69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31

Analysis

max time kernel
197s
max time network
244s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Size

11.6MB
MD5

cda5fd050f3e83d1ef81d3a7687c6059
SHA1

257d5e4404c04fe00ffecfe0a443881a2d5235d8
SHA256

69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31
SHA512

dd86615a45aab5fca4fd6f3ab97a74d2672f64796dd0d8335073b6bb59836d730303bfc6a04b86a02f407b3d57c2a161e10b11a08b7bcc0e10c257f3fa3f8f56
SSDEEP

196608:KHtH/2biu9WpiapQ46dAtb9SZxWqd7uB+JUFQYZPhUFJbgCfYbCJvCn1WZeLl+J3:KHVeiu9WodLZIqd74+sPeJbmbCJ21WZv

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
5012	MsiExec.exe
5012	MsiExec.exe
5012	MsiExec.exe
5012	MsiExec.exe
5012	MsiExec.exe
5012	MsiExec.exe
5012	MsiExec.exe
5012	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\T:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\Z:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\H:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\L:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\U:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\V:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\Y:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\Q:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\R:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\S:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\O:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\W:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\K:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\P:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\X:	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4916	msiexec.exe
Token: SeCreateTokenPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeAssignPrimaryTokenPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeLockMemoryPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeIncreaseQuotaPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeMachineAccountPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeTcbPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSecurityPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeTakeOwnershipPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeLoadDriverPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSystemProfilePrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSystemtimePrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeProfSingleProcessPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeIncBasePriorityPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeCreatePagefilePrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeCreatePermanentPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeBackupPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeRestorePrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeShutdownPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeDebugPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeAuditPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSystemEnvironmentPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeChangeNotifyPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeRemoteShutdownPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeUndockPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSyncAgentPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeEnableDelegationPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeManageVolumePrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeImpersonatePrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeCreateGlobalPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeCreateTokenPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeAssignPrimaryTokenPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeLockMemoryPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeIncreaseQuotaPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeMachineAccountPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeTcbPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSecurityPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeTakeOwnershipPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeLoadDriverPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSystemProfilePrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSystemtimePrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeProfSingleProcessPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeIncBasePriorityPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeCreatePagefilePrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeCreatePermanentPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeBackupPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeRestorePrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeShutdownPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeDebugPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeAuditPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSystemEnvironmentPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeChangeNotifyPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeRemoteShutdownPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeUndockPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeSyncAgentPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeEnableDelegationPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeManageVolumePrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeImpersonatePrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeCreateGlobalPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeCreateTokenPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeAssignPrimaryTokenPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeLockMemoryPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeIncreaseQuotaPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
Token: SeMachineAccountPrivilege	2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2776	69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 5012	4916	msiexec.exe	90
PID 4916 wrote to memory of 5012	4916	msiexec.exe	90
PID 4916 wrote to memory of 5012	4916	msiexec.exe	90

C:\Users\Admin\AppData\Local\Temp\69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe
"C:\Users\Admin\AppData\Local\Temp\69ceb6c58c37c36e6608cb3e9cf60265c5ec787eb3e0e778f9a7219718e7cb31.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2776

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C99971C290E98A5902AD42EDB8A7166A C
  2⤵
  - Loads dropped DLL
  PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2776\EFS_Info.png_1

Filesize
269KB

MD5
1621d6c4107cc24e1cd6c0fa86a76688

SHA1
25000c635bc9217f8a814cb4e429d632ec8256dd

SHA256
9c36e488bac31dea4dc689cc3752f3c7ee4efdcc3c0213cf2f4c4063c1683aee

SHA512
ec055cb81d7d89cfd30fadcf71b2d3b6103ef770221f3ed4f9a24f8c4da40bb920377a1f785ef41b6df1c75b6e1ab72fa39200b3250604134bb467879d89dde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI35CD.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI35CD.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI366A.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI366A.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI368A.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI368A.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5A7E.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5A7E.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5A7E.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI74CE.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI74CE.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI95F3.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI95F3.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID28.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID28.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDE4.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDE4.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20927.2\install\CFF9AE2\PlanForce.msi

Filesize
3.9MB

MD5
afb4a87f5e2f40e845e689191604a6ca

SHA1
d7414e5c2f012bef76d983033c9d391c930a3961

SHA256
0a058c7f8d83a335c9a6c2d84f1e3a4c64bab31127b62398049e30dda21d808e

SHA512
0bf603b0eff6b6121410697a6335adb3389cd26bfc146f00e7c5b16b38fbe38c0f0a13cb3ff6825a230d2bb33d0d0e1208dda13865402090c26b4595b0e395d8

Download Submit
C:\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20927.2\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
C:\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20927.2\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
C:\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20927.2\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit