69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31

Analysis

max time kernel
131s
max time network
131s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Size

11.6MB
MD5

cda5fd050f3e83d1ef81d3a7687c6059
SHA1

257d5e4404c04fe00ffecfe0a443881a2d5235d8
SHA256

69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31
SHA512

dd86615a45aab5fca4fd6f3ab97a74d2672f64796dd0d8335073b6bb59836d730303bfc6a04b86a02f407b3d57c2a161e10b11a08b7bcc0e10c257f3fa3f8f56
SSDEEP

196608:KHtH/2biu9WpiapQ46dAtb9SZxWqd7uB+JUFQYZPhUFJbgCfYbCJvCn1WZeLl+J3:KHVeiu9WodLZIqd74+sPeJbmbCJ21WZv

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\V:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\W:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\M:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\O:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\T:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\P:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\L:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\N:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\Q:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\J:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\S:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\X:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\Y:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\R:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeSecurityPrivilege	2672	msiexec.exe
Token: SeCreateTokenPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeAssignPrimaryTokenPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeLockMemoryPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeIncreaseQuotaPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeMachineAccountPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeTcbPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSecurityPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeTakeOwnershipPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeLoadDriverPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSystemProfilePrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSystemtimePrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeProfSingleProcessPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeIncBasePriorityPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeCreatePagefilePrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeCreatePermanentPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeBackupPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeRestorePrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeShutdownPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeDebugPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeAuditPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSystemEnvironmentPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeChangeNotifyPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeRemoteShutdownPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeUndockPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSyncAgentPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeEnableDelegationPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeManageVolumePrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeImpersonatePrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeCreateGlobalPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeCreateTokenPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeAssignPrimaryTokenPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeLockMemoryPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeIncreaseQuotaPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeMachineAccountPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeTcbPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSecurityPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeTakeOwnershipPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeLoadDriverPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSystemProfilePrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSystemtimePrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeProfSingleProcessPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeIncBasePriorityPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeCreatePagefilePrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeCreatePermanentPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeBackupPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeRestorePrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeShutdownPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeDebugPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeAuditPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSystemEnvironmentPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeChangeNotifyPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeRemoteShutdownPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeUndockPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSyncAgentPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeEnableDelegationPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeManageVolumePrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeImpersonatePrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeCreateGlobalPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeCreateTokenPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeAssignPrimaryTokenPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeLockMemoryPrivilege	1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1984	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2556	2672	msiexec.exe	29
PID 2672 wrote to memory of 2556	2672	msiexec.exe	29
PID 2672 wrote to memory of 2556	2672	msiexec.exe	29
PID 2672 wrote to memory of 2556	2672	msiexec.exe	29
PID 2672 wrote to memory of 2556	2672	msiexec.exe	29
PID 2672 wrote to memory of 2556	2672	msiexec.exe	29
PID 2672 wrote to memory of 2556	2672	msiexec.exe	29

C:\Users\Admin\AppData\Local\Temp\69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
"C:\Users\Admin\AppData\Local\Temp\69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1984

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 56B2C15E544317A7DBCF8EF4A8DD001B C
  2⤵
  - Loads dropped DLL
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1984\EFS_Info.png_1

Filesize
269KB

MD5
1621d6c4107cc24e1cd6c0fa86a76688

SHA1
25000c635bc9217f8a814cb4e429d632ec8256dd

SHA256
9c36e488bac31dea4dc689cc3752f3c7ee4efdcc3c0213cf2f4c4063c1683aee

SHA512
ec055cb81d7d89cfd30fadcf71b2d3b6103ef770221f3ed4f9a24f8c4da40bb920377a1f785ef41b6df1c75b6e1ab72fa39200b3250604134bb467879d89dde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD2FA.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID4D0.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID667.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID704.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID791.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID791.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID85D.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID9A6.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDA43.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20927.2\install\CFF9AE2\PlanForce.msi

Filesize
3.9MB

MD5
afb4a87f5e2f40e845e689191604a6ca

SHA1
d7414e5c2f012bef76d983033c9d391c930a3961

SHA256
0a058c7f8d83a335c9a6c2d84f1e3a4c64bab31127b62398049e30dda21d808e

SHA512
0bf603b0eff6b6121410697a6335adb3389cd26bfc146f00e7c5b16b38fbe38c0f0a13cb3ff6825a230d2bb33d0d0e1208dda13865402090c26b4595b0e395d8

Download Submit
C:\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20927.2\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
\Users\Admin\AppData\Local\Temp\MSID4D0.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Users\Admin\AppData\Local\Temp\MSID667.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
\Users\Admin\AppData\Local\Temp\MSID704.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Users\Admin\AppData\Local\Temp\MSID791.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Users\Admin\AppData\Local\Temp\MSID85D.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Users\Admin\AppData\Local\Temp\MSID9A6.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
\Users\Admin\AppData\Local\Temp\MSIDA43.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20927.2\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20927.2\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
memory/1984-0-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1984-95-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download