ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf

General

Target

ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Size

11.8MB
MD5

d704e453e065a23ed414927d9b203086
SHA1

352e4b98faebc35f5c8cfeaebb7bcb36d7c7fbfc
SHA256

ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf
SHA512

0ec2c8cd14a7f4dfd704b19729239ee78e54fc1fb87ba1a2a80da4b7d595fd573861271ca220c3a7b264209ceed1ca96da12d6bdf2b34c35771790cd6337cf49
SSDEEP

196608:AAKBx4px+sN23RSEfvYfXf1v3j+FX3/yXg3Kf5T72gFUbUamFbSf4k5EBGUQ:AAK/4px/23bfvYvf1bI/8RfVGwdFbSfD

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\I:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\M:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\Y:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\G:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\H:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\O:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\S:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\V:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\W:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\Q:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\Z:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\L:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\U:	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
File opened (read-only)	\??\B:	msiexec.exe

Loads dropped DLL 15 IoCs

Processes:

MsiExec.exe

pid	process
1864	MsiExec.exe
1864	MsiExec.exe
1864	MsiExec.exe
1864	MsiExec.exe
1864	MsiExec.exe
1864	MsiExec.exe
1864	MsiExec.exe
1864	MsiExec.exe
1864	MsiExec.exe
1864	MsiExec.exe
1864	MsiExec.exe
1864	MsiExec.exe
1864	MsiExec.exe
1864	MsiExec.exe
1864	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 1 IoCs

evasion

Processes:

ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Colors	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe

description	pid	process
Token: SeSecurityPrivilege	3024	msiexec.exe
Token: SeCreateTokenPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeAssignPrimaryTokenPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeLockMemoryPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeIncreaseQuotaPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeMachineAccountPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeTcbPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSecurityPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeTakeOwnershipPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeLoadDriverPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSystemProfilePrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSystemtimePrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeProfSingleProcessPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeIncBasePriorityPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeCreatePagefilePrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeCreatePermanentPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeBackupPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeRestorePrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeShutdownPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeDebugPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeAuditPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSystemEnvironmentPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeChangeNotifyPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeRemoteShutdownPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeUndockPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSyncAgentPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeEnableDelegationPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeManageVolumePrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeImpersonatePrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeCreateGlobalPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeCreateTokenPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeAssignPrimaryTokenPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeLockMemoryPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeIncreaseQuotaPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeMachineAccountPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeTcbPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSecurityPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeTakeOwnershipPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeLoadDriverPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSystemProfilePrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSystemtimePrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeProfSingleProcessPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeIncBasePriorityPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeCreatePagefilePrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeCreatePermanentPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeBackupPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeRestorePrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeShutdownPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeDebugPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeAuditPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSystemEnvironmentPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeChangeNotifyPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeRemoteShutdownPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeUndockPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeSyncAgentPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeEnableDelegationPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeManageVolumePrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeImpersonatePrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeCreateGlobalPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeCreateTokenPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeAssignPrimaryTokenPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeLockMemoryPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeIncreaseQuotaPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
Token: SeMachineAccountPrivilege	3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe

pid process

3100 ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe

pid	process
3100	ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 3024 wrote to memory of 1864	3024	msiexec.exe	MsiExec.exe
PID 3024 wrote to memory of 1864	3024	msiexec.exe	MsiExec.exe
PID 3024 wrote to memory of 1864	3024	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe
"C:\Users\Admin\AppData\Local\Temp\ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf.exe"
1⤵
- Enumerates connected drives
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3100

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 315E57A1F7CE762E215023118FFADFF3 C
2⤵
- Loads dropped DLL
PID:1864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI7EB7.tmp
Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8477.tmp
Filesize
1.1MB

MD5
25e52c5776a81e0c5ccb9bdd4c808c90

SHA1
e42104ef61ae4760a41552292091eb6a5089ced4

SHA256
0831dbcb3799c9e36ea586582e8ef907dcefeb2045351d6774c7ad0ef02a9af2

SHA512
746570c011e501505ec9d09077519bca1a485b0cac66229be6f4715a91ee52d5cc857de26ad8d7a33806ddfa580d2ba9f77759e3764ea761d327fe2f1e881292

Download Submit
C:\Users\Admin\AppData\Local\Temp\upd6CA4.tmp
Filesize
822B

MD5
e750aa90012457a9c718ba564cc7c59d

SHA1
f2de0aebed40ab99ae10830a536b50282122102f

SHA256
9d48ea41da43018da9d980ffc26de5cb7601c5b8985985753bf0ea3a1e050e55

SHA512
fddadbfcc366af3aaa481d87bb5a1521f41090624048b39e4f77ba584eb161d6b19f32e22ec596e17b0f5792bbb353585a70b2b6455b5a4e59c3b810f515d818

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\TeraCopy.x64.msi
Filesize
5.6MB

MD5
9529d790607eca409b70c780f99e05a3

SHA1
c1852c6d0ce7ee0b424890a3d7e9c6ff338fd459

SHA256
c8077ad69802259fcb291e528c9be01eced4e7302c1dbd337d53bb879b6e7b02

SHA512
ab9debb175c7635ec3beb326c5a0f5486d7efb029872d6ddef4a64a9ba52cce4f2934f54e8b3bad6055d4277fca551a844cd1019239bf25fc7b7f6fa1e6779f4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads