41d4f3ba691da9d0c0e7a269f8d3fff7c843c3f8249131dcf112cb149499ec73

Analysis

max time kernel
135s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2023, 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirtualBox-7.0.2-154219-Win(1).exe
Size

105.0MB
MD5

5615443c79de81d4427fcb36a0048ec2
SHA1

55df20799f7f33fd8a004fc9583aafba1ead4f90
SHA256

41d4f3ba691da9d0c0e7a269f8d3fff7c843c3f8249131dcf112cb149499ec73
SHA512

62787b79c5631e63c948a4eb1ef88eecae03b01b39f0134d975579f430f92e63443a5e05f04bacc7c2484f7b7eae60bb83fdbe4a1bd4fb301c314dedb3b54fdf
SSDEEP

3145728:IJG3vysnMAfaW1IfA96jD6yMcU+VnBmK4:IJG36sMtuuBm

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\K:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\S:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\T:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\I:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\N:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\H:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\L:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\M:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\Z:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\W:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\V:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\J:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\U:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\X:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\Y:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\R:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\K:	msiexec.exe

Loads dropped DLL 4 IoCs

pid	Process
1952	MsiExec.exe
1952	MsiExec.exe
1952	MsiExec.exe
1952	MsiExec.exe

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	VirtualBox-7.0.2-154219-Win(1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.2-154219-Win(1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.2-154219-Win(1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.2-154219-Win(1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.2-154219-Win(1).exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeIncreaseQuotaPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSecurityPrivilege	3480	msiexec.exe
Token: SeCreateTokenPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeAssignPrimaryTokenPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeLockMemoryPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeIncreaseQuotaPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeMachineAccountPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeTcbPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSecurityPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeTakeOwnershipPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeLoadDriverPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSystemProfilePrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSystemtimePrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeProfSingleProcessPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeIncBasePriorityPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeCreatePagefilePrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeCreatePermanentPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeBackupPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeRestorePrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeShutdownPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeDebugPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeAuditPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSystemEnvironmentPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeChangeNotifyPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeRemoteShutdownPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeUndockPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSyncAgentPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeEnableDelegationPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeManageVolumePrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeImpersonatePrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeCreateGlobalPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeCreateTokenPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeAssignPrimaryTokenPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeLockMemoryPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeIncreaseQuotaPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeMachineAccountPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeTcbPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSecurityPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeTakeOwnershipPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeLoadDriverPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSystemProfilePrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSystemtimePrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeProfSingleProcessPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeIncBasePriorityPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeCreatePagefilePrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeCreatePermanentPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeBackupPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeRestorePrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeShutdownPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeDebugPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeAuditPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSystemEnvironmentPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeChangeNotifyPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeRemoteShutdownPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeUndockPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSyncAgentPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeEnableDelegationPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeManageVolumePrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeImpersonatePrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeCreateGlobalPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeCreateTokenPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeAssignPrimaryTokenPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeLockMemoryPrivilege	4408	VirtualBox-7.0.2-154219-Win(1).exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4408	VirtualBox-7.0.2-154219-Win(1).exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 1952	3480	msiexec.exe	88
PID 3480 wrote to memory of 1952	3480	msiexec.exe	88

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.2-154219-Win(1).exe
"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.2-154219-Win(1).exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4408

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 217902E6A5467B0DB7F3D373568080B4 C
  2⤵
  - Loads dropped DLL
  PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIF0AE.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF0AE.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF65C.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF65C.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF67C.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF67C.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF67C.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF69D.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF69D.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\r27uuy1zqczicclb2x9b9swc\2blhop2xmfdokidqs8be34fn.msi

Filesize
104.4MB

MD5
545e2bb954f4791292bfc34a3cce9804

SHA1
630aa38b5b826b20264d281a7037299db4d42faf

SHA256
c7ad5a63e966d856ab37d0c903d151bc7db949a22e7c1a406eb2419b2abbcfaa

SHA512
730d902886b22f45ea323f2b353d04fe642da92c64f52469745b17454992857b371b49d1afbd32e51b0f41ecebeea41a1af5b3942923429e2a9989e030181870

Download Submit