006b8578f0b6717bc5a987f12bc0746c61c20e6ba777fde6d4aa53ee54b937cd

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 14:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

nvim-win64.msi
Size

40.5MB
MD5

460beecd80d3207814ae27f57b71bc08
SHA1

f6f2f0c6f86967690b433aa8a5a72636c0e1ffc0
SHA256

006b8578f0b6717bc5a987f12bc0746c61c20e6ba777fde6d4aa53ee54b937cd
SHA512

06548d2fe22d330e32ec0463848d4e9550148565a63656b91fc35fec94ecdfa8631e5c1ff47b9afab20fa7a7bf4c0ffa3f44eadc32b7f251d13fb84234bded7c
SSDEEP

786432:MBEnLMhcai1lT0CY+LdZ4/i9m/X+etaxnlOKuxB6:CSEa1loCBiiM/VvB6

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2892	MsiExec.exe
1332	msiexec.exe
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Neovim\share\nvim\runtime\ftplugin\m3build.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\keymap\slovak.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\autoload\rustfmt.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\colors\darkblue.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\compiler\fortran_elf90.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\keymap\arabic.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\syntax\gkrellmrc.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\syntax\haste.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\doc\job_control.txt	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\ftplugin\mermaid.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\ftplugin\scala.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\ftplugin\zsh.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\indent\eruby.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\ftplugin\chatito.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\ftplugin\netrc.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\ftplugin\slpspi.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\queries\lua\folds.scm	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\syntax\cpp.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\syntax\jargon.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\ftplugin\java.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\lua\vim\lsp\protocol.lua	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\indent\testdir\vb.ok	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\pack\dist\opt\vimball\autoload\vimball.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\compiler\rspec.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\doc\russian.txt	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\ftplugin\ada.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\indent\quarto.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\autoload\vimexpect.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\ftplugin\ps1.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\plugin\gzip.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\syntax\exports.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\ftplugin\icon.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\syntax\ist.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\syntax\pbtxt.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\colors\elflord.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\doc\ui.txt	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\indent\bash.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\lua\vim\filetype\detect.lua	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\optwin.vim	msiexec.exe
File created	C:\Program Files\Neovim\bin\translations\qt_fr.qm	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\ftplugin\ishd.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\pack\dist\opt\matchit\plugin\matchit.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\syntax\sgml.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\compiler\context.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\syntax\rcs.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\doc\usr_11.txt	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\ftplugin\lynx.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\indent\json.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\syntax\debsources.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\locale\nl\LC_MESSAGES\nvim.mo	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\ftplugin\xmodmap.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\ftplugin\sgml.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\syntax\help_ru.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\syntax\snnspat.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\autoload\freebasic.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\compiler\podchecker.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\ftplugin\routeros.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\syntax\calendar.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\syntax\dylan.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\syntax\pamconf.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\syntax\snobol4.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\syntax\xbl.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\compiler\tidy.vim	msiexec.exe
File created	C:\Program Files\Neovim\share\nvim\runtime\ftplugin\neomuttrc.vim	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f76f2b8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI252.tmp	msiexec.exe
File created	C:\Windows\Installer\f76f2bb.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76f2b8.msi	msiexec.exe
File created	C:\Windows\Installer\f76f2b9.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76f2b9.ipi	msiexec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1332	msiexec.exe
1332	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3060	msiexec.exe
Token: SeRestorePrivilege	1332	msiexec.exe
Token: SeTakeOwnershipPrivilege	1332	msiexec.exe
Token: SeSecurityPrivilege	1332	msiexec.exe
Token: SeCreateTokenPrivilege	3060	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3060	msiexec.exe
Token: SeLockMemoryPrivilege	3060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3060	msiexec.exe
Token: SeMachineAccountPrivilege	3060	msiexec.exe
Token: SeTcbPrivilege	3060	msiexec.exe
Token: SeSecurityPrivilege	3060	msiexec.exe
Token: SeTakeOwnershipPrivilege	3060	msiexec.exe
Token: SeLoadDriverPrivilege	3060	msiexec.exe
Token: SeSystemProfilePrivilege	3060	msiexec.exe
Token: SeSystemtimePrivilege	3060	msiexec.exe
Token: SeProfSingleProcessPrivilege	3060	msiexec.exe
Token: SeIncBasePriorityPrivilege	3060	msiexec.exe
Token: SeCreatePagefilePrivilege	3060	msiexec.exe
Token: SeCreatePermanentPrivilege	3060	msiexec.exe
Token: SeBackupPrivilege	3060	msiexec.exe
Token: SeRestorePrivilege	3060	msiexec.exe
Token: SeShutdownPrivilege	3060	msiexec.exe
Token: SeDebugPrivilege	3060	msiexec.exe
Token: SeAuditPrivilege	3060	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3060	msiexec.exe
Token: SeChangeNotifyPrivilege	3060	msiexec.exe
Token: SeRemoteShutdownPrivilege	3060	msiexec.exe
Token: SeUndockPrivilege	3060	msiexec.exe
Token: SeSyncAgentPrivilege	3060	msiexec.exe
Token: SeEnableDelegationPrivilege	3060	msiexec.exe
Token: SeManageVolumePrivilege	3060	msiexec.exe
Token: SeImpersonatePrivilege	3060	msiexec.exe
Token: SeCreateGlobalPrivilege	3060	msiexec.exe
Token: SeCreateTokenPrivilege	3060	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3060	msiexec.exe
Token: SeLockMemoryPrivilege	3060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3060	msiexec.exe
Token: SeMachineAccountPrivilege	3060	msiexec.exe
Token: SeTcbPrivilege	3060	msiexec.exe
Token: SeSecurityPrivilege	3060	msiexec.exe
Token: SeTakeOwnershipPrivilege	3060	msiexec.exe
Token: SeLoadDriverPrivilege	3060	msiexec.exe
Token: SeSystemProfilePrivilege	3060	msiexec.exe
Token: SeSystemtimePrivilege	3060	msiexec.exe
Token: SeProfSingleProcessPrivilege	3060	msiexec.exe
Token: SeIncBasePriorityPrivilege	3060	msiexec.exe
Token: SeCreatePagefilePrivilege	3060	msiexec.exe
Token: SeCreatePermanentPrivilege	3060	msiexec.exe
Token: SeBackupPrivilege	3060	msiexec.exe
Token: SeRestorePrivilege	3060	msiexec.exe
Token: SeShutdownPrivilege	3060	msiexec.exe
Token: SeDebugPrivilege	3060	msiexec.exe
Token: SeAuditPrivilege	3060	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3060	msiexec.exe
Token: SeChangeNotifyPrivilege	3060	msiexec.exe
Token: SeRemoteShutdownPrivilege	3060	msiexec.exe
Token: SeUndockPrivilege	3060	msiexec.exe
Token: SeSyncAgentPrivilege	3060	msiexec.exe
Token: SeEnableDelegationPrivilege	3060	msiexec.exe
Token: SeManageVolumePrivilege	3060	msiexec.exe
Token: SeImpersonatePrivilege	3060	msiexec.exe
Token: SeCreateGlobalPrivilege	3060	msiexec.exe
Token: SeCreateTokenPrivilege	3060	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3060	msiexec.exe
3060	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 2892	1332	msiexec.exe	29
PID 1332 wrote to memory of 2892	1332	msiexec.exe	29
PID 1332 wrote to memory of 2892	1332	msiexec.exe	29
PID 1332 wrote to memory of 2892	1332	msiexec.exe	29
PID 1332 wrote to memory of 2892	1332	msiexec.exe	29
PID 1332 wrote to memory of 2892	1332	msiexec.exe	29
PID 1332 wrote to memory of 2892	1332	msiexec.exe	29

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\nvim-win64.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3060

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7DF18105C9543C4D853459AA2231DF03 C
  2⤵
  - Loads dropped DLL
  PID:2892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2688

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D0" "00000000000003B0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76f2ba.rbs

Filesize
323KB

MD5
f9e412163770cc39194270e52331e705

SHA1
b29ed44aa560dff27c5f602cd62334c7820506f7

SHA256
95c5eb60c919b71152d336c2ea46da6bce417fbe035275b894ae4d7ee732b4d7

SHA512
5f018367529a76bd0b1350d0ae1d9ed48cadb146bb796598c2db5100dbc1cdc98adb92c054bf9f600d23a77324bc256f2ed213fdae601f2d191de9ab63e45ac3

Download Submit
C:\Program Files\Neovim\bin\nvim-qt.exe

Filesize
3.6MB

MD5
248542f04503f79bd62f5606405a6c7c

SHA1
b75faa1cf48a3daa1407f44fc81352e54c441d0d

SHA256
98f8d620ea6c88d31a13bb9012da7f491a6e83097663b2cc0d77a6769364e84c

SHA512
2dcc7156c25c013bdad39c5b4b12280e7578163743599e5d3ac98fd887aa905e2e3e53a8bea42e03ebe22bb776e213e51471e167754788762a4fb865295fa7c3

Download Submit
C:\Program Files\Neovim\share\nvim\runtime\ftplugin\d.lua

Filesize
33B

MD5
8352b5a6f13d67ad2c73f072796a1a39

SHA1
d0e47d775fc6606c71416c4daa0adbb15189f453

SHA256
2eff59bce8ddee7f0a539f1d31e20db6d3d07bd03215df2f661bf02c5499d345

SHA512
276c8eab9aa94a4658a4c900f5f6feee56a5c80663a9332f22484dcf1af28cc497ad59042ab88b06e27f6e8725d0fd6ae448fe8e015358be7ede5e5f3496fa83

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9CFB.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Windows\Installer\f76f2b8.msi

Filesize
35.4MB

MD5
83248870310527831af3919b12f770fa

SHA1
bc581b978afbde3da60a0cc4c47d34ddd480a235

SHA256
869e0b45c4e3b7b6ac935fa00f90be8638b87808d9095b681a44065c161fb4d4

SHA512
e24724fad7c1b36c8043a18acda8c00340318e40f270ee9d92f4a39859f796c987b6670434dbd1d16008c12b2d17e012cd0405d0a62e4ad9c9d42bfb95dbf3a5

Download Submit
\Program Files\Neovim\bin\nvim.exe

Filesize
5.0MB

MD5
0f5896b7fdc0669aed0bc10ce6a1d083

SHA1
63c922ea2b31fb83c5e310122d69dbc30400ac9d

SHA256
d60036b942091c668dc2d7f2e3ecc7f76d534457c37adce102bd3c01c273c2ff

SHA512
a336f6dd7b9020487104cc83ce385c75cf99ba3bfb7cfe3f060e5d6f650f82162013b749c46ff3adaa67d214b2a5fb21a928684c01d523842061484186bbb996

Download Submit