ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf

Analysis

max time kernel
123s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Size

11.8MB
MD5

d704e453e065a23ed414927d9b203086
SHA1

352e4b98faebc35f5c8cfeaebb7bcb36d7c7fbfc
SHA256

ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf
SHA512

0ec2c8cd14a7f4dfd704b19729239ee78e54fc1fb87ba1a2a80da4b7d595fd573861271ca220c3a7b264209ceed1ca96da12d6bdf2b34c35771790cd6337cf49
SSDEEP

196608:AAKBx4px+sN23RSEfvYfXf1v3j+FX3/yXg3Kf5T72gFUbUamFbSf4k5EBGUQ:AAK/4px/23bfvYvf1bI/8RfVGwdFbSfD

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe

description	ioc	process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\L:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\T:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\V:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\Y:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\P:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\G:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\Z:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\E:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\I:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\J:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\H:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\R:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\U:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\W:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\X:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\O:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Loads dropped DLL 11 IoCs

Processes:

MsiExec.exe

pid	process
2140	MsiExec.exe
2140	MsiExec.exe
2140	MsiExec.exe
2140	MsiExec.exe
2140	MsiExec.exe
2140	MsiExec.exe
2140	MsiExec.exe
2140	MsiExec.exe
2140	MsiExec.exe
2140	MsiExec.exe
2140	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 7 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe

description	pid	process
Token: SeRestorePrivilege	2184	msiexec.exe
Token: SeTakeOwnershipPrivilege	2184	msiexec.exe
Token: SeSecurityPrivilege	2184	msiexec.exe
Token: SeCreateTokenPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeAssignPrimaryTokenPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeLockMemoryPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeIncreaseQuotaPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeMachineAccountPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeTcbPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSecurityPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeTakeOwnershipPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeLoadDriverPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSystemProfilePrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSystemtimePrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeProfSingleProcessPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeIncBasePriorityPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeCreatePagefilePrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeCreatePermanentPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeBackupPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeRestorePrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeShutdownPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeDebugPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeAuditPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSystemEnvironmentPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeChangeNotifyPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeRemoteShutdownPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeUndockPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSyncAgentPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeEnableDelegationPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeManageVolumePrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeImpersonatePrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeCreateGlobalPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeCreateTokenPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeAssignPrimaryTokenPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeLockMemoryPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeIncreaseQuotaPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeMachineAccountPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeTcbPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSecurityPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeTakeOwnershipPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeLoadDriverPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSystemProfilePrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSystemtimePrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeProfSingleProcessPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeIncBasePriorityPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeCreatePagefilePrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeCreatePermanentPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeBackupPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeRestorePrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeShutdownPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeDebugPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeAuditPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSystemEnvironmentPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeChangeNotifyPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeRemoteShutdownPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeUndockPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSyncAgentPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeEnableDelegationPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeManageVolumePrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeImpersonatePrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeCreateGlobalPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeCreateTokenPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeAssignPrimaryTokenPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeLockMemoryPrivilege	2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe

pid process

2988 ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe

pid	process
2988	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2184 wrote to memory of 2140	2184	msiexec.exe	MsiExec.exe
PID 2184 wrote to memory of 2140	2184	msiexec.exe	MsiExec.exe
PID 2184 wrote to memory of 2140	2184	msiexec.exe	MsiExec.exe
PID 2184 wrote to memory of 2140	2184	msiexec.exe	MsiExec.exe
PID 2184 wrote to memory of 2140	2184	msiexec.exe	MsiExec.exe
PID 2184 wrote to memory of 2140	2184	msiexec.exe	MsiExec.exe
PID 2184 wrote to memory of 2140	2184	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
"C:\Users\Admin\AppData\Local\Temp\ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2988

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 91F115FC0FC0A4B2A17DFCA0C29951DF C
2⤵
- Loads dropped DLL
PID:2140

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f61ce891c0c77ff9762f680e2cfc869d

SHA1
58d602027f64d846815ec1f7be78c0d931b034da

SHA256
2ff968a82e6a7be7bea6c3a15dadf98028dc0cf53db5b015793ad94882518f1f

SHA512
b22f16e767fa08933b089f0481c02f03859caac2f1c327bdd47430edc12799b1df64116d209a12ccab287d59e2c3f77102fb4140b6ee63e19a5666b5b964ef84

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2988\TeraCopy.png
Filesize
43KB

MD5
f3e10dad17928bc47031a2205a26c17a

SHA1
8716244bc1ae996025246e1306db6f9a3bfe08a7

SHA256
9c7f720c1367e6ea08e4c8a93e7f1ea54f72328e85e1c04b58667383464dbf80

SHA512
180469a611cd9cdb73a74259125f334330915bc6ee6fee22851ed1fa7ce35ad61b501232be87a2fef8a0c887c3aabef913235def82c140cbf0c8fe285b406ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2988\aboutbtn
Filesize
1KB

MD5
b51b54b77e9cbfdb1063f7487c1c07ec

SHA1
8a8a7036cfbc86a537447bf71b9f6795923db8b9

SHA256
9d7243c688264329a8cb9e22da00b651e0a9407741d722e03dd67cc8b3ee1335

SHA512
04cef1aa3a530e7f03054369450eb42f36bf45c13c7445adf450ec4635a8601447c5bb6e978b3adabe9021019644681bf1609539eb548dd50ada973aac0c6555

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2988\background
Filesize
2KB

MD5
9e23da7c3cd3fb8113e698a12a3d3047

SHA1
6d021109495d77a53afe101f2b03a4da847e6d99

SHA256
b671008e5d4a15409051d7b3d2aa40f7c028e1dab5876c2882976793abb9356c

SHA512
65e885984681cee190764515f61bb8da3c29463b87f4371fff27ae4c4089af46c9b98910a847ec29d7368160d6aaf841fb93f1347c9abc47bce5cf997c8b4ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2988\buttonimgs
Filesize
1KB

MD5
7633f00ea029a3b988c354441f0f4722

SHA1
a72a74af68d006a35efcf9be6fe3424ff31fb84c

SHA256
ed127a86f01d767643af667c1d52525a3cb7632713b981896af72628da7ee7fa

SHA512
52c70cbd6fa3cc292a1d5b505b272d88b6f950eac4d24df750b7c8ce5bcacdff9fc9fdd0ccff8f081d05852559ae187f50d4e6b4f5f95e8c648a658d4b9a03b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2988\checkboximgs
Filesize
1KB

MD5
bf7ac146eb80de9d4d3e6b5a7998ebbf

SHA1
532b1bae084af1bb3a8880c47a509ce1bb804df3

SHA256
73616e9e679089cd5c580d5ef9cc96859f13509af8150fe081d67a1935ce4885

SHA512
ea5ed62de728d88cf598b0b9bb1da953b2ee7675cb71d04f022ce41b2697e0f02bef269181c09ede6c28c6946dd8944abbb487ab4be8b190fc9b72423ca4a905

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2988\custominstallbtn
Filesize
914B

MD5
fb33dcad5260941fc9261b1f378d5775

SHA1
5bfbefc05e1d1f41b10974b1ca43495053ad95f3

SHA256
9ccbc0baba2efe3424610a0f282626e2364473c5afc5cd6d485e6673bff3a862

SHA512
7cc5481fbcb4e4f0420da5196a209124f615c0b42e2f1ff5da444ac13c0d8698b5f20472ee1743c126d0bbdc6241e2ccbb58f6ac0970dba6aff74189d600f0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9D8A.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA69D.tmp
Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA96C.tmp
Filesize
1.1MB

MD5
25e52c5776a81e0c5ccb9bdd4c808c90

SHA1
e42104ef61ae4760a41552292091eb6a5089ced4

SHA256
0831dbcb3799c9e36ea586582e8ef907dcefeb2045351d6774c7ad0ef02a9af2

SHA512
746570c011e501505ec9d09077519bca1a485b0cac66229be6f4715a91ee52d5cc857de26ad8d7a33806ddfa580d2ba9f77759e3764ea761d327fe2f1e881292

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9E29.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA20A.tmp
Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\upd94EF.tmp
Filesize
822B

MD5
e750aa90012457a9c718ba564cc7c59d

SHA1
f2de0aebed40ab99ae10830a536b50282122102f

SHA256
9d48ea41da43018da9d980ffc26de5cb7601c5b8985985753bf0ea3a1e050e55

SHA512
fddadbfcc366af3aaa481d87bb5a1521f41090624048b39e4f77ba584eb161d6b19f32e22ec596e17b0f5792bbb353585a70b2b6455b5a4e59c3b810f515d818

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\TeraCopy.x64.msi
Filesize
5.6MB

MD5
9529d790607eca409b70c780f99e05a3

SHA1
c1852c6d0ce7ee0b424890a3d7e9c6ff338fd459

SHA256
c8077ad69802259fcb291e528c9be01eced4e7302c1dbd337d53bb879b6e7b02

SHA512
ab9debb175c7635ec3beb326c5a0f5486d7efb029872d6ddef4a64a9ba52cce4f2934f54e8b3bad6055d4277fca551a844cd1019239bf25fc7b7f6fa1e6779f4

Download Submit
\Users\Admin\AppData\Local\Temp\MSIABFF.tmp
Filesize
384KB

MD5
e7ee0ee84b9cea34dfcb6c9a007e3bf6

SHA1
b57b1a5cf80bad1c9b56ca2fdba3ddd127ae15f1

SHA256
a7a746f51494cc7d404d0d9718c0cb356ad26863858686cff3dbd90b32f86b10

SHA512
22919b44461dda9ec388c69ede3b4483af4df8984898a8122b8187414037d05bde80fc5d4d424db59ead667d2a63160416620933c753fb93cfc26ad628b6589e

Download Submit
memory/2988-0-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2988-231-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download