ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf

Analysis

max time kernel
119s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d704e453e065a23ed414927d9b203086.exe
Size

11.8MB
MD5

d704e453e065a23ed414927d9b203086
SHA1

352e4b98faebc35f5c8cfeaebb7bcb36d7c7fbfc
SHA256

ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf
SHA512

0ec2c8cd14a7f4dfd704b19729239ee78e54fc1fb87ba1a2a80da4b7d595fd573861271ca220c3a7b264209ceed1ca96da12d6bdf2b34c35771790cd6337cf49
SSDEEP

196608:AAKBx4px+sN23RSEfvYfXf1v3j+FX3/yXg3Kf5T72gFUbUamFbSf4k5EBGUQ:AAK/4px/23bfvYvf1bI/8RfVGwdFbSfD

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exed704e453e065a23ed414927d9b203086.exe

description	ioc	process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\O:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\T:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\U:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\P:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\W:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\E:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\K:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\H:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\Q:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\L:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\Y:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\R:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\X:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\Z:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\S:	d704e453e065a23ed414927d9b203086.exe
File opened (read-only)	\??\V:	d704e453e065a23ed414927d9b203086.exe

Loads dropped DLL 11 IoCs

Processes:

MsiExec.exe

pid	process
456	MsiExec.exe
456	MsiExec.exe
456	MsiExec.exe
456	MsiExec.exe
456	MsiExec.exe
456	MsiExec.exe
456	MsiExec.exe
456	MsiExec.exe
456	MsiExec.exe
456	MsiExec.exe
456	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 7 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

d704e453e065a23ed414927d9b203086.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	d704e453e065a23ed414927d9b203086.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	d704e453e065a23ed414927d9b203086.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	d704e453e065a23ed414927d9b203086.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	d704e453e065a23ed414927d9b203086.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	d704e453e065a23ed414927d9b203086.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	d704e453e065a23ed414927d9b203086.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	d704e453e065a23ed414927d9b203086.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exed704e453e065a23ed414927d9b203086.exe

description	pid	process
Token: SeRestorePrivilege	2152	msiexec.exe
Token: SeTakeOwnershipPrivilege	2152	msiexec.exe
Token: SeSecurityPrivilege	2152	msiexec.exe
Token: SeCreateTokenPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeAssignPrimaryTokenPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeLockMemoryPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeIncreaseQuotaPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeMachineAccountPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeTcbPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeSecurityPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeTakeOwnershipPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeLoadDriverPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeSystemProfilePrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeSystemtimePrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeProfSingleProcessPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeIncBasePriorityPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeCreatePagefilePrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeCreatePermanentPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeBackupPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeRestorePrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeShutdownPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeDebugPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeAuditPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeSystemEnvironmentPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeChangeNotifyPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeRemoteShutdownPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeUndockPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeSyncAgentPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeEnableDelegationPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeManageVolumePrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeImpersonatePrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeCreateGlobalPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeCreateTokenPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeAssignPrimaryTokenPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeLockMemoryPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeIncreaseQuotaPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeMachineAccountPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeTcbPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeSecurityPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeTakeOwnershipPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeLoadDriverPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeSystemProfilePrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeSystemtimePrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeProfSingleProcessPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeIncBasePriorityPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeCreatePagefilePrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeCreatePermanentPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeBackupPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeRestorePrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeShutdownPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeDebugPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeAuditPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeSystemEnvironmentPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeChangeNotifyPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeRemoteShutdownPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeUndockPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeSyncAgentPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeEnableDelegationPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeManageVolumePrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeImpersonatePrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeCreateGlobalPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeCreateTokenPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeAssignPrimaryTokenPrivilege	3044	d704e453e065a23ed414927d9b203086.exe
Token: SeLockMemoryPrivilege	3044	d704e453e065a23ed414927d9b203086.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d704e453e065a23ed414927d9b203086.exe

pid process

3044 d704e453e065a23ed414927d9b203086.exe

pid	process
3044	d704e453e065a23ed414927d9b203086.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2152 wrote to memory of 456	2152	msiexec.exe	MsiExec.exe
PID 2152 wrote to memory of 456	2152	msiexec.exe	MsiExec.exe
PID 2152 wrote to memory of 456	2152	msiexec.exe	MsiExec.exe
PID 2152 wrote to memory of 456	2152	msiexec.exe	MsiExec.exe
PID 2152 wrote to memory of 456	2152	msiexec.exe	MsiExec.exe
PID 2152 wrote to memory of 456	2152	msiexec.exe	MsiExec.exe
PID 2152 wrote to memory of 456	2152	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\d704e453e065a23ed414927d9b203086.exe
"C:\Users\Admin\AppData\Local\Temp\d704e453e065a23ed414927d9b203086.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3044

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7DFC20E9C0C747F3D071055CAAD0A051 C
2⤵
- Loads dropped DLL
PID:456

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3044\TeraCopy.png
Filesize
43KB

MD5
f3e10dad17928bc47031a2205a26c17a

SHA1
8716244bc1ae996025246e1306db6f9a3bfe08a7

SHA256
9c7f720c1367e6ea08e4c8a93e7f1ea54f72328e85e1c04b58667383464dbf80

SHA512
180469a611cd9cdb73a74259125f334330915bc6ee6fee22851ed1fa7ce35ad61b501232be87a2fef8a0c887c3aabef913235def82c140cbf0c8fe285b406ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3044\aboutbtn
Filesize
1KB

MD5
b51b54b77e9cbfdb1063f7487c1c07ec

SHA1
8a8a7036cfbc86a537447bf71b9f6795923db8b9

SHA256
9d7243c688264329a8cb9e22da00b651e0a9407741d722e03dd67cc8b3ee1335

SHA512
04cef1aa3a530e7f03054369450eb42f36bf45c13c7445adf450ec4635a8601447c5bb6e978b3adabe9021019644681bf1609539eb548dd50ada973aac0c6555

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3044\background
Filesize
2KB

MD5
9e23da7c3cd3fb8113e698a12a3d3047

SHA1
6d021109495d77a53afe101f2b03a4da847e6d99

SHA256
b671008e5d4a15409051d7b3d2aa40f7c028e1dab5876c2882976793abb9356c

SHA512
65e885984681cee190764515f61bb8da3c29463b87f4371fff27ae4c4089af46c9b98910a847ec29d7368160d6aaf841fb93f1347c9abc47bce5cf997c8b4ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3044\buttonimgs
Filesize
1KB

MD5
7633f00ea029a3b988c354441f0f4722

SHA1
a72a74af68d006a35efcf9be6fe3424ff31fb84c

SHA256
ed127a86f01d767643af667c1d52525a3cb7632713b981896af72628da7ee7fa

SHA512
52c70cbd6fa3cc292a1d5b505b272d88b6f950eac4d24df750b7c8ce5bcacdff9fc9fdd0ccff8f081d05852559ae187f50d4e6b4f5f95e8c648a658d4b9a03b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3044\checkboximgs
Filesize
1KB

MD5
bf7ac146eb80de9d4d3e6b5a7998ebbf

SHA1
532b1bae084af1bb3a8880c47a509ce1bb804df3

SHA256
73616e9e679089cd5c580d5ef9cc96859f13509af8150fe081d67a1935ce4885

SHA512
ea5ed62de728d88cf598b0b9bb1da953b2ee7675cb71d04f022ce41b2697e0f02bef269181c09ede6c28c6946dd8944abbb487ab4be8b190fc9b72423ca4a905

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3044\custominstallbtn
Filesize
914B

MD5
fb33dcad5260941fc9261b1f378d5775

SHA1
5bfbefc05e1d1f41b10974b1ca43495053ad95f3

SHA256
9ccbc0baba2efe3424610a0f282626e2364473c5afc5cd6d485e6673bff3a862

SHA512
7cc5481fbcb4e4f0420da5196a209124f615c0b42e2f1ff5da444ac13c0d8698b5f20472ee1743c126d0bbdc6241e2ccbb58f6ac0970dba6aff74189d600f0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab65F6.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICDCB.tmp
Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID0C9.tmp
Filesize
1.1MB

MD5
25e52c5776a81e0c5ccb9bdd4c808c90

SHA1
e42104ef61ae4760a41552292091eb6a5089ced4

SHA256
0831dbcb3799c9e36ea586582e8ef907dcefeb2045351d6774c7ad0ef02a9af2

SHA512
746570c011e501505ec9d09077519bca1a485b0cac66229be6f4715a91ee52d5cc857de26ad8d7a33806ddfa580d2ba9f77759e3764ea761d327fe2f1e881292

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6608.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\TeraCopy.x64.msi
Filesize
1.1MB

MD5
e6bc397e57a63a526fefe9a47c4ead3c

SHA1
bb5c568cbe4566a029c4681793a1608bd040d711

SHA256
ccb332aef681d0a27a8c883ea7da23c3fab075cc275a327b5414a7027897b0cc

SHA512
09aaea9c5fbe38bbe72bc8a28e3ed1b54dc7d9609d94872025977cd932103491680c89268124e1eeb4e66386d1c1b83384af7863ecf33692f803aa0ad14b1d38

Download Submit
memory/3044-0-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/3044-208-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads