Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
27-01-2024 20:08
Static task
static1
Behavioral task
behavioral1
Sample
chrome_setup.msi
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
chrome_setup.msi
Resource
win10-20231215-en
Behavioral task
behavioral3
Sample
chrome_setup.msi
Resource
win10v2004-20231215-en
Behavioral task
behavioral4
Sample
chrome_setup.msi
Resource
win11-20231222-en
General
-
Target
chrome_setup.msi
-
Size
304KB
-
MD5
6b63f4f44ed6a243acbf0ee18c5fb5a2
-
SHA1
3d6e13fa319d4de1393c23579753833260b3ef2e
-
SHA256
e34cf173d4a9a9f8c1556c52de1410f3086a1c3f080ea1a8f52726394277a994
-
SHA512
ba1811c4556d8bd113563d4c175795f6d76b48faa259915a30a341ac425cfa309d74d8028749fe5b87eaf26332136657aae5e34e0db08054f689276db746e809
-
SSDEEP
3072:NspAtO9mXwCGjtYNKbYO2gjpcm8rRuqpjCL42loHUvU0yGxr5GqM2a8hIZEZnWv:vtO9iRQYpgjpjew5DHyGxcqo8f
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exepid process 1140 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe 3020 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe 2164 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe -
Loads dropped DLL 7 IoCs
Processes:
MsiExec.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exepid process 2112 MsiExec.exe 2112 MsiExec.exe 2112 MsiExec.exe 2112 MsiExec.exe 2112 MsiExec.exe 3020 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe 2112 MsiExec.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
ICACLS.EXEICACLS.EXEpid process 2932 ICACLS.EXE 2064 ICACLS.EXE -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\T: msiexec.exe -
Drops file in Windows directory 13 IoCs
Processes:
msiexec.exeEXPAND.EXEDrvInst.exedescription ioc process File created C:\Windows\Installer\f761e88.msi msiexec.exe File created C:\Windows\Installer\f761e89.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI232B.tmp msiexec.exe File opened for modification C:\Windows\Installer\f761e88.msi msiexec.exe File opened for modification C:\Windows\Logs\DPX\setuperr.log EXPAND.EXE File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\Logs\DPX\setupact.log EXPAND.EXE File opened for modification C:\Windows\Installer\MSI234B.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\MSI1FC0.tmp msiexec.exe File opened for modification C:\Windows\Installer\f761e89.ipi msiexec.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2052 2164 WerFault.exe 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe -
Modifies data under HKEY_USERS 45 IoCs
Processes:
DrvInst.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\International 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid process 1936 msiexec.exe 1936 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 57 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exeDrvInst.exedescription pid process Token: SeShutdownPrivilege 2264 msiexec.exe Token: SeIncreaseQuotaPrivilege 2264 msiexec.exe Token: SeRestorePrivilege 1936 msiexec.exe Token: SeTakeOwnershipPrivilege 1936 msiexec.exe Token: SeSecurityPrivilege 1936 msiexec.exe Token: SeCreateTokenPrivilege 2264 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2264 msiexec.exe Token: SeLockMemoryPrivilege 2264 msiexec.exe Token: SeIncreaseQuotaPrivilege 2264 msiexec.exe Token: SeMachineAccountPrivilege 2264 msiexec.exe Token: SeTcbPrivilege 2264 msiexec.exe Token: SeSecurityPrivilege 2264 msiexec.exe Token: SeTakeOwnershipPrivilege 2264 msiexec.exe Token: SeLoadDriverPrivilege 2264 msiexec.exe Token: SeSystemProfilePrivilege 2264 msiexec.exe Token: SeSystemtimePrivilege 2264 msiexec.exe Token: SeProfSingleProcessPrivilege 2264 msiexec.exe Token: SeIncBasePriorityPrivilege 2264 msiexec.exe Token: SeCreatePagefilePrivilege 2264 msiexec.exe Token: SeCreatePermanentPrivilege 2264 msiexec.exe Token: SeBackupPrivilege 2264 msiexec.exe Token: SeRestorePrivilege 2264 msiexec.exe Token: SeShutdownPrivilege 2264 msiexec.exe Token: SeDebugPrivilege 2264 msiexec.exe Token: SeAuditPrivilege 2264 msiexec.exe Token: SeSystemEnvironmentPrivilege 2264 msiexec.exe Token: SeChangeNotifyPrivilege 2264 msiexec.exe Token: SeRemoteShutdownPrivilege 2264 msiexec.exe Token: SeUndockPrivilege 2264 msiexec.exe Token: SeSyncAgentPrivilege 2264 msiexec.exe Token: SeEnableDelegationPrivilege 2264 msiexec.exe Token: SeManageVolumePrivilege 2264 msiexec.exe Token: SeImpersonatePrivilege 2264 msiexec.exe Token: SeCreateGlobalPrivilege 2264 msiexec.exe Token: SeBackupPrivilege 2348 vssvc.exe Token: SeRestorePrivilege 2348 vssvc.exe Token: SeAuditPrivilege 2348 vssvc.exe Token: SeBackupPrivilege 1936 msiexec.exe Token: SeRestorePrivilege 1936 msiexec.exe Token: SeRestorePrivilege 2520 DrvInst.exe Token: SeRestorePrivilege 2520 DrvInst.exe Token: SeRestorePrivilege 2520 DrvInst.exe Token: SeRestorePrivilege 2520 DrvInst.exe Token: SeRestorePrivilege 2520 DrvInst.exe Token: SeRestorePrivilege 2520 DrvInst.exe Token: SeRestorePrivilege 2520 DrvInst.exe Token: SeLoadDriverPrivilege 2520 DrvInst.exe Token: SeLoadDriverPrivilege 2520 DrvInst.exe Token: SeLoadDriverPrivilege 2520 DrvInst.exe Token: SeRestorePrivilege 1936 msiexec.exe Token: SeTakeOwnershipPrivilege 1936 msiexec.exe Token: SeRestorePrivilege 1936 msiexec.exe Token: SeTakeOwnershipPrivilege 1936 msiexec.exe Token: SeRestorePrivilege 1936 msiexec.exe Token: SeTakeOwnershipPrivilege 1936 msiexec.exe Token: SeRestorePrivilege 1936 msiexec.exe Token: SeTakeOwnershipPrivilege 1936 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 2264 msiexec.exe 2264 msiexec.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
msiexec.exeMsiExec.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exedescription pid process target process PID 1936 wrote to memory of 2112 1936 msiexec.exe MsiExec.exe PID 1936 wrote to memory of 2112 1936 msiexec.exe MsiExec.exe PID 1936 wrote to memory of 2112 1936 msiexec.exe MsiExec.exe PID 1936 wrote to memory of 2112 1936 msiexec.exe MsiExec.exe PID 1936 wrote to memory of 2112 1936 msiexec.exe MsiExec.exe PID 1936 wrote to memory of 2112 1936 msiexec.exe MsiExec.exe PID 1936 wrote to memory of 2112 1936 msiexec.exe MsiExec.exe PID 2112 wrote to memory of 2932 2112 MsiExec.exe ICACLS.EXE PID 2112 wrote to memory of 2932 2112 MsiExec.exe ICACLS.EXE PID 2112 wrote to memory of 2932 2112 MsiExec.exe ICACLS.EXE PID 2112 wrote to memory of 2932 2112 MsiExec.exe ICACLS.EXE PID 2112 wrote to memory of 1560 2112 MsiExec.exe EXPAND.EXE PID 2112 wrote to memory of 1560 2112 MsiExec.exe EXPAND.EXE PID 2112 wrote to memory of 1560 2112 MsiExec.exe EXPAND.EXE PID 2112 wrote to memory of 1560 2112 MsiExec.exe EXPAND.EXE PID 2112 wrote to memory of 1140 2112 MsiExec.exe 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe PID 2112 wrote to memory of 1140 2112 MsiExec.exe 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe PID 2112 wrote to memory of 1140 2112 MsiExec.exe 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe PID 2112 wrote to memory of 1140 2112 MsiExec.exe 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe PID 3020 wrote to memory of 2164 3020 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe PID 3020 wrote to memory of 2164 3020 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe PID 3020 wrote to memory of 2164 3020 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe PID 3020 wrote to memory of 2164 3020 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe PID 3020 wrote to memory of 2164 3020 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe PID 2112 wrote to memory of 2064 2112 MsiExec.exe ICACLS.EXE PID 2112 wrote to memory of 2064 2112 MsiExec.exe ICACLS.EXE PID 2112 wrote to memory of 2064 2112 MsiExec.exe ICACLS.EXE PID 2112 wrote to memory of 2064 2112 MsiExec.exe ICACLS.EXE -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\chrome_setup.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5C9FD9245146F31BB124D4D7A48574C22⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C0" "00000000000005AC"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 4763⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\files.cabFilesize
56KB
MD5f8ba117f135d10e3eb80472c1ec46469
SHA16c084a82bf4ebafde30c5b3182f83dcb66933671
SHA2569bc48ce1d31060a52f1f879fd140d96d60f60dd2d53d83efca323819b048b9f1
SHA5123985a44a1a0907153f1a1eeaf8e91dcf25c0f6f27abc70edbbe5922e281b70fd7c308df022200a35daf2044eb2323f101ded0a5f0f592aed2bd8a50de4f0e0fa
-
C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exeFilesize
56KB
MD584c1567969b86089cc33dccf41562bcd
SHA153f2133cb25186e9fa6d4ea3b0e41eee5aba5ef2
SHA256516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b
SHA51272a411cacd503b6fadb15dc90f1f9beb79ff79c620df76da381e5c780c53e11258aae72db2848c241ec55af403d67d62340e429e86c23bbf8a71287738de7eaa
-
C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\msiwrapper.iniFilesize
1KB
MD54034b06c78bf7ef130fc6e0c6649f608
SHA113f3f9058db699de2723d31d68f6131a0efb070a
SHA2563a3acbd214c5f034aadc4044258a052e784e6d5c591094103354041ef55d25ef
SHA5125eed62d949aa75c4c622f5afb7ce0642871c37712938af28cbd3abd6851536eb7d6025d3a14fd9e187ec8dbc4216e6813019192a965a6f861a9fe8df19747bfd
-
C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\msiwrapper.iniFilesize
1KB
MD5a8f4d87be9482a43eea6ab0b9d8ddf6c
SHA17c22d587508f4388aef683e999b9193e7af47571
SHA256f4246d56cd522969b18537f728d714a4e8559bba4396235fc5c4cf3749feaac4
SHA5121316b627f4bfd0290fc6d60f2fbd7413b333085ee434c5c09f30e47953d1346605738c08ecd067a2d23e145379a6ea1093b67848ef29792d0ad69d887951c258
-
C:\Windows\Installer\MSI1FC0.tmpFilesize
208KB
MD50c8921bbcc37c6efd34faf44cf3b0cb5
SHA1dcfa71246157edcd09eecaf9d4c5e360b24b3e49
SHA256fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
SHA512ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108