1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-04-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe
Size

2.2MB
MD5

144bfc7f77a9b0b57d39e75ffda71ae1
SHA1

77ca0a359058ccabe720d310ee729ecd3e66561f
SHA256

1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3
SHA512

6a4a82e59b21ede7ae722aef50ceecf264cadffe4bc61d9f94d88c96c8e1d76b86b16cdd93e9440dd1f3c905cb2a0915b8d851b73dfcbeaab6756a3d2bf1c9d0
SSDEEP

49152:19UJj87k/a4nQkh6ZISIyR7fJATyIeOgWfPfyDLmd/DIuJxThJqEB6ZmKYGCsWH5:m8D4nQkhSRtATyIe+fPf6Lmd/DI0xT5N

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
1144	MsiExec.exe
1144	MsiExec.exe
1144	MsiExec.exe
1144	MsiExec.exe
1144	MsiExec.exe
1144	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\FWAInstaller = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe\" -r"	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Msiexec.exe
File opened (read-only)	\??\I:	Msiexec.exe
File opened (read-only)	\??\R:	Msiexec.exe
File opened (read-only)	\??\S:	Msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	Msiexec.exe
File opened (read-only)	\??\G:	Msiexec.exe
File opened (read-only)	\??\H:	Msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	Msiexec.exe
File opened (read-only)	\??\U:	Msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	Msiexec.exe
File opened (read-only)	\??\O:	Msiexec.exe
File opened (read-only)	\??\V:	Msiexec.exe
File opened (read-only)	\??\W:	Msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	Msiexec.exe
File opened (read-only)	\??\P:	Msiexec.exe
File opened (read-only)	\??\Q:	Msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	Msiexec.exe
File opened (read-only)	\??\T:	Msiexec.exe
File opened (read-only)	\??\Z:	Msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	Msiexec.exe
File opened (read-only)	\??\N:	Msiexec.exe
File opened (read-only)	\??\X:	Msiexec.exe
File opened (read-only)	\??\Y:	Msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f765976.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5CD3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5D60.tmp	msiexec.exe
File opened for modification	C:\Windows\Products.ini	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe
File opened for modification	C:\Windows\Installer\f765976.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A21.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5BF6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C45.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5E0D.tmp	msiexec.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeShutdownPrivilege	892	Msiexec.exe
Token: SeIncreaseQuotaPrivilege	892	Msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeSecurityPrivilege	2084	msiexec.exe
Token: SeCreateTokenPrivilege	892	Msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	892	Msiexec.exe
Token: SeLockMemoryPrivilege	892	Msiexec.exe
Token: SeIncreaseQuotaPrivilege	892	Msiexec.exe
Token: SeMachineAccountPrivilege	892	Msiexec.exe
Token: SeTcbPrivilege	892	Msiexec.exe
Token: SeSecurityPrivilege	892	Msiexec.exe
Token: SeTakeOwnershipPrivilege	892	Msiexec.exe
Token: SeLoadDriverPrivilege	892	Msiexec.exe
Token: SeSystemProfilePrivilege	892	Msiexec.exe
Token: SeSystemtimePrivilege	892	Msiexec.exe
Token: SeProfSingleProcessPrivilege	892	Msiexec.exe
Token: SeIncBasePriorityPrivilege	892	Msiexec.exe
Token: SeCreatePagefilePrivilege	892	Msiexec.exe
Token: SeCreatePermanentPrivilege	892	Msiexec.exe
Token: SeBackupPrivilege	892	Msiexec.exe
Token: SeRestorePrivilege	892	Msiexec.exe
Token: SeShutdownPrivilege	892	Msiexec.exe
Token: SeDebugPrivilege	892	Msiexec.exe
Token: SeAuditPrivilege	892	Msiexec.exe
Token: SeSystemEnvironmentPrivilege	892	Msiexec.exe
Token: SeChangeNotifyPrivilege	892	Msiexec.exe
Token: SeRemoteShutdownPrivilege	892	Msiexec.exe
Token: SeUndockPrivilege	892	Msiexec.exe
Token: SeSyncAgentPrivilege	892	Msiexec.exe
Token: SeEnableDelegationPrivilege	892	Msiexec.exe
Token: SeManageVolumePrivilege	892	Msiexec.exe
Token: SeImpersonatePrivilege	892	Msiexec.exe
Token: SeCreateGlobalPrivilege	892	Msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 892	2252	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe	28
PID 2252 wrote to memory of 892	2252	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe	28
PID 2252 wrote to memory of 892	2252	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe	28
PID 2252 wrote to memory of 892	2252	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe	28
PID 2252 wrote to memory of 892	2252	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe	28
PID 2252 wrote to memory of 892	2252	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe	28
PID 2252 wrote to memory of 892	2252	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe	28
PID 2084 wrote to memory of 1144	2084	msiexec.exe	30
PID 2084 wrote to memory of 1144	2084	msiexec.exe	30
PID 2084 wrote to memory of 1144	2084	msiexec.exe	30
PID 2084 wrote to memory of 1144	2084	msiexec.exe	30
PID 2084 wrote to memory of 1144	2084	msiexec.exe	30
PID 2084 wrote to memory of 1144	2084	msiexec.exe	30
PID 2084 wrote to memory of 1144	2084	msiexec.exe	30

C:\Users\Admin\AppData\Local\Temp\1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe
"C:\Users\Admin\AppData\Local\Temp\1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\Msiexec.exe
  Msiexec /i "C:\Users\Admin\AppData\Local\Temp\ProductInstaller\Web Agent_C64.msi" /q REBOOT="ReallySuppress"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:892

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5CBA174296037643315BA4A7B2DED029
  2⤵
  - Loads dropped DLL
  PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
8b04ac80767607e557b4bec1f99a5a0d

SHA1
b4a1d79ec966633ebf317ae9b1d8d20f2540d909

SHA256
ebd34a6bf3be75ccaab52b3dc1d98ac07b45de99bbfd7983b1b16f2d1e6ed9a6

SHA512
79c6b8e6dd45aee3b5b513501ef5a6cffab4f65e8c2110310972f41abc28a50055512fabeaf6314545434b45348c70744cf36d1bcae217686c862ed68bb2fe47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d77c9d7654d180cb9c12f02ff6c8981c

SHA1
ee1196f6052a17e500d10d378810cd6798c69bfe

SHA256
fda33caee6470521fba0d257ed3142bd78104992164b835937a91a4727f2f069

SHA512
9e4bc696189f9785961f9daa242d47596a46dbd898de9dd53d74fce37ebddd761af2af413008b6d9118c059acd1f0b48233fb813eac99e12fe9b7763cf984b9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc0972841efa791717456a43061cac34

SHA1
6b2f88bc15369ac9d1781225699a64fd1b671759

SHA256
15fd83cc1a08e363b43175d250a592f9e55779b256dc9d8188340101becf6cd2

SHA512
4e6fa1fe3ff0ce76e112881fc1cc876e43d1d772423f5f88f79cbf9a1b5f55aec7b1373774f5b4e715df1ab37c945591bbd6fc9dff99daf979450736ddb90648

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI657e0.LOG

Filesize
1KB

MD5
d831cc30be32d4f80a2052963dfc77ba

SHA1
1a31b52f332d9981460ba7d73d262fc62db22dfa

SHA256
9527d4e788f0d4e2d16fa367d8a74c83844406bbb1b7eee17eb59a03290549ec

SHA512
a0dc09adf09789d0a885b3ad92e7709da668473d2f205e16d1fc7070d7742399c5d2afe77f58be5bdbf5f86b2adcba634489175da1242320600304e9e3f8155b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProductInstaller\Web Agent_C64.msi

Filesize
8.3MB

MD5
57884e21683be7e663f23b16b19f702a

SHA1
1db4a2174a11d1474583cfd9a3e9991d3a4bc39c

SHA256
d52b08103a29dcdb4e65e32507ae35bd5505ce7953b20bdb3bfa49185fc3fa80

SHA512
ac38d48e4ec659ca24491385de6c509dca50a075243308d94b4b05bbd988d5e1954e136052b78ba0f6d292ebf87850f55ec2895da83f2bc74d8c26f44373d649

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3200.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\Installer\MSI5A21.tmp

Filesize
57KB

MD5
d480853146cffda8e468cc4d2751b405

SHA1
e0b9de6eb4e0f5a92411dfe12a2e498a39eb102b

SHA256
e1076225eafe4cca82c39a4a7db820e0fd44dd293c9847564346e4bb047214b3

SHA512
c22fe3996ea0eeaed9dc4f90e107a5e4b9c5e56fe1bf33b09db2bdc6ae52fc57fee70ca7d4b02d8f446257b2c46c5927a1961146588b7dbc0af4e6104a481f2f

Download Submit
C:\Windows\Installer\MSI5BF6.tmp

Filesize
138KB

MD5
b96cc173298220d17aa0932bf3047727

SHA1
38b81f2f69916d52d5d8c95185150c20586fe0ea

SHA256
69bdcb8dbad5145459bc64ee749e84d9e92171aeff5eea37f2145319c99bdf3e

SHA512
7357ea0a95b77c2bb51283e7859b2ac000804bed4aeedeea22b7e6b261a7fece110c13f244bc3458ddaaa6d9f94ebb0098ffb37c7b5d733db49aea17e04040ca

Download Submit
C:\Windows\Installer\MSI5C45.tmp

Filesize
1.1MB

MD5
9396a1f02189f0bf3dd56f92283ce5d6

SHA1
1ff6e8ce485a3b5eeacb89a5722587a56240e4a7

SHA256
0ae8d17046dfc3c41a55ec8dc80929cc38ea366e7e94f0b0a00c73515b984a85

SHA512
7398268870de492152856c6c28f0f799b8527de45e90939e16df25f8686dace2800d1beeb54232e24a7bae4ad663d76f49063779318746fd94ed10e5599f56be

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads