Analysis

- max time kernel: 25s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02/03/2024, 16:39

Static task: static1
General

- Target: -
- Size: 860KB
- MD5: b3dce5c3f95a18fd076fad0f73bb9e39
- SHA1: e80cc285a77302ee221f47e4e94823d4b2eba368
- SHA256: df2e3b2222dcdbb5e0dbdd1200ec8fd5f67fcbea99e0023df54307eab60030ff
- SHA512: c184436055cf74884ad0d2bd5ca00bcd5a62d6be46253fe8c71b4daaa5c710b9df34af1b6e41f6d1af94bcdec0d33679a6a1b34bf9755678b4e177f368c11d4c
- SSDEEP: 24576:TkRBL2LYcyvue73Ze+RrM31N0vhMN0T4+ZI:TkRBLgiue73Ze+SWI+Z
Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\delrstrui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KEOJFMRIICVIUAHYG.bat" (MsiExec.exe)
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by msiexec.exe, each of the following drives twice (46 entries in total): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Modifies WinLogon for persistence 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\pcdef.exe\"" (MsiExec.exe)
Drops file in Program Files directory 6 IoCs
- File created: C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe (msiexec.exe)
- File created: C:\Program Files (x86)\Def Group\PC Defender\prockill32.exe (msiexec.exe)
- File created: C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe (msiexec.exe)
- File created: C:\Program Files (x86)\Def Group\PC Defender\uninstall.bat (msiexec.exe)
- File created: C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe (msiexec.exe)
- File created: C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe (msiexec.exe)
Drops file in Windows directory 14 IoCs
- File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
- File created: C:\Windows\Installer\f764402.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File created: C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_368235FAFDAA3CD0178CB7.exe (msiexec.exe)
- File opened for modification: C:\Windows\Installer\f764405.ipi (msiexec.exe)
- File created: C:\Windows\Installer\f764405.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_FC03FB89D84E75F2C05EA5.exe (msiexec.exe)
- File opened for modification: C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_368235FAFDAA3CD0178CB7.exe (msiexec.exe)
- File created: C:\Windows\Installer\f764407.msi (msiexec.exe)
- File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
- File opened for modification: C:\Windows\Installer\f764402.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI44DD.tmp (msiexec.exe)
- File created: C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_FC03FB89D84E75F2C05EA5.exe (msiexec.exe)
Executes dropped EXE 6 IoCs
- PID 3040 rundelay.exe
- PID 1284 rundelay.exe
- PID 2876 pcdef.exe
- PID 2128 prockill64.exe
- PID 1804 prockill64.exe
- PID 2000 proccheck.exe
Loads dropped DLL 6 IoCs
- PID 2832 MsiExec.exe (2 entries)
- PID 2876 pcdef.exe (3 entries)
- PID 1796 Process not Found (1 entry)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
- Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main (pcdef.exe)
Modifies data under HKEY_USERS 49 IoCs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates (DrvInst.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (rundelay.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (DrvInst.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E (msiexec.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople (DrvInst.exe)
- Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D (msiexec.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (rundelay.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople (DrvInst.exe)
- Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E (msiexec.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs (DrvInst.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs (DrvInst.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (rundelay.exe)
Modifies registry class 44 IoCs
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\Clients = 3a0000000000 (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\AuthorizedLUAApp = "0" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9E6DD28BF81ED654F84A0E1B229F9D5B (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\PackageName = "[email protected]" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Media (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Version = "33554432" (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Net (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\Assignment = "1" (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Media\1 = ";" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\AuthorizedLUAApp = "0" (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Media (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\InstanceType = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Net (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\AdvertiseFlags = "388" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\Language = "1033" (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\PackageCode = "793E8A3EDC915D546911442ABED08716" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\21B3A6546EF8EA14E9C5E5550F17C290\DefaultFeature (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\ProductName = "PC Defender" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\Version = "33554432" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\AdvertiseFlags = "388" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Language = "1033" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\DeploymentFlags = "3" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\PackageCode = "793E8A3EDC915D546911442ABED08716" (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9E6DD28BF81ED654F84A0E1B229F9D5B\21B3A6546EF8EA14E9C5E5550F17C290 (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\PackageName = "[email protected]" (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\21B3A6546EF8EA14E9C5E5550F17C290 (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\DeploymentFlags = "3" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Net (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\ProductName = "PC Defender" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Assignment = "1" (reg.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Clients = 3a0000000000 (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media\1 = ";" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\InstanceType = "0" (msiexec.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 2328 msiexec.exe (2 entries)
- PID 2876 pcdef.exe (8 entries)
- PID 2128 prockill64.exe (28 entries)
- PID 1804 prockill64.exe (20 entries)
- PID 2000 proccheck.exe (6 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
- PID 2088 msiexec.exe (31 entries): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- PID 2328 msiexec.exe (20 entries): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating (7 pairs) and a final SeRestorePrivilege
- PID 2120 vssvc.exe (3 entries): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- PID 2464 DrvInst.exe (10 entries): SeRestorePrivilege (7 times), SeLoadDriverPrivilege (3 times)
Suspicious use of FindShellTrayWindow 3 IoCs
- PID 2088 msiexec.exe (2 entries)
- PID 2876 pcdef.exe (1 entry)
Suspicious use of SendNotifyMessage 1 IoCs
- PID 2876 pcdef.exe
Suspicious use of SetWindowsHookEx 11 IoCs
- PID 2876 pcdef.exe (11 entries)
Suspicious use of WriteProcessMemory 46 IoCs
- PID 2328 (msiexec.exe) wrote to memory of PID 2832 (procid_target 32): 7 entries
- PID 2832 (MsiExec.exe) wrote to memory of PID 600 (procid_target 35): 4 entries
- PID 2832 (MsiExec.exe) wrote to memory of PID 1520 (procid_target 37): 4 entries
- PID 2832 (MsiExec.exe) wrote to memory of PID 1552 (procid_target 39): 4 entries
- PID 2832 (MsiExec.exe) wrote to memory of PID 632 (procid_target 41): 4 entries
- PID 2832 (MsiExec.exe) wrote to memory of PID 1916 (procid_target 43): 4 entries
- PID 2832 (MsiExec.exe) wrote to memory of PID 3040 (procid_target 45): 4 entries
- PID 3040 (rundelay.exe) wrote to memory of PID 1284 (procid_target 47): 4 entries
- PID 2876 (pcdef.exe) wrote to memory of PID 2128 (procid_target 50): 4 entries
- PID 2128 (prockill64.exe) wrote to memory of PID 1804 (procid_target 52): 3 entries
- PID 2876 (pcdef.exe) wrote to memory of PID 2000 (procid_target 54): 4 entries
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Windows\system32\msiexec.exe (PID 2088)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\[email protected]
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 2328)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\syswow64\MsiExec.exe (PID 2832)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1CA0AD245359E96357DBF35FBBD452D9 M Global\MSI0000
    - Adds Run key to start application
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\reg.exe (PID 600)
      Command line: "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f

    - C:\Windows\SysWOW64\reg.exe (PID 1520)
      Command line: "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f

    - C:\Windows\SysWOW64\reg.exe (PID 1552)
      Command line: "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
      - Modifies registry class

    - C:\Windows\SysWOW64\reg.exe (PID 632)
      Command line: "C:\Windows\SysWOW64\reg.exe" DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 /f
      - Modifies registry class

    - C:\Windows\SysWOW64\cmd.exe (PID 1916)
      Command line: "C:\Windows\SysWOW64\cmd.exe" /C "DEL /F /Q C:\Windows\Prefetch\pcdef*"

    - C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe (PID 3040)
      Command line: "C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe" "shutdown -r -t 0"
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory

      - C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe (PID 1284)
        Command line: "C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe" "shutdown -r -t 0" 1
        - Executes dropped EXE

- C:\Windows\system32\vssvc.exe (PID 2120)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\DrvInst.exe (PID 2464)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000048C" "00000000000005A8"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

- C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe (PID 2876)
  Command line: "C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe (PID 2128)
    Command line: "C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    - C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe (PID 1804)
      Command line: "C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

  - C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe (PID 2000)
    Command line: "C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe" pcdef.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15

- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Downloads