Analysis
(the behavioral data on this page is from the behavioral1 run: platform windows7_x64, resource win7-20231129-en)

max time kernel     119s
max time network    120s
platform            windows7_x64
resource            win7-20231129-en
resource tags       arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted           30-04-2024 10:50

Static task         static1
Behavioral task     behavioral1
  Sample            954b3293316a106631a71f73ff652d45282cfbd5ad4986ed6e8be0e201c584ca.exe
  Resource          win7-20231129-en
Behavioral task     behavioral2
  Sample            954b3293316a106631a71f73ff652d45282cfbd5ad4986ed6e8be0e201c584ca.exe
  Resource          win10v2004-20240419-en

General
Target    954b3293316a106631a71f73ff652d45282cfbd5ad4986ed6e8be0e201c584ca.exe
Size      5.6MB
MD5       aca988c85ad99e04a19d22dbe2d656c0
SHA1      cbde122beac4511f498da602d7639043e17d9a1b
SHA256    954b3293316a106631a71f73ff652d45282cfbd5ad4986ed6e8be0e201c584ca
SHA512    7c0bde6fa75cec75a06812c185aff74403d169f72557ea95293a58626a2c05763ffbecfd68a0f30b52950cdf00379fdcc4c8f057889f9bbf9b9dfce06d833ccb
SSDEEP    98304:jImZBk8XXSSRr2aVFuHIxrNMV37rq+T8yA9Y+ENNaDfOMKfx3:j/Z0YrYrwY+z9Kf1
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc                                    Process
File opened (read-only)  \??\A: B: E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z:   msiexec.exe (PID 2632), 23 opens
File opened (read-only)  \??\A: B: E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z:   954b3293316a106631a71f73ff652d45282cfbd5ad4986ed6e8be0e201c584ca.exe (PID 2432), 23 opens
Both processes open the same 23 drive-letter roots, every letter except C:, D: and F:, once each; the \??\ prefix is the NT object-manager form of the DOS drive letter. Opening every root read-only is how installers (and Windows Installer's own disk-cost calculation) discover which volumes exist, but it is also how worms look for removable media, so weigh it together with the rest of the process tree rather than on its own.
Loads dropped DLL 8 IoCs
pid   Process
2588  MsiExec.exe (8 loads of DLLs written to disk during the run; this is the 32-bit custom-action server, see Processes)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies system certificate store 4 IoCs
description        ioc                                                                                                          Process
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43          954b3293316a106631a71f73ff652d45282cfbd5ad4986ed6e8be0e201c584ca.exe
Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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   954b3293316a106631a71f73ff652d45282cfbd5ad4986ed6e8be0e201c584ca.exe (three identical writes)
AuthRoot is the store that Windows' Automatic Root Certificates Update feeds. An entry keyed by a SHA-1 thumbprint under AuthRoot\Certificates is typically created by crypt32, inside whichever process is building a certificate chain, when the chain reaches a root the image does not yet hold, for example while verifying the Authenticode signature of the installer package. The thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 is the published SHA-1 thumbprint of DigiCert Assured ID Root CA, a root in Microsoft's trusted root program, so this write on its own does not show the sample planting a rogue root. Confirm by decoding the Blob value: the key name must equal the SHA-1 of the DER certificate inside it.
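The check described above, as an added example that is not part of the report and not tooling from the sandbox: a decoder for the CryptoAPI "Blob" value format, which is a sequence of property records (uint32 property id, uint32 reserved field that is always 1, uint32 length, data), with the DER certificate stored under CERT_CERT_PROP_ID (32). The blob on this page is elided, so the one below is constructed from placeholder bytes standing in for a real certificate; the property-id constants are the wincrypt.h values.

```python
"""Decode a CryptoAPI certificate "Blob" registry value and verify that
the registry key name (a SHA-1 thumbprint) matches the certificate inside.

Added example for this page; the sandbox report elides the real Blob, so
FAKE_DER/FAKE_BLOB are constructed stand-ins, not data from the run.
"""
import hashlib
import struct

# wincrypt.h CERT_*_PROP_ID values that appear in stored certificate blobs.
CERT_SHA1_HASH_PROP_ID = 3
CERT_MD5_HASH_PROP_ID = 4
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32


def parse_cert_blob(blob):
    """Return {prop_id: data} for every property record in the blob.

    Records are back to back: uint32 prop_id, uint32 reserved (always 1),
    uint32 length, then `length` bytes of payload.  Raises ValueError on a
    truncated or malformed record instead of silently returning a partial
    result, so a damaged export is noticed.
    """
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError("malformed record for property %d" % prop_id)
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def thumbprint_of(der):
    """SHA-1 thumbprint in the upper-case hex form Windows uses as key name."""
    return hashlib.sha1(der).hexdigest().upper()


def thumbprint_matches_key(blob, key_thumbprint):
    """True when the DER certificate in `blob` hashes to the registry key name."""
    der = parse_cert_blob(blob).get(CERT_CERT_PROP_ID)
    if der is None:
        return False
    return thumbprint_of(der) == key_thumbprint.upper()


def build_blob(der, friendly_name=None):
    """Assemble a blob in the same record layout (used to construct the input)."""
    def rec(prop_id, data):
        return struct.pack("<III", prop_id, 1, len(data)) + data

    out = rec(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest())
    out += rec(CERT_MD5_HASH_PROP_ID, hashlib.md5(der).digest())
    if friendly_name:
        out += rec(CERT_FRIENDLY_NAME_PROP_ID,
                   (friendly_name + "\0").encode("utf-16-le"))
    return out + rec(CERT_CERT_PROP_ID, der)


# Constructed stand-in: NOT a real certificate, only a DER-style SEQUENCE
# header followed by filler, so the walk-through has something to hash.
FAKE_DER = b"\x30\x82\x00\x10" + b"\xAB" * 16
FAKE_BLOB = build_blob(FAKE_DER, "example root")
KEY_FROM_REPORT = "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"

if __name__ == "__main__":
    for prop_id, data in parse_cert_blob(FAKE_BLOB).items():
        print("property %2d: %d bytes" % (prop_id, len(data)))
    print("matches its own thumbprint:", thumbprint_matches_key(FAKE_BLOB, thumbprint_of(FAKE_DER)))
    print("matches the report's key:  ", thumbprint_matches_key(FAKE_BLOB, KEY_FROM_REPORT))
```

To use it on a real system, export the Blob value from the key named in the IoC and pass its bytes to `parse_cert_blob`; the DER under property 32 can then be fed to any X.509 parser to read the subject and compare it with the thumbprint owner.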
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                                                                   pid   Process
Token: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege       2632  msiexec.exe
Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege   2432  954b3293316a106631a71f73ff652d45282cfbd5ad4986ed6e8be0e201c584ca.exe
The 29-privilege sequence for PID 2432 appears twice in full and starts a third time (SeCreateToken, SeAssignPrimaryToken, SeLockMemory) before the 64-row display limit cuts the table off.
SeCreateTokenPrivilege through SeCreateGlobalPrivilege in exactly this order are privilege LUIDs 2 through 30, so the sample is running a generic "enable every privilege" routine rather than requesting the ones it needs; that pattern is common in installer bootstrappers as well as in malware. AdjustTokenPrivileges can only enable privileges already present in the token (the call still succeeds and reports ERROR_NOT_ALL_ASSIGNED for the rest), so these rows record what was requested under the sandbox's Admin account, not what was granted.
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
2432  954b3293316a106631a71f73ff652d45282cfbd5ad4986ed6e8be0e201c584ca.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
description                                   pid   Process      procid_target
PID 2632 wrote to memory of 2588 (7 rows)     2632  msiexec.exe  29
All seven writes go from the Windows Installer service (2632) into the MsiExec.exe custom-action server (2588) that it spawned itself; a parent writing into a child it has just created is part of normal process start-up. Injection is indicated when the writer is not the target's parent, or when a write is followed by a remote thread or APC in the target, neither of which appears here.
Processes
-
C:\Users\Admin\AppData\Local\Temp\954b3293316a106631a71f73ff652d45282cfbd5ad4986ed6e8be0e201c584ca.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\954b3293316a106631a71f73ff652d45282cfbd5ad4986ed6e8be0e201c584ca.exe"
  PID 2432 (tree depth 1)
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  PID 2632 (tree depth 1)
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding A7C924FC9FD781D024DCBA6E18468C5E C
    PID 2588 (tree depth 2, child of 2632)
    - Loads dropped DLL
-
msiexec.exe /V is the Windows Installer service starting; it is launched by the service control manager, which is why it appears as a root of its own tree rather than as a child of the sample. The 32-bit MsiExec.exe -Embedding <id> under it is the custom-action server that executes the package's DLL custom actions, and the dropped-DLL loads in PID 2588 are those custom-action DLLs being loaded from disk.
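The signature tables on this page arrive as one flattened run of text per signature. Below is an added example, not part of the report and not sandbox tooling, that parses those runs into records and answers the three triage questions raised above: which drive roots each process probed, which distinct privileges each PID adjusted (flagging the high-impact ones), and whether every WriteProcessMemory row is a parent writing into its own child. The three text excerpts are shortened copies of the report's own IoC rows, and PARENT_OF is read off the Processes tree; the HIGH_IMPACT set is this example's own choice of privileges worth a second look.

```python
"""Structure the flattened signature tables of this sandbox report.

Added example for this page (not the vendor's code).  DRIVES_TEXT,
TOKENS_TEXT and WPM_TEXT are shortened excerpts of the report's IoC rows;
PARENT_OF comes from the report's process tree.
"""
import re
from collections import defaultdict

SAMPLE = "954b3293316a106631a71f73ff652d45282cfbd5ad4986ed6e8be0e201c584ca.exe"

# Excerpt of "Enumerates connected drives" (report text, shortened).
DRIVES_TEXT = (
    "File opened (read-only) \\??\\A: msiexec.exe "
    "File opened (read-only) \\??\\B: msiexec.exe "
    f"File opened (read-only) \\??\\O: {SAMPLE} "
    f"File opened (read-only) \\??\\Q: {SAMPLE} "
    "File opened (read-only) \\??\\Q: msiexec.exe "
)

# Excerpt of "Suspicious use of AdjustPrivilegeToken" (report text, shortened;
# the last row shows the sample's list starting over, as it does on the page).
TOKENS_TEXT = (
    "Token: SeRestorePrivilege 2632 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 2632 msiexec.exe "
    "Token: SeSecurityPrivilege 2632 msiexec.exe "
    f"Token: SeCreateTokenPrivilege 2432 {SAMPLE} "
    f"Token: SeTcbPrivilege 2432 {SAMPLE} "
    f"Token: SeDebugPrivilege 2432 {SAMPLE} "
    f"Token: SeCreateTokenPrivilege 2432 {SAMPLE} "
)

# "Suspicious use of WriteProcessMemory": all seven report rows are identical.
WPM_TEXT = "PID 2632 wrote to memory of 2588 2632 msiexec.exe 29 " * 7

# Parent relation from the Processes tree: 2632 spawned 2588; 2432 and 2632
# are roots of their own trees.
PARENT_OF = {2588: 2632, 2432: None, 2632: None}

# This example's own list of privileges whose enablement deserves attention.
HIGH_IMPACT = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
               "SeTakeOwnershipPrivilege", "SeRestorePrivilege",
               "SeBackupPrivilege", "SeCreateTokenPrivilege",
               "SeAssignPrimaryTokenPrivilege"}

DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+)")


def drives_by_process(text):
    """Map each process name to the sorted string of drive letters it opened."""
    letters = defaultdict(set)
    for letter, proc in DRIVE_RE.findall(text):
        letters[proc].add(letter)
    return {proc: "".join(sorted(s)) for proc, s in letters.items()}


def privileges_by_pid(text):
    """Per PID: distinct privileges in first-seen order, raw row count,
    and the subset that is in HIGH_IMPACT."""
    seen, rows = defaultdict(list), defaultdict(int)
    for priv, pid, _proc in TOKEN_RE.findall(text):
        pid = int(pid)
        rows[pid] += 1
        if priv not in seen[pid]:
            seen[pid].append(priv)
    return {pid: {"privileges": seen[pid], "rows": rows[pid],
                  "high_impact": sorted(HIGH_IMPACT & set(seen[pid]))}
            for pid in seen}


def classify_wpm(text, parent_of):
    """Tag each WriteProcessMemory row: a parent writing into its own child is
    routine start-up work; any other pairing is a candidate injection."""
    out = []
    for src, dst, proc in WPM_RE.findall(text):
        src, dst = int(src), int(dst)
        kind = "parent-to-child" if parent_of.get(dst) == src else "cross-process"
        out.append((src, dst, proc, kind))
    return out


if __name__ == "__main__":
    for proc, letters in drives_by_process(DRIVES_TEXT).items():
        print(f"{proc}: drives {letters}")
    for pid, info in privileges_by_pid(TOKENS_TEXT).items():
        print(f"pid {pid}: {len(info['privileges'])} distinct privileges in "
              f"{info['rows']} rows, high impact: {info['high_impact']}")
    for src, dst, proc, kind in classify_wpm(WPM_TEXT, PARENT_OF):
        print(f"{proc} {src} -> {dst}: {kind}")
```

Fed the full tables instead of the excerpts, `drives_by_process` returns the 23-letter string for both processes and `privileges_by_pid` shows 29 distinct privileges in 61 rows for PID 2432, which is the compact view the condensed tables above give.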
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  889B
MD5       e14d2cc6c1ebcab8952e2768e9bd9859
SHA1      cce93d98149155d5568fcabe7652efaeebe0fd74
SHA256    e90f72001588feed45717da6d4c6d0c9367ad151d635af7f1d0da10eede642cf
SHA512    fef085cbb131c1f898258c24da4c7a4c4baafd797a5bd9d28b2986137248c2dd7f0c19aaa06b3e15b29e684d0815cece30403e70b9855a75cd44179eb6222c7c
-
Filesize  19KB
MD5       ca67b0328517b019f15d1a4ea4facfd5
SHA1      3f4dbe7542fb24947b1992bb09b946bc6d43d8f5
SHA256    87fc50657f21c99ca8e4a6023148a1d710d6de5bfe96ad26de65867126a78e4e
SHA512    188004f42f5612e604dbfbed8927d449e69e8316b338166263af43fc4a4bf788b7723f749287c7c61de46bf08a7fe545b64587ef843906110d573123878258bf
-
Filesize  391B
MD5       9f61b086ae93580bce1b68026e470d00
SHA1      9bf4d1885fa192c411edb76d60fcd237f8480ee5
SHA256    3c2f67e3a08cbcf11bc76aac5f08ded5d62bdd63e5d10df9e20c6c465bb73e99
SHA512    85b12f0c8bb1b9b7a455f9b85489d808b0e4c8465b70d667187bad8db4cf494482786dd3878a7d418b570eac07ad1b85195a2cf953c1bad729ae0ec4ecdc0821
-
Filesize  154B
MD5       8fd875cdc559ad66e0a94c64fdb762c3
SHA1      79111743f1ef8da31688f1644f9568a42fbd3ed5
SHA256    fe7c2d4c244139591b0b716a410a1d8af38084cdc560a2beb265bdb8578e4eb3
SHA512    0985a7456bd94e21d62428368c8e52ef7021fe78966dd967b96ecbbf05542abba4f8c85ef3d56bc0f5f9500e0d0828d4b54feaeef9768f85ff754ca8a1b5af3b
-
Filesize  258B
MD5       5ebdf501735de47292e2496400b237ad
SHA1      44e150c13c7e0c26c17d6513b8e32351f6f9e813
SHA256    1eebb2bc8591a8d9387328fe6bcb2a191d1fb009967261f15f6a81bd0a76e674
SHA512    0a3adfbb96eb608d084aef45eff0542c56a5f886204cabfadab333aee9e0fbd939a6f1227b50e0637c4b5636c4001d47b5a00b16339fa67bcab350a860f34447
-
Filesize  788B
MD5       f629b0ad1e3ff50a742569db0ce4c961
SHA1      ee1d0f4a2ea6a55b635815d64b2131bce9cecf44
SHA256    cca2e4ac112b43db989c865c2adb9e11833528c9d3e740fc584c425448e6e70c
SHA512    e64894b41546c5b628024d8ba5223d6aea870ba0f0809f3dc0a5909d32e248e24a067ba72b803671505c73e74833fa0a9ca662821b7fc537c27cb5d530a2e496
-
Filesize  66B
MD5       1fb3755fe9676fca35b8d3c6a8e80b45
SHA1      7c60375472c2757650afbe045c1c97059ca66884
SHA256    384ebd5800becadf3bd9014686e6cc09344f75ce426e966d788eb5473b28aa21
SHA512    dee9db50320a27de65581c20d9e6cf429921ebee9d4e1190c044cc6063d217ca89f5667dc0d93faf7dcc2d931fe4e85c025c6f71c1651cbd2d12a43f915932c3
-
Filesize  66B
MD5       71fa2730c42ae45c8b373053cc504731
SHA1      ef523fc56f6566fbc41c7d51d29943e6be976d5e
SHA256    205209facdebf400319dbcb1020f0545d7564b9415c47497528593e344795afd
SHA512    ea4415619720cc1d9fb1bb89a14903bfd1471b89f9c4847df4839084aae573d49b4969d3799ad30ff25b71f6e31f8d9f30701e1240d3cd6a063819c04873f21f
-
Filesize  66B
MD5       0e1ab770f8d8f8768b66e7de087087c9
SHA1      36ad69f719f035d0c040db6d611611552a387b41
SHA256    3e57878d7e1c0d2fe4db1dd47b803a363188114520ff5d7a4f50fab47c0ee992
SHA512    2c5a627fba9ce1b35397d1dc4ae7b6954bd7b39a402689f3c12f2dc314ca5133f553da0411cad0a6d556f1787f2b2fce585f76d4b73bb2cff98732aaf808fdc1
-
Filesize  66B
MD5       30384472ae83ff8a7336b987292d8349
SHA1      85d3e6cffe47f5a0a4e1a87ac9da729537783cd0
SHA256    f545ec56bc9b690a6b952471669a8316e18274d64e2ebc9e365fcf44363a125a
SHA512    7611f930a0a1089cc5004203ec128c916f0c2aedae3a6fcc2eaffa8cd004dcbf154714e401947921a06896ca77c77daec7f9bda82369aacd3bb666f8a0331963
-
Filesize  66B
MD5       4b84f29fbce81aab5af97a311d0e51e2
SHA1      60723cf4b91c139661db5ecb0964deca1fc196ea
SHA256    c93be5a7c979c534274fc1a965d26c126efa5d58c14066b14937e5aba3b9eb55
SHA512    775eadccc44fddbd1e0d4231bc90d222f0a9749199e1963449ad20285ea92941a5685cdc12c0cd8c0ef0a21e10bdacaf139e5c69cd5e402cc110679323c23df1
-
Filesize  154B
MD5       1966f4308086a013b8837dddf88f67ad
SHA1      1b66c1b1ad519cad2a273e2e5b2cfd77b8e3a190
SHA256    17b5cd496d98db14e7c9757e38892883c7b378407e1f136889a9921abe040741
SHA512    ec50f92b77bca5117a9a262ba1951e37d6139b838099e1546ab2716c7bafb0fc542ce7f1993a19591c832384df01b722d87bb5a6a010091fc880de6e5cfa6c17
-
Filesize  66B
MD5       4e0ac65606b6aacd85e11c470ceb4e54
SHA1      3f321e3bbde641b7733b806b9ef262243fb8af3b
SHA256    1d59fe11b3f1951c104f279c1338fc307940268971d016ebe929a9998a5038ee
SHA512    7b28bcb4e76af3b863a7c3390b6cd3316c4631434e1d1e2df8d6e0eb9987a61a4f1a24de59567394e346d45e332403a0817ed0b0b64d7a624dbe48e30db9bb64
-
Filesize  541B
MD5       76c1a5be2d21e77597d35d7c3a73c59e
SHA1      5bc6aa58563e536a757743460fc3f41b88287375
SHA256    45d4e2389c122dc27be4fc2d89ebb6ff192f40ba897afa71526553e1b265b06a
SHA512    221742f6204fba77d2b1ac4ce36f5179d54b416ff942de73c92ae4c988fcb291f54beaf6e2ef5ede69ce6f48b7b5dee397965bf2014f4a3988bc2f14b8d9b29c
-
Filesize  391B
MD5       cfa8cf18fefccac32046d7cfb2f63170
SHA1      f52da2c3d60fe1447256fb35d95f045ba3ddd0fe
SHA256    312d3a70c69ffea1adb00a5fbf27f5b3fe715c5b49e30ef38f933968c2525637
SHA512    c54018ceefd1c75f2f6e5589b896eb84ae464dc1320c2cbdeec4acc5e6bcf6d60cea1431ac391b1027c566b892fb2e63d5bb49f12e945a8d65ab24f505625597
-
Filesize  225B
MD5       8ba33e929eb0c016036968b6f137c5fa
SHA1      b563d786bddd6f1c30924da25b71891696346e15
SHA256    bbcac1632131b21d40c80ff9e14156d36366d2e7bb05eed584e9d448497152d5
SHA512    ba3a70757bd0db308e689a56e2f359c4356c5a7dd9e2831f4162ea04381d4bbdbef6335d97a2c55f588c7172e1c2ebf7a3bd481d30871f05e61eea17246a958e
-
Filesize  377KB
MD5       8b03c31b6d87a2103405ea8c5f337799
SHA1      5cc2be39a0f1f4bb3cfb561c77f5ae7e96eca6fa
SHA256    75741fff4c3726689be3329dfc16d45becbd6937d3e5b8211fc7997d8d4695ec
SHA512    c38226b1c86eb9c661204b94e2455c608749f2a4d80686c18681a2577446afff9edd6aeaf85ef253ffe509a2a5cfa715bd2ada573d44d4e31271868707ede143
-
C:\Users\Admin\AppData\Roaming\Xsens Technologies B.V\Xsens MVN Developer Toolkit 1.2.0 1.2.0\install\xsens_mvn_developer_toolkit1.2.0_setup.msi
Filesize  2.0MB
MD5       13dc292f4d62105792704b69f1b77b03
SHA1      ab9dd5d09c9b899451a7384898cade5c17960d73
SHA256    9b60959b2b89eedf51995e9f653f8c07911ccae6b202e19020a4770c679ddd37
SHA512    8fe60ed0c3cc80646b93a070b7cddc6c65dec5e2bc2c10bd407eca813ec1b242adebbf31c20df600008f793c9f671a89bbddf2696412c4332c4098064bab643f
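Only the last dropped file above carries a path; the rest are identified by hashes alone, so matching them against files recovered elsewhere has to go through the digests. The following added example (not part of the report, not sandbox tooling) turns the flattened Downloads list into a manifest, computes the same four digests over a file held in memory, and matches on SHA-256; it also checks the container magic, since an .msi is an OLE compound file. DOWNLOADS_TEXT holds two of the report's own entries in the glued form the page arrived in; CONSTRUCTED_CFB is constructed bytes, not a file from the run.

```python
"""Rebuild the report's dropped-file list as a manifest and match files to it.

Added example for this page.  DOWNLOADS_TEXT is an excerpt of the report's
"Downloads" section as the page arrived (labels glued to values); the two
entries are the report's own.  CONSTRUCTED_CFB is made up for the demo.
"""
import hashlib
import re

DOWNLOADS_TEXT = """\
Filesize
377KB
MD58b03c31b6d87a2103405ea8c5f337799
SHA15cc2be39a0f1f4bb3cfb561c77f5ae7e96eca6fa
SHA25675741fff4c3726689be3329dfc16d45becbd6937d3e5b8211fc7997d8d4695ec
SHA512c38226b1c86eb9c661204b94e2455c608749f2a4d80686c18681a2577446afff9edd6aeaf85ef253ffe509a2a5cfa715bd2ada573d44d4e31271868707ede143
-
C:\\Users\\Admin\\AppData\\Roaming\\Xsens Technologies B.V\\Xsens MVN Developer Toolkit 1.2.0 1.2.0\\install\\xsens_mvn_developer_toolkit1.2.0_setup.msi
Filesize2.0MB
MD513dc292f4d62105792704b69f1b77b03
SHA1ab9dd5d09c9b899451a7384898cade5c17960d73
SHA2569b60959b2b89eedf51995e9f653f8c07911ccae6b202e19020a4770c679ddd37
SHA5128fe60ed0c3cc80646b93a070b7cddc6c65dec5e2bc2c10bd407eca813ec1b242adebbf31c20df600008f793c9f671a89bbddf2696412c4332c4098064bab643f
"""

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^Filesize\s*(\S*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_downloads(text):
    """Split the flattened list into entries; a lone '-' separates entries,
    a drive-letter path names an entry, and 'Filesize' may carry its value
    on the same line or the next one.  Digest lengths are validated."""
    entries, cur, lines = [], {}, text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line == "-":
            if cur:
                entries.append(cur)
            cur = {}
        elif PATH_RE.match(line):
            cur["path"] = line
        elif (m := SIZE_RE.match(line)):
            size = m.group(1)
            if not size:                      # value sits on the next line
                i += 1
                size = lines[i].strip()
            cur["size"] = size
        elif (m := DIGEST_RE.match(line)):
            algo, hexdigest = m.group(1).lower(), m.group(2).lower()
            if len(hexdigest) != HEX_LEN[algo]:
                raise ValueError("%s digest has wrong length: %s" % (algo, hexdigest))
            cur[algo] = hexdigest
        i += 1
    if cur:
        entries.append(cur)
    return entries


def digests(data):
    """The four digests the report lists, computed over in-memory bytes."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HEX_LEN}


def match_manifest(data, manifest):
    """Return the manifest entry whose SHA-256 matches `data`, else None."""
    sha256 = hashlib.sha256(data).hexdigest()
    return next((e for e in manifest if e.get("sha256") == sha256), None)


def entry_for(data, path):
    """Build a manifest entry for a file we hold, to extend the manifest."""
    return {"path": path, "size": "%dB" % len(data), **digests(data)}


def container_type(data):
    """Cheap magic check: MSI packages are OLE compound files; PE starts MZ."""
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole-cfb"
    if data.startswith(b"MZ"):
        return "pe"
    return "unknown"


# Constructed input: the OLE compound-file magic followed by zero padding.
CONSTRUCTED_CFB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24

MANIFEST = parse_downloads(DOWNLOADS_TEXT)

if __name__ == "__main__":
    for e in MANIFEST:
        print(e.get("path", "(no path)"), e["size"], e["sha256"])
    print("constructed bytes:", container_type(CONSTRUCTED_CFB),
          "matches report:", match_manifest(CONSTRUCTED_CFB, MANIFEST) is not None)
```

Matching is done on SHA-256 alone on purpose: MD5 and SHA-1 are kept in the manifest because other sources still key on them, but a collision-resistant digest is the one that should decide identity.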