a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353

Analysis

max time kernel
117s
max time network
133s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Size

11.6MB
MD5

3f75a68325e18c44b08b4fc45903956d
SHA1

703923b44976f8d111ac37c09a2ecbd1a91dc9d6
SHA256

a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353
SHA512

f80c3f3e82d2d8f0dc65e3f23f5928614e3031fe64c1c87d39e5a9ab393ec2303bddfb89c1a633e442abbf32cd5812b3d874054274bd630b2c8eb790c34d0d9d
SSDEEP

196608:SHtH/2biu9WpiapQwYf2PICw/p5V2f3IYvatKREgYRy3KPknGsdtzq6W:SHVeiu9Wef+kPcf3IqKPgNW

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
568	MsiExec.exe
568	MsiExec.exe
568	MsiExec.exe
568	MsiExec.exe
568	MsiExec.exe
568	MsiExec.exe
568	MsiExec.exe
568	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\O:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\Y:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\Z:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\T:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\H:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\N:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\X:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\B:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\K:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\M:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\L:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\P:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\V:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2936	msiexec.exe
Token: SeTakeOwnershipPrivilege	2936	msiexec.exe
Token: SeSecurityPrivilege	2936	msiexec.exe
Token: SeCreateTokenPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeAssignPrimaryTokenPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeLockMemoryPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeIncreaseQuotaPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeMachineAccountPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeTcbPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeSecurityPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeTakeOwnershipPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeLoadDriverPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeSystemProfilePrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeSystemtimePrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeProfSingleProcessPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeIncBasePriorityPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeCreatePagefilePrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeCreatePermanentPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeBackupPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeRestorePrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeShutdownPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeDebugPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeAuditPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeSystemEnvironmentPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeChangeNotifyPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeRemoteShutdownPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeUndockPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeSyncAgentPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeEnableDelegationPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeManageVolumePrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeImpersonatePrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeCreateGlobalPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeCreateTokenPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeAssignPrimaryTokenPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeLockMemoryPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeIncreaseQuotaPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeMachineAccountPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeTcbPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeSecurityPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeTakeOwnershipPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeLoadDriverPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeSystemProfilePrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeSystemtimePrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeProfSingleProcessPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeIncBasePriorityPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeCreatePagefilePrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeCreatePermanentPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeBackupPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeRestorePrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeShutdownPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeDebugPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeAuditPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeSystemEnvironmentPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeChangeNotifyPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeRemoteShutdownPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeUndockPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeSyncAgentPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeEnableDelegationPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeManageVolumePrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeImpersonatePrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeCreateGlobalPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeCreateTokenPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeAssignPrimaryTokenPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
Token: SeLockMemoryPrivilege	2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2500	a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 568	2936	msiexec.exe	31
PID 2936 wrote to memory of 568	2936	msiexec.exe	31
PID 2936 wrote to memory of 568	2936	msiexec.exe	31
PID 2936 wrote to memory of 568	2936	msiexec.exe	31
PID 2936 wrote to memory of 568	2936	msiexec.exe	31
PID 2936 wrote to memory of 568	2936	msiexec.exe	31
PID 2936 wrote to memory of 568	2936	msiexec.exe	31

C:\Users\Admin\AppData\Local\Temp\a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe
"C:\Users\Admin\AppData\Local\Temp\a54d6f9e8c42f62b345f9c76258ed5c08d9534bd39fd7f72f643641b61766353.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2500

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2EE98505532042B229FC0E0F7159BB51 C
  2⤵
  - Loads dropped DLL
  PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2500\EFS_Info.png_1

Filesize
269KB

MD5
1621d6c4107cc24e1cd6c0fa86a76688

SHA1
25000c635bc9217f8a814cb4e429d632ec8256dd

SHA256
9c36e488bac31dea4dc689cc3752f3c7ee4efdcc3c0213cf2f4c4063c1683aee

SHA512
ec055cb81d7d89cfd30fadcf71b2d3b6103ef770221f3ed4f9a24f8c4da40bb920377a1f785ef41b6df1c75b6e1ab72fa39200b3250604134bb467879d89dde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5534.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI189A.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2029.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB1A7.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE17E.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE2F6.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE364.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE364.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE4BC.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF206.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
C:\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20925.3\install\5AB2868\PlanForce.x64.msi

Filesize
3.9MB

MD5
dd74408810c820dced8e873a6ab0174e

SHA1
a601e97c0fc31b442737b87dd838fcfb023c7704

SHA256
cfb9074c333c628a208a58dadb38a3b34c2d0a441ed7c8927f3530d410aba957

SHA512
a54f262095fc1d7007416a948b3db0222f62adfaeb30b011fb325927eae01ac5550fde7f74ffd18d18e2ee7ec95cd04a138721b7b26064decede772584754844

Download Submit
C:\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20925.3\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
\Users\Admin\AppData\Local\Temp\MSI189A.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2029.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Users\Admin\AppData\Local\Temp\MSIB1A7.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Users\Admin\AppData\Local\Temp\MSIE17E.tmp

Filesize
945KB

MD5
75fdd4bafba5d7082126be37eef2598a

SHA1
73cb2823016ecb1ce287da67e135e02c13c556c6

SHA256
4ecd8241776a95987927cc7cc4854f2d1b4ce3e0631aed33c7639e931921ba15

SHA512
00bd76d4bb9ac5cb5ded051d37e8df5e4a9c6209e747b2b399f7744d833fad0e957fd4fa897db02bc3ea9ae1da8d25e29623ef19c968c7791481e51fd6a7f891

Download Submit
\Users\Admin\AppData\Local\Temp\MSIE2F6.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Users\Admin\AppData\Local\Temp\MSIE364.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Users\Admin\AppData\Local\Temp\MSIE4BC.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF206.tmp

Filesize
550KB

MD5
8259dc74965f3c8e91d152862580a773

SHA1
d2d029f9f9be25be3c5526c5a52449c034c673e1

SHA256
84f8a39d32775639bb3f8875b8e871e0e2344f2a96c52ab6660e65d5c33fd7f9

SHA512
50903688a44609700a84bfb18859b038ebb9ea69d142b1fc23d7bc639879e8be469dab23de777bba8265eb4da8ca7614747f2559034339061236ea7e2b5fd6d0

Download Submit
\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20925.3\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
\Users\Admin\AppData\Roaming\上海项腾信息技术有限公司\PlanForce 1.20925.3\install\decoder.dll

Filesize
215KB

MD5
bc00325b004cf04b852429f5b9e71ce0

SHA1
3584b23ae9f7e82be20a223afa15d7696449a60e

SHA256
23131f8af5f06ddf022cea7456430a41368f747f1eec276d93c872019b909456

SHA512
809a907a5633615cb142c3c003fd0dc713137aa86b167b5b2263cfd021f15ea7cdae5fa441e861b86559626b0b78e9225b833c6a9fb23651736b076afe906847

Download Submit
memory/2500-0-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download