Analysis
max time kernel: 161s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-01-2024 19:21

Static task: static1
Behavioral task: behavioral1
  Sample: Market_Time_New_Conditions.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: Market_Time_New_Conditions.exe
  Resource: win10v2004-20231215-en

General
Target: Market_Time_New_Conditions.exe
Size: 630KB
MD5: 553ac66062429d5a0423d4b286e53c31
SHA1: 0acea7bcaea5c8a9a4e19232e3ca114863aa6968
SHA256: 428d51259ad927c58ea5abb9eca6e0dce4fee5d97e20f78abba194c8c4faadfd
SHA512: 16df91a5240bffdfe4af26350b3f81a6ad97dd64e534443839832549793a35bf44ae882c430183357b8fb2dae9b4fdeaf5ab373488dac7f8c48daaaeaaf33720
SSDEEP: 12288:nL6hD2x/HAWbR2zS4sisO1A83u2BSDoCqKcuz:L6uHAW92zt/sWu2BSMCqDuz

Malware Config
Signatures

NetSupport
NetSupport is a remote access tool sold as legitimate system administration software.

Drops file in Drivers directory (2 IoCs)
Processes: winst64.exe
description | ioc | process
File created | C:\Windows\system32\drivers\nskbfltr.sys | winst64.exe
File created | C:\Windows\system32\drivers\nskbfltr2.sys | winst64.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
Processes: MSI6D4A.tmp
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys" | MSI6D4A.tmp

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: Market_Time_New_Conditions.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | Market_Time_New_Conditions.exe

Executes dropped EXE (10 IoCs)
Processes: MSI54F6.tmp, MSI5AF8.tmp, checkdvd.exe, MSI6D4A.tmp, winst64.exe, MSI74AF.tmp, client32.exe, client32.exe, pcicfgui_client.exe, pcicfgui_client.exe
pid | process
4524 | MSI54F6.tmp
1480 | MSI5AF8.tmp
64 | checkdvd.exe
4120 | MSI6D4A.tmp
232 | winst64.exe
2220 | MSI74AF.tmp
3616 | client32.exe
1616 | client32.exe
3888 | pcicfgui_client.exe
948 | pcicfgui_client.exe

Loads dropped DLL (64 IoCs)
Processes: MsiExec.exe, MsiExec.exe, winst64.exe, MSI6D4A.tmp, client32.exe, client32.exe
pid | process
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
2440 | MsiExec.exe
4440 | MsiExec.exe
4440 | MsiExec.exe
4440 | MsiExec.exe
4440 | MsiExec.exe
232 | winst64.exe
4120 | MSI6D4A.tmp
4440 | MsiExec.exe
4440 | MsiExec.exe
4440 | MsiExec.exe
3616 | client32.exe
3616 | client32.exe
3616 | client32.exe
3616 | client32.exe
3616 | client32.exe
3616 | client32.exe
3616 | client32.exe
3616 | client32.exe
3616 | client32.exe
1616 | client32.exe
1616 | client32.exe
1616 | client32.exe

Registers COM server for autorun (1 TTPs, 3 IoCs)
Processes: winst64.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32 | winst64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32\ = "Client32Provider.dll" | winst64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32\ThreadingModel = "Apartment" | winst64.exe

Blocklisted process makes network request (1 IoCs)
Processes: msiexec.exe
flow | pid | process
59 | 4804 | msiexec.exe

Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: client32.exe, msiexec.exe
description | ioc | process
File opened (read-only) | \??\A: | client32.exe
File opened (read-only) | \??\B: | client32.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe

Modifies WinLogon (2 TTPs, 1 IoCs)
Processes: MSI6D4A.tmp
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0" | MSI6D4A.tmp

Drops file in System32 directory (9 IoCs)
Processes: client32.exe, MSI6D4A.tmp, winst64.exe
description | ioc | process
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\loca[1].htm | client32.exe
File created | C:\Windows\SysWOW64\pcimsg.dll | MSI6D4A.tmp
File created | C:\Windows\system32\client32provider.dll | winst64.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | client32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | client32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | client32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | client32.exe
File opened for modification | C:\Windows\SysWOW64\pcimsg.dll | MSI6D4A.tmp
File opened for modification | C:\Windows\system32\client32provider.dll | winst64.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes: pcicfgui_client.exe
pid | process
3888 | pcicfgui_client.exe

Drops file in Program Files directory (64 IoCs)
Processes: msiexec.exe, client32.exe, MSI6D4A.tmp
description | ioc | process
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\gdihook5.INF | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\nssres_125.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-process-l1-1-0.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-profile-l1-1-0.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\CryptPak.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\btn_down.gif | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\x64\gdihook5.sys | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\pcisys.sys | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\WINSTALL.EXE | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\NSM.ini | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\msvcr100.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\Control.kbd | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\btn_up_grey.gif | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\nspscr.inf | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-conio-l1-1-0.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-rtlsupport-l1-1-0.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\libcrypto-1_1.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\DeskDup.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-time-l1-1-0.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-private-l1-1-0.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\Client32Provider.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\AudioCapture.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\Ixmqmccr_HW_U1.bin | client32.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\remcmdstub.exe | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\bar.gif | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\disk2.gif | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\keyboard2.gif | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\nsmres_250.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-runtime-l1-1-0.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-string-l1-1-0.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\PCIVDD.DLL | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\computer2.gif | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\nskbfltr2.sys | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\btn_up.gif | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\msvcp100.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\shfolder.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\logo.png | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\nskbfltr.inf | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\nspscr.cat | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\PCICHEK.DLL | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\NSM.LIC | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\vcruntime140.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-heap-l1-1-0.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-interlocked-l1-1-0.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\StoreInvDll.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\nspscr.sys | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-sysinfo-l1-1-0.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-file-l2-1-0.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\injlib.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\PCIinv.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\redbar.gif | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicapi.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\Client32.ini | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\_Data.lnk | MSI6D4A.tmp
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\nssres.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-libraryloader-l1-1-0.dll | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\_Gedeelde gegevens.lnk | MSI6D4A.tmp
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\toastImageAndText.png | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\NSClient32UI.exe | msiexec.exe
File created | C:\Program Files (x86)\NetSupport\NetSupport Manager\nssres_300.dll | msiexec.exe

Drops file in Windows directory (64 IoCs)
Processes: msiexec.exe, MSI6D4A.tmp
description | ioc | process
File opened for modification | C:\Windows\Installer\MSI4176.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5126.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5873.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4F5F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI53F8.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5AF8.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4E62.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4E92.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4F4E.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI58D1.tmp | msiexec.exe
File opened for modification | C:\Windows\setuperr.log | MSI6D4A.tmp
File opened for modification | C:\Windows\Installer\MSI53C6.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI54D6.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI749F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI856B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5308.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI409A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4204.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI53E7.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI54C5.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5275.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5296.tmp | msiexec.exe
File created | C:\Windows\Installer\e593500.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4B7D.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4CB8.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4D17.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5244.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI52C8.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI53B5.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI858B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5DA9.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7B77.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3FCE.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4224.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI51C4.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5223.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5264.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI52B8.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI42C1.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7346.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4C59.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5234.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI53D7.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5A1B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5A6B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6D4A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI74AF.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e593500.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{FC61B946-B9CF-4AD3-9042-4FF8CFF0440A} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4B0F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5146.tmp | msiexec.exe
File opened for modification | C:\Windows\setupact.log | MSI6D4A.tmp
File opened for modification | C:\Windows\Installer\MSI5089.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI53C5.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4D95.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI54F6.tmp | msiexec.exe
File created | C:\Windows\Installer\{FC61B946-B9CF-4AD3-9042-4FF8CFF0440A}\ARPPRODUCTICON.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\{FC61B946-B9CF-4AD3-9042-4FF8CFF0440A}\ARPPRODUCTICON.exe | msiexec.exe
File created | C:\Windows\Installer\e593504.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5286.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI52A7.tmp | msiexec.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 24 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: client32.exe
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM | client32.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | client32.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | client32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | client32.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | client32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | client32.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | client32.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | client32.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | client32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM | client32.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM | client32.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | client32.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | client32.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | client32.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | client32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | client32.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | client32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | client32.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | client32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | client32.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | client32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | client32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | client32.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | client32.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: client32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | client32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | client32.exe

Modifies data under HKEY_USERS (64 IoCs)
Processes: cscript.exe, client32.exe, msiexec.exe, svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | cscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | client32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | client32.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | client32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-11 = "Power saver" | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | client32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | cscript.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | cscript.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-15 = "Balanced" | client32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | cscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs | cscript.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\TELEPHONY\HANDOFFPRIORITIES\MEDIAMODES | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-13 = "High performance" | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | cscript.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs | cscript.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | cscript.exe

Modifies registry class (64 IoCs)
Processes: msiexec.exe, MsiExec.exe, MSI6D4A.tmp, winst64.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\NSReplayFile | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\NSReplayFile\DefaultIcon | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\MiscStatus | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\0\win32\ = "C:\\Program Files (x86)\\NetSupport\\NetSupport Manager\\IcoViewer.dll" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command | MSI6D4A.tmp
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\TypeLib | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\ = "IIconViewer" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\TypeLib\Version = "1.0" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\NSReplayFile\Shell | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer\ = "IconViewer Class" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ProgID | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\649B16CFFC9B3DA40924F48FFC0F44A0\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ = "IconViewer Class" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\NetSupport Manager\\pcinssui.exe\" /ShowVideo \"%L\"" | MSI6D4A.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32\ = "C:\\Program Files (x86)\\NetSupport\\NetSupport Manager\\IcoViewer.dll" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer.1\CLSID\ = "{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32\ThreadingModel = "Apartment" | winst64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Insertable\ | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer.1\CLSID\ = "{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\649B16CFFC9B3DA40924F48FFC0F44A0\SourceList\Media\1 = "DISK1;1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\649B16CFFC9B3DA40924F48FFC0F44A0\InstalledByMSI = "CommonFiles" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\TypeLib\ = "{C58E5039-E78C-441D-AA62-383AD6F38FC8}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Version\ = "1.0" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\649B16CFFC9B3DA40924F48FFC0F44A0\CommonFiles = "NSM" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\ = "IcoViewer 1.0 Type Library" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ProgID\ = "IcoViewer.IconViewer.1" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\649B16CFFC9B3DA40924F48FFC0F44A0 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer\CLSID | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692} | winst64.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Programmable | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\0\win32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\FLAGS | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\NetSupport\\NetSupport Manager\\IcoViewer.dll, 101" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Version\ = "1.0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\FLAGS\ = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rpf\ = "NSReplayFile" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\TypeLib\Version = "1.0" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\649B16CFFC9B3DA40924F48FFC0F44A0\PackageCode = "EC858AFDC98CBA84B9C222A071FA1749" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer.1 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Version | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\649B16CFFC9B3DA40924F48FFC0F44A0\AuthorizedLUAApp = "1" | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\VERSIONINDEPENDENTPROGID | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\649B16CFFC9B3DA40924F48FFC0F44A0 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\649B16CFFC9B3DA40924F48FFC0F44A0\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell | MSI6D4A.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Control\ | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show | MSI6D4A.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\ = "Client32Provider" | winst64.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\MiscStatus\1 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\649B16CFFC9B3DA40924F48FFC0F44A0\SourceList\PackageName = "whopper.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\MiscStatus | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\649B16CFFC9B3DA40924F48FFC0F44A0\Language = "1043" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0 | msiexec.exe
Key deleted
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\TypeLib MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Programmable MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\ = "&Tonen met NetSupport School" MSI6D4A.tmp Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ToolboxBitmap32 msiexec.exe -
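The Installer\Products\649B16CFFC9B3DA40924F48FFC0F44A0 key name above is a Windows Installer "packed" GUID: the MSI ProductCode with its first three fields reversed and the remaining hex digits swapped in pairs. Unpacking it is the usual way to tie a Products key back to the product it registered. The following is an added example, not code from the sandbox report or from NetSupport; the only inputs it takes from the report are the Products key name and the PackageCode value listed in the IoCs above. The decoded ProductCode can be checked against the process tree further down, where the installer's licence file sits under C:\Users\Admin\AppData\Local\Temp\{FC61B946-B9CF-4AD3-9042-4FF8CFF0440A}, the same GUID.

```python
"""Decode Windows Installer "packed" GUIDs as found under
HKLM\\SOFTWARE\\Classes\\Installer\\Products\\<key>.

Added example; not code from the sandbox report or from NetSupport.
Packing rule: take the 32 hex digits of the GUID, reverse the first 8,
the next 4 and the next 4, then swap each adjacent pair of the remaining
16 digits. The permutation is its own inverse, so unpacking reuses it.
"""
import re

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


def _permute(digits: str) -> str:
    """The packing permutation; applying it twice returns the input."""
    head = digits[:8][::-1] + digits[8:12][::-1] + digits[12:16][::-1]
    tail = "".join(digits[i + 1] + digits[i] for i in range(16, 32, 2))
    return head + tail


def unpack_msi_guid(packed: str) -> str:
    """Registry key name (32 hex digits) -> canonical GUID with braces."""
    if not HEX32.match(packed):
        raise ValueError("packed MSI GUID must be exactly 32 hex digits")
    g = _permute(packed.upper())
    return "{%s-%s-%s-%s-%s}" % (g[:8], g[8:12], g[12:16], g[16:20], g[20:])


def pack_msi_guid(guid: str) -> str:
    """Canonical GUID (braces and hyphens optional) -> registry key name."""
    g = guid.strip("{}").replace("-", "").upper()
    if not HEX32.match(g):
        raise ValueError("GUID must contain exactly 32 hex digits")
    return _permute(g)


# Key name and PackageCode value taken from the registry IoCs in this report.
PRODUCT_KEY = "649B16CFFC9B3DA40924F48FFC0F44A0"
PACKAGE_CODE = "EC858AFDC98CBA84B9C222A071FA1749"

if __name__ == "__main__":
    # The ProductCode equals the {FC61B946-...} folder the installer used under %TEMP%.
    print("ProductCode:", unpack_msi_guid(PRODUCT_KEY))
    print("PackageCode:", unpack_msi_guid(PACKAGE_CODE))
```

The same permutation decodes the Features\649B16CF... key (same ProductCode) and the PackageCode value; PackageCode identifies the specific whopper.msi build and is the value to pivot on when hunting for other drops of the same package.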
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1616 | client32.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid | process
4804 | msiexec.exe
4804 | msiexec.exe
4120 | MSI6D4A.tmp
4120 | MSI6D4A.tmp
4120 | MSI6D4A.tmp
4120 | MSI6D4A.tmp
3616 | client32.exe
3616 | client32.exe
1616 | client32.exe
1616 | client32.exe
1616 | client32.exe
1616 | client32.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4484 | Market_Time_New_Conditions.exe
Token: SeShutdownPrivilege | 1228 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1228 | msiexec.exe
Token: SeSecurityPrivilege | 4804 | msiexec.exe
Token: SeCreateTokenPrivilege | 1228 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 1228 | msiexec.exe
Token: SeLockMemoryPrivilege | 1228 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1228 | msiexec.exe
Token: SeMachineAccountPrivilege | 1228 | msiexec.exe
Token: SeTcbPrivilege | 1228 | msiexec.exe
Token: SeSecurityPrivilege | 1228 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1228 | msiexec.exe
Token: SeLoadDriverPrivilege | 1228 | msiexec.exe
Token: SeSystemProfilePrivilege | 1228 | msiexec.exe
Token: SeSystemtimePrivilege | 1228 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 1228 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 1228 | msiexec.exe
Token: SeCreatePagefilePrivilege | 1228 | msiexec.exe
Token: SeCreatePermanentPrivilege | 1228 | msiexec.exe
Token: SeBackupPrivilege | 1228 | msiexec.exe
Token: SeRestorePrivilege | 1228 | msiexec.exe
Token: SeShutdownPrivilege | 1228 | msiexec.exe
Token: SeDebugPrivilege | 1228 | msiexec.exe
Token: SeAuditPrivilege | 1228 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 1228 | msiexec.exe
Token: SeChangeNotifyPrivilege | 1228 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 1228 | msiexec.exe
Token: SeUndockPrivilege | 1228 | msiexec.exe
Token: SeSyncAgentPrivilege | 1228 | msiexec.exe
Token: SeEnableDelegationPrivilege | 1228 | msiexec.exe
Token: SeManageVolumePrivilege | 1228 | msiexec.exe
Token: SeImpersonatePrivilege | 1228 | msiexec.exe
Token: SeCreateGlobalPrivilege | 1228 | msiexec.exe
Token: SeRestorePrivilege | 4804 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4804 | msiexec.exe
Token: SeRestorePrivilege | 4804 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4804 | msiexec.exe
Token: SeRestorePrivilege | 4804 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4804 | msiexec.exe
Token: SeRestorePrivilege | 4804 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4804 | msiexec.exe
Token: SeRestorePrivilege | 4804 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4804 | msiexec.exe
Token: SeRestorePrivilege | 4804 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4804 | msiexec.exe
Token: SeRestorePrivilege | 4804 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4804 | msiexec.exe
Token: SeRestorePrivilege | 4804 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4804 | msiexec.exe
Token: SeRestorePrivilege | 4804 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4804 | msiexec.exe
Token: SeRestorePrivilege | 4804 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4804 | msiexec.exe
Token: SeRestorePrivilege | 4804 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4804 | msiexec.exe
Token: SeRestorePrivilege | 4804 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4804 | msiexec.exe
Token: SeRestorePrivilege | 4804 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4804 | msiexec.exe
Token: SeRestorePrivilege | 4804 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4804 | msiexec.exe
Token: SeRestorePrivilege | 4804 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4804 | msiexec.exe
Token: SeRestorePrivilege | 4804 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
1616 | client32.exe
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes:
description | pid | process | target process
PID 4484 wrote to memory of 1228 | 4484 | Market_Time_New_Conditions.exe | msiexec.exe
PID 4484 wrote to memory of 1228 | 4484 | Market_Time_New_Conditions.exe | msiexec.exe
PID 4484 wrote to memory of 1228 | 4484 | Market_Time_New_Conditions.exe | msiexec.exe
PID 4804 wrote to memory of 2440 | 4804 | msiexec.exe | MsiExec.exe
PID 4804 wrote to memory of 2440 | 4804 | msiexec.exe | MsiExec.exe
PID 4804 wrote to memory of 2440 | 4804 | msiexec.exe | MsiExec.exe
PID 4804 wrote to memory of 3340 | 4804 | msiexec.exe | cmd.exe
PID 4804 wrote to memory of 3340 | 4804 | msiexec.exe | cmd.exe
PID 3340 wrote to memory of 3760 | 3340 | cmd.exe | attrib.exe
PID 3340 wrote to memory of 3760 | 3340 | cmd.exe | attrib.exe
PID 3340 wrote to memory of 3760 | 3340 | cmd.exe | attrib.exe
PID 4804 wrote to memory of 4524 | 4804 | msiexec.exe | MSI54F6.tmp
PID 4804 wrote to memory of 4524 | 4804 | msiexec.exe | MSI54F6.tmp
PID 4804 wrote to memory of 4524 | 4804 | msiexec.exe | MSI54F6.tmp
PID 4804 wrote to memory of 4440 | 4804 | msiexec.exe | MsiExec.exe
PID 4804 wrote to memory of 4440 | 4804 | msiexec.exe | MsiExec.exe
PID 4804 wrote to memory of 4440 | 4804 | msiexec.exe | MsiExec.exe
PID 4804 wrote to memory of 1480 | 4804 | msiexec.exe | MSI5AF8.tmp
PID 4804 wrote to memory of 1480 | 4804 | msiexec.exe | MSI5AF8.tmp
PID 4804 wrote to memory of 1480 | 4804 | msiexec.exe | MSI5AF8.tmp
PID 4804 wrote to memory of 64 | 4804 | msiexec.exe | checkdvd.exe
PID 4804 wrote to memory of 64 | 4804 | msiexec.exe | checkdvd.exe
PID 4804 wrote to memory of 64 | 4804 | msiexec.exe | checkdvd.exe
PID 4804 wrote to memory of 4120 | 4804 | msiexec.exe | MSI6D4A.tmp
PID 4804 wrote to memory of 4120 | 4804 | msiexec.exe | MSI6D4A.tmp
PID 4804 wrote to memory of 4120 | 4804 | msiexec.exe | MSI6D4A.tmp
PID 4120 wrote to memory of 232 | 4120 | MSI6D4A.tmp | winst64.exe
PID 4120 wrote to memory of 232 | 4120 | MSI6D4A.tmp | winst64.exe
PID 4804 wrote to memory of 2220 | 4804 | msiexec.exe | MSI74AF.tmp
PID 4804 wrote to memory of 2220 | 4804 | msiexec.exe | MSI74AF.tmp
PID 4804 wrote to memory of 2220 | 4804 | msiexec.exe | MSI74AF.tmp
PID 3616 wrote to memory of 1616 | 3616 | client32.exe | client32.exe
PID 3616 wrote to memory of 1616 | 3616 | client32.exe | client32.exe
PID 3616 wrote to memory of 1616 | 3616 | client32.exe | client32.exe
PID 4804 wrote to memory of 3888 | 4804 | msiexec.exe | pcicfgui_client.exe
PID 4804 wrote to memory of 3888 | 4804 | msiexec.exe | pcicfgui_client.exe
PID 4804 wrote to memory of 3888 | 4804 | msiexec.exe | pcicfgui_client.exe
PID 3888 wrote to memory of 948 | 3888 | pcicfgui_client.exe | pcicfgui_client.exe
PID 3888 wrote to memory of 948 | 3888 | pcicfgui_client.exe | pcicfgui_client.exe
PID 3888 wrote to memory of 948 | 3888 | pcicfgui_client.exe | pcicfgui_client.exe
PID 1616 wrote to memory of 2632 | 1616 | client32.exe | cscript.exe
PID 1616 wrote to memory of 2632 | 1616 | client32.exe | cscript.exe
PID 1616 wrote to memory of 2632 | 1616 | client32.exe | cscript.exe
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
[1] Market_Time_New_Conditions.exe (PID 4484)
    Image: C:\Users\Admin\AppData\Local\Temp\Market_Time_New_Conditions.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Market_Time_New_Conditions.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] msiexec.exe (PID 1228)
        Image: C:\Windows\SysWOW64\msiexec.exe
        Command line: "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\ibcbwacl.fho\whopper.msi /q
        - Suspicious use of AdjustPrivilegeToken
[1] msiexec.exe (PID 4804)
    Image: C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] MsiExec.exe (PID 2440)
        Image: C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E2DE02605713CA7F0CE658F432EDB4A0
        - Loads dropped DLL
    [2] cmd.exe (PID 3340)
        Image: C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{FC61B946-B9CF-4AD3-9042-4FF8CFF0440A}\\nsm.lic"
        - Suspicious use of WriteProcessMemory
        [3] attrib.exe (PID 3760)
            Image: C:\Windows\SysWOW64\attrib.exe
            Command line: ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{FC61B946-B9CF-4AD3-9042-4FF8CFF0440A}\\nsm.lic"
            - Views/modifies file attributes
    [2] MSI54F6.tmp (PID 4524)
        Image: C:\Windows\Installer\MSI54F6.tmp
        Command line: "C:\Windows\Installer\MSI54F6.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EU
        - Executes dropped EXE
    [2] MsiExec.exe (PID 4440)
        Image: C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 0D57307C35BFAB0B5DD3A5622F9915EA E Global\MSI0000
        - Loads dropped DLL
        - Modifies registry class
    [2] MSI5AF8.tmp (PID 1480)
        Image: C:\Windows\Installer\MSI5AF8.tmp
        Command line: "C:\Windows\Installer\MSI5AF8.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EU
        - Executes dropped EXE
    [2] checkdvd.exe (PID 64)
        Image: C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe
        Command line: "C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe"
        - Executes dropped EXE
    [2] MSI6D4A.tmp (PID 4120)
        Image: C:\Windows\Installer\MSI6D4A.tmp
        Command line: "C:\Windows\Installer\MSI6D4A.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EV"NetSupport School" /EF".\Log Files" /EF".\Bookmarks" /EF".\Tests" /EF".\Store" /EF".\inv" /EF".\Resources" /EF".\Help" /EF".\Image" /EF".\Sound" /EF".\Video" /EA /EX /EC /Q /V /Q /I *
        - Sets service image path in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies WinLogon
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [3] winst64.exe (PID 232)
            Image: C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe
            Command line: winst64.exe /q /q /ex /i
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Loads dropped DLL
            - Registers COM server for autorun
            - Drops file in System32 directory
            - Modifies registry class
    [2] MSI74AF.tmp (PID 2220)
        Image: C:\Windows\Installer\MSI74AF.tmp
        Command line: "C:\Windows\Installer\MSI74AF.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EI
        - Executes dropped EXE
    [2] pcicfgui_client.exe (PID 3888)
        Image: C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe
        Command line: "C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe" /Q "C:\Program Files (x86)\NetSupport\NetSupport Manager\Client32.ini"
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of WriteProcessMemory
        [3] pcicfgui_client.exe (PID 948)
            Image: C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe
            Command line: "C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe"
            - Executes dropped EXE
[1] client32.exe (PID 3616)
    Image: C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe
    Command line: "C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* *
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] client32.exe (PID 1616)
        Image: C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe
        Command line: "C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" * /VistaUI
        - Executes dropped EXE
        - Loads dropped DLL
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Checks SCSI registry key(s)
        - Checks processor information in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        [3] cscript.exe (PID 2632)
            Image: C:\Windows\SysWOW64\cscript.exe
            Command line: "cscript.exe" C:\Windows\system32\Printing_Admin_Scripts\en-US\prnport.vbs -a -r NSM001 -h 127.0.0.1 -o raw -n 58128
            - Modifies data under HKEY_USERS
[1] svchost.exe (PID 4204)
    Image: C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    - Modifies data under HKEY_USERS
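Detection logic for the chain in this tree, added here as an example; it is not code from the sandbox report or from NetSupport. The events are constructed from the tree above (the PIDs, image paths and command lines as the report lists them) plus one constructed benign control; the Sysmon-style field names, the benign event and the rule names are assumptions. Two points the tree itself makes and the rules depend on: PID 1228 was launched as C:\Windows\System32\msiexec.exe but its image is C:\Windows\SysWOW64\msiexec.exe, because a 32-bit parent is redirected by WoW64, so rules match on the resolved image rather than on the command line; and client32.exe is a legitimately sold product, so the last rule only reports its presence for reconciliation against the software inventory rather than treating it as malicious on its own.

```python
"""Hunt rules for the install chain in the process tree above.

Added example; not code from the sandbox report or from NetSupport. The
events are constructed from the tree (PIDs, image paths and command lines
as the report lists them) plus one constructed benign control. Field names
mirror Sysmon Event ID 1 but are an assumption, as are the rule names.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int       # 0: parent outside the captured window (service-started root)
    image: str      # resolved image path, i.e. SysWOW64 for WoW64-redirected launches
    cmdline: str


NS = r"C:\Program Files (x86)\NetSupport\NetSupport Manager"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
LIC = r'\{FC61B946-B9CF-4AD3-9042-4FF8CFF0440A}\\nsm.lic"'

# Constructed from the report's process tree.
EVENTS = [
    ProcEvent(4484, 0, TMP + r"\Market_Time_New_Conditions.exe",
              '"' + TMP + r'\Market_Time_New_Conditions.exe"'),
    ProcEvent(1228, 4484, r"C:\Windows\SysWOW64\msiexec.exe",
              r'"C:\Windows\System32\msiexec.exe" /i ' + TMP + r"\ibcbwacl.fho\whopper.msi /q"),
    ProcEvent(4804, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(3340, 4804, r"C:\Windows\system32\cmd.exe", 'cmd.exe /c ATTRIB -R "' + TMP + LIC),
    ProcEvent(3760, 3340, r"C:\Windows\SysWOW64\attrib.exe", 'ATTRIB -R "' + TMP + LIC),
    ProcEvent(3616, 0, NS + r"\client32.exe", '"' + NS + r'\client32.exe" /* *'),
    ProcEvent(1616, 3616, NS + r"\client32.exe", '"' + NS + r'\client32.exe" * /VistaUI'),
    ProcEvent(2632, 1616, r"C:\Windows\SysWOW64\cscript.exe",
              r'"cscript.exe" C:\Windows\system32\Printing_Admin_Scripts\en-US\prnport.vbs'
              r" -a -r NSM001 -h 127.0.0.1 -o raw -n 58128"),
    # Constructed benign control: an interactive (non-quiet) MSI install from Downloads.
    ProcEvent(5000, 4000, r"C:\Windows\System32\msiexec.exe",
              r'"C:\Windows\System32\msiexec.ex" /i C:\Users\Admin\Downloads\vendor_tool.msi'.replace(".ex\"", ".exe\"")),
]

USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Users\\Public)\\", re.I)
MSI_INSTALL = re.compile(r"(?:^|\s)/i\s", re.I)
MSI_QUIET = re.compile(r"(?:^|\s)/(?:q[nb]?|quiet)(?:\s|$)", re.I)
LIC_ATTRIB = re.compile(r"attrib\s+-r\b.*nsm\.lic", re.I)
PRNPORT_LOOPBACK = re.compile(r"prnport\.vbs.*\s-a\b.*-h\s+127\.0\.0\.1\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from pid up to the captured root, following ppid links."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return (pid, rule) pairs. Rules match on the resolved image path, not the
    command line: PID 1228 was launched as System32\\msiexec.exe but runs from
    SysWOW64 because its 32-bit parent was redirected by WoW64."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        if name == "msiexec.exe" and MSI_INSTALL.search(e.cmdline) \
                and MSI_QUIET.search(e.cmdline) and USER_WRITABLE.search(e.cmdline):
            rule = "silent_msi_from_user_dir"
            if parent and USER_WRITABLE.search(parent.image):
                rule += "+parent_in_user_dir"    # dropper in Temp spawning msiexec
            hits.append((e.pid, rule))
        if name in ("cmd.exe", "attrib.exe") and LIC_ATTRIB.search(e.cmdline):
            hits.append((e.pid, "netsupport_license_attrib"))
        if name == "cscript.exe" and PRNPORT_LOOPBACK.search(e.cmdline):
            hits.append((e.pid, "loopback_raw_printer_port"))
        if name == "client32.exe":     # legitimate product: reconcile with software inventory
            hits.append((e.pid, "netsupport_client32"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule, "<-", " <- ".join(ancestry(EVENTS, pid)))
```

Run directly it prints each hit with its parent chain. The registry-side indicators listed under "Modifies registry class" above (the COM and Installer keys written by msiexec.exe, MSI6D4A.tmp and winst64.exe) are not process events and need a separate registry-event rule.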
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (2)
Downloads
-
Filesize 43KB
MD5 fa710a744bd7b4505ff8e9ccc46a0bc3
SHA1 661dc100ad1b418e4da79eac331ce3e111dc7063
SHA256 7989b57d7fb600eb628eaa2f88fc80c7b392a2b29d2f3e15480ad8f3add37e96
SHA512 9f6dbbb2f59726d8ce5ecfaf20dd17b27c1bd2c755038665c341e47480b5560c87a39cf6e719253e9e2cf752edd7593185ed61b20aa7717abfed37df099989f5
-
Filesize 742KB
MD5 3dcc148a999c6fe570b61a0cb8635057
SHA1 cd6d084b0b696f6d4083ff0b81c8b64956c221e4
SHA256 55c901291f733771c04cf3eef0c831f7923652001d316ed58f3f620be706c5bc
SHA512 1bc406cdd72f5791f71e9f0dff380174f92c764a2323c1ba95fb38a5a5b01a85535c62d4a0f3f36a38839a524246fb27c86c8a92304a578492ea0a66ebe4d314
-
Filesize 7KB
MD5 ecebf33c351a8f487e1e5dbfcbeee352
SHA1 64c3f5dcc9bf09440b9f935c47fcdea4fa53740f
SHA256 6acc3f9012eddea3874404a805c3f0453593bc8d09b19ee44f55a00ce14827d9
SHA512 4ac1b79bc092bc1cbbfdb51ecd0937aad486ee34813c198003af31ee706b251704bf88ae7b9d92358c6d26af056b97b129b8a387c9b326cf393d3814b2645725
-
Filesize 880B
MD5 f21c50aa6dc247c7b4284b61e76c525f
SHA1 873865fc3528f98713eb99f495beb90085a596e1
SHA256 587a341b24eab5e18ff78169d9ba5dc15181fc4390b801cd2c7f549440a4d24a
SHA512 6d49d33433d4971602b48140fd57d9fbd339fc1e1f352a3eb93e49f628018a0ad4f6c23c5e222e27decac07b1cb428beefe3004f218e525e058913d0e594e95e
-
Filesize 253B
MD5 d2c2217861f5535686409d80a0867f6f
SHA1 f4d90bebfcf8f501e5b9f0427028f696c3a191c7
SHA256 af9c79cf3af6a7e969208da78dfcfac54d6f956545b46f434d0e447cff94807b
SHA512 656deac03f9d81792e3d78108fb7d6754ca4a21a30f0e8da72e71f64b0b015dfc299d5478a8cc27acb05a0ec7e01c2c1cfcc9eb40041e4fe0a790414e42b4a37
-
Filesize 11.0MB
MD5 fe67aa0ba045bf84861f1f6a65749ebd
SHA1 777a28dc06204438b797c0b8d924713350d5c87f
SHA256 016b1bb3c921add87c24d78449db3d4c0760512cd16cc80782bc7d2b6eefd143
SHA512 dc36b03f0418c41e3665c1b2707b2b0fa36d5854197767771a4513be7527e9b4853e101d830d6848f72066c4329b7fee828977ab78bc116186226c6622ae94b4
-
Filesize 6.5MB
MD5 0c74e5ae7fc61202d305f16e4e8433a1
SHA1 d07bdd8e2a41a1ef1899036c614bbc999d42d8ee
SHA256 f4153bb9e48f2b638e511b6d346cb1f83a8d5c3294a40dcb3f839aa729773294
SHA512 bbcc6dacbfe35dd143e35c21b3ba50c804f1f50a2bb0a78ef7818be01929bddd670bc1e13eb609c86a9db357be87908f24d2da68cf3036772f34160dae19d406
-
Filesize 506B
MD5 ff7c0d2dbb9195083bbabaff482d5ed6
SHA1 5c2efbf855c376ce1b93e681c54a367a407495dc
SHA256 065d817596d710d5a06060241acc207b82b844530cc56ff842ff53d8ff92a075
SHA512 ea226b3a55fc59175136f104df497ebf5055624fb1c1c8073b249dfc5e1ed5818a6feee995aa82cf9ed050f1adc7a62994c90b1af03569dfe0d4551ee2bc70c9
-
Filesize 169KB
MD5 0e6fda2b8425c9513c774cf29a1bc72d
SHA1 a79ffa24cb5956398ded44da24793a2067b85dd0
SHA256 e946b2fae0b36c43064463a8c16a2774adac30c4188c5af90e9338b903c501c9
SHA512 285bb7759a1214abed36162ac8be2d48df17a05278c4de97562448e20fd43b635563a6819f37e23d92a5f5ed0205a68bffe43dac0d3a67513bd0303b4e7f89aa
-
Filesize 511KB
MD5 d524b639a3a088155981b9b4efa55631
SHA1 39d8eea673c02c1522b110829b93d61310555b98
SHA256 03d91c8cd20b846625a092a3dae6a12369930c65d6216a455a00449ebb0dc289
SHA512 84f8ab54122f93a40da08fd83bca767ab49eb0f73c4ab274d9bda11dd09224134df011fa02e5a3abbafcc6fbef6a60673dd48feabdf829a1e22c85a2a759b7ac
-
Filesize 505KB
MD5 ea15a2262abd2cb7c4d241a58ba92d51
SHA1 307b5da3ea460dc7f3bc3e8420acb526a9d51233
SHA256 30c9c51a46dd6a3405f73c3ebc96199e08299315990c0ed53c4fd72498aaf002
SHA512 c552acafb70a4561d049f8bda3a58d3858a5df7380a93a9bef47ff5a2c99c605f4f408fc6a4a147bbf7c0b2231475e9629609036f9d1c354890d6a4ce0833eb3
-
Filesize 153KB
MD5 a1b7850763af9593b66ee459a081bddf
SHA1 6e45955fae2b2494902a1b55a3873e542f0f5ce4
SHA256 41b8e92deba5206c78817236ed7f44df95636ca748d95fab05f032f5aec186af
SHA512 a87a302a9a0d19d7ce293b42f5e7bc09664b21307a5321f226157fcc57eb2df2b59c6651878cb23969a182c82b55e8671ff00f8462194b81a907974a49cb25b1
-
Filesize 448KB
MD5 2d16190938ed8fbe7a39edbd172e5374
SHA1 183a4f1c92a762e48d5b0171b6e002f51395352b
SHA256 1c0b33e7e648c877537e47051e799a4feda0c6ee200f0bedcf1e393e853f437c
SHA512 f75a792d9c8cda3f79b5addb7e80b598f576dd7bf895eae017a5605f727de15f0605a7bf1d1546bbbb1239cb4f68d3f65543a3ae1c62c5fb409eed9a5749d6ad
-
Filesize 164KB
MD5 7d754a7f0d51626a1b139d555da4ae0e
SHA1 3bfdcebb18cd151c6b1b007fa546aec0c08b8cde
SHA256 02324ec9dbcfbf8a2a923b4f86a4108fd1a9c8e7f78f1b8ff9706a4edbc82f9f
SHA512 004cb932456335ed82fa2c5c6fb089d4398feaa16b8fd7189e3c6e5097b69c6e06dec2fe57c76c4314b6dc66533aef56ddf80fb28a9cc6cc3d35e52af9f0d033
-
Filesize 0B (these are the digests of an empty file: a zero-byte drop, not a failed hash)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize 244KB
MD5 c4ca339bc85aae8999e4b101556239dd
SHA1 d090fc385e0002e35db276960a360c67c4fc85cd
SHA256 4ab23609cdc64d10b97c9ccb285ed7100f55d54d983cd50762da25ecac4357f9
SHA512 9185ec32545fc838d7fef6c9e4dd222dd02114c661b0b344f16287d55e6571bfe7a4233a852acc579d07bcdbab18c5c034c465b1f4bb78535ed51c3499087fe0