84157138f75922b237d7cfb2af404c465528385ef85b2b6c097c4a22d998e17d

Analysis

max time kernel
135s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RemotePlayInstaller.exe
Size

3.7MB
MD5

7b67007d349cdea6580b4cd22079cfe0
SHA1

ae920be22e3f468b54aeec8a4c8195022553c561
SHA256

84157138f75922b237d7cfb2af404c465528385ef85b2b6c097c4a22d998e17d
SHA512

455a720ddec161566e3565e4992d92b85198e90cade55dab7156c12ffede422c94badb72fca0038941e1c9fa5a705448648af23a79a7523ba59f1b5d2f134b7b
SSDEEP

49152:0zueeFod/wDQfKK7wllllLZU3ylTi3+GPhS8alqwtUKTw3wox8wGJS77EkT27:FXFodoDQfKK7IU7+GPh3wCtAM8RJS3E

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\F:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE

Executes dropped EXE 1 IoCs

pid	Process
1000	RemotePlayInstaller.exe

Loads dropped DLL 1 IoCs

pid	Process
2416	MsiExec.exe

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	RemotePlayInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	RemotePlayInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	RemotePlayInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	RemotePlayInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	RemotePlayInstaller.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3660	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3660	MSIEXEC.EXE
Token: SeSecurityPrivilege	4408	msiexec.exe
Token: SeCreateTokenPrivilege	3660	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3660	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3660	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3660	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	3660	MSIEXEC.EXE
Token: SeTcbPrivilege	3660	MSIEXEC.EXE
Token: SeSecurityPrivilege	3660	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	3660	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	3660	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	3660	MSIEXEC.EXE
Token: SeSystemtimePrivilege	3660	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	3660	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	3660	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	3660	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	3660	MSIEXEC.EXE
Token: SeBackupPrivilege	3660	MSIEXEC.EXE
Token: SeRestorePrivilege	3660	MSIEXEC.EXE
Token: SeShutdownPrivilege	3660	MSIEXEC.EXE
Token: SeDebugPrivilege	3660	MSIEXEC.EXE
Token: SeAuditPrivilege	3660	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	3660	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	3660	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	3660	MSIEXEC.EXE
Token: SeUndockPrivilege	3660	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	3660	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	3660	MSIEXEC.EXE
Token: SeManageVolumePrivilege	3660	MSIEXEC.EXE
Token: SeImpersonatePrivilege	3660	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	3660	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	3660	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3660	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3660	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3660	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	3660	MSIEXEC.EXE
Token: SeTcbPrivilege	3660	MSIEXEC.EXE
Token: SeSecurityPrivilege	3660	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	3660	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	3660	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	3660	MSIEXEC.EXE
Token: SeSystemtimePrivilege	3660	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	3660	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	3660	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	3660	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	3660	MSIEXEC.EXE
Token: SeBackupPrivilege	3660	MSIEXEC.EXE
Token: SeRestorePrivilege	3660	MSIEXEC.EXE
Token: SeShutdownPrivilege	3660	MSIEXEC.EXE
Token: SeDebugPrivilege	3660	MSIEXEC.EXE
Token: SeAuditPrivilege	3660	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	3660	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	3660	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	3660	MSIEXEC.EXE
Token: SeUndockPrivilege	3660	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	3660	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	3660	MSIEXEC.EXE
Token: SeManageVolumePrivilege	3660	MSIEXEC.EXE
Token: SeImpersonatePrivilege	3660	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	3660	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	3660	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3660	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3660	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3660	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1000	2212	RemotePlayInstaller.exe	85
PID 2212 wrote to memory of 1000	2212	RemotePlayInstaller.exe	85
PID 2212 wrote to memory of 1000	2212	RemotePlayInstaller.exe	85
PID 1000 wrote to memory of 3660	1000	RemotePlayInstaller.exe	92
PID 1000 wrote to memory of 3660	1000	RemotePlayInstaller.exe	92
PID 1000 wrote to memory of 3660	1000	RemotePlayInstaller.exe	92
PID 4408 wrote to memory of 2416	4408	msiexec.exe	95
PID 4408 wrote to memory of 2416	4408	msiexec.exe	95
PID 4408 wrote to memory of 2416	4408	msiexec.exe	95

C:\Users\Admin\AppData\Local\Temp\RemotePlayInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\RemotePlayInstaller.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\{32FE1CAD-46C4-4439-9C16-1D7331A18440}\RemotePlayInstaller.exe
  C:\Users\Admin\AppData\Local\Temp\{32FE1CAD-46C4-4439-9C16-1D7331A18440}\RemotePlayInstaller.exe /q"C:\Users\Admin\AppData\Local\Temp\RemotePlayInstaller.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{32FE1CAD-46C4-4439-9C16-1D7331A18440}" /IS_temp
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{32FE1CAD-46C4-4439-9C16-1D7331A18440}\RemotePlayInstaller_6.0.0.02240_Win32.msi" TRANSFORMS="C:\Users\Admin\AppData\Local\Temp\{32FE1CAD-46C4-4439-9C16-1D7331A18440}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="RemotePlayInstaller.exe"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3660

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 03A94B7E981F676CBDE030B3E55D22CB C
  2⤵
  - Loads dropped DLL
  PID:2416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_D3FEC69ED46425E25283608F1B41FD70

Filesize
1KB

MD5
999833ab8f9a2c9516f7e0dbbd975012

SHA1
4bbaf3824fc6d2a53842a1f64fdfb1de36f4df39

SHA256
a3e2dde49c449f62eb8a1e022fc2bbb6de452fd4aaddf183b3539b39d312592e

SHA512
4101953c4c4101b5a3b154761ee91a7323f372da47bfcf425e84a59e6cde5595664c91c821edbec72f808c276abfd64f87e97ce8cb24029385829f0a8d880822

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
c54dcdbe9ab336c770fe8ae8299b15c2

SHA1
3b254eed2cf9e2d775bbb7c0b26d45c0e8dcb6d4

SHA256
f201c2b3cf6da4db9b67b88fb62f272f01a6fcd28247dadc4d4922867d3bb86b

SHA512
530bca9ab13ea21ef3af6a4af99dbef7fde4516369a414498946e6823856599b51ece54ccc74f19ad0789c208ebe4230793fba18df0717fc189bdebcb5bf9716

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

Filesize
1KB

MD5
f0c87a960d263e1fc2b9a9e749a0f1c8

SHA1
3de8919328112d2ff55eafda434f2b5e60c992fb

SHA256
22a780008a4f789603ee68457e57fe5a86b2d8ab990a80a06053d2a52f3b3f18

SHA512
7995c7b773ef4e65a513c972f30ccd623b7bebffbf6dc52a0ac6a0cdd73e4b5819f736e2848104f3ed31008aaeccbee2462bce98c10f4aae3da514949e894673

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_D3FEC69ED46425E25283608F1B41FD70

Filesize
544B

MD5
8eed2aa1cbf53f80fa1e8b84ec6968ce

SHA1
2a2e9e1d4e25433adfb399e0dcb6b1b0cdd9d2a3

SHA256
1299c99d46c86535718b9b49b337dae343aae3a60985a2cb8b680856b227fcef

SHA512
6a814b8c4fbe959fd2ed6d2952f048df0f6e424826e49eede4f6b7b93b25e680935a02ee02b0991985a6a2c054416794cf86a2cef4f4d48be9624a46ad9e8f61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
8096e83953880aa71499336eced7c3cf

SHA1
0f3089098de73ab6f232cdc8beca1cfc7b07f63d

SHA256
23920cc47daed4c32086f18042f26da2a14e5ddea0f441fdf7377a3eda4d8c75

SHA512
9b3006ff99f7ce65aa4257f48fe25d67ef9834a44e33acf9f539929e7d8536088a9baa9d107ae25bedcef9acdf5d6a225f9549c136b583212a2174ee592aa924

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

Filesize
508B

MD5
fe05a235f9532a0bdc5a80f2068487e7

SHA1
e1e80a1452cd3fce8a8aa3df9364abac6e5f0388

SHA256
59e4ce059405d8bf918b25def30a048eca0f3d965001957ac08e6e3fb5036871

SHA512
0409cf1b8eb94f439c8dd55cc2b647c48c25eca136b087ea901116c9b92c4f5fc6f68c984b3082cf4474345318d2b87455ecc6e3f891831702d0a4bacec52312

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC51A.tmp

Filesize
153KB

MD5
90018b97c65c127614fa355528354f52

SHA1
3dc2230145e174f75f7924c749bc1ad03c23785f

SHA256
f1e2a9376ffe5497056d73f43a994609be14d0934695ceb1cb4689ae3d80a5a8

SHA512
54e527654013c7e46a857f1e5aceb813e6cfb8f30617f3506803f144cd47479e092aa134c4b66e5bc66d016d02f98f12ed958f482b829b47874c70020b0ee926

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC51A.tmp

Filesize
153KB

MD5
90018b97c65c127614fa355528354f52

SHA1
3dc2230145e174f75f7924c749bc1ad03c23785f

SHA256
f1e2a9376ffe5497056d73f43a994609be14d0934695ceb1cb4689ae3d80a5a8

SHA512
54e527654013c7e46a857f1e5aceb813e6cfb8f30617f3506803f144cd47479e092aa134c4b66e5bc66d016d02f98f12ed958f482b829b47874c70020b0ee926

Download Submit
C:\Users\Admin\AppData\Local\Temp\iss9D71.tmp

Filesize
7.2MB

MD5
8b440301aaa56c7aaf322aab1cfd5591

SHA1
3e9f52641abb891ed2784c765994652e5830d164

SHA256
4303bb1d6a415816abc6bf9150646f0fa2511e738686c89f9b53dbd9ad207e56

SHA512
eea79fc5c18526b4786c396f6c5fc08eaea0dd1be3a09fcea3da538c1170eee5ae3e366923c1b1def3e3e932fb1e8ab0bec256b8deee856d0b85efa56ecd4e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2576EA30-5DD2-452F-9069-8A460EE7FABC}\_isres_0x080a.dll

Filesize
1.8MB

MD5
2ca7126edc52813420d1ec7523202d0c

SHA1
e9920a367d0368bc691ebb8e2b9ccca2ef9b5384

SHA256
82c6831668ce75131fb4c00f5923f76c948496628d989c416070ffb5182a02d4

SHA512
f8161ebb0e02c84ae62a1a8c28968b9acc6fe089dc76192b7e3782ae08a13bef1a4cd32df04be01ccef5eb4a66fd26c9505b14bb34047b4ecceb04c67c3cd015

Download Submit
C:\Users\Admin\AppData\Local\Temp\{32FE1CAD-46C4-4439-9C16-1D7331A18440}\0x0409.ini

Filesize
21KB

MD5
8f201e5d0a6ea9a04603708b83873638

SHA1
5c07d87ee442cd1f15e31c4c14cac839c67bc939

SHA256
e048d655c49166993b56a27af6ec2c10ab66194dd85f05cf8b6efcefb76172a9

SHA512
3de812bac55605441cc3c145a2d2437e60253e04b73aa683563127165385086fb7eea95cc67f86d54efac9963a0cf548238f9d13225252d3ebb08cb0be828e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{32FE1CAD-46C4-4439-9C16-1D7331A18440}\1033.MST

Filesize
36KB

MD5
3357d8b1a969020f783854fc1ee037ba

SHA1
abfa5a3f9eccb1b64eb953f45c2c8b0dafb3413d

SHA256
ec2a9fd1f398bac4f2db08e17a37e86041ece1de456bf651ae18255f2c4ca671

SHA512
6f82e603aa66fea9539ba9f8636b4412f68c39c71d9b0a0ca4406c76c8ad9de3ad340ef8c129550f1ab1c4b0b6ef927174daa7106cd6aaa4bb8d4452e41dd5fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{32FE1CAD-46C4-4439-9C16-1D7331A18440}\RemotePlayInstaller.exe

Filesize
3.7MB

MD5
7b67007d349cdea6580b4cd22079cfe0

SHA1
ae920be22e3f468b54aeec8a4c8195022553c561

SHA256
84157138f75922b237d7cfb2af404c465528385ef85b2b6c097c4a22d998e17d

SHA512
455a720ddec161566e3565e4992d92b85198e90cade55dab7156c12ffede422c94badb72fca0038941e1c9fa5a705448648af23a79a7523ba59f1b5d2f134b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{32FE1CAD-46C4-4439-9C16-1D7331A18440}\RemotePlayInstaller.exe

Filesize
3.7MB

MD5
7b67007d349cdea6580b4cd22079cfe0

SHA1
ae920be22e3f468b54aeec8a4c8195022553c561

SHA256
84157138f75922b237d7cfb2af404c465528385ef85b2b6c097c4a22d998e17d

SHA512
455a720ddec161566e3565e4992d92b85198e90cade55dab7156c12ffede422c94badb72fca0038941e1c9fa5a705448648af23a79a7523ba59f1b5d2f134b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{32FE1CAD-46C4-4439-9C16-1D7331A18440}\RemotePlayInstaller_6.0.0.02240_Win32.msi

Filesize
13.0MB

MD5
026d96a28e4f1b6273f294f9ce87d0db

SHA1
79a0d73308a3cd275818cffbedb0aebff3433444

SHA256
6f44268424bd2d1ff02caff332f9dbb86c3903f1ed1c33e234814ac252396683

SHA512
4be6aa303061815e40ab76e04aa47e3039a4852beb6c3c87d6318d21fbdee70f66dee74a8c088f626dd75c724c0b302f352f27b3e3357c4a0b23ab5b8ed6b461

Download Submit
C:\Users\Admin\AppData\Local\Temp\{32FE1CAD-46C4-4439-9C16-1D7331A18440}\RemotePlayInstaller_6.0.0.02240_Win32.msi

Filesize
13.0MB

MD5
026d96a28e4f1b6273f294f9ce87d0db

SHA1
79a0d73308a3cd275818cffbedb0aebff3433444

SHA256
6f44268424bd2d1ff02caff332f9dbb86c3903f1ed1c33e234814ac252396683

SHA512
4be6aa303061815e40ab76e04aa47e3039a4852beb6c3c87d6318d21fbdee70f66dee74a8c088f626dd75c724c0b302f352f27b3e3357c4a0b23ab5b8ed6b461

Download Submit
C:\Users\Admin\AppData\Local\Temp\{32FE1CAD-46C4-4439-9C16-1D7331A18440}\Setup.INI

Filesize
6KB

MD5
568b8e2dc70447c7d3247afdec598056

SHA1
7b20a7d98991a517cf2ea5b3eede2e04d0207cc6

SHA256
282c9379ba1d21e1518a7f2058b80948e65d3e44c63f952877cd861da4fc8fe0

SHA512
bd46efe8f84f3539af340ab164212a1770498b90ce6614ab0b03ff483d24e20d94cb2e9dfc12632cc30e998e93ae2ff73522a38e0726a1fd87890c4ea756e593

Download Submit
C:\Users\Admin\AppData\Local\Temp\{32FE1CAD-46C4-4439-9C16-1D7331A18440}\_ISMSIDEL.INI

Filesize
648B

MD5
a6ec9e2ee757902db330e22f2e324fc8

SHA1
338683f090763bd7f721d43a66f98e204bfb40f1

SHA256
2a8cd997e49b785e03e23f065eb4b25ac4a48e080ebd4821c85927e24a5f2c2c

SHA512
b22223cf317b46ea66eecc59c415cdb2b1d699a9f7e12d1cad14edfb756333bdbd742f6ca1319e5c73b4adf532c3e5c094be74d4e19e582ea483aff3de6eb86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{32FE1CAD-46C4-4439-9C16-1D7331A18440}\_ISMSIDEL.INI

Filesize
5KB

MD5
8c5f698c0b8125e34a7cc84c7e653578

SHA1
e698ca0de37782bf3e572f22aff9afeec6823536

SHA256
a3a3447782f757b716cf8fc2aa018fd5846457cba7edc04866db71ede7a33e3a

SHA512
44c3edf25cb2c6001fe6dbe24ab9760551fedf37f05fb5b4e8de7ab3b4b70c493fdcd831e4170e183466135f4a42a86a952613227a49c348d93e8b9c2ccda20e

Download Submit