a1de4d1a8c1b03c8e9834bb15d6cf553c7d67f2b16b513cfa1db18b292098e4e

Analysis

max time kernel
67s
max time network
98s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
05/07/2023, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Modrinth App_0.2.2_x64_en-US.msi
Size

3.7MB
MD5

d3b8653bd74ece722d1fb5431c72ffc5
SHA1

c18d5d0bbf930d9c1d17c897c77d44b2992b92b7
SHA256

a1de4d1a8c1b03c8e9834bb15d6cf553c7d67f2b16b513cfa1db18b292098e4e
SHA512

6d70eaf3fc90838aeba2d31c935c3e7a880ac18e0fa9c4b4282bbe6500b9bb44d259b9a9a4b47673b2c08ff73d2984f44bdc737201fe5264872e2673cdd15271
SSDEEP

49152:kTrNeceH8ZhTrY3MtlF9gxCEq9VbtFG63Ys2BOY2u3ZRZ0EM4mrQakSkhQLqgtjI:8r0cX+dq9VbNIswhn6rQakLhTKvr1W

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	2160	msiexec.exe
4	2160	msiexec.exe
6	2160	msiexec.exe

Loads dropped DLL 7 IoCs

pid	Process
2932	MsiExec.exe
2072	msiexec.exe
2072	msiexec.exe
1224	Process not Found
1224	Process not Found
1224	Process not Found
1224	Process not Found

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Modrinth App\Modrinth App.exe	msiexec.exe
File created	C:\Program Files\Modrinth App\Uninstall Modrinth App.lnk	msiexec.exe
File opened for modification	C:\Program Files\Modrinth App\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\6dc90b.ipi	msiexec.exe
File created	C:\Windows\Installer\6dc90a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6dc90a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICD8F.tmp	msiexec.exe
File created	C:\Windows\Installer\{52D985AB-70DE-46FD-86C0-351E33603368}\ProductIcon	msiexec.exe
File created	C:\Windows\Installer\6dc90d.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\6dc90b.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{52D985AB-70DE-46FD-86C0-351E33603368}\ProductIcon	msiexec.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe

Modifies registry class 35 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\DeploymentFlags = "3"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BA589D25ED07DF64680C53E133063386\Environment = "MainProgram"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\PackageCode = "8AEF102EA1324CE4F934E1087AA45A80"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Features\BA589D25ED07DF64680C53E133063386	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BA589D25ED07DF64680C53E133063386	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\ProductName = "Modrinth App"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\AuthorizedLUAApp = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\13CC58B29F9FD325381898EFA5ED7FD8	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BA589D25ED07DF64680C53E133063386\External	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\SourceList\PackageName = "Modrinth App_0.2.2_x64_en-US.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\13CC58B29F9FD325381898EFA5ED7FD8\BA589D25ED07DF64680C53E133063386	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\Version = "131074"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\ProductIcon = "C:\\Windows\\Installer\\{52D985AB-70DE-46FD-86C0-351E33603368}\\ProductIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\13CC58B29F9FD325381898EFA5ED7FD8	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BA589D25ED07DF64680C53E133063386\MainProgram	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BA589D25ED07DF64680C53E133063386\ShortcutsFeature = "MainProgram"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA589D25ED07DF64680C53E133063386\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BA589D25ED07DF64680C53E133063386	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2072	msiexec.exe
2072	msiexec.exe
1584	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2160	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2160	msiexec.exe
Token: SeRestorePrivilege	2072	msiexec.exe
Token: SeTakeOwnershipPrivilege	2072	msiexec.exe
Token: SeSecurityPrivilege	2072	msiexec.exe
Token: SeCreateTokenPrivilege	2160	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2160	msiexec.exe
Token: SeLockMemoryPrivilege	2160	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2160	msiexec.exe
Token: SeMachineAccountPrivilege	2160	msiexec.exe
Token: SeTcbPrivilege	2160	msiexec.exe
Token: SeSecurityPrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeLoadDriverPrivilege	2160	msiexec.exe
Token: SeSystemProfilePrivilege	2160	msiexec.exe
Token: SeSystemtimePrivilege	2160	msiexec.exe
Token: SeProfSingleProcessPrivilege	2160	msiexec.exe
Token: SeIncBasePriorityPrivilege	2160	msiexec.exe
Token: SeCreatePagefilePrivilege	2160	msiexec.exe
Token: SeCreatePermanentPrivilege	2160	msiexec.exe
Token: SeBackupPrivilege	2160	msiexec.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeShutdownPrivilege	2160	msiexec.exe
Token: SeDebugPrivilege	2160	msiexec.exe
Token: SeAuditPrivilege	2160	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2160	msiexec.exe
Token: SeChangeNotifyPrivilege	2160	msiexec.exe
Token: SeRemoteShutdownPrivilege	2160	msiexec.exe
Token: SeUndockPrivilege	2160	msiexec.exe
Token: SeSyncAgentPrivilege	2160	msiexec.exe
Token: SeEnableDelegationPrivilege	2160	msiexec.exe
Token: SeManageVolumePrivilege	2160	msiexec.exe
Token: SeImpersonatePrivilege	2160	msiexec.exe
Token: SeCreateGlobalPrivilege	2160	msiexec.exe
Token: SeCreateTokenPrivilege	2160	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2160	msiexec.exe
Token: SeLockMemoryPrivilege	2160	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2160	msiexec.exe
Token: SeMachineAccountPrivilege	2160	msiexec.exe
Token: SeTcbPrivilege	2160	msiexec.exe
Token: SeSecurityPrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeLoadDriverPrivilege	2160	msiexec.exe
Token: SeSystemProfilePrivilege	2160	msiexec.exe
Token: SeSystemtimePrivilege	2160	msiexec.exe
Token: SeProfSingleProcessPrivilege	2160	msiexec.exe
Token: SeIncBasePriorityPrivilege	2160	msiexec.exe
Token: SeCreatePagefilePrivilege	2160	msiexec.exe
Token: SeCreatePermanentPrivilege	2160	msiexec.exe
Token: SeBackupPrivilege	2160	msiexec.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeShutdownPrivilege	2160	msiexec.exe
Token: SeDebugPrivilege	2160	msiexec.exe
Token: SeAuditPrivilege	2160	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2160	msiexec.exe
Token: SeChangeNotifyPrivilege	2160	msiexec.exe
Token: SeRemoteShutdownPrivilege	2160	msiexec.exe
Token: SeUndockPrivilege	2160	msiexec.exe
Token: SeSyncAgentPrivilege	2160	msiexec.exe
Token: SeEnableDelegationPrivilege	2160	msiexec.exe
Token: SeManageVolumePrivilege	2160	msiexec.exe
Token: SeImpersonatePrivilege	2160	msiexec.exe
Token: SeCreateGlobalPrivilege	2160	msiexec.exe
Token: SeCreateTokenPrivilege	2160	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2160	msiexec.exe
2160	msiexec.exe
2160	msiexec.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2932	2072	msiexec.exe	30
PID 2072 wrote to memory of 2932	2072	msiexec.exe	30
PID 2072 wrote to memory of 2932	2072	msiexec.exe	30
PID 2072 wrote to memory of 2932	2072	msiexec.exe	30
PID 2072 wrote to memory of 2932	2072	msiexec.exe	30
PID 2072 wrote to memory of 2932	2072	msiexec.exe	30
PID 2072 wrote to memory of 2932	2072	msiexec.exe	30
PID 2072 wrote to memory of 1584	2072	msiexec.exe	34
PID 2072 wrote to memory of 1584	2072	msiexec.exe	34
PID 2072 wrote to memory of 1584	2072	msiexec.exe	34

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.2.2_x64_en-US.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2160

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24B2FCD086DE52222757D0D72432DF63 C
  2⤵
  - Loads dropped DLL
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1616

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005BC" "00000000000005B8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Modrinth App\Modrinth App.exe

Filesize
6.9MB

MD5
8c81a2a021a1d089d6bc2e678af7db78

SHA1
cfc1b1f0dbe44b74fa8dd8f2e333a9b5ea4e02a8

SHA256
765f0d0d3e33c8ccb5633dae9c0f33df8bad7f178440681db851e9aa9cc379d7

SHA512
89b3b59068f11653f38df99f78b66ff7fea9b3068b7bd7b1c27bd93cbbfff56bbdaa4195f1fe8a3959faa91be5542b1923fb02a5c94e035b80be6a3bb0a1ba61

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Modrinth App\Modrinth App.lnk

Filesize
2KB

MD5
c020c7e90b0604e33017e685f4dccd8d

SHA1
9abb80f68c0d4960468691d322905dc2b35c32ca

SHA256
0a4ce30198c50b17e8246a374fec755e1e19105be3fc2e0b3270ac8a2b2fd6a8

SHA512
8dd4cd83c1a58b6c769dce0dcc547e73b3c4f117a42ddceb65ea3fa95b838bfe4063375fcc48ffef1aeaa8cb6e2fb1661653d72cd4e592b66d499ef4b1e1926c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
354b9d67153b515760621f2a5eefdfad

SHA1
4dcf627210e3a251e05c5609215cd670c696ab9d

SHA256
c7b52eb2015ebb255450225438503169e7218fcc61a613e76a492a00fb2794bd

SHA512
8ec4873572762120fd6aa3ba5c5c3af416bd8e66ba6da8f4305f913dca23289feb006011353b6b1e10c4ae48f6c8e1be952c9e5fffe3d9f0e1b0603842664118

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_7907B0D1F2DC082B9BA6064FC995BD36

Filesize
727B

MD5
751866c3c1e5c67a1a029978e988440a

SHA1
56aaf5c2412fa81a8b1ba5de271f5a80effad9ad

SHA256
623c6f93f8f5e7e99e9948463c3c6abdfb23a9aa28e6716890d63dc955d00df9

SHA512
8737c78baed56358a50ad61ddb6aa5ea01c51e19ac65ed7dc6c807dd5e6fafab3c90d5807876417b2b27ae4ac64a449cf81aaebd8f307cbe01c30550ba91dc75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
c6ab0eabe090cd1ca8c297c2f38b8fda

SHA1
22b873a224bd892b189d0285454bccef0753364a

SHA256
db208f193ceeaeb9a3d1cad41582d6d7d3eba23688b757cb8fc602920fd160bf

SHA512
75a1a7ab5581d8c2b379a8369210e7bf8ccceeb106623d5f2637f0d5e3d98c3b5911c7d3cedfc278ecb635b5da9fd1d4c8c0247577ccbd7785236399aea6eb28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
23be8ee9e5d3ca1d298a71c8ccc816e7

SHA1
575aad3e22a52d4da9c1c4622f9a6a074e2b00e1

SHA256
f0f5f5ba3527b14ea3e16a4acaf846fa5b9aad2db5ca4c3540e974ab56ba0d91

SHA512
3237ad76cea4a2d388b645b5c47fc68f890954bacdd7ee2b9dca102078c6fcaf99d9e1f20db2d8fed3697f718b0be02201e0c2ec26ce0ce66d30c0f52a0dbd2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_7907B0D1F2DC082B9BA6064FC995BD36

Filesize
420B

MD5
8c0ca08fc9b114709c7548e5599428a3

SHA1
efe721cc905f77f55fba92ae07711bf54d4e40c7

SHA256
4315c665caf9259a0f5e3f2862ee43906f5524d1b82d2bd33595f10ff2c54fc4

SHA512
381c3124942456043ce84ff2f482350f3f0807f7098154668a5452d339d4a7db4a47321ff6554a04f1a9c21ea957a7ce445aeb28576c1ea2e6cd902bfef5b33f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f45b643626950db56736aca208fe849

SHA1
9bc98b74c6fa6874087663cedcc7619d425b4ff9

SHA256
753d179d8cb9978be8ed8bdf0468d69747dd8225165b06ddb140eb1519f4d2f0

SHA512
869a28eecf7a4c97bbc8383b359125746b3dd2a594569b74f1ab1032e4ee945517dc8f92434f9e6d98588b55022ff95692d48e999c76d55655349a22e0236528

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
debf0c3b064120efc04013c5de9d425f

SHA1
30cd308f4a403798d31ad4423e9c2512dcf2ab1e

SHA256
305cf4fb498e250165b2c0bf44c4249ed7f97e26bc7b7eaa484cc5ad15e31f79

SHA512
cc47af674da3adede77fc6bbe67eaf7426e90cf75b26f0ad13b27baabc0fe3d4320af3fc2002553992f2e407b096aadf11148c7a310a4349d62dcd0a35fd871e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2926.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI633D.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2B6A.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Windows\Installer\6dc90a.msi

Filesize
3.7MB

MD5
d3b8653bd74ece722d1fb5431c72ffc5

SHA1
c18d5d0bbf930d9c1d17c897c77d44b2992b92b7

SHA256
a1de4d1a8c1b03c8e9834bb15d6cf553c7d67f2b16b513cfa1db18b292098e4e

SHA512
6d70eaf3fc90838aeba2d31c935c3e7a880ac18e0fa9c4b4282bbe6500b9bb44d259b9a9a4b47673b2c08ff73d2984f44bdc737201fe5264872e2673cdd15271

Download Submit
\Program Files\Modrinth App\Modrinth App.exe

Filesize
6.9MB

MD5
8c81a2a021a1d089d6bc2e678af7db78

SHA1
cfc1b1f0dbe44b74fa8dd8f2e333a9b5ea4e02a8

SHA256
765f0d0d3e33c8ccb5633dae9c0f33df8bad7f178440681db851e9aa9cc379d7

SHA512
89b3b59068f11653f38df99f78b66ff7fea9b3068b7bd7b1c27bd93cbbfff56bbdaa4195f1fe8a3959faa91be5542b1923fb02a5c94e035b80be6a3bb0a1ba61

Download Submit
\Program Files\Modrinth App\Modrinth App.exe

Filesize
6.9MB

MD5
8c81a2a021a1d089d6bc2e678af7db78

SHA1
cfc1b1f0dbe44b74fa8dd8f2e333a9b5ea4e02a8

SHA256
765f0d0d3e33c8ccb5633dae9c0f33df8bad7f178440681db851e9aa9cc379d7

SHA512
89b3b59068f11653f38df99f78b66ff7fea9b3068b7bd7b1c27bd93cbbfff56bbdaa4195f1fe8a3959faa91be5542b1923fb02a5c94e035b80be6a3bb0a1ba61

Download Submit
\Program Files\Modrinth App\Modrinth App.exe

Filesize
6.9MB

MD5
8c81a2a021a1d089d6bc2e678af7db78

SHA1
cfc1b1f0dbe44b74fa8dd8f2e333a9b5ea4e02a8

SHA256
765f0d0d3e33c8ccb5633dae9c0f33df8bad7f178440681db851e9aa9cc379d7

SHA512
89b3b59068f11653f38df99f78b66ff7fea9b3068b7bd7b1c27bd93cbbfff56bbdaa4195f1fe8a3959faa91be5542b1923fb02a5c94e035b80be6a3bb0a1ba61

Download Submit
\Program Files\Modrinth App\Modrinth App.exe

Filesize
6.9MB

MD5
8c81a2a021a1d089d6bc2e678af7db78

SHA1
cfc1b1f0dbe44b74fa8dd8f2e333a9b5ea4e02a8

SHA256
765f0d0d3e33c8ccb5633dae9c0f33df8bad7f178440681db851e9aa9cc379d7

SHA512
89b3b59068f11653f38df99f78b66ff7fea9b3068b7bd7b1c27bd93cbbfff56bbdaa4195f1fe8a3959faa91be5542b1923fb02a5c94e035b80be6a3bb0a1ba61

Download Submit
\Program Files\Modrinth App\Modrinth App.exe

Filesize
6.9MB

MD5
8c81a2a021a1d089d6bc2e678af7db78

SHA1
cfc1b1f0dbe44b74fa8dd8f2e333a9b5ea4e02a8

SHA256
765f0d0d3e33c8ccb5633dae9c0f33df8bad7f178440681db851e9aa9cc379d7

SHA512
89b3b59068f11653f38df99f78b66ff7fea9b3068b7bd7b1c27bd93cbbfff56bbdaa4195f1fe8a3959faa91be5542b1923fb02a5c94e035b80be6a3bb0a1ba61

Download Submit
\Program Files\Modrinth App\Modrinth App.exe

Filesize
6.9MB

MD5
8c81a2a021a1d089d6bc2e678af7db78

SHA1
cfc1b1f0dbe44b74fa8dd8f2e333a9b5ea4e02a8

SHA256
765f0d0d3e33c8ccb5633dae9c0f33df8bad7f178440681db851e9aa9cc379d7

SHA512
89b3b59068f11653f38df99f78b66ff7fea9b3068b7bd7b1c27bd93cbbfff56bbdaa4195f1fe8a3959faa91be5542b1923fb02a5c94e035b80be6a3bb0a1ba61

Download Submit
\Users\Admin\AppData\Local\Temp\MSI633D.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
memory/1584-149-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/1584-150-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/1584-152-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1584-151-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1584-172-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download