be5c389c3907fbd2c8c29b38bd03d805d3bf8d486bc4711aef83e654a6a130c0

Analysis

max time kernel
122s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2023, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VMware-workstation-full-16.0.0-16894299.exe
Size

619.3MB
MD5

fcec2125fbaa98f51e17baa3fddb0be0
SHA1

29f7e060ed8bff4015ed137374734531d8fb2670
SHA256

be5c389c3907fbd2c8c29b38bd03d805d3bf8d486bc4711aef83e654a6a130c0
SHA512

da0fe098c37d75b71b516d31940600afc11b9757fd9cafed5ba79847037520dc0461e026d4bced5dbe277bbd6e1204e406b138425a198b13e90c7e272b78dbc2
SSDEEP

12582912:lHe+Il4ah7xm+vfi8UmkCvMDdITMD+mSbB1HZuOL+De04De0SUC:Ne+Il4E8mfi8LvMD8MD+mSbB1HcOiDeG

Score

9^/10

Malware Config

Signatures

Detect jar appended to MSI 1 IoCs

resource	yara_rule
behavioral2/files/0x000600000002320a-172.dat	jar_in_msi

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\N:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\V:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\W:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\Z:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\L:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\X:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\Y:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\M:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\P:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\Q:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\S:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\K:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\R:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\J:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\T:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\A:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\I:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\U:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	VMware-workstation-full-16.0.0-16894299.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\VMware\InstallerCache\{D51F496C-D02A-4AFA-AB43-F61B94462C9E}.msi	VMware-workstation-full-16.0.0-16894299.exe
File opened for modification	C:\Program Files (x86)\Common Files\VMware\InstallerCache\{D51F496C-D02A-4AFA-AB43-F61B94462C9E}.msi	VMware-workstation-full-16.0.0-16894299.exe

Executes dropped EXE 4 IoCs

pid	Process
432	vcredist_x86.exe
4332	vcredist_x86.exe
2020	vcredist_x64.exe
2012	vcredist_x64.exe

Loads dropped DLL 3 IoCs

pid	Process
4332	vcredist_x86.exe
2012	vcredist_x64.exe
3656	MsiExec.exe

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	VMware-workstation-full-16.0.0-16894299.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VMware-workstation-full-16.0.0-16894299.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VMware-workstation-full-16.0.0-16894299.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VMware-workstation-full-16.0.0-16894299.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VMware-workstation-full-16.0.0-16894299.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeIncreaseQuotaPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeSecurityPrivilege	4676	msiexec.exe
Token: SeCreateTokenPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeAssignPrimaryTokenPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeLockMemoryPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeIncreaseQuotaPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeMachineAccountPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeTcbPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeSecurityPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeTakeOwnershipPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeLoadDriverPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeSystemProfilePrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeSystemtimePrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeProfSingleProcessPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeIncBasePriorityPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeCreatePagefilePrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeCreatePermanentPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeBackupPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeRestorePrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeShutdownPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeDebugPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeAuditPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeSystemEnvironmentPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeChangeNotifyPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeRemoteShutdownPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeUndockPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeSyncAgentPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeEnableDelegationPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeManageVolumePrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeImpersonatePrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeCreateGlobalPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeCreateTokenPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeAssignPrimaryTokenPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeLockMemoryPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeIncreaseQuotaPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeMachineAccountPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeTcbPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeSecurityPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeTakeOwnershipPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeLoadDriverPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeSystemProfilePrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeSystemtimePrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeProfSingleProcessPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeIncBasePriorityPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeCreatePagefilePrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeCreatePermanentPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeBackupPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeRestorePrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeShutdownPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeDebugPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeAuditPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeSystemEnvironmentPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeChangeNotifyPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeRemoteShutdownPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeUndockPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeSyncAgentPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeEnableDelegationPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeManageVolumePrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeImpersonatePrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeCreateGlobalPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeCreateTokenPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeAssignPrimaryTokenPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe
Token: SeLockMemoryPrivilege	996	VMware-workstation-full-16.0.0-16894299.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
996	VMware-workstation-full-16.0.0-16894299.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 432	996	VMware-workstation-full-16.0.0-16894299.exe	85
PID 996 wrote to memory of 432	996	VMware-workstation-full-16.0.0-16894299.exe	85
PID 996 wrote to memory of 432	996	VMware-workstation-full-16.0.0-16894299.exe	85
PID 432 wrote to memory of 4332	432	vcredist_x86.exe	87
PID 432 wrote to memory of 4332	432	vcredist_x86.exe	87
PID 432 wrote to memory of 4332	432	vcredist_x86.exe	87
PID 996 wrote to memory of 2020	996	VMware-workstation-full-16.0.0-16894299.exe	88
PID 996 wrote to memory of 2020	996	VMware-workstation-full-16.0.0-16894299.exe	88
PID 996 wrote to memory of 2020	996	VMware-workstation-full-16.0.0-16894299.exe	88
PID 2020 wrote to memory of 2012	2020	vcredist_x64.exe	89
PID 2020 wrote to memory of 2012	2020	vcredist_x64.exe	89
PID 2020 wrote to memory of 2012	2020	vcredist_x64.exe	89
PID 4676 wrote to memory of 3656	4676	msiexec.exe	95
PID 4676 wrote to memory of 3656	4676	msiexec.exe	95
PID 4676 wrote to memory of 3656	4676	msiexec.exe	95

C:\Users\Admin\AppData\Local\Temp\VMware-workstation-full-16.0.0-16894299.exe
"C:\Users\Admin\AppData\Local\Temp\VMware-workstation-full-16.0.0-16894299.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:996
- C:\Users\Admin\AppData\Local\Temp\{D51F496C-D02A-4AFA-AB43-F61B94462C9E}~setup\vcredist_x86.exe
  "C:\Users\Admin\AppData\Local\Temp\{D51F496C-D02A-4AFA-AB43-F61B94462C9E}~setup\vcredist_x86.exe" /Q /norestart
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\Temp\{B2536206-8C95-4D5C-922C-74DEE2CB830F}\.cr\vcredist_x86.exe
    "C:\Windows\Temp\{B2536206-8C95-4D5C-922C-74DEE2CB830F}\.cr\vcredist_x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{D51F496C-D02A-4AFA-AB43-F61B94462C9E}~setup\vcredist_x86.exe" -burn.filehandle.attached=536 -burn.filehandle.self=688 /Q /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4332
- C:\Users\Admin\AppData\Local\Temp\{D51F496C-D02A-4AFA-AB43-F61B94462C9E}~setup\vcredist_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\{D51F496C-D02A-4AFA-AB43-F61B94462C9E}~setup\vcredist_x64.exe" /Q /norestart
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\Temp\{740704B1-0299-47DA-A875-91A65348DD5D}\.cr\vcredist_x64.exe
    "C:\Windows\Temp\{740704B1-0299-47DA-A875-91A65348DD5D}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{D51F496C-D02A-4AFA-AB43-F61B94462C9E}~setup\vcredist_x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /Q /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2012

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F626B9F7A4C74AD4BAFE68C6DCF4F729 C
  2⤵
  - Loads dropped DLL
  PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIA8ED.tmp

Filesize
202KB

MD5
d773d9bd091e712df7560f576da53de8

SHA1
165cfbdce1811883360112441f7237b287cf0691

SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA8ED.tmp

Filesize
202KB

MD5
d773d9bd091e712df7560f576da53de8

SHA1
165cfbdce1811883360112441f7237b287cf0691

SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D51F496C-D02A-4AFA-AB43-F61B94462C9E}~setup\VMwareWorkstation.msi

Filesize
589.5MB

MD5
83e3911420ded145af6ea1422b3297e4

SHA1
5d2045f3872397e58d03c9ddf0e7ef582735503b

SHA256
219e0ede979589664d1bdff2ec1d781fd6cee674c7033d5ba0a3b7844512ad6d

SHA512
c24911bdd8dab06d2a44d3b996f3baca75d426998c3f289a1000f7c17d01f85651ddd206c380b20b114fd7e2ed7873343293114f78f34955c73775e7d057e664

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D51F496C-D02A-4AFA-AB43-F61B94462C9E}~setup\vcredist_x64.exe

Filesize
14.4MB

MD5
be433764fa9bbe0f2f9c654f6512c9e0

SHA1
b87c38d093872d7be7e191f01107b39c87888a5a

SHA256
40ea2955391c9eae3e35619c4c24b5aaf3d17aeaa6d09424ee9672aa9372aeed

SHA512
8a050ebd392654ce5981af3d0bf99107bfa576529bce8325a7ccc46f92917515744026a2d0ea49afb72bbc4e4278638a0677c6596ad96b7019e47c250e438191

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D51F496C-D02A-4AFA-AB43-F61B94462C9E}~setup\vcredist_x64.exe

Filesize
14.4MB

MD5
be433764fa9bbe0f2f9c654f6512c9e0

SHA1
b87c38d093872d7be7e191f01107b39c87888a5a

SHA256
40ea2955391c9eae3e35619c4c24b5aaf3d17aeaa6d09424ee9672aa9372aeed

SHA512
8a050ebd392654ce5981af3d0bf99107bfa576529bce8325a7ccc46f92917515744026a2d0ea49afb72bbc4e4278638a0677c6596ad96b7019e47c250e438191

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D51F496C-D02A-4AFA-AB43-F61B94462C9E}~setup\vcredist_x86.exe

Filesize
13.7MB

MD5
24e8177b25c072f4fb0d37496ccdbb34

SHA1
afa5badce64ee67290add24e0dc3d8210954ac6c

SHA256
e59ae3e886bd4571a811fe31a47959ae5c40d87c583f786816c60440252cd7ec

SHA512
2fda8abc77b6ed9e98a2b120628e4e3b9458f2b18998c836eec1de82642244fe55234c7e52d6036d8b75c4b707a24f12fa639cc92d4234e94ed604a259d651e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D51F496C-D02A-4AFA-AB43-F61B94462C9E}~setup\vcredist_x86.exe

Filesize
13.7MB

MD5
24e8177b25c072f4fb0d37496ccdbb34

SHA1
afa5badce64ee67290add24e0dc3d8210954ac6c

SHA256
e59ae3e886bd4571a811fe31a47959ae5c40d87c583f786816c60440252cd7ec

SHA512
2fda8abc77b6ed9e98a2b120628e4e3b9458f2b18998c836eec1de82642244fe55234c7e52d6036d8b75c4b707a24f12fa639cc92d4234e94ed604a259d651e4

Download Submit
C:\Windows\Temp\{3A9600C5-B440-4A96-89D7-45462DC0D8EF}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{3A9600C5-B440-4A96-89D7-45462DC0D8EF}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{740704B1-0299-47DA-A875-91A65348DD5D}\.cr\vcredist_x64.exe

Filesize
632KB

MD5
94970fc3a8ed7b9de44f4117419ce829

SHA1
aa1292f049c4173e2ab60b59b62f267fd884d21a

SHA256
de1acbb1df68a39a5b966303ac1b609dde2688b28ebf3eba8d2adeeb3d90bf5e

SHA512
b17bd215b83bfa46512b73c3d9f430806ca3bea13bebde971e8edd972614e54a7ba3d6fc3439078cdfdaa7eeb1f3f9054bf03ed5c45b622b691b968d4ec0566f

Download Submit
C:\Windows\Temp\{740704B1-0299-47DA-A875-91A65348DD5D}\.cr\vcredist_x64.exe

Filesize
632KB

MD5
94970fc3a8ed7b9de44f4117419ce829

SHA1
aa1292f049c4173e2ab60b59b62f267fd884d21a

SHA256
de1acbb1df68a39a5b966303ac1b609dde2688b28ebf3eba8d2adeeb3d90bf5e

SHA512
b17bd215b83bfa46512b73c3d9f430806ca3bea13bebde971e8edd972614e54a7ba3d6fc3439078cdfdaa7eeb1f3f9054bf03ed5c45b622b691b968d4ec0566f

Download Submit
C:\Windows\Temp\{90ED05A3-193D-4775-BBF8-E6C05D8C53A0}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{90ED05A3-193D-4775-BBF8-E6C05D8C53A0}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{B2536206-8C95-4D5C-922C-74DEE2CB830F}\.cr\vcredist_x86.exe

Filesize
632KB

MD5
c9d95472a5627c6c455e74c8b8fef5be

SHA1
34cb7f8f8b8dede7be6fd99e2b4bddaa37e5db82

SHA256
4b1bf90a0e4e3a628613c2fe42ddba589ee6303e37ccc70cf99ddc92dde03b0b

SHA512
989caff542f310972c15364925af542984ca73c1c1eec82fcbd1ea4bf9186487fd8349989afc95db4e761ebcbb8b14ce49482bc61d51b3259d134c571f4fab31

Download Submit
C:\Windows\Temp\{B2536206-8C95-4D5C-922C-74DEE2CB830F}\.cr\vcredist_x86.exe

Filesize
632KB

MD5
c9d95472a5627c6c455e74c8b8fef5be

SHA1
34cb7f8f8b8dede7be6fd99e2b4bddaa37e5db82

SHA256
4b1bf90a0e4e3a628613c2fe42ddba589ee6303e37ccc70cf99ddc92dde03b0b

SHA512
989caff542f310972c15364925af542984ca73c1c1eec82fcbd1ea4bf9186487fd8349989afc95db4e761ebcbb8b14ce49482bc61d51b3259d134c571f4fab31

Download Submit