Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
157s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
19/03/2024, 19:48 UTC
Static task
static1
Behavioral task
behavioral1
Sample
vcredist2005_x64.exe
Resource
win7-20240221-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
vcredist2005_x64.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
vcredist2005_x64.exe
-
Size
3.0MB
-
MD5
56eaf4e1237c974f6984edc93972c123
-
SHA1
ee916012783024dac67fc606457377932c826f05
-
SHA256
0551a61c85b718e1fa015b0c3e3f4c4eea0637055536c00e7969286b4fa663e0
-
SHA512
f8e15363e34db5b5445c41eea4dd80b2f682642cb8f1046f30ea4fb5f4f51b0b604f7bcb3000a35a7d3ba1d1bcc07df9b25e4533170c65640b2d137c19916736
-
SSDEEP
49152:+r67+stI6RWGTAdyvlADUrpTmcOgohwJpEM5grO3oc1OXZViFeRyDErkLUMHzkRN:AM9l8pUr9m30L5grOQXZKAsErkbQRN
Score
7/10
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 1080 MsiExec.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" vcredist2005_x64.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files (x86)\Common Files\Microsoft Shared\VC\amd64\msdia80.dll msiexec.exe -
Drops file in Windows directory 59 IoCs
description ioc Process File created C:\Windows\WinSxS\InstallTemp\20240319195005048.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_76301166.manifest msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195005048.0\msvcp80.dll msiexec.exe File opened for modification C:\Windows\WinSxS\InstallTemp\20240319195020461.0 msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319194951975.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_d6cffeda.manifest msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195005048.0\msvcr80.dll msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195021678.0\8.0.50727.6195.policy msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195020461.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.manifest msiexec.exe File opened for modification C:\Windows\WinSxS\InstallTemp\20240319195021693.0 msiexec.exe File created C:\Windows\Installer\f76f089.ipi msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195020461.0\mfc80ENU.dll msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195021350.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_7735df00.manifest msiexec.exe File opened for modification C:\Windows\WinSxS\InstallTemp\20240319194951975.0 msiexec.exe File opened for modification C:\Windows\WinSxS\InstallTemp\20240319195021350.0 msiexec.exe File opened for modification C:\Windows\WinSxS\InstallTemp\20240319195021506.0 msiexec.exe File created C:\Windows\Installer\f76f086.msi msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195005048.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_76301166.cat msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195021506.0\8.0.50727.6195.cat msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195021693.0\8.0.50727.6195.cat msiexec.exe File opened for modification C:\Windows\WinSxS\InstallTemp\20240319195019260.0 msiexec.exe File opened for modification C:\Windows\Installer\f76f086.msi msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319194951975.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_d6cffeda.cat msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195020461.0\mfc80CHS.dll msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195021350.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_7735df00.cat msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195021350.0\vcomp.dll msiexec.exe File opened for modification C:\Windows\WinSxS\InstallTemp\20240319195005048.0 msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195019260.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_4716846b.manifest msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195019260.0\mfcm80.dll msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195020461.0\mfc80ESP.dll msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195020461.0\mfc80DEU.dll msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195020461.0\mfc80JPN.dll msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\Installer\MSIF807.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2197.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File created C:\Windows\WinSxS\InstallTemp\20240319195020461.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.cat msiexec.exe File created C:\Windows\Installer\f76f08b.msi msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195020461.0\mfc80ITA.dll msiexec.exe File opened for modification C:\Windows\WinSxS\InstallTemp\20240319195021631.0 msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195019260.0\mfc80.dll msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195020461.0\mfc80CHT.dll msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195020461.0\mfc80FRA.dll msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195021646.0\8.0.50727.6195.cat msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195021693.0\8.0.50727.6195.policy msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195005048.0\msvcm80.dll msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195020461.0\mfc80KOR.dll msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195021646.0\8.0.50727.6195.policy msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\WinSxS\InstallTemp\20240319195021678.0\8.0.50727.6195.cat msiexec.exe File opened for modification C:\Windows\WinSxS\InstallTemp\20240319195021678.0 msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195021631.0\8.0.50727.6195.policy msiexec.exe File opened for modification C:\Windows\WinSxS\InstallTemp\20240319195021646.0 msiexec.exe File opened for modification C:\Windows\Installer\f76f089.ipi msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319194951975.0\ATL80.dll msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195019260.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_4716846b.cat msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195021506.0\8.0.50727.6195.policy msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195019260.0\mfc80u.dll msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195019260.0\mfcm80u.dll msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240319195021631.0\8.0.50727.6195.cat msiexec.exe -
Modifies data under HKEY_USERS 46 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe -
Modifies registry class 56 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6\1af2a8da7e60d0b429d7e6453b3d0182 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182\Servicing_Key msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00240062003000290043004b0076003d0035002700650038004d006b0062004900640046007700550000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007b004c0046003d0042004900620074004f002800650038004d006b0062004900640046007700550000000000 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\ProductName = "Microsoft Visual C++ 2005 Redistributable (x64)" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\AdvertiseFlags = "388" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007e0078002d00360076007a0045007a007e003200650038004d006b0062004900640046007700550000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e004b0039007000540041002700650026005d002900650038004d006b0062004900640046007700550000000000 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Win32Assemblies\Global msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Version = "134278728" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e005a00310021003d00520046007900460072005700650038004d006b0062004900640046007700550000000000 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e0049004c005400540052005900320074004f005700650038004d006b0062004900640046007700550000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\PackageName = "vcredist.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\PackageCode = "C558A51006735C645AEE5A0FC6A310C9" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Language = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFC,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e0069002a0048004e00530057007d0024007e005500650038004d006b0062004900640046007700550000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007a0050005400310026006e0073004b0064007a00650038004d006b0062004900640046007700550000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Assignment = "1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00530021004900240047002e004f005f0078006800650038004d006b0062004900640046007700550000000000 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00500054005d002700660025002b0027004b002800650038004d006b0062004900640046007700550000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]" msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182\VC_Redist msiexec.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 2412 msiexec.exe 2412 msiexec.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2512 msiexec.exe Token: SeIncreaseQuotaPrivilege 2512 msiexec.exe Token: SeRestorePrivilege 2412 msiexec.exe Token: SeTakeOwnershipPrivilege 2412 msiexec.exe Token: SeSecurityPrivilege 2412 msiexec.exe Token: SeCreateTokenPrivilege 2512 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2512 msiexec.exe Token: SeLockMemoryPrivilege 2512 msiexec.exe Token: SeIncreaseQuotaPrivilege 2512 msiexec.exe Token: SeMachineAccountPrivilege 2512 msiexec.exe Token: SeTcbPrivilege 2512 msiexec.exe Token: SeSecurityPrivilege 2512 msiexec.exe Token: SeTakeOwnershipPrivilege 2512 msiexec.exe Token: SeLoadDriverPrivilege 2512 msiexec.exe Token: SeSystemProfilePrivilege 2512 msiexec.exe Token: SeSystemtimePrivilege 2512 msiexec.exe Token: SeProfSingleProcessPrivilege 2512 msiexec.exe Token: SeIncBasePriorityPrivilege 2512 msiexec.exe Token: SeCreatePagefilePrivilege 2512 msiexec.exe Token: SeCreatePermanentPrivilege 2512 msiexec.exe Token: SeBackupPrivilege 2512 msiexec.exe Token: SeRestorePrivilege 2512 msiexec.exe Token: SeShutdownPrivilege 2512 msiexec.exe Token: SeDebugPrivilege 2512 msiexec.exe Token: SeAuditPrivilege 2512 msiexec.exe Token: SeSystemEnvironmentPrivilege 2512 msiexec.exe Token: SeChangeNotifyPrivilege 2512 msiexec.exe Token: SeRemoteShutdownPrivilege 2512 msiexec.exe Token: SeUndockPrivilege 2512 msiexec.exe Token: SeSyncAgentPrivilege 2512 msiexec.exe Token: SeEnableDelegationPrivilege 2512 msiexec.exe Token: SeManageVolumePrivilege 2512 msiexec.exe Token: SeImpersonatePrivilege 2512 msiexec.exe Token: SeCreateGlobalPrivilege 2512 msiexec.exe Token: SeBackupPrivilege 2788 vssvc.exe Token: SeRestorePrivilege 2788 vssvc.exe Token: SeAuditPrivilege 2788 vssvc.exe Token: SeBackupPrivilege 2412 msiexec.exe Token: SeRestorePrivilege 2412 msiexec.exe Token: SeRestorePrivilege 2060 DrvInst.exe Token: SeRestorePrivilege 2060 DrvInst.exe Token: SeRestorePrivilege 2060 DrvInst.exe Token: SeRestorePrivilege 2060 DrvInst.exe Token: SeRestorePrivilege 2060 DrvInst.exe Token: SeRestorePrivilege 2060 DrvInst.exe Token: SeRestorePrivilege 2060 DrvInst.exe Token: SeLoadDriverPrivilege 2060 DrvInst.exe Token: SeLoadDriverPrivilege 2060 DrvInst.exe Token: SeLoadDriverPrivilege 2060 DrvInst.exe Token: SeRestorePrivilege 2412 msiexec.exe Token: SeTakeOwnershipPrivilege 2412 msiexec.exe Token: SeRestorePrivilege 2412 msiexec.exe Token: SeTakeOwnershipPrivilege 2412 msiexec.exe Token: SeRestorePrivilege 2412 msiexec.exe Token: SeTakeOwnershipPrivilege 2412 msiexec.exe Token: SeRestorePrivilege 2412 msiexec.exe Token: SeTakeOwnershipPrivilege 2412 msiexec.exe Token: SeRestorePrivilege 2412 msiexec.exe Token: SeTakeOwnershipPrivilege 2412 msiexec.exe Token: SeRestorePrivilege 2412 msiexec.exe Token: SeTakeOwnershipPrivilege 2412 msiexec.exe Token: SeRestorePrivilege 2412 msiexec.exe Token: SeTakeOwnershipPrivilege 2412 msiexec.exe Token: SeRestorePrivilege 2412 msiexec.exe -
Suspicious use of FindShellTrayWindow 29 IoCs
pid Process 2512 msiexec.exe 2512 msiexec.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe -
Suspicious use of SendNotifyMessage 27 IoCs
pid Process 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe 608 taskmgr.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1088 wrote to memory of 2512 1088 vcredist2005_x64.exe 28 PID 1088 wrote to memory of 2512 1088 vcredist2005_x64.exe 28 PID 1088 wrote to memory of 2512 1088 vcredist2005_x64.exe 28 PID 1088 wrote to memory of 2512 1088 vcredist2005_x64.exe 28 PID 1088 wrote to memory of 2512 1088 vcredist2005_x64.exe 28 PID 1088 wrote to memory of 2512 1088 vcredist2005_x64.exe 28 PID 1088 wrote to memory of 2512 1088 vcredist2005_x64.exe 28 PID 2412 wrote to memory of 1080 2412 msiexec.exe 36 PID 2412 wrote to memory of 1080 2412 msiexec.exe 36 PID 2412 wrote to memory of 1080 2412 msiexec.exe 36 PID 2412 wrote to memory of 1080 2412 msiexec.exe 36 PID 2412 wrote to memory of 1080 2412 msiexec.exe 36 PID 2412 wrote to memory of 1080 2412 msiexec.exe 36 PID 2412 wrote to memory of 1080 2412 msiexec.exe 36 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\vcredist2005_x64.exe"C:\Users\Admin\AppData\Local\Temp\vcredist2005_x64.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\msiexec.exemsiexec /i vcredist.msi2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2512
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D0AD058EAA8924A481E1201C380315DD2⤵
- Loads dropped DLL
PID:1080
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2788
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:2388
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C0" "0000000000000274"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:608
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" SYSTEM1⤵PID:2068
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:992
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5ec77844790b3db9d1b0c6b65c6d1a111
SHA120a3fe7541d804b768041b51dc9b1c572a0e782e
SHA256e4f714fbb236c3bb0efd3c177a137887ac960e9da94d333bfd538d41fcec8363
SHA512991bb6a8b05cc558d9e9beb3e7c8edc520a78b14a5ac471adcf10712a5975a095c9296640f8656363728ea979c4a3f1569c1974856b0c90bb84edeffe38340f6
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
312KB
MD577a9bff5af149160775741e204734d47
SHA17b5126af69b5a79593f39db94180f1ff11b0e39d
SHA25620a26ed9a1edf7763a9b515522c5e29720048a482c7fbc8b7ff6bbdd27e61038
SHA512bb0440f58f07e113bddd9a0afb5aab8af6493218784fe5fa6f4032e3a37088f91b7e766dee87cec4a9ea11d425d27b3b536430de3a52222e8bca3e0247d81e3b
-
Filesize
3.0MB
MD56dbdf338a0a25cdb236d43ea3ca2395e
SHA1685b6ea61e574e628392eaac8b10aff4309f1081
SHA256200fef5d4994523a02c4daa00060db28eb289b99d47fc6c1305183101e72bdeb
SHA5126b5b31c55cf72ab92b17fb6074b3901a1e6afe0796ef9bc831e4dfb97450376d2889cd24b1cf3fce60eb3c1bcd1b31254b5cfa3ef6107974dfa0b35c233daf5a
-
Filesize
28KB
MD585221b3bcba8dbe4b4a46581aa49f760
SHA1746645c92594bfc739f77812d67cfd85f4b92474
SHA256f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f
SHA512060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d