96fac7a175e67b7a1ba4e33932507d3990a60f8eda19756f0fa939ee0e2f27bc

Analysis

max time kernel
191s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20230703-es
resource tags

arch:x64arch:x86image:win10v2004-20230703-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
03/08/2023, 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ContentComponents.msi
Size

2.0MB
MD5

1f876453b919daccdaea21f385fb1e28
SHA1

76e82c01a564ca43f91790a063deca7f6aa28bdd
SHA256

96fac7a175e67b7a1ba4e33932507d3990a60f8eda19756f0fa939ee0e2f27bc
SHA512

ade298d51b8334d9ace7d8a8c6f27546c1b5de67e71d4bc5f58446792867d90ba2077bc440e6cfba2b6e934727515df932883894381b124881977577c48e985d
SSDEEP

24576:xtrig59Qb7S9DR4AZqDH8TEDlID+RMyX99Gz3Ax5e6kWYIX1YTSqDN2+Qol6Ogz9:v2MN4jDcgB56y9i3E5e69RXGSXHe

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\20 Bells\35 Reso Noise Bells.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\04 Action Pads\+68 Reverse Nano Action.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\12 Hard Leads\20 TensionLead.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\21 Guitars\10 Nylon String Harmonics.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\05 Ambience + FX\13 It's Damp In Here.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\18 Brass + Woodwind\+03 Bright Trombone + Brass.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\02 Bright Pads\+59 HPF Church Organ.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\14 E Pianos + Clav\+10 Bright CP80.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\10 Simple Arpeggios\+12 DX Dreams.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\05 Ambience + FX\68 Pouring Data.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\25 Basses\+06 Fat Slap.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\23 Hits\+01 The BIG TONE.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\28 Loops\+120 Percussive Shaker.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\14 E Pianos + Clav\04 Riders.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\24 Synth Basses\+59 Wired.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\28 Loops\+066 Pop Hop 111.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\22 Ethnic\15 Ambient Pipes.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\01 Soft Pads\19 Soft-Phase.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\06 Polysynths\+39 Vanilla Ice.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\24 Synth Basses\+23 Off The Beat.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\10 Simple Arpeggios\+23 Dream Arp.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\02 Bright Pads\31 Bright Octaves.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\18 Brass + Woodwind\+16 Trumpets + Mute.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\01 Soft Pads\+42 Air Max Pad.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\13 Acoustic Piano\16 Latin Piano.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\21 Guitars\16 Soft Nylon Picked.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\03 Huge Pads\+24 Pan Pad.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\04 Action Pads\42 Slow Starter.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\09 Multitrack Arpeggios\28 Techno Tunes.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\06 Polysynths\+74 Airy Space Mallets.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\28 Loops\+063 Pop Hop 1 100.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\05 Ambience + FX\67 Clairvoyant.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\20 Bells\+22 Org Octabell.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\19 Mallets\+09 Bright FM Vibraphone.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\24 Synth Basses\47 Everybody In The Place.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\03 Huge Pads\22 Fly Over.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\08 Percussive\+16 Percussive Wires.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\18 Brass + Woodwind\+39 Clarinet + Flute.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\17 Vocals\32 Freddy.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\03 Huge Pads\+14 The Third Kind.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\28 Loops\043 Mad Electro Pattern.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\09 Multitrack Arpeggios\+06 Computer Games.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\15 Organs\+11 Solo.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\14 E Pianos + Clav\19 Pretty FM + Tremolo.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\06 Polysynths\15 Analog Underlayed.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\10 Simple Arpeggios\04 Syncophant.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\05 Ambience + FX\+27 Jet Lord.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\09 Multitrack Arpeggios\+10 Stairway To Heaven.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\03 Huge Pads\17 Celeste.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\06 Polysynths\+72 Saw Action.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\06 Polysynths\+66 Steel Saw.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\23 Hits\14 Discovery.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\06 Polysynths\37 Stratosphere.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\02 Bright Pads\19 Bellypad.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\18 Brass + Woodwind\+22 Soprano Sax.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\20 Bells\13 Light Bells.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\17 Vocals\01 Aah Choir.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\14 E Pianos + Clav\10 Phaser Mark1.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\28 Loops\+009 PopHop Groove.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\05 Ambience + FX\36 Noisy Shutdown.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\05 Ambience + FX\14 Endless Sonar.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\07 Synth Brass\09 Tune Up Brass.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\02 Bright Pads\+60 Strato Pad.tfx	msiexec.exe
File created	C:\Program Files (x86)\AIR Music Technology\Xpand!2\Presets\01 Soft Pads\40 Triangle Bend.tfx	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{AEB475C2-FC86-4082-87D7-352DFB075B2C}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA9D3.tmp	msiexec.exe
File created	C:\Windows\Installer\e595d7a.msi	msiexec.exe
File created	C:\Windows\Installer\e595d78.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e595d78.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2C574BEA68CF2804787D53D2BF70B5C2	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2C574BEA68CF2804787D53D2BF70B5C2\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2C574BEA68CF2804787D53D2BF70B5C2\SourceList\PackageName = "ContentComponents.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2C574BEA68CF2804787D53D2BF70B5C2\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2C574BEA68CF2804787D53D2BF70B5C2\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2C574BEA68CF2804787D53D2BF70B5C2\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\17B85C5625617334480FE39001F5E1BC	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2C574BEA68CF2804787D53D2BF70B5C2\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2C574BEA68CF2804787D53D2BF70B5C2\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2C574BEA68CF2804787D53D2BF70B5C2\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2C574BEA68CF2804787D53D2BF70B5C2	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2C574BEA68CF2804787D53D2BF70B5C2\Xpand2Content	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2C574BEA68CF2804787D53D2BF70B5C2\PackageCode = "687FD51ABF817684F842BF4410385B2F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2C574BEA68CF2804787D53D2BF70B5C2\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2C574BEA68CF2804787D53D2BF70B5C2\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2C574BEA68CF2804787D53D2BF70B5C2\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2C574BEA68CF2804787D53D2BF70B5C2\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2C574BEA68CF2804787D53D2BF70B5C2\ProductName = "Xpand!2 Content"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2C574BEA68CF2804787D53D2BF70B5C2\Version = "33685511"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2C574BEA68CF2804787D53D2BF70B5C2\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2C574BEA68CF2804787D53D2BF70B5C2\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\17B85C5625617334480FE39001F5E1BC\2C574BEA68CF2804787D53D2BF70B5C2	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2088	msiexec.exe
2088	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4996	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4996	msiexec.exe
Token: SeSecurityPrivilege	2088	msiexec.exe
Token: SeCreateTokenPrivilege	4996	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4996	msiexec.exe
Token: SeLockMemoryPrivilege	4996	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4996	msiexec.exe
Token: SeMachineAccountPrivilege	4996	msiexec.exe
Token: SeTcbPrivilege	4996	msiexec.exe
Token: SeSecurityPrivilege	4996	msiexec.exe
Token: SeTakeOwnershipPrivilege	4996	msiexec.exe
Token: SeLoadDriverPrivilege	4996	msiexec.exe
Token: SeSystemProfilePrivilege	4996	msiexec.exe
Token: SeSystemtimePrivilege	4996	msiexec.exe
Token: SeProfSingleProcessPrivilege	4996	msiexec.exe
Token: SeIncBasePriorityPrivilege	4996	msiexec.exe
Token: SeCreatePagefilePrivilege	4996	msiexec.exe
Token: SeCreatePermanentPrivilege	4996	msiexec.exe
Token: SeBackupPrivilege	4996	msiexec.exe
Token: SeRestorePrivilege	4996	msiexec.exe
Token: SeShutdownPrivilege	4996	msiexec.exe
Token: SeDebugPrivilege	4996	msiexec.exe
Token: SeAuditPrivilege	4996	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4996	msiexec.exe
Token: SeChangeNotifyPrivilege	4996	msiexec.exe
Token: SeRemoteShutdownPrivilege	4996	msiexec.exe
Token: SeUndockPrivilege	4996	msiexec.exe
Token: SeSyncAgentPrivilege	4996	msiexec.exe
Token: SeEnableDelegationPrivilege	4996	msiexec.exe
Token: SeManageVolumePrivilege	4996	msiexec.exe
Token: SeImpersonatePrivilege	4996	msiexec.exe
Token: SeCreateGlobalPrivilege	4996	msiexec.exe
Token: SeBackupPrivilege	2996	vssvc.exe
Token: SeRestorePrivilege	2996	vssvc.exe
Token: SeAuditPrivilege	2996	vssvc.exe
Token: SeBackupPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeBackupPrivilege	3148	srtasks.exe
Token: SeRestorePrivilege	3148	srtasks.exe
Token: SeSecurityPrivilege	3148	srtasks.exe
Token: SeTakeOwnershipPrivilege	3148	srtasks.exe
Token: SeBackupPrivilege	3148	srtasks.exe
Token: SeRestorePrivilege	3148	srtasks.exe
Token: SeSecurityPrivilege	3148	srtasks.exe
Token: SeTakeOwnershipPrivilege	3148	srtasks.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4996	msiexec.exe
4996	msiexec.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 3148	2088	msiexec.exe	99
PID 2088 wrote to memory of 3148	2088	msiexec.exe	99

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ContentComponents.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4996

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3148

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\e595d78.msi

Filesize
2.0MB

MD5
1f876453b919daccdaea21f385fb1e28

SHA1
76e82c01a564ca43f91790a063deca7f6aa28bdd

SHA256
96fac7a175e67b7a1ba4e33932507d3990a60f8eda19756f0fa939ee0e2f27bc

SHA512
ade298d51b8334d9ace7d8a8c6f27546c1b5de67e71d4bc5f58446792867d90ba2077bc440e6cfba2b6e934727515df932883894381b124881977577c48e985d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
4ce9dd2bf24f58cf8c593ebd7203ea50

SHA1
828c2cde9d1cb0c0a38d0a183ec29f992eadd079

SHA256
088a07a167c5695d096ca2be8c3f0bc0d258cbed5d370e2b18be53d70a8f876a

SHA512
107567954a6e165d2010c7c59d0cb5cad0f4f9a6d764ff8bed572c3bcd998d0afd4549fb3cb21ac9283711cb8b85eb167e737ee4961dceb3c45ae0a74c4674c0

Download Submit
\??\Volume{e5d54008-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2f6cca6e-75ee-44bd-b741-fa5f7560f09d}_OnDiskSnapshotProp

Filesize
5KB

MD5
6b6fe0d6857ab3a5a6be6b61469063ff

SHA1
9e2cf99246394ec7408860fc33b5af74c80b93b9

SHA256
f37969c165368d4054bb2c7659a0a535dea088655404d78d927df2b3a4855295

SHA512
4b5312f0bf0666abb5b6080e920c92539d9aec10e8b42cd9e5715a0f28f479c94a8ad2bbf1182b047dff9456686a95257f9af14be813a700168a0760ec49135a

Download Submit