Analysis
max time kernel: 141s
max time network: 147s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2023 12:13
Static task: static1
Behavioral task: behavioral1
Sample: 05234599.msi
Resource: win7-20230220-en
General
Target: 05234599.msi
Size: 5.8MB
MD5: 82ff84cb9924f0855a894e75b5d3edb2
SHA1: df89381239f8a8ececeb697a6a35a573203bac09
SHA256: cd8393350f7cfc0762e09ee3b0a98002a1b9abf362caf5f210e717e1d4ebe53a
SHA512: 416db643cbfda60b26bb3eac8b6a94b148b506bc016d562bc51e085f765400c56412462b42e2e29dcc44fa621349781c1c225081804c528a0a7fd1822663597b
SSDEEP: 98304:ajJzMUpQ/2zKN5DmsQPKEvia5Zld9l4jH43ZnzgB1wLhQNHFRaFUDAQQHk8iQdvk:M5NzKNgsKKE6UZD9l4IZnzgLwLhQNHFd
Malware Config
Extracted
Family: gozi
Botnet: 1000
C2: https://sumarno.top
host_keep_time: 2
host_shift_time: 1
idle_time: 1
request_time: 10
Signatures

Blocklisted process makes network request (3 IoCs)
Processes: rundll32.exe
flow 4, PID 1576, rundll32.exe
flow 6, PID 1576, rundll32.exe
flow 8, PID 1576, rundll32.exe

Executes dropped EXE (2 IoCs)
Processes: MSI85C8.tmp, MSI86C3.tmp
PID 1168, MSI85C8.tmp
PID 1316, MSI86C3.tmp

Loads dropped DLL (7 IoCs)
Processes: MsiExec.exe, rundll32.exe
PID 1888, MsiExec.exe (3 loads)
PID 1576, rundll32.exe (4 loads)
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe
Drops file in Windows directory (15 IoCs)
Processes: msiexec.exe, DrvInst.exe
File opened for modification C:\Windows\Installer\6c7f6d.msi (msiexec.exe)
File created C:\Windows\Installer\6c7f6d.msi (msiexec.exe)
File created C:\Windows\Installer\6c7f71.msi (msiexec.exe)
File opened for modification C:\Windows\Installer\MSI86C3.tmp (msiexec.exe)
File created C:\Windows\Installer\6c7f6f.ipi (msiexec.exe)
File opened for modification C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
File opened for modification C:\Windows\Installer\MSI82A9.tmp (msiexec.exe)
File opened for modification C:\Windows\Installer\MSI8346.tmp (msiexec.exe)
File opened for modification C:\Windows\Installer\MSI85C8.tmp (msiexec.exe)
File opened for modification C:\Windows\Installer\6c7f6f.ipi (msiexec.exe)
File opened for modification C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
File opened for modification C:\Windows\Installer\MSI8077.tmp (msiexec.exe)
File opened for modification C:\Windows\Installer\ (msiexec.exe)
File opened for modification C:\Windows\Installer\MSI8598.tmp (msiexec.exe)
File opened for modification C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
Modifies data under HKEY_USERS (43 IoCs)
Processes: DrvInst.exe
Modifies system certificate store
Processes: rundll32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 (rundll32.exe)
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob data removed) (rundll32.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: msiexec.exe (PID 2016), MSI86C3.tmp (PID 1316)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe (PIDs 824, 2016), vssvc.exe (PID 268), DrvInst.exe (PID 808)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
PID 824, msiexec.exe (2 calls)
Suspicious use of WriteProcessMemory (36 IoCs)
Processes: msiexec.exe, rundll32.exe, cmd.exe, net.exe (parent/child pairs match the process tree below)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indentation reflects the parent/child nesting recorded by the sandbox)

C:\Windows\system32\msiexec.exe (PID 824)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\05234599.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 2016)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe (PID 1888)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 24C7474EF82481C25281B64FB143BA03
      - Loads dropped DLL

    C:\Windows\Installer\MSI85C8.tmp (PID 1168)
      Command line: "C:\Windows\Installer\MSI85C8.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll,vips
      - Executes dropped EXE

    C:\Windows\Installer\MSI86C3.tmp (PID 1316)
      Command line: "C:\Windows\Installer\MSI86C3.tmp" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\Admin\AppData\Roaming\MSTX340/Information_psw.pdf
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe (PID 268)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe (PID 808)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000390" "00000000000003CC"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe (PID 1576)
  Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll,vips
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe (PID 1504)
      Command line: cmd /c "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\4A90.tmp
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\net.exe (PID 860)
          Command line: net group "domain computers" /domain
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\net1.exe (PID 1608)
              Command line: C:\Windows\system32\net1 group "domain computers" /domain

    C:\Windows\System32\cmd.exe (PID 1508)
      Command line: cmd /c "nltest /dclist:" >> C:\Users\Admin\AppData\Local\Temp\9424.tmp
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\nltest.exe (PID 1152)
          Command line: nltest /dclist:
Network
MITRE ATT&CK Enterprise v6
Downloads