hxxps://drive[.]google[.]com/file/d/1-m_JuUMXABmwUlM2EEwmLDxWJBn17WTD/view

Analysis

max time kernel
305s
max time network
317s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1-m_JuUMXABmwUlM2EEwmLDxWJBn17WTD/view

Score

6^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
78	1740	msiexec.exe
80	1740	msiexec.exe
82	1740	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
8	drive.google.com
9	drive.google.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f7abda4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7abda4.msi	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2728	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1524	7zG.exe
2856	7zG.exe
2540	7zG.exe
1740	msiexec.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1968	1200	chrome.exe	28
PID 1200 wrote to memory of 1968	1200	chrome.exe	28
PID 1200 wrote to memory of 1968	1200	chrome.exe	28
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2568	1200	chrome.exe	30
PID 1200 wrote to memory of 2732	1200	chrome.exe	31
PID 1200 wrote to memory of 2732	1200	chrome.exe	31
PID 1200 wrote to memory of 2732	1200	chrome.exe	31
PID 1200 wrote to memory of 2148	1200	chrome.exe	32
PID 1200 wrote to memory of 2148	1200	chrome.exe	32
PID 1200 wrote to memory of 2148	1200	chrome.exe	32
PID 1200 wrote to memory of 2148	1200	chrome.exe	32
PID 1200 wrote to memory of 2148	1200	chrome.exe	32
PID 1200 wrote to memory of 2148	1200	chrome.exe	32
PID 1200 wrote to memory of 2148	1200	chrome.exe	32
PID 1200 wrote to memory of 2148	1200	chrome.exe	32
PID 1200 wrote to memory of 2148	1200	chrome.exe	32
PID 1200 wrote to memory of 2148	1200	chrome.exe	32
PID 1200 wrote to memory of 2148	1200	chrome.exe	32
PID 1200 wrote to memory of 2148	1200	chrome.exe	32
PID 1200 wrote to memory of 2148	1200	chrome.exe	32
PID 1200 wrote to memory of 2148	1200	chrome.exe	32
PID 1200 wrote to memory of 2148	1200	chrome.exe	32
PID 1200 wrote to memory of 2148	1200	chrome.exe	32
PID 1200 wrote to memory of 2148	1200	chrome.exe	32
PID 1200 wrote to memory of 2148	1200	chrome.exe	32
PID 1200 wrote to memory of 2148	1200	chrome.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1-m_JuUMXABmwUlM2EEwmLDxWJBn17WTD/view
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef67b9758,0x7fef67b9768,0x7fef67b9778
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1380,i,1216623065057897684,17076656836461075161,131072 /prefetch:2
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1140 --field-trial-handle=1380,i,1216623065057897684,17076656836461075161,131072 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1380,i,1216623065057897684,17076656836461075161,131072 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2268 --field-trial-handle=1380,i,1216623065057897684,17076656836461075161,131072 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2276 --field-trial-handle=1380,i,1216623065057897684,17076656836461075161,131072 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1576 --field-trial-handle=1380,i,1216623065057897684,17076656836461075161,131072 /prefetch:2
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3228 --field-trial-handle=1380,i,1216623065057897684,17076656836461075161,131072 /prefetch:1
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3808 --field-trial-handle=1380,i,1216623065057897684,17076656836461075161,131072 /prefetch:8
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3752 --field-trial-handle=1380,i,1216623065057897684,17076656836461075161,131072 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4008 --field-trial-handle=1380,i,1216623065057897684,17076656836461075161,131072 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3652 --field-trial-handle=1380,i,1216623065057897684,17076656836461075161,131072 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1164 --field-trial-handle=1380,i,1216623065057897684,17076656836461075161,131072 /prefetch:8
  2⤵
  PID:1552

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2512

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" t -an -ai#7zMap9101:100:7zEvent9759
1⤵
- Suspicious use of FindShellTrayWindow
PID:1524

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\x64__x32__installer\" -spe -an -ai#7zMap30295:100:7zEvent3844
1⤵
- Suspicious use of FindShellTrayWindow
PID:2856

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4d4
1⤵
PID:2528

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\x64__x32__installer\x64__x32___setup\" -spe -an -ai#7zMap11881:134:7zEvent12404
1⤵
- Suspicious use of FindShellTrayWindow
PID:2540

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\x64__x32__installer\x64__x32___setup\setup.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:1740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
PID:3048
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F35C816EC78624A0F8DC7026FCCF8903
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssC304.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiC301.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrC302.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrC303.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7abda8.rbs

Filesize
18KB

MD5
0947a78f47df79f393eb219f85aba043

SHA1
f13ba94800353ee0ed49771b72eaa6a94701eba6

SHA256
793db8f851d69884eb3eea93cfe0e15cb587af376e8e9ad289d43d3114cc446e

SHA512
f831a293ac894209cf6d1c6b1e52ce607cc5f920976c25b74facfd432a8808d4ced5b1fbfd282241fd0be594c255eb009795c425af2851feee0fb3052ebae07c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560

Filesize
1KB

MD5
e94fb54871208c00df70f708ac47085b

SHA1
4efc31460c619ecae59c1bce2c008036d94c84b8

SHA256
7b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df86

SHA512
2e15b76e16264abb9f5ef417752a1cbb75f29c11f96ac7d73793172bd0864db65f2d2b7be0f16bbbe686068f0c368815525f1e39db5a0d6ca3ab18be6923b898

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
886396f39f555a38253c4b553db6598d

SHA1
ff8ae7e59afa69fdd9906dab9dada96f95115dd8

SHA256
031b7d21f515c315d65cb9942110aab4aa650249b1ead6baa864c42bcc2d6a9b

SHA512
74229fc20c4913753da88366f3a6669e224dbfd6f2d37070bee2c55d4537ec506c6ef0e8233802ab060618a233c5c2c83fce71f68df8bc14946296d7adeb6231

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560

Filesize
264B

MD5
eb4ebc00021299c2a4944422780b742f

SHA1
d8d4e4329f3904fb7fbabec5df11cc6d57e072a8

SHA256
f1784e0199626908b28110cd996524c338753dfecdf144251cb4db8bb899de64

SHA512
9c016133c133075654970d2548fc6417346e87f89e38358d5750226b80287a8132be4e4c1f9a412bc516fd837f117c7f8d70593c247aa7c96d37637662152a1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ed4dd7320f73fe0a33b4d7f0976705c3

SHA1
e30f40db82c6ff2a2bb80968ddc6dedc68b52b4f

SHA256
107ee4a11b8074dbc67aa1003232cf3f753482a4551968b1be49238373bf6dc4

SHA512
5e35402cb5702855065df247e31fe9b4fdae32f14b12fc00b616c912bdb3934760783662669ca340e354db82505c19d2db942d8ba8c544d2a3aa7fe1b85a1d36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
eb8866375bd74987bed69da40238503d

SHA1
9083d845d2b6dc6c83a49a2d7986b0d556647865

SHA256
3b745ccf4d8a1d9232ec42b4427f577563419eabd97cc0bf8e884149e48ebadf

SHA512
9ac2d560953ae2e85b8c2afedd18c682298771c3827b96d1c76dcba8a389655e91706fd54f980f1501ec61de3a95001b11939d9e78976ffd9a794073acd32d66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
3dae8dfc351556cb347765eac19a9ce1

SHA1
58d84dfe5cc7a52d0e35b0b1810a42a4068c196b

SHA256
385b8590f2a5616f40809a85e0830a586241d077eab4eb15a5ded91d7f8c5a68

SHA512
fb9b8111c45dc1f1e1d6f43a6bf819aedeba24b7efaaac09c756cf71683cecdf1f6a8492a4fba9a0fef40c08ec414312a216a3e488c1a3379d9e8392b377563f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b0b91a2ede04407d86b4179a78402317

SHA1
9f636ddf263a11be9c413a683bcbfd02b44f5fd4

SHA256
e5eb47504145ca52f712dd6722ad5da0400a08e895b80f593ff4470463a1e302

SHA512
c018ba27d204e32d52ddd558be79c0243f14feec6c67c14221c45e9c9db3db443828b11a296feffb13596e9841b34d21e72cb604a11f63bbea96702ec3996f0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
98a630d65216887f378b817687146dc9

SHA1
c0b33bf93f1c2b9a7bee46c563d0831b9a55769f

SHA256
03bf35cb5d98e20803406d9e5ffc34c9e80705630beb55655d998f9fc57b2f24

SHA512
7fc084382bea54083e54de78334e515e580aba483a92833b2aef25280830a2246e84121cc24eebcb88c77d5116b9c6113ff996d41987ea5b36b0e64947873108

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7e6b889c237f93d8176404e1ddb4a3a2

SHA1
1ed10ea8d2c5eff6044ac3d396b98cc74a8297f2

SHA256
0e40080fdac8a936b588af7bfdcb3485f44c8af99941fcd0038083b0954c0e9e

SHA512
953f2805882f8ed39ca9a18e7d5f6fdc6ec10833f3c4d382b77ffa083de16a4ca71164713273910da86b8d4a540105bf53eea957403bfefd33ed9585fdc2652e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
d9037bb40d8bff4521ca942db25497ea

SHA1
113aa5ad1834405dd826190bc0eefb622bac4645

SHA256
ce14a85d6a25283aa71282a3b4abd5d77fbe58aeab9cbc1eea915ca6c209b210

SHA512
645e542d40b3fa2fd1db83ffdddd2ddc5ddb0a7d32f0585798bf4166e2ad4348bf03afaa1d6dbdaa250e25500639a8b6bf1a05e389dee98b4797f65a5cb31fc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
77KB

MD5
1fd7f05e553ae73c762e053f533d6def

SHA1
693edfee33cd6d08d906e3ec0b71e08f2d73bc9d

SHA256
9a277dde24ce8c38b2407094d5534f0ba85d865e9ba6fe3ab81248342e688a9c

SHA512
8682b48e8754ddac34aadac3fd0cb837a9e0ab81198c21a646c464c1be3a668889c257c72d2d6f85e0ec13309a020bf3b20e72a8b2ca329e627d1da1dcb3bfe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBBE7.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msiC301.txt

Filesize
54B

MD5
db420131f396adc6189eb74ccab4ef61

SHA1
f7a0653289e00ae8a37836e4bb0c484a5434f4db

SHA256
20712a091c0903c153ec0394f349e4e687fc16980c77434fab8af6c768b4de22

SHA512
8f29ec5eae268faa330bc71859bada8e36b6f53e27d819dff04451de2cb644307c80f64f71b5768906a6c5eb28e5e77f4a1b23dde01bbfa0e6b9575c4fd92f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssC304.ps1

Filesize
6KB

MD5
30c30ef2cb47e35101d13402b5661179

SHA1
25696b2aab86a9233f19017539e2dd83b2f75d4e

SHA256
53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

SHA512
882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrC302.ps1

Filesize
558B

MD5
32aaf95e81f7c25950c11c53615c753a

SHA1
603ae202e859261d2ea09ac44f84d98a44007316

SHA256
e523cdefc4d381fd0bb040f80f8ebcba9a022c7b731d1e3fba27ef0ad8643a58

SHA512
4076c6b5a77ebc5c5e02c28269cf4751644a508c9661806e7560664e9c9379c808ca8c0860e6efd4ea3c837edbcbc4b20060413012e5f446f17a44efcef517db

Download Submit
C:\Users\Admin\AppData\Roaming\Vuis Queue\AppQue\libgcrypt-20.dll

Filesize
975KB

MD5
24dac6152c216a1b7b1afef7c36e2b65

SHA1
a832467931f07b3f41772d89feb194a90be4119b

SHA256
784af4a0d287a6611d5ee4fda32e31d7b3d5afcd14bca75d2564bb9f0045b449

SHA512
b4da7fe3e32fe1dc89197ec4f0a84c1cb38ff4d872f842f4692d1520e2b39efd2d7e3b928a8e225d2504aadf72a923ed7ee7e3552988c6365b9b30358912d6ce

Download Submit
C:\Users\Admin\Downloads\x64__x32__installer.zip

Filesize
36.3MB

MD5
9e6bbfff1e770efdbe71020ff09732ae

SHA1
a38f07325cc3e2ab5d297c24365100e1f1058eff

SHA256
6555de8b241917104e0bc51ed9d4f7dbe255018568ce8973e7e6f5b180f5a19b

SHA512
792ff5dbfce1e1c414acb0e4c74964571bf24638b67b5227f2f5224f6ef3f4f89bb819bfe9e48e8fe657b0522bc44fe96b3730711297330361a5eda8503e0e9e

Download Submit
C:\Users\Admin\Downloads\x64__x32__installer\x64__x32___setup.zip

Filesize
36.3MB

MD5
88b66087c9eaac29881962be4b715086

SHA1
551145170293df218158121851c0e4ab88d26b98

SHA256
20955d369d2fdd099fbffef2860d77734b1d68bfe88734bff0ae34f26005f2fe

SHA512
c14516a76b88ea020772f626d8017c09858b5326656511983e8992180240e672d907827d4fc34c33199e7ec87b0e92bd2cd3f1369068bf9c8fa2f5947b22e1e9

Download Submit
C:\Users\Admin\Downloads\x64__x32__installer\x64__x32___setup\setup.msi

Filesize
35.0MB

MD5
f21f1b608d45926927f6178511bdd579

SHA1
a1a251359d7cea7dfeb52d1314bc460144533eca

SHA256
b089485a125e744a166fc05cef1ec2ed5eeaa51b12f3b8e8d0adc73e7579cc5a

SHA512
66521db47efc6a6f82693330af0e612886e7f0f13c7737da6459c0abb937ad1cbcd1376dc9fbddd6d78af551bc38913871e2e21e48e8d5ed630377b523e8f276

Download Submit
C:\Windows\Installer\MSIC063.tmp

Filesize
738KB

MD5
b158d8d605571ea47a238df5ab43dfaa

SHA1
bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

SHA256
ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

SHA512
56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

Download Submit
C:\Windows\Installer\MSIC249.tmp

Filesize
758KB

MD5
fb4665320c9da54598321c59cc5ed623

SHA1
89e87b3cc569edd26b5805244cfacb2f9c892bc7

SHA256
9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59

SHA512
b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf

Download Submit