bumblebee | 805fe11684791108ec8cbbca67d6c94f235704743847fa8d5d469346e28eddd8

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
27-11-2023 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Size

6.1MB
MD5

4a657cf9c1289e3df987268e32961a66
SHA1

77167ba7c7adb768ba4a1a0d561a8828e73f5035
SHA256

4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579
SHA512

3515c161728c0294b822cfb8a313d85dfb9305e6283f533d20b61894468129012991bec1709e001a8067660668aa6c3a2894273a8f251c3cc15cc0d548a88976
SSDEEP

98304:QAs++BUHecpbpx+sborjZGS/maM8jwsWjMZd3CuwQ3dm0vZ0QgKuEf:QAKBx4px+sNgHW4H3CkZqEf

Score

10^/10

bumblebee onkomsi2 loader

Malware Config

Extracted

Family

bumblebee

Botnet

onkomsi2

Attributes

dga
n64c2akw.life

zefawfb0.life

dph3pby8.life

hx0hysyg.life

1qa3k743.life

luw8ubf2.life

rbvsf6io.life

4huoqrsp.life

8qwcvseh.life

37zi55wc.life

i9f44mju.life

aqnx9c9h.life

3nmeg5wa.life

r5ue5rok.life

et53yjoc.life

tvgco82h.life

0xtmu3tz.life

6xhpschv.life

6o26tws0.life

0oz7923s.life

54y2q50j.life

9hh7hq5r.life

r0ca080m.life

43vtghfz.life

qal55els.life

p5e68m36.life

x698iah6.life

kqn0zkig.life

wq6w8jkq.life

i6n08gx7.life

yykdmh0r.life

is45ipqt.life

btycmaq0.life

bei9dppm.life

3jhcm6ou.life

1q04n1r6.life

10ciy2hb.life

11ou1grl.life

83b0leyy.life

t31jn4t1.life

b24f19ne.life

igak9l9s.life

hkgd9kar.life

02uhomlq.life

zpy1vssg.life

j57fzy12.life

zmlly8xo.life

pe6r5tzc.life

cg4cuoyi.life

pyjijjlm.life

m3vc2ce4.life

p1p97dov.life

ep0kbvph.life

0rlxan4o.life

zdx0i18o.life

7kmzys39.life

e97igyz6.life

hjcbhzd8.life

az77sw77.life

d0k4fdaa.life

c9l8ri53.life

ay03u2te.life

t99iv15x.life

6a1fbhay.life

zna5lybe.life

vxyojl27.life

mddoknvi.life

2z2dl1og.life

vojg90l2.life

awr5omre.life

tcjcv520.life

aqjjchti.life

6qwim2j8.life

1p34o0do.life

8hxwl72r.life

wykpnxcx.life

o10qz4xe.life

7564a2mg.life

aiv8bb2b.life

jwyxm0f3.life

4soexc4m.life

3xqy6csn.life

3k8iq1nb.life

w2hje2t7.life

fra3xqrx.life

4r3inwrt.life

qhfoevow.life

a9nhflze.life

jpngew6a.life

baunjh6t.life

yqofro9q.life

uq034w07.life

oq36weoi.life

vv5sfo80.life

0req10rd.life

m4v4xq2f.life

1p24echu.life

ohwv1vpp.life

z2tp7x2v.life

q65io756.life
dga_seed
anjd78ka
domain_length
8
num_dga_domains
100
port
443

rc4.plain

Signatures

BumbleBee
BumbleBee is a loader malware written in C++.
loader bumblebee

Loads dropped DLL 7 IoCs

pid	Process
2612	MsiExec.exe
2612	MsiExec.exe
1440	MsiExec.exe
1440	MsiExec.exe
1440	MsiExec.exe
1208	MsiExec.exe
1440	MsiExec.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	2328	msiexec.exe
5	2804	msiexec.exe
11	1208	MsiExec.exe
13	1208	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\U:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\K:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\G:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\X:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\Q:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\O:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\W:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\Y:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\T:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\R:	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
File opened (read-only)	\??\P:	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1208	MsiExec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f766133.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6750.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI685B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6985.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F40.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f766136.ipi	msiexec.exe
File created	C:\Windows\Installer\f766133.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI683B.tmp	msiexec.exe
File created	C:\Windows\Installer\f766136.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI65E8.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2804	msiexec.exe
2804	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2328	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2804	msiexec.exe
Token: SeTakeOwnershipPrivilege	2804	msiexec.exe
Token: SeSecurityPrivilege	2804	msiexec.exe
Token: SeCreateTokenPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeAssignPrimaryTokenPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeLockMemoryPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeIncreaseQuotaPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeMachineAccountPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeTcbPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeSecurityPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeTakeOwnershipPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeLoadDriverPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeSystemProfilePrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeSystemtimePrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeProfSingleProcessPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeIncBasePriorityPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeCreatePagefilePrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeCreatePermanentPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeBackupPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeRestorePrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeShutdownPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeDebugPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeAuditPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeSystemEnvironmentPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeChangeNotifyPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeRemoteShutdownPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeUndockPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeSyncAgentPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeEnableDelegationPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeManageVolumePrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeImpersonatePrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeCreateGlobalPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeCreateTokenPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeAssignPrimaryTokenPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeLockMemoryPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeIncreaseQuotaPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeMachineAccountPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeTcbPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeSecurityPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeTakeOwnershipPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeLoadDriverPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeSystemProfilePrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeSystemtimePrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeProfSingleProcessPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeIncBasePriorityPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeCreatePagefilePrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeCreatePermanentPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeBackupPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeRestorePrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeShutdownPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeDebugPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeAuditPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeSystemEnvironmentPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeChangeNotifyPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeRemoteShutdownPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeUndockPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeSyncAgentPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeEnableDelegationPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeManageVolumePrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeImpersonatePrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeCreateGlobalPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeCreateTokenPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeAssignPrimaryTokenPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
Token: SeLockMemoryPrivilege	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2328	msiexec.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2612	2804	msiexec.exe	29
PID 2804 wrote to memory of 2612	2804	msiexec.exe	29
PID 2804 wrote to memory of 2612	2804	msiexec.exe	29
PID 2804 wrote to memory of 2612	2804	msiexec.exe	29
PID 2804 wrote to memory of 2612	2804	msiexec.exe	29
PID 2804 wrote to memory of 2612	2804	msiexec.exe	29
PID 2804 wrote to memory of 2612	2804	msiexec.exe	29
PID 2120 wrote to memory of 2328	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe	30
PID 2120 wrote to memory of 2328	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe	30
PID 2120 wrote to memory of 2328	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe	30
PID 2120 wrote to memory of 2328	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe	30
PID 2120 wrote to memory of 2328	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe	30
PID 2120 wrote to memory of 2328	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe	30
PID 2120 wrote to memory of 2328	2120	4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe	30
PID 2804 wrote to memory of 1440	2804	msiexec.exe	31
PID 2804 wrote to memory of 1440	2804	msiexec.exe	31
PID 2804 wrote to memory of 1440	2804	msiexec.exe	31
PID 2804 wrote to memory of 1440	2804	msiexec.exe	31
PID 2804 wrote to memory of 1440	2804	msiexec.exe	31
PID 2804 wrote to memory of 1440	2804	msiexec.exe	31
PID 2804 wrote to memory of 1440	2804	msiexec.exe	31
PID 2804 wrote to memory of 1208	2804	msiexec.exe	32
PID 2804 wrote to memory of 1208	2804	msiexec.exe	32
PID 2804 wrote to memory of 1208	2804	msiexec.exe	32
PID 2804 wrote to memory of 1208	2804	msiexec.exe	32
PID 2804 wrote to memory of 1208	2804	msiexec.exe	32

C:\Users\Admin\AppData\Local\Temp\4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe
"C:\Users\Admin\AppData\Local\Temp\4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\security update\security update 1.5.2.3\install\A6B488A\security update.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\4203f929fe8fab1c990e027216ef732955cc4fbfe598e9dc02dbf61fefd2e579.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1700790186 " AI_EUIMSI=""
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2328

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 241B293274818CBB51565EF896DF9900 C
  2⤵
  - Loads dropped DLL
  PID:2612
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 86F15103E9C189F3277581AACE31171C
  2⤵
  - Loads dropped DLL
  PID:1440
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding D010D2A3150A0E597D4288C4D77CB2C0
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f766137.rbs

Filesize
1KB

MD5
492d8f46bcdaf2b336ab7114d14229fa

SHA1
b7a03e983a852b9598d50345ec92b8eb35828a47

SHA256
42fa4f7cd1726ead5e4201a9b18fe71f9546c7081b3b0ee4136ff207a8ac11ec

SHA512
10451b14f86683cc1a5bc90bdbbd5b93fba7d4bece29c4b92569e320b62c7f1327afe9b6b6de105633d5dd69d01c3cf728b99e9f7e712405ebd79f87511893f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aecbc8f889eaf0ec172cdd04a14b93ab

SHA1
adedd282973bd6effe12c7017de726f9c4a56b72

SHA256
953acc322a4725658b17716d837d1a5cae2dbb81b7b3057394ce429946504132

SHA512
8172ec6d7ab8993a932b930b39ee1641e4e7ce85d8a0d27823657e11a9fa73de23260ebbe02dfe7ab363be15ce54a4228308ef4e6c3dcb5604eecc89a9029819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ca99a27260e79df79a5d32a56131d2f

SHA1
33fa4250d8f755db3607fd96a26a554bf63c3dfb

SHA256
c71936e5ceaa7a923c72706d9fdfa551146dd30098cfdb6c81bfcd8d5cc6796a

SHA512
308f180f83e08694fdacf7e3616230e599abb9edce592a4be61da7b9ba7b402ce313745bf56f5a241da22fdd60bfd0951d9c923b6e22ac3032123aac2d0bbe55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab55B0.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5982.tmp

Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5B28.tmp

Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5601.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\security update\security update 1.5.2.3\install\A6B488A\security update.msi

Filesize
7.8MB

MD5
cbce77f88d5fd1df590d5172bbb83a2c

SHA1
65bd87e1c512e9cd60a3952e0712d0f67aa952e1

SHA256
8ae7694001a73e0eebf0ea394396cd1aacc3a817e1e321da288e445f4feb1465

SHA512
4d579a70782b99c4fb19398f9d7b430cbe5f9ee5b67dbf360f543fecd010aba373a43266b63b5e7bbe00f8636cdd7d9346806cdaffbaa02608c08310cd752ded

Download Submit
C:\Users\Admin\AppData\Roaming\security update\security update 1.5.2.3\install\A6B488A\security update.msi

Filesize
7.8MB

MD5
cbce77f88d5fd1df590d5172bbb83a2c

SHA1
65bd87e1c512e9cd60a3952e0712d0f67aa952e1

SHA256
8ae7694001a73e0eebf0ea394396cd1aacc3a817e1e321da288e445f4feb1465

SHA512
4d579a70782b99c4fb19398f9d7b430cbe5f9ee5b67dbf360f543fecd010aba373a43266b63b5e7bbe00f8636cdd7d9346806cdaffbaa02608c08310cd752ded

Download Submit
C:\Windows\Installer\MSI65E8.tmp

Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Windows\Installer\MSI65E8.tmp

Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Windows\Installer\MSI6750.tmp

Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Windows\Installer\MSI683B.tmp

Filesize
2.1MB

MD5
bedb0f369ebb79dbcf856379ecb6566c

SHA1
4a8c27c1a2f0be31b73fdad222782648c9ce6b0c

SHA256
189046093d0018570c1d9a12ad4aca14d4ccd65fb63d228275fd7067c24d2ecd

SHA512
06a3d60bf011453711d2f1df385b28edc3815f6e108567169690821b3085b8fda526a123cfbacb6e42290a0576fa878c41cdebef77609367965df12a159a02ee

Download Submit
C:\Windows\Installer\MSI685B.tmp

Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Windows\Installer\MSI6985.tmp

Filesize
838KB

MD5
4a3f6a4023abd6bba56534de47d20017

SHA1
02dd888e467143e2e35465d73f39cf3e66afad10

SHA256
a8dfdc283ad8d4dc6f500ddfab564e79dadae075c0d54784b50e1ca548709b30

SHA512
580c7918ef90eb0020901bab645b72bcaf945ceb5bd56c2e7847f229b31a961bc4cd4ca9cb2583db480947ca8a0880b5ae4bd26717217abcacc9754352aaba28

Download Submit
\Users\Admin\AppData\Local\Temp\MSI5982.tmp

Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
\Users\Admin\AppData\Local\Temp\MSI5B28.tmp

Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
\Windows\Installer\MSI65E8.tmp

Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
\Windows\Installer\MSI6750.tmp

Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
\Windows\Installer\MSI683B.tmp

Filesize
2.1MB

MD5
bedb0f369ebb79dbcf856379ecb6566c

SHA1
4a8c27c1a2f0be31b73fdad222782648c9ce6b0c

SHA256
189046093d0018570c1d9a12ad4aca14d4ccd65fb63d228275fd7067c24d2ecd

SHA512
06a3d60bf011453711d2f1df385b28edc3815f6e108567169690821b3085b8fda526a123cfbacb6e42290a0576fa878c41cdebef77609367965df12a159a02ee

Download Submit
\Windows\Installer\MSI685B.tmp

Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
\Windows\Installer\MSI6985.tmp

Filesize
838KB

MD5
4a3f6a4023abd6bba56534de47d20017

SHA1
02dd888e467143e2e35465d73f39cf3e66afad10

SHA256
a8dfdc283ad8d4dc6f500ddfab564e79dadae075c0d54784b50e1ca548709b30

SHA512
580c7918ef90eb0020901bab645b72bcaf945ceb5bd56c2e7847f229b31a961bc4cd4ca9cb2583db480947ca8a0880b5ae4bd26717217abcacc9754352aaba28

Download Submit
memory/1208-137-0x0000000002640000-0x0000000002727000-memory.dmp

Filesize
924KB

Download
memory/1208-138-0x00000000778D0000-0x0000000077A79000-memory.dmp

Filesize
1.7MB

Download
memory/1208-140-0x00000000778D0000-0x0000000077A79000-memory.dmp

Filesize
1.7MB

Download
memory/1208-139-0x0000000002950000-0x0000000002B68000-memory.dmp

Filesize
2.1MB

Download
memory/1208-142-0x0000000002950000-0x0000000002B68000-memory.dmp

Filesize
2.1MB

Download
memory/1208-143-0x0000000002950000-0x0000000002B68000-memory.dmp

Filesize
2.1MB

Download
memory/1208-144-0x0000000002640000-0x0000000002727000-memory.dmp

Filesize
924KB

Download
memory/1208-145-0x00000000778D0000-0x0000000077A79000-memory.dmp

Filesize
1.7MB

Download