bb822b36d04c3cc4f45c70a8f33fbb7492ba922e2b6a880f96e81c238dd5caaf

Analysis

max time kernel
1199s
max time network
1825s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
10-01-2024 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nanami Win7 for Win10/5- Windows Media Center/WMC-V8.8.2/bin/windows10.0-kb3106246-x64.msi
Size

9.1MB
MD5

86c8bcc1e84290b4536e7da66abbd84e
SHA1

0004f5036209a81588e1d1215c5a82a139a6c664
SHA256

97bffe621c4967aea619d32c23946eecf91511a7d6ce67094b05e54d5ae1828c
SHA512

d0e878735ae6d8e8b0da2a6f0ea1d5733d70e3d0fc784be026640977e520f10f55f940ade73a41eb40ed13e8113a49d97acd3393c78fa8d65a976734de951a3a
SSDEEP

196608:rOBTdQF6Abiv4oOt1RLofQnLHRjymrtxQp9GVpuUxUpukwJ:mpfAoOt7oyjdqNQk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5100	dismhost.exe

Loads dropped DLL 6 IoCs

pid	Process
3816	MsiExec.exe
5100	dismhost.exe
5100	dismhost.exe
5100	dismhost.exe
5100	dismhost.exe
5100	dismhost.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1128	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA53F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA5ED.tmp	msiexec.exe
File created	C:\Windows\Installer\e59a197.msi	msiexec.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File created	C:\Windows\Installer\e59a195.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e59a195.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{25E80DAA-FD87-DCE5-202C-CC02F6673002}	msiexec.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	PowerShell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	PowerShell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	PowerShell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	PowerShell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	PowerShell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	PowerShell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	PowerShell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	dismhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	PowerShell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerShell.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AAD08E5278DF5ECD02C2CC206F760320\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E758817D6A21C9D83B08C37EC52D8CBD	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AAD08E5278DF5ECD02C2CC206F760320\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AAD08E5278DF5ECD02C2CC206F760320\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AAD08E5278DF5ECD02C2CC206F760320\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Nanami Win7 for Win10\\5- Windows Media Center\\WMC-V8.8.2\\bin\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E758817D6A21C9D83B08C37EC52D8CBD\AAD08E5278DF5ECD02C2CC206F760320	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AAD08E5278DF5ECD02C2CC206F760320\SourceList\PackageName = "windows10.0-kb3106246-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AAD08E5278DF5ECD02C2CC206F760320\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nanami Win7 for Win10\\5- Windows Media Center\\WMC-V8.8.2\\bin\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AAD08E5278DF5ECD02C2CC206F760320\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AAD08E5278DF5ECD02C2CC206F760320	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AAD08E5278DF5ECD02C2CC206F760320\ProductName = "Microsoft DVD App Installation for Microsoft.WindowsDVDPlayer_2019.6.13291.0_neutral_~_8wekyb3d8bbwe (x64)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AAD08E5278DF5ECD02C2CC206F760320\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AAD08E5278DF5ECD02C2CC206F760320\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AAD08E5278DF5ECD02C2CC206F760320\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AAD08E5278DF5ECD02C2CC206F760320\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AAD08E5278DF5ECD02C2CC206F760320\ProductFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AAD08E5278DF5ECD02C2CC206F760320	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AAD08E5278DF5ECD02C2CC206F760320\PackageCode = "DA5EB6ED00530F64FB17E1978617B326"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AAD08E5278DF5ECD02C2CC206F760320\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AAD08E5278DF5ECD02C2CC206F760320\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AAD08E5278DF5ECD02C2CC206F760320\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AAD08E5278DF5ECD02C2CC206F760320\DeploymentFlags = "3"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2124	msiexec.exe
2124	msiexec.exe
4652	PowerShell.exe
4652	PowerShell.exe
4652	PowerShell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1128	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1128	msiexec.exe
Token: SeSecurityPrivilege	2124	msiexec.exe
Token: SeCreateTokenPrivilege	1128	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1128	msiexec.exe
Token: SeLockMemoryPrivilege	1128	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1128	msiexec.exe
Token: SeMachineAccountPrivilege	1128	msiexec.exe
Token: SeTcbPrivilege	1128	msiexec.exe
Token: SeSecurityPrivilege	1128	msiexec.exe
Token: SeTakeOwnershipPrivilege	1128	msiexec.exe
Token: SeLoadDriverPrivilege	1128	msiexec.exe
Token: SeSystemProfilePrivilege	1128	msiexec.exe
Token: SeSystemtimePrivilege	1128	msiexec.exe
Token: SeProfSingleProcessPrivilege	1128	msiexec.exe
Token: SeIncBasePriorityPrivilege	1128	msiexec.exe
Token: SeCreatePagefilePrivilege	1128	msiexec.exe
Token: SeCreatePermanentPrivilege	1128	msiexec.exe
Token: SeBackupPrivilege	1128	msiexec.exe
Token: SeRestorePrivilege	1128	msiexec.exe
Token: SeShutdownPrivilege	1128	msiexec.exe
Token: SeDebugPrivilege	1128	msiexec.exe
Token: SeAuditPrivilege	1128	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1128	msiexec.exe
Token: SeChangeNotifyPrivilege	1128	msiexec.exe
Token: SeRemoteShutdownPrivilege	1128	msiexec.exe
Token: SeUndockPrivilege	1128	msiexec.exe
Token: SeSyncAgentPrivilege	1128	msiexec.exe
Token: SeEnableDelegationPrivilege	1128	msiexec.exe
Token: SeManageVolumePrivilege	1128	msiexec.exe
Token: SeImpersonatePrivilege	1128	msiexec.exe
Token: SeCreateGlobalPrivilege	1128	msiexec.exe
Token: SeBackupPrivilege	2508	vssvc.exe
Token: SeRestorePrivilege	2508	vssvc.exe
Token: SeAuditPrivilege	2508	vssvc.exe
Token: SeBackupPrivilege	2124	msiexec.exe
Token: SeRestorePrivilege	2124	msiexec.exe
Token: SeRestorePrivilege	2124	msiexec.exe
Token: SeTakeOwnershipPrivilege	2124	msiexec.exe
Token: SeRestorePrivilege	2124	msiexec.exe
Token: SeTakeOwnershipPrivilege	2124	msiexec.exe
Token: SeRestorePrivilege	2124	msiexec.exe
Token: SeTakeOwnershipPrivilege	2124	msiexec.exe
Token: SeRestorePrivilege	2124	msiexec.exe
Token: SeTakeOwnershipPrivilege	2124	msiexec.exe
Token: SeBackupPrivilege	5116	srtasks.exe
Token: SeRestorePrivilege	5116	srtasks.exe
Token: SeSecurityPrivilege	5116	srtasks.exe
Token: SeTakeOwnershipPrivilege	5116	srtasks.exe
Token: SeDebugPrivilege	4652	PowerShell.exe
Token: SeBackupPrivilege	5116	srtasks.exe
Token: SeRestorePrivilege	5116	srtasks.exe
Token: SeSecurityPrivilege	5116	srtasks.exe
Token: SeTakeOwnershipPrivilege	5116	srtasks.exe
Token: SeBackupPrivilege	4652	PowerShell.exe
Token: SeRestorePrivilege	4652	PowerShell.exe
Token: SeRestorePrivilege	2124	msiexec.exe
Token: SeTakeOwnershipPrivilege	2124	msiexec.exe
Token: SeRestorePrivilege	2124	msiexec.exe
Token: SeTakeOwnershipPrivilege	2124	msiexec.exe
Token: SeRestorePrivilege	2124	msiexec.exe
Token: SeTakeOwnershipPrivilege	2124	msiexec.exe
Token: SeRestorePrivilege	2124	msiexec.exe
Token: SeTakeOwnershipPrivilege	2124	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1128	msiexec.exe
1128	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 5116	2124	msiexec.exe	76
PID 2124 wrote to memory of 5116	2124	msiexec.exe	76
PID 2124 wrote to memory of 3816	2124	msiexec.exe	78
PID 2124 wrote to memory of 3816	2124	msiexec.exe	78
PID 2124 wrote to memory of 3816	2124	msiexec.exe	78
PID 3816 wrote to memory of 4652	3816	MsiExec.exe	79
PID 3816 wrote to memory of 4652	3816	MsiExec.exe	79
PID 4652 wrote to memory of 5100	4652	PowerShell.exe	82
PID 4652 wrote to memory of 5100	4652	PowerShell.exe	82

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Nanami Win7 for Win10\5- Windows Media Center\WMC-V8.8.2\bin\windows10.0-kb3106246-x64.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1128

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5116
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FBE0B9EEFC26B165D428CF7024E6EABB E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
    "PowerShell" -NoProfile -NonInteractive -InputFormat None -ExecutionPolicy Bypass "C:\Users\Admin\AppData\Local\Temp\InstallDVDAppxPackage\DvdInstall.ps1" "C:\Users\Admin\AppData\Local\Temp\InstallDVDAppxPackage\50ea4d02e68f4217869d054e06374b74.appxbundle" "C:\Users\Admin\AppData\Local\Temp\InstallDVDAppxPackage\50ea4d02e68f4217869d054e06374b74_License1.xml"
    3⤵
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Users\Admin\AppData\Local\Temp\853886D7-69D9-46CB-91D7-CE0DCFC5190C\dismhost.exe
      C:\Users\Admin\AppData\Local\Temp\853886D7-69D9-46CB-91D7-CE0DCFC5190C\dismhost.exe {54374B66-216B-4228-8773-FCE0EF8ECF07}
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:5100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appreadiness -s AppReadiness
1⤵
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59a196.rbs

Filesize
7KB

MD5
fb2e04b4c88cb687927b91793aa7af48

SHA1
2f776d119100cd1098f5c8cfdbe4684236db1d2e

SHA256
18e8a5429143b60c9237bc3e016d5eaf6dbec8b1c735e4a91ec5f459ec603257

SHA512
77e4894b61287ee6bc11437f6815d25914fc27cbe737070a96726aaf6088314635509af2225df5c8c22d601755be65d94665afc06b1b1e821e6bbc8cfc903666

Download Submit
C:\Users\Admin\AppData\Local\Temp\853886D7-69D9-46CB-91D7-CE0DCFC5190C\DismCorePS.dll

Filesize
35KB

MD5
ceb1c64a4fd2a6a23e2d7a9531e1a415

SHA1
3da1cbe244bcc72f24deca99693d49a67b3d2b42

SHA256
e5dd32e07bd1363578bde18937c6e78918f80b8b6bd715add688eef267efadb6

SHA512
84321259a01974f9b145f945863fe5e42ca9e05433f4bb2e802ce599ac33e7e3a456c9e32917fa48882a50580de2b70380d7f7d431726dd0910ffae52389a4b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\853886D7-69D9-46CB-91D7-CE0DCFC5190C\DismHost.exe

Filesize
104KB

MD5
834fb6754f1f0142a138428d3e8324e7

SHA1
8ee2ccd24bfa3a89dbfbbbee7f197159a7c78cc7

SHA256
f8c60c5c9efb39a0bf9af47dc30d54975b41cf4e0a7612d7898001f2bad20ebc

SHA512
770310599c8040752301fc0813c571a3185692568f777d822fd600967a8ca1bfeae3145b0ad07d19e4833f84c1c9e58d691a810bd6f9cacb6ea7af26e44cfd86

Download Submit
C:\Users\Admin\AppData\Local\Temp\853886D7-69D9-46CB-91D7-CE0DCFC5190C\OSProvider.dll

Filesize
16KB

MD5
4a3c863d6108ee7b51d07067bad843b4

SHA1
a7f1c1d5fac080722aa5bf5b2a9cd61c22e89cf4

SHA256
80d7015e9c94575a055714a4c9accc2eb864c22a919122c3539aa7bb0f17bd48

SHA512
e81d9882474ef41a64f3de327a73bbf0c49b983939752b28cb06e389ca0ebcecb75ad3d6a555a462092dc2cd13d680006648f3c38e0141d815e50f2a5b5a7aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\853886D7-69D9-46CB-91D7-CE0DCFC5190C\dismprov.dll

Filesize
152KB

MD5
fe76f7de5788ebd9f6c8734c30a05187

SHA1
bcea85e68820baa0e176fd1364afb37137070e43

SHA256
c52435f199e3798b5fa66c2842a3251bc82302e033f030170539a2fb22971050

SHA512
a41adb2b7263962e26d98d71f428b5733da92aa447bcdb002e716bce50d45006a8853b8096732ec1630302817eaf975020acde8a419113058e33a150143c7e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallDVDAppxPackage\50ea4d02e68f4217869d054e06374b74.appxbundle

Filesize
3.9MB

MD5
e2573befce96b83ed8f0dfc8b6666ee0

SHA1
5e3ed58dfee882c2665456201ee3180e5c6c071d

SHA256
bc4c5517f50475f2613fb74799e08304489b0fba1969a638a521592f0f06a5c9

SHA512
d9af10a7e9942da2b83b9e5e96d858fa6c7e2f2e8c38f8b3e9adcc823aa2c6b773cf9c05eb3c34e6cc299393b6829c80e7d74c09ffd70f83a800d0770780c0ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallDVDAppxPackage\50ea4d02e68f4217869d054e06374b74_License1.xml

Filesize
2KB

MD5
8fa2e84c0b92be6bfe47574a1514dc47

SHA1
a594848f7f5ac04b0dbd38670ae9819c11a02035

SHA256
e5571f5063a9bf5f3cd679b5569bce0f04b53dca33ce969838cf434b49460ae7

SHA512
de9391c846669cde9f3d7a38b588f9b0ce298a739ec83046786abd4a4be9265ed170c4c4d90bb031e5490f36226c3481dafa27c2da42c35097179bb398a0d89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallDVDAppxPackage\DvdInstall.ps1

Filesize
219B

MD5
7a0f054c81513a89355f38c94504ebf6

SHA1
ee44f250a95f4c4eab3bcebf241c60515f529161

SHA256
83e11db191b3631d82980c966a5c8f4dd3e4980e347d0219fc6523fe51d748c6

SHA512
79ed001ca88b05da7189d4bf9251929aa67a146889cea8a34208639ae99a99d62a66cc60bc29d3ac1acb397ddf0a30d1839719074cf51d3c2414eb26799c3de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vhz4wolw.lbl.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\Installer\MSIA5ED.tmp

Filesize
153KB

MD5
4f8e2b401fd442ed8207c160a114627b

SHA1
5ce69d0a9ef7aec9ce8e6c9d28d2868adbba2c23

SHA256
e134d2e6085311b98d6cb180f31a1dabf9837d3c70ae11cc4c9acd4e1b96bfbe

SHA512
2b31710784fbad8078733077dfca8bf21d5313691f8c98e6265438857f7fa30f13664afadfd1109897de33338719b610262fba56132e842ac89030a662fa8788

Download Submit
C:\Windows\Installer\e59a195.msi

Filesize
3.0MB

MD5
9f02bacb764ebdfbdddcb1a554fc6ae7

SHA1
fc999d7751a8b6fa7f20736b251a8d34d3e50576

SHA256
fe17686dcde717be528697b50e74566df82ad1d6f25b6e9f91b21e537958d723

SHA512
29def6af6122b077a5fe5f8c700828205964228513cbb58637cc6591cc437c57238d57e2cd9aed1e14fa1c0adb7fb233142592680cbc8ff1a8ffb817788cd5e2

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
239KB

MD5
0a10b4044de309c9d159c28620e963df

SHA1
75be5053d6da321e4c5a6c2db36aa6ffe658e749

SHA256
24d2e7e8816ac4f9dc4cd38c452993edac288cc281abd9beacfc1c0f1fce5a7b

SHA512
85992a28b08b4f52e844b0b104ada3f2f4e9c89e25af5f11a05da544469697b9563ff4008687d3116e4208848be23530183ad815b144fcf22faa8dbbe0697ed8

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
201KB

MD5
3795cee85c670bb90bb4b60280e063bf

SHA1
8fa6d0116b4ffe68f7d72a782a412f87c8a07f34

SHA256
e7ce5d7cc0af32e8d174ae3735f68e90fc35260ea5c7c21b6b7ba0e310e9a13f

SHA512
22f10786b89ce45a79c0d0d2e3766ee1fe316a98821e0bc89727079e08726a4a4e817aaffa8a2bd125336d5369dbf56504ef6e8d0a6dd022eed6f8ce9bfc2d2e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
10.6MB

MD5
5e7c45d7b1d6693093aaf157bd0cd4c8

SHA1
38bfdd10c563efa0247864b8fe02a068f34d9321

SHA256
44a991269936378c650c6f7ee4c60e7ea36dbc9b000dc631af46fd4e32e6fb1a

SHA512
d7e1169fb87cf10cb3d23e1a8352ff67b4aebc51234b7f9a9842cf84b56952d2b58e4eaea3e129b051715898e601bff324bb3cabf3a30aa5f2c0d79d3663addc

Download Submit
\??\Volume{0e3789fe-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2726d91c-dcab-4457-af2c-dfe42105d1e2}_OnDiskSnapshotProp

Filesize
5KB

MD5
79fef00d89ae5f841e91d67e150ac3fc

SHA1
8afe08e6eb89873ef9e302620e3638b34f585fc4

SHA256
729e30d05f8300fc21a8da1c4846d20ecb680dae92e21edc799964d1ef2e439a

SHA512
d6e40a04e18b0135fa712ad7f1a1f4a5a701a3b9a04f71ae044a0a0eada39d4222c62bbc4f51f069412e8526629e1c6f8b06a16311e84ccbac2823eb1e2370b8

Download Submit
\Users\Admin\AppData\Local\Temp\853886D7-69D9-46CB-91D7-CE0DCFC5190C\AppxProvider.dll

Filesize
469KB

MD5
eb653d0475201308428c0ba479be969d

SHA1
d0eededdb29db980fa3afef23d87c2576fe616b2

SHA256
c0846f1a6e6ecf04c4cd7e76034505e709c3132c5917d0404aed9388d9cb8642

SHA512
e45191ed6a87471756e6e2e1b1973bc1d9337e6205e14461059017b6ef62f4aa7d2c7e3ed874f9d7d8cae80f8b914bd5add756d85b451fce0620397c005ec3ed

Download Submit
\Users\Admin\AppData\Local\Temp\853886D7-69D9-46CB-91D7-CE0DCFC5190C\DismCorePS.dll

Filesize
61KB

MD5
f18a276ef9307c87ba5addbcb42ba4cd

SHA1
e7d6d69b4b021a3bda8ebba1f23dc76a9bd2c68e

SHA256
e1170268ad5049b70b943a26b193b3f2b1882d52ec4a23a43191ff8bc0ec193c

SHA512
896787787316cf801bcc6f9809127bfe7ba45245530ec350eabe7d303a2f31ccd43773c11a86c3ad2f81781d466e0168b4520b7b1be02cb72b0490e48cde0d1e

Download Submit
\Users\Admin\AppData\Local\Temp\853886D7-69D9-46CB-91D7-CE0DCFC5190C\DismProv.dll

Filesize
152KB

MD5
79a951093dd75505ddf172ee9e380b18

SHA1
ea539a0bbe264dd5fe6e0708b83fc9a4030722b5

SHA256
4fd247411b09e731115d8add66acbfc3427b968601b2388124c3def8d4969ef2

SHA512
97e6fc24cd9ca09ea78f9a385cab7fcf9ef5c364e21184104f602ec69d488f59b4d5276f5e2a4ad3660863a2720211361d6dfc5173968124bcc193d540f80c83

Download Submit
\Users\Admin\AppData\Local\Temp\853886D7-69D9-46CB-91D7-CE0DCFC5190C\LogProvider.dll

Filesize
139KB

MD5
76dccc4bec94a870cb544ea0ac90d574

SHA1
0e500d42b98d340aadd3e886b0c4abefa8b92bc5

SHA256
53637290e64e395a0f07d7423096ccf341ccdf1dcb6e821f4e99d47197ea849e

SHA512
ef01adbf1dfb3856d5a84512556f38af291c0938c1267c8d627e1205385f7be56b0a7e2127f18818f987b53f0a3f910bc930d692be2a8429d03728d086e91a0b

Download Submit
\Users\Admin\AppData\Local\Temp\853886D7-69D9-46CB-91D7-CE0DCFC5190C\OSProvider.dll

Filesize
68KB

MD5
5198b5825f6f056da90aee8acb3383a9

SHA1
020744e9234f59cda123602b3d58c83d0c02928e

SHA256
d862cf0b8cca1ce8b7981192b2f228daa85a78a216b8a51ba067896a0a590888

SHA512
28cdbbf288a2255f432b89b21091d4982872e49236bc88855eb9011b5db36367bfef4265f48fc79a52812e320e57c3ecfdb986feb151881a03369913702fd58d

Download Submit
memory/4652-54-0x00000194AC1B0000-0x00000194AC1C0000-memory.dmp

Filesize
64KB

Download
memory/4652-73-0x00000194AC470000-0x00000194AC492000-memory.dmp

Filesize
136KB

Download
memory/4652-58-0x00000194AC1B0000-0x00000194AC1C0000-memory.dmp

Filesize
64KB

Download
memory/4652-626-0x00007FFD02D90000-0x00007FFD0377C000-memory.dmp

Filesize
9.9MB

Download
memory/4652-627-0x00000194AC1B0000-0x00000194AC1C0000-memory.dmp

Filesize
64KB

Download
memory/4652-628-0x00000194AC1B0000-0x00000194AC1C0000-memory.dmp

Filesize
64KB

Download
memory/4652-629-0x00000194AC1B0000-0x00000194AC1C0000-memory.dmp

Filesize
64KB

Download
memory/4652-55-0x00000194AC1B0000-0x00000194AC1C0000-memory.dmp

Filesize
64KB

Download
memory/4652-53-0x00007FFD02D90000-0x00007FFD0377C000-memory.dmp

Filesize
9.9MB

Download
memory/4652-1266-0x00007FFD02D90000-0x00007FFD0377C000-memory.dmp

Filesize
9.9MB

Download
memory/4652-37-0x00000194AC3C0000-0x00000194AC436000-memory.dmp

Filesize
472KB

Download
memory/4652-34-0x0000019494060000-0x0000019494082000-memory.dmp

Filesize
136KB

Download