265f515d5661fc4a08ba03504e3b61923c36981bf05ff0fe717e480967a0f512

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	cdburner.exe

Executes dropped EXE 7 IoCs

pid	Process
2480	cdburner.exe
3144	cdburner.exe
2904	cdburner.exe
748	cdburner.exe
3844	cdburner.exe
4372	cdburner.exe
1696	cdburner.exe

Loads dropped DLL 15 IoCs

pid	Process
460	MsiExec.exe
2480	cdburner.exe
2480	cdburner.exe
3144	cdburner.exe
3144	cdburner.exe
2904	cdburner.exe
2904	cdburner.exe
748	cdburner.exe
748	cdburner.exe
3844	cdburner.exe
3844	cdburner.exe
4372	cdburner.exe
4372	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	cdburner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	cdburner.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	cdburner.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{46EA6992-A2BD-46C6-8B08-356FF7E79910}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB319.tmp	msiexec.exe
File created	C:\Windows\Installer\e56adc9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56adc9.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE84.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
3716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4816	msiexec.exe
4816	msiexec.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe
1696	cdburner.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4800	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4800	msiexec.exe
Token: SeSecurityPrivilege	4816	msiexec.exe
Token: SeCreateTokenPrivilege	4800	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4800	msiexec.exe
Token: SeLockMemoryPrivilege	4800	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4800	msiexec.exe
Token: SeMachineAccountPrivilege	4800	msiexec.exe
Token: SeTcbPrivilege	4800	msiexec.exe
Token: SeSecurityPrivilege	4800	msiexec.exe
Token: SeTakeOwnershipPrivilege	4800	msiexec.exe
Token: SeLoadDriverPrivilege	4800	msiexec.exe
Token: SeSystemProfilePrivilege	4800	msiexec.exe
Token: SeSystemtimePrivilege	4800	msiexec.exe
Token: SeProfSingleProcessPrivilege	4800	msiexec.exe
Token: SeIncBasePriorityPrivilege	4800	msiexec.exe
Token: SeCreatePagefilePrivilege	4800	msiexec.exe
Token: SeCreatePermanentPrivilege	4800	msiexec.exe
Token: SeBackupPrivilege	4800	msiexec.exe
Token: SeRestorePrivilege	4800	msiexec.exe
Token: SeShutdownPrivilege	4800	msiexec.exe
Token: SeDebugPrivilege	4800	msiexec.exe
Token: SeAuditPrivilege	4800	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4800	msiexec.exe
Token: SeChangeNotifyPrivilege	4800	msiexec.exe
Token: SeRemoteShutdownPrivilege	4800	msiexec.exe
Token: SeUndockPrivilege	4800	msiexec.exe
Token: SeSyncAgentPrivilege	4800	msiexec.exe
Token: SeEnableDelegationPrivilege	4800	msiexec.exe
Token: SeManageVolumePrivilege	4800	msiexec.exe
Token: SeImpersonatePrivilege	4800	msiexec.exe
Token: SeCreateGlobalPrivilege	4800	msiexec.exe
Token: SeRestorePrivilege	4816	msiexec.exe
Token: SeTakeOwnershipPrivilege	4816	msiexec.exe
Token: SeRestorePrivilege	4816	msiexec.exe
Token: SeTakeOwnershipPrivilege	4816	msiexec.exe
Token: SeRestorePrivilege	4816	msiexec.exe
Token: SeTakeOwnershipPrivilege	4816	msiexec.exe
Token: SeRestorePrivilege	4816	msiexec.exe
Token: SeTakeOwnershipPrivilege	4816	msiexec.exe
Token: SeRestorePrivilege	4816	msiexec.exe
Token: SeTakeOwnershipPrivilege	4816	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4800	msiexec.exe
4800	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 460	4816	msiexec.exe	85
PID 4816 wrote to memory of 460	4816	msiexec.exe	85
PID 4816 wrote to memory of 460	4816	msiexec.exe	85
PID 460 wrote to memory of 2480	460	MsiExec.exe	92
PID 460 wrote to memory of 2480	460	MsiExec.exe	92
PID 460 wrote to memory of 2480	460	MsiExec.exe	92
PID 2480 wrote to memory of 3144	2480	cdburner.exe	93
PID 2480 wrote to memory of 3144	2480	cdburner.exe	93
PID 2480 wrote to memory of 3144	2480	cdburner.exe	93
PID 2480 wrote to memory of 2904	2480	cdburner.exe	97
PID 2480 wrote to memory of 2904	2480	cdburner.exe	97
PID 2480 wrote to memory of 2904	2480	cdburner.exe	97
PID 2480 wrote to memory of 748	2480	cdburner.exe	96
PID 2480 wrote to memory of 748	2480	cdburner.exe	96
PID 2480 wrote to memory of 748	2480	cdburner.exe	96
PID 2480 wrote to memory of 3844	2480	cdburner.exe	95
PID 2480 wrote to memory of 3844	2480	cdburner.exe	95
PID 2480 wrote to memory of 3844	2480	cdburner.exe	95
PID 2480 wrote to memory of 4372	2480	cdburner.exe	94
PID 2480 wrote to memory of 4372	2480	cdburner.exe	94
PID 2480 wrote to memory of 4372	2480	cdburner.exe	94
PID 4372 wrote to memory of 1696	4372	cdburner.exe	98
PID 4372 wrote to memory of 1696	4372	cdburner.exe	98
PID 4372 wrote to memory of 1696	4372	cdburner.exe	98
PID 3844 wrote to memory of 3716	3844	cdburner.exe	100
PID 3844 wrote to memory of 3716	3844	cdburner.exe	100
PID 3844 wrote to memory of 3716	3844	cdburner.exe	100

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\0 Currículo tzk.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4800

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2B0F0FA3D02CB4FD1342F42206BC5D58
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Users\Admin\BSPlayer\cdburner.exe
    "C:\Users\Admin\BSPlayer\cdburner.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Users\Admin\BSPlayer\cdburner.exe
      "C:\Users\Admin\BSPlayer\cdburner.exe" /systemstartup
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3144
  - - C:\Users\Admin\BSPlayer\cdburner.exe
      "C:\Users\Admin\BSPlayer\cdburner.exe" --type=renderer--field-trial-handle=4304.754958
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:4372
    - - C:\Users\Admin\BSPlayer\cdburner.exe
        
        "C:\Users\Admin\BSPlayer\cdburner.exe" neto2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1696
  - - C:\Users\Admin\BSPlayer\cdburner.exe
      "C:\Users\Admin\BSPlayer\cdburner.exe" --type=gpu-process--field-trial-handle=4305.474
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3844
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /xml "C:\Users\Admin\BSPlayer\\settings.xml" /tn "run HKZDB"
        5⤵
        Creates scheduled task(s)
        
        PID:3716
  - - C:\Users\Admin\BSPlayer\cdburner.exe
      "C:\Users\Admin\BSPlayer\cdburner.exe" --type=utility--utility-sub-type=network.mojom.
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:748
  - - C:\Users\Admin\BSPlayer\cdburner.exe
      "C:\Users\Admin\BSPlayer\cdburner.exe" -type:exit-monitor-method:collectupload-session-token
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery