76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384

Analysis

max time kernel
144s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Size

10.4MB
MD5

a79a2512e67bfffc972920ec0c5588c5
SHA1

ac2d3864509acfbe1d489b84c38b00d0c149c48a
SHA256

76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384
SHA512

6100f9cba92de9aad12819eef953c5de91fed55dc5d16272b443887ff5bd679e3a4200db66cdb90852d9d8bc26516aeacf71e1e9aac4f6e83628c139c94d5a6c
SSDEEP

196608:3HtH/2biu9WpiapQA/6itorTn6qk6zUWs2YrC6rUv52cS5LaTjbjxwP7q2AFF5m:3HVeiu9WdkTnBk6Fs2EC6ohGIfjxw7qC

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
4548	MsiExec.exe
4548	MsiExec.exe
4548	MsiExec.exe
4548	MsiExec.exe
4548	MsiExec.exe
4548	MsiExec.exe
4548	MsiExec.exe
4548	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\O:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\I:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\M:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\P:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\W:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\Y:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\E:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\Q:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\S:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\T:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\Z:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\L:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\G:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\K:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
File opened (read-only)	\??\R:	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2200	msiexec.exe
Token: SeCreateTokenPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeAssignPrimaryTokenPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeLockMemoryPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeIncreaseQuotaPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeMachineAccountPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeTcbPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSecurityPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeTakeOwnershipPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeLoadDriverPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSystemProfilePrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSystemtimePrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeProfSingleProcessPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeIncBasePriorityPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeCreatePagefilePrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeCreatePermanentPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeBackupPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeRestorePrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeShutdownPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeDebugPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeAuditPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSystemEnvironmentPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeChangeNotifyPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeRemoteShutdownPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeUndockPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSyncAgentPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeEnableDelegationPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeManageVolumePrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeImpersonatePrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeCreateGlobalPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeCreateTokenPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeAssignPrimaryTokenPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeLockMemoryPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeIncreaseQuotaPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeMachineAccountPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeTcbPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSecurityPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeTakeOwnershipPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeLoadDriverPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSystemProfilePrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSystemtimePrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeProfSingleProcessPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeIncBasePriorityPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeCreatePagefilePrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeCreatePermanentPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeBackupPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeRestorePrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeShutdownPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeDebugPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeAuditPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSystemEnvironmentPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeChangeNotifyPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeRemoteShutdownPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeUndockPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeSyncAgentPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeEnableDelegationPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeManageVolumePrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeImpersonatePrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeCreateGlobalPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeCreateTokenPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeAssignPrimaryTokenPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeLockMemoryPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeIncreaseQuotaPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
Token: SeMachineAccountPrivilege	2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2980	76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 4548	2200	msiexec.exe	92
PID 2200 wrote to memory of 4548	2200	msiexec.exe	92
PID 2200 wrote to memory of 4548	2200	msiexec.exe	92

C:\Users\Admin\AppData\Local\Temp\76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe
"C:\Users\Admin\AppData\Local\Temp\76623703e743bdb53005339feda20d768e1a34de3f52affa46707dc42e9e8384.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2980

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5720421E0E1496D028713AC412550790 C
  2⤵
  - Loads dropped DLL
  PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2980\EFS_Info.png_1

Filesize
269KB

MD5
1621d6c4107cc24e1cd6c0fa86a76688

SHA1
25000c635bc9217f8a814cb4e429d632ec8256dd

SHA256
9c36e488bac31dea4dc689cc3752f3c7ee4efdcc3c0213cf2f4c4063c1683aee

SHA512
ec055cb81d7d89cfd30fadcf71b2d3b6103ef770221f3ed4f9a24f8c4da40bb920377a1f785ef41b6df1c75b6e1ab72fa39200b3250604134bb467879d89dde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1FA9.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1FA9.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI318D.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI318D.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI319D.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI319D.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI31BD.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI31BD.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI31BD.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI31CE.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI31CE.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI31DF.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI31DF.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI41DD.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI41DD.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4394.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4394.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20927.9\install\721538A\PlanForce.msi

Filesize
3.9MB

MD5
d414f095fecb236f04a3a8c3a8d84493

SHA1
b116a0ee65da2adc9fed6f9806d85fb5e2548ebb

SHA256
7cf3b7dbbeb6c8716594d792e0eda8b3d4294e5fc9ba3a7d64e2af55cb257191

SHA512
e7b40b3381c48b0e43058c906d6c4fcb4c7797fe1fd88bc8eff5ccee4d763f134fed60c0499222f7b7e1240943608c12d3fb0e3f93b54ebf83fb135de47b5b7f

Download Submit
C:\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20927.9\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
C:\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20927.9\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
C:\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20927.9\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit