Analysis
- max time kernel: 226s
- max time network: 238s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-05-2024 16:47
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
- Sample: https://www.aescrypt.com/download/
- Resource: win10v2004-20240508-en
General
- Target: https://www.aescrypt.com/download/
Malware Config
Signatures
Executes dropped EXE 1 IoCs
pid Process
- 4244 AESCrypt32.exe
Loads dropped DLL 7 IoCs
pid Process
- 516 MsiExec.exe
- 516 MsiExec.exe
- 2384 MsiExec.exe
- 2384 MsiExec.exe
- 1844 MsiExec.exe
- 3544 Process not Found
- 4244 AESCrypt32.exe
Registers COM server for autorun 1 TTPs 3 IoCs
description ioc Process
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}\InprocServer32 MsiExec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}\InprocServer32\ = "C:\\Program Files\\AESCrypt\\AESCrypt.dll" MsiExec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
- File opened (read-only) \??\P: msiexec.exe
- File opened (read-only) \??\B: msiexec.exe
- File opened (read-only) \??\I: msiexec.exe
- File opened (read-only) \??\Q: msiexec.exe
- File opened (read-only) \??\T: msiexec.exe
- File opened (read-only) \??\W: msiexec.exe
- File opened (read-only) \??\B: msiexec.exe
- File opened (read-only) \??\I: msiexec.exe
- File opened (read-only) \??\R: msiexec.exe
- File opened (read-only) \??\Z: msiexec.exe
- File opened (read-only) \??\E: msiexec.exe
- File opened (read-only) \??\Y: msiexec.exe
- File opened (read-only) \??\K: msiexec.exe
- File opened (read-only) \??\L: msiexec.exe
- File opened (read-only) \??\G: msiexec.exe
- File opened (read-only) \??\M: msiexec.exe
- File opened (read-only) \??\V: msiexec.exe
- File opened (read-only) \??\N: msiexec.exe
- File opened (read-only) \??\A: msiexec.exe
- File opened (read-only) \??\Q: msiexec.exe
- File opened (read-only) \??\X: msiexec.exe
- File opened (read-only) \??\Y: msiexec.exe
- File opened (read-only) \??\U: msiexec.exe
- File opened (read-only) \??\A: msiexec.exe
- File opened (read-only) \??\H: msiexec.exe
- File opened (read-only) \??\J: msiexec.exe
- File opened (read-only) \??\K: msiexec.exe
- File opened (read-only) \??\S: msiexec.exe
- File opened (read-only) \??\U: msiexec.exe
- File opened (read-only) \??\Z: msiexec.exe
- File opened (read-only) \??\O: msiexec.exe
- File opened (read-only) \??\R: msiexec.exe
- File opened (read-only) \??\X: msiexec.exe
- File opened (read-only) \??\V: msiexec.exe
- File opened (read-only) \??\W: msiexec.exe
- File opened (read-only) \??\P: msiexec.exe
- File opened (read-only) \??\H: msiexec.exe
- File opened (read-only) \??\O: msiexec.exe
- File opened (read-only) \??\S: msiexec.exe
- File opened (read-only) \??\L: msiexec.exe
- File opened (read-only) \??\E: msiexec.exe
- File opened (read-only) \??\G: msiexec.exe
- File opened (read-only) \??\J: msiexec.exe
- File opened (read-only) \??\M: msiexec.exe
- File opened (read-only) \??\N: msiexec.exe
- File opened (read-only) \??\T: msiexec.exe
Drops file in Program Files directory 3 IoCs
description ioc Process
- File created C:\Program Files\AESCrypt\AESCrypt32.exe msiexec.exe
- File created C:\Program Files\AESCrypt\AESCrypt.dll msiexec.exe
- File created C:\Program Files\AESCrypt\aescrypt.exe msiexec.exe
Drops file in Windows directory 22 IoCs
description ioc Process
- File opened for modification C:\Windows\Installer\$PatchCache$\Managed\3D5882657A14112428E21B1B1500965E msiexec.exe
- File created C:\Windows\Installer\$PatchCache$\Managed\3D5882657A14112428E21B1B1500965E\3.10.0\F_CENTRAL_msvcr100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC msiexec.exe
- File created C:\Windows\Installer\{562885D3-41A7-4211-822E-B1B1510069E5}\_853F67D554F05449430E7E.exe msiexec.exe
- File opened for modification C:\Windows\Installer\MSI190C.tmp msiexec.exe
- File opened for modification C:\Windows\Installer\MSI1D73.tmp msiexec.exe
- File created C:\Windows\Installer\$PatchCache$\Managed\3D5882657A14112428E21B1B1500965E\3.10.0\F_CENTRAL_atl100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC msiexec.exe
- File created C:\Windows\Installer\{562885D3-41A7-4211-822E-B1B1510069E5}\_112D608FD02CD87FDC7735.exe msiexec.exe
- File created C:\Windows\Installer\e5918c0.msi msiexec.exe
- File created C:\Windows\Installer\SourceHash{562885D3-41A7-4211-822E-B1B1510069E5} msiexec.exe
- File created C:\Windows\Installer\$PatchCache$\Managed\3D5882657A14112428E21B1B1500965E\3.10.0\F_CENTRAL_msvcp100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC msiexec.exe
- File opened for modification C:\Windows\Installer\$PatchCache$\Managed\3D5882657A14112428E21B1B1500965E\3.10.0\F_CENTRAL_msvcp100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC msiexec.exe
- File opened for modification C:\Windows\Installer\$PatchCache$\Managed\3D5882657A14112428E21B1B1500965E\3.10.0\F_CENTRAL_msvcr100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC msiexec.exe
- File opened for modification C:\Windows\Installer\{562885D3-41A7-4211-822E-B1B1510069E5}\_853F67D554F05449430E7E.exe msiexec.exe
- File created C:\Windows\Installer\e5918be.msi msiexec.exe
- File opened for modification C:\Windows\Installer\MSI1A36.tmp msiexec.exe
- File opened for modification C:\Windows\Installer\ msiexec.exe
- File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
- File opened for modification C:\Windows\Installer\$PatchCache$\Managed\3D5882657A14112428E21B1B1500965E\3.10.0 msiexec.exe
- File opened for modification C:\Windows\Installer\$PatchCache$\Managed\3D5882657A14112428E21B1B1500965E\3.10.0\F_CENTRAL_atl100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC msiexec.exe
- File opened for modification C:\Windows\Installer\{562885D3-41A7-4211-822E-B1B1510069E5}\_112D608FD02CD87FDC7735.exe msiexec.exe
- File opened for modification C:\Windows\Installer\e5918be.msi msiexec.exe
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
- Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value omitted] vssvc.exe
- Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
Modifies data under HKEY_USERS 3 IoCs
description ioc Process
- Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a msiexec.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b msiexec.exe
- Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E msiexec.exe
Modifies registry class 52 IoCs
description ioc Process
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AESCrypt.DLL\AppID = "{BACE464C-A450-46A7-BC98-F441BCE45CE9}" MsiExec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe
- Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings OpenWith.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}\AppID = "{BACE464C-A450-46A7-BC98-F441BCE45CE9}" MsiExec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\PackageCode = "EF46C65FDB9F863459E25F06C113CF59" msiexec.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\Clients = 3a0000000000 msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}\InprocServer32 MsiExec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\Version = "50987008" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\SourceList\PackageName = "AESCrypt.msi" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\shell\open\command\ = "\"C:\\Program Files\\AESCrypt\\AESCrypt32.exe\" \"%1\"" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BACE464C-A450-46A7-BC98-F441BCE45CE9} MsiExec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\Language = "1033" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\AdvertiseFlags = "388" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\shell\open\ = "&Open" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.aes\ = "aesfile" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35872D53-3BD4-45FA-8DB5-FFC47D4235E7} MsiExec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\SourceList msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\SourceList\Media\1 = ";" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.aes\aesfile\ShellNew msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\ = "AES Crypt Encrypted Data File" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\DefaultIcon msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\shell\open msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.aes\Content Type = "application/aes" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}\InprocServer32\ = "C:\\Program Files\\AESCrypt\\AESCrypt.dll" MsiExec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3D5882657A14112428E21B1B1500965E\DefaultFeature msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\shell\open\command msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.aes msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\DefaultIcon\ = "C:\\Windows\\Installer\\{562885D3-41A7-4211-822E-B1B1510069E5}\\_853F67D554F05449430E7E.exe,0" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AESCrypt.DLL MsiExec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\SourceList\Net msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\shell msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\InstanceType = "0" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Desktop\\AESCrypt_v310_x64\\" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\aesfile msiexec.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\shell\open\command\command = 55006300680063004300650054007400370039003800780045002c006200740065003700670072003e007e004700450056003d00650048007d00660045003400500059004000500077006f00440077007a002000220025003100220000000000 msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\aesfile\shell\ = "open" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\AESCrypt MsiExec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\DeploymentFlags = "3" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3D5882657A14112428E21B1B1500965E msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\Assignment = "1" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\ProductIcon = "C:\\Windows\\Installer\\{562885D3-41A7-4211-822E-B1B1510069E5}\\_112D608FD02CD87FDC7735.exe" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\06E61D2961F138147AC880C670FC34A6 msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}\ = "AESCryptShellExtCom Class" MsiExec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\SourceList\Net\1 = "C:\\Users\\Admin\\Desktop\\AESCrypt_v310_x64\\" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\SourceList\Media msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.aes\aesfile msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BACE464C-A450-46A7-BC98-F441BCE45CE9}\ = "AESCrypt" MsiExec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\AESCrypt\ = "{35872D53-3BD4-45FA-8DB5-FFC47D4235E7}" MsiExec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\ProductName = "AES Crypt" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D5882657A14112428E21B1B1500965E\AuthorizedLUAApp = "0" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\06E61D2961F138147AC880C670FC34A6\3D5882657A14112428E21B1B1500965E msiexec.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
- 4616 msiexec.exe
- 4616 msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
- Token: SeShutdownPrivilege 2132 msiexec.exe
- Token: SeIncreaseQuotaPrivilege 2132 msiexec.exe
- Token: SeSecurityPrivilege 4616 msiexec.exe
- Token: SeCreateTokenPrivilege 2132 msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege 2132 msiexec.exe
- Token: SeLockMemoryPrivilege 2132 msiexec.exe
- Token: SeIncreaseQuotaPrivilege 2132 msiexec.exe
- Token: SeMachineAccountPrivilege 2132 msiexec.exe
- Token: SeTcbPrivilege 2132 msiexec.exe
- Token: SeSecurityPrivilege 2132 msiexec.exe
- Token: SeTakeOwnershipPrivilege 2132 msiexec.exe
- Token: SeLoadDriverPrivilege 2132 msiexec.exe
- Token: SeSystemProfilePrivilege 2132 msiexec.exe
- Token: SeSystemtimePrivilege 2132 msiexec.exe
- Token: SeProfSingleProcessPrivilege 2132 msiexec.exe
- Token: SeIncBasePriorityPrivilege 2132 msiexec.exe
- Token: SeCreatePagefilePrivilege 2132 msiexec.exe
- Token: SeCreatePermanentPrivilege 2132 msiexec.exe
- Token: SeBackupPrivilege 2132 msiexec.exe
- Token: SeRestorePrivilege 2132 msiexec.exe
- Token: SeShutdownPrivilege 2132 msiexec.exe
- Token: SeDebugPrivilege 2132 msiexec.exe
- Token: SeAuditPrivilege 2132 msiexec.exe
- Token: SeSystemEnvironmentPrivilege 2132 msiexec.exe
- Token: SeChangeNotifyPrivilege 2132 msiexec.exe
- Token: SeRemoteShutdownPrivilege 2132 msiexec.exe
- Token: SeUndockPrivilege 2132 msiexec.exe
- Token: SeSyncAgentPrivilege 2132 msiexec.exe
- Token: SeEnableDelegationPrivilege 2132 msiexec.exe
- Token: SeManageVolumePrivilege 2132 msiexec.exe
- Token: SeImpersonatePrivilege 2132 msiexec.exe
- Token: SeCreateGlobalPrivilege 2132 msiexec.exe
- Token: SeCreateTokenPrivilege 2132 msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege 2132 msiexec.exe
- Token: SeLockMemoryPrivilege 2132 msiexec.exe
- Token: SeIncreaseQuotaPrivilege 2132 msiexec.exe
- Token: SeMachineAccountPrivilege 2132 msiexec.exe
- Token: SeTcbPrivilege 2132 msiexec.exe
- Token: SeSecurityPrivilege 2132 msiexec.exe
- Token: SeTakeOwnershipPrivilege 2132 msiexec.exe
- Token: SeLoadDriverPrivilege 2132 msiexec.exe
- Token: SeSystemProfilePrivilege 2132 msiexec.exe
- Token: SeSystemtimePrivilege 2132 msiexec.exe
- Token: SeProfSingleProcessPrivilege 2132 msiexec.exe
- Token: SeIncBasePriorityPrivilege 2132 msiexec.exe
- Token: SeCreatePagefilePrivilege 2132 msiexec.exe
- Token: SeCreatePermanentPrivilege 2132 msiexec.exe
- Token: SeBackupPrivilege 2132 msiexec.exe
- Token: SeRestorePrivilege 2132 msiexec.exe
- Token: SeShutdownPrivilege 2132 msiexec.exe
- Token: SeDebugPrivilege 2132 msiexec.exe
- Token: SeAuditPrivilege 2132 msiexec.exe
- Token: SeSystemEnvironmentPrivilege 2132 msiexec.exe
- Token: SeChangeNotifyPrivilege 2132 msiexec.exe
- Token: SeRemoteShutdownPrivilege 2132 msiexec.exe
- Token: SeUndockPrivilege 2132 msiexec.exe
- Token: SeSyncAgentPrivilege 2132 msiexec.exe
- Token: SeEnableDelegationPrivilege 2132 msiexec.exe
- Token: SeManageVolumePrivilege 2132 msiexec.exe
- Token: SeImpersonatePrivilege 2132 msiexec.exe
- Token: SeCreateGlobalPrivilege 2132 msiexec.exe
- Token: SeCreateTokenPrivilege 2132 msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege 2132 msiexec.exe
- Token: SeLockMemoryPrivilege 2132 msiexec.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process
- 2132 msiexec.exe
- 2132 msiexec.exe
- 652 notepad.exe
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process
- 2420 OpenWith.exe
- 2420 OpenWith.exe
- 2420 OpenWith.exe
- 2420 OpenWith.exe
- 2420 OpenWith.exe
- 2420 OpenWith.exe
- 2420 OpenWith.exe
- 2420 OpenWith.exe
- 2420 OpenWith.exe
- 2420 OpenWith.exe
- 2420 OpenWith.exe
- 2420 OpenWith.exe
- 2420 OpenWith.exe
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target
- PID 4616 wrote to memory of 516 4616 msiexec.exe 123
- PID 4616 wrote to memory of 516 4616 msiexec.exe 123
- PID 4616 wrote to memory of 516 4616 msiexec.exe 123
- PID 4616 wrote to memory of 736 4616 msiexec.exe 128
- PID 4616 wrote to memory of 736 4616 msiexec.exe 128
- PID 4616 wrote to memory of 2384 4616 msiexec.exe 130
- PID 4616 wrote to memory of 2384 4616 msiexec.exe 130
- PID 4616 wrote to memory of 2384 4616 msiexec.exe 130
- PID 4616 wrote to memory of 1844 4616 msiexec.exe 131
- PID 4616 wrote to memory of 1844 4616 msiexec.exe 131
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.aescrypt.com/download/ (PID 2292)
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3808,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:1 (PID 1416)
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3820,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5040 /prefetch:1 (PID 4504)
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5264,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5280 /prefetch:1 (PID 4064)
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5420,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5432 /prefetch:8 (PID 2384)
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5444,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5516 /prefetch:8 (PID 1492)
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5952,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5968 /prefetch:1 (PID 2604)
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5464,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5932 /prefetch:8 (PID 4656)
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5948,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=6240 /prefetch:1 (PID 1324)
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=5036,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=6384 /prefetch:1 (PID 3660)
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6544,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=6456 /prefetch:1 (PID 3400)
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6556,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=6332 /prefetch:1 (PID 1092)
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=6400,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:8 (PID 1672)
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6964,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=6620 /prefetch:1 (PID 4804)
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6236,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=7152 /prefetch:8 (PID 4520)
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7336,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=7432 /prefetch:8 (PID 4640)
- C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding (PID 2428)
- "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\AESCrypt_v310_x64\Install Notes.txt (PID 1324)
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5660,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5656 /prefetch:8 (PID 1996)
- "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\AESCrypt_v310_x64\Install Notes.txt (PID 2484)
- "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\AESCrypt_v310_x64\AESCrypt.msi" (PID 2132)
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe /V (PID 4616)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\syswow64\MsiExec.exe -Embedding 8EA4FB74E909F53C3F638E3189FC3A48 C (PID 516)
    - Loads dropped DLL
  - Child: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 (PID 736)
  - Child: C:\Windows\syswow64\MsiExec.exe -Embedding 7993EDE2483279644D619FB3761CFAC9 (PID 2384)
    - Loads dropped DLL
  - Child: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\AESCrypt\AESCrypt.dll" (PID 1844)
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
- C:\Windows\system32\vssvc.exe (PID 3344)
  - Checks SCSI registry key(s)
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4372,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=6304 /prefetch:8 (PID 1856)
- "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\top secret document.txt (PID 1720)
- C:\Windows\system32\OpenWith.exe -Embedding (PID 2420)
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- "C:\Windows\system32\notepad.exe" (PID 652)
  - Suspicious use of FindShellTrayWindow
- "C:\Program Files\AESCrypt\AESCrypt32.exe" "C:\Users\Admin\Desktop\top secret document.txt.aes" (PID 4244)
  - Executes dropped EXE
  - Loads dropped DLL
- "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\top secret document.txt (PID 4936)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 14KB
  MD5: fb772fe59aa608250829e5d49f8ce428
  SHA1: 0333b4d8d9823c0d3d2334958cd66bcf36f6faa2
  SHA256: be8c58ef15fadf1287a35c3f2ccf554f135aacaf7e9377dd2eb41558c645413c
  SHA512: 4adf2015a0ee0ab60339fb4316ddbfc9782e60a6f6b9c46127eba77cf166a85dcf7937cf897e399a87dd7a52119a26dfe502b7aa8128609fb7eee60b206d9725
- Filesize: 136KB
  MD5: ff91c1c5852c1b87a75d92070793dbf9
  SHA1: e37c4873e1e11b6a38291a2fcea9710181e03d5a
  SHA256: 71020aa19597ac2d7ada376b244d71bda8e747c640735390804d1e163297ab07
  SHA512: a3170a0685560e4d1f9d3b50b200475667f27d529c9fa0d2cb9757633e81c5af2ef4bbe6dd60bdac478cd7bd74e9cec7d000ed79a7e341eb851a6f733e965761
- Filesize: 231KB
  MD5: 5494165b1384faeefdd3d5133df92f5a
  SHA1: b7b82805f1a726c4eee39152d1a6a59031d7798c
  SHA256: ba0ad3a4d2112b269e379a2231128e7ebe23e95d5d04878d6ee8815e657bb055
  SHA512: ecd5012df2a060fa58664e856a84716f162d3420e7a7a1368612451ec65f2dcd674c7031d780a6c9d357700f6baeb31325748bc29270850ee4070079f15be613
- Filesize: 25B
  MD5: 3144fee0689fce4e845810c025213241
  SHA1: 1cc38701a092cc234d295fb54d81d695b9c0e703
  SHA256: 71712bdabb9ac01054eae88ebbabe83209f598e5d26bfc8f126cf0acb3d135e4
  SHA512: bc2af25599c0f4ac853e31d5a34385b02d43ba06eae4b192ee19edcd0cf9303ce4f3aa35b888895328e1375247c4bea0034bec44d6d9baa9b8711c79d93c5ce0
- Filesize: 1.2MB
  MD5: e738da4ddde4ec6a45f0e5e64acc99aa
  SHA1: bd7d7aab63690429eda5d715d7199fa1ea658fea
  SHA256: aa96e7facf48235b091b01453ae6290860b1ff28889026e72936172875efe70c
  SHA512: 1bf3191ebca190d28750ba59aa0bb93d0006b8804c377764e7b6358acfdfcc6ea3676d3fd4033c2bb0dd0eb69ec35dc010ba761c3cf91f85d1a3ea765d1a854b
- Filesize: 23.7MB
  MD5: 5c61ef0b648be4643d2641bc76add5f5
  SHA1: cb234580e4946f46aacb0527e11341389fd43cc8
  SHA256: 6ee865a04d6a10fae8d3335ac1cd1054a5f6f915ca3bea366f027fdc78f6302a
  SHA512: 4e44a90138bead661156ccc87526f0080ad4c5f6a1568ea1cae0e47d3802a2593a915e2a34585b670fb3905fd2fb2f7eb200fa9928c9afd50df41f737f9963a1
- \??\Volume{8a2ad7b7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2dc475b1-d933-4c17-9f4d-7c30e79b88bb}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: a3f7a3ef5055c69e5f61da565ff7430c
  SHA1: 0dfd62038b26339478cf45bd88564c8d131ae45c
  SHA256: 82ba007c6446f44c9c442c6e3c7175586d0fdc9e6e4553bada9c32490db2aa64
  SHA512: 030269a46273af6b2115b342d0e09be5ea5aff2d3a5ff88188bfaf66c2bdc64ec3df6e7079d8bfa7d4ef35e21eaf49e6eb55160f9715975602f3e9995cad2f1d
- Filesize: 59KB
  MD5: 6f4c900de98138dbaa20e27d707c8649
  SHA1: 32a06f040ca6556dbeb529c401e72c83ef7a8b58
  SHA256: 9e54ee322b12982c7164e9fa7120984c4d75546338569ceb3dd5e4b3dd0ec5ab
  SHA512: a797582dc7e22f66924883b2e211a3e3d55c8809820b0e56c1631af302230d0aa0264108e9501a8326f9430a8832edee8ae589badc102ac8f8c8bd6b3c58aa2b