Analysis
max time kernel: 144s
max time network: 146s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10-04-2024 14:44
Static task: static1
Behavioral task: behavioral1
Sample: e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909.msi
Resource: win7-20240221-en
General
Target: e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909.msi
Size: 6.5MB
MD5: 9e2b456c62b027c89b36dc9109e50f01
SHA1: 617fddb80de29bc455c0ecfd4b64d194fe911541
SHA256: e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909
SHA512: 18ee2debeac010286291d3af38b46cb29d2503e8056b5ab74120e6934e4b16396d894e323dc11eb5cd1902ea0c30fbac75f03dbda74ea670d3828d7b6318bf59
SSDEEP: 98304:5p4wd88KSX2ylsm84rfq/03ZUVaxNv3DiPF1D/lAd3YR77vhBLAbRGH1oVda3WHx:Iwe8B21mNfq/0+IxgP5sE77vfLe04rs
Malware Config
Signatures
-
Babadeda Crypter 2 IoCs
resource | yara_rule
behavioral1/files/0x0006000000015ca6-65.dat | family_babadeda
behavioral1/files/0x0006000000015d8f-964.dat | family_babadeda
-
Modifies file permissions 1 TTPs 2 IoCs
pid | Process
1064 | ICACLS.EXE
2636 | ICACLS.EXE
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2792-985-0x00000000002F0000-0x0000000000A2F000-memory.dmp | autoit_exe
behavioral1/memory/2792-987-0x00000000002F0000-0x0000000000A2F000-memory.dmp | autoit_exe
behavioral1/memory/2792-989-0x00000000002F0000-0x0000000000A2F000-memory.dmp | autoit_exe
behavioral1/memory/2792-991-0x00000000002F0000-0x0000000000A2F000-memory.dmp | autoit_exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\Installer\f76447f.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI455A.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File created | C:\Windows\Installer\f764480.ipi | msiexec.exe
File opened for modification | C:\Windows\Logs\DPX\setuperr.log | EXPAND.EXE
File opened for modification | C:\Windows\Installer\f764480.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5938.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5939.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\f76447f.msi | msiexec.exe
File opened for modification | C:\Windows\Logs\DPX\setupact.log | EXPAND.EXE
-
Executes dropped EXE 2 IoCs
pid | Process
1616 | se1.exe
2792 | csvhelper.exe
-
Loads dropped DLL 8 IoCs
pid | Process
2024 | MsiExec.exe
2024 | MsiExec.exe
2024 | MsiExec.exe
2024 | MsiExec.exe
2024 | MsiExec.exe
1616 | se1.exe
2792 | csvhelper.exe
2024 | MsiExec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2348 | msiexec.exe
2348 | msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 57 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2512 | msiexec.exe
2512 | msiexec.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2512

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2348

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C15203D9BA38D081398EBB2EB6C75E74
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:2024

        C:\Windows\SysWOW64\ICACLS.EXE
          Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
          - Modifies file permissions
          PID:1064

        C:\Windows\SysWOW64\EXPAND.EXE
          Command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
          - Drops file in Windows directory
          PID:1652

        C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\files\se1.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\files\se1.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID:1616

            C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe
              Command line: "C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe"
              - Enumerates connected drives
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory
              PID:2792

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
                  PID:2844

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
                  PID:848

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
                  PID:1712

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
                  PID:1324

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
                  PID:936

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
                  PID:2136

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
                  PID:624

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
                  PID:2192

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
                  PID:1944

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
                  PID:1516

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
                  PID:764

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
                  PID:1996

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
                  PID:1620

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
                  PID:2728

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
                  PID:1780

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
                  PID:2588

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
                  PID:2596

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
                  PID:2480

        C:\Windows\SysWOW64\ICACLS.EXE
          Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          - Modifies file permissions
          PID:2636

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:1244

C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A4" "00000000000005B8"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
Network
MITRE ATT&CK Enterprise v15
Downloads