76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384

Analysis

max time kernel
117s
max time network
134s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Size

10.4MB
MD5

a79a2512e67bfffc972920ec0c5588c5
SHA1

ac2d3864509acfbe1d489b84c38b00d0c149c48a
SHA256

76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384
SHA512

6100f9cba92de9aad12819eef953c5de91fed55dc5d16272b443887ff5bd679e3a4200db66cdb90852d9d8bc26516aeacf71e1e9aac4f6e83628c139c94d5a6c
SSDEEP

196608:3HtH/2biu9WpiapQA/6itorTn6qk6zUWs2YrC6rUv52cS5LaTjbjxwP7q2AFF5m:3HVeiu9WdkTnBk6Fs2EC6ohGIfjxw7qC

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
1648	MsiExec.exe
1648	MsiExec.exe
1648	MsiExec.exe
1648	MsiExec.exe
1648	MsiExec.exe
1648	MsiExec.exe
1648	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\Z:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\X:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\L:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\Q:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\S:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\K:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\M:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\V:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\W:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\Y:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\J:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\U:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\R:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\N:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\P:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe
Token: SeSecurityPrivilege	2384	msiexec.exe
Token: SeCreateTokenPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeAssignPrimaryTokenPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeLockMemoryPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeIncreaseQuotaPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeMachineAccountPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeTcbPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSecurityPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeTakeOwnershipPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeLoadDriverPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSystemProfilePrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSystemtimePrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeProfSingleProcessPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeIncBasePriorityPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeCreatePagefilePrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeCreatePermanentPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeBackupPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeRestorePrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeShutdownPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeDebugPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeAuditPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSystemEnvironmentPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeChangeNotifyPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeRemoteShutdownPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeUndockPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSyncAgentPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeEnableDelegationPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeManageVolumePrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeImpersonatePrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeCreateGlobalPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeCreateTokenPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeAssignPrimaryTokenPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeLockMemoryPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeIncreaseQuotaPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeMachineAccountPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeTcbPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSecurityPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeTakeOwnershipPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeLoadDriverPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSystemProfilePrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSystemtimePrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeProfSingleProcessPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeIncBasePriorityPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeCreatePagefilePrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeCreatePermanentPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeBackupPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeRestorePrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeShutdownPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeDebugPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeAuditPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSystemEnvironmentPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeChangeNotifyPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeRemoteShutdownPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeUndockPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSyncAgentPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeEnableDelegationPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeManageVolumePrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeImpersonatePrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeCreateGlobalPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeCreateTokenPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeAssignPrimaryTokenPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeLockMemoryPrivilege	1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1244	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1648	2384	msiexec.exe	31
PID 2384 wrote to memory of 1648	2384	msiexec.exe	31
PID 2384 wrote to memory of 1648	2384	msiexec.exe	31
PID 2384 wrote to memory of 1648	2384	msiexec.exe	31
PID 2384 wrote to memory of 1648	2384	msiexec.exe	31
PID 2384 wrote to memory of 1648	2384	msiexec.exe	31
PID 2384 wrote to memory of 1648	2384	msiexec.exe	31

C:\Users\Admin\AppData\Local\Temp\76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
"C:\Users\Admin\AppData\Local\Temp\76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1244

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 240546ADB6B29F27DE384A2415038EDD C
  2⤵
  - Loads dropped DLL
  PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1244\EFS_Info.png_1

Filesize
269KB

MD5
1621d6c4107cc24e1cd6c0fa86a76688

SHA1
25000c635bc9217f8a814cb4e429d632ec8256dd

SHA256
9c36e488bac31dea4dc689cc3752f3c7ee4efdcc3c0213cf2f4c4063c1683aee

SHA512
ec055cb81d7d89cfd30fadcf71b2d3b6103ef770221f3ed4f9a24f8c4da40bb920377a1f785ef41b6df1c75b6e1ab72fa39200b3250604134bb467879d89dde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4839.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2C.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9CE1.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAECD.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB0F0.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB3ED.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB3ED.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB46B.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEB92.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4F3E.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20927.9\install\721538A\PlanForce.msi

Filesize
3.9MB

MD5
d414f095fecb236f04a3a8c3a8d84493

SHA1
b116a0ee65da2adc9fed6f9806d85fb5e2548ebb

SHA256
7cf3b7dbbeb6c8716594d792e0eda8b3d4294e5fc9ba3a7d64e2af55cb257191

SHA512
e7b40b3381c48b0e43058c906d6c4fcb4c7797fe1fd88bc8eff5ccee4d763f134fed60c0499222f7b7e1240943608c12d3fb0e3f93b54ebf83fb135de47b5b7f

Download Submit
C:\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20927.9\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2C.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Users\Admin\AppData\Local\Temp\MSI9CE1.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Users\Admin\AppData\Local\Temp\MSIAECD.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
\Users\Admin\AppData\Local\Temp\MSIB0F0.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Users\Admin\AppData\Local\Temp\MSIB3ED.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Users\Admin\AppData\Local\Temp\MSIB46B.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Users\Admin\AppData\Local\Temp\MSIEB92.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20927.9\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20927.9\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
memory/1244-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download