000001260000-0x0000000001699000-memory.dmp

Filesize
4.2MB

Download
memory/304-165-0x0000000001260000-0x0000000001699000-memory.dmp

Filesize
4.2MB

Download
memory/304-79-0x0000000001260000-0x0000000001699000-memory.dmp

Filesize
4.2MB

Download
memory/304-200-0x0000000001260000-0x0000000001699000-memory.dmp

Filesize
4.2MB

Download
memory/304-199-0x0000000001260000-0x0000000001699000-memory.dmp

Filesize
4.2MB

Download
memory/304-80-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download
memory/304-203-0x0000000001260000-0x0000000001699000-memory.dmp

Filesize
4.2MB

Download
memory/304-198-0x0000000001260000-0x0000000001699000-memory.dmp

Filesize
4.2MB

Download
memory/812-110-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/812-94-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/812-89-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/812-92-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/812-93-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/812-88-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/1944-166-0x0000000002030000-0x00000000020B0000-memory.dmp

Filesize
512KB

Download
memory/1944-109-0x0000000002030000-0x00000000020B0000-memory.dmp

Filesize
512KB

Download