01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e

General

Target

01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Size

8.3MB
MD5

6471750f3b9a2935080da97fabd69154
SHA1

f1a0202d073d357da613bf01c3d822a9c56ee0fc
SHA256

01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e
SHA512

7a35521edfebe584dbf99a6ccd4578cdcc94f632d2c87e92937a8bb6ba61e7bd8ad29fd42a977747aea5e6ee39b4568faa15be3fa28d254328b35aefd734f6e6
SSDEEP

98304:7yDQkeSLhuba4o3r0fCjABzZ1ZTimIO2sHrZbJpJJ9uVahC8FFbtBIofsbg8t1fB:CQTSLXg6IbFtZvJJiahCulz18t15ekF

Score

9^/10

oss_ak

Malware Config

Signatures

detect oss ak 1 IoCs

oss ak information detected.

oss_ak

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WindowsProgramInstaller.exe	detect_ak_stuff

Executes dropped EXE 4 IoCs

Processes:

MSIFA0.tmpDeepL_x64.exeMSI106D.tmpWindowsProgramInstaller.exe

pid process

1428 MSIFA0.tmp
472 DeepL_x64.exe
2708 MSI106D.tmp
292 WindowsProgramInstaller.exe
Loads dropped DLL 5 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid process

2792 MsiExec.exe
2772 MsiExec.exe
2772 MsiExec.exe
2772 MsiExec.exe
2772 MsiExec.exe

pid	process
1428	MSIFA0.tmp
472	DeepL_x64.exe
2708	MSI106D.tmp
292	WindowsProgramInstaller.exe

pid	process
2792	MsiExec.exe
2772	MsiExec.exe
2772	MsiExec.exe
2772	MsiExec.exe
2772	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\Y:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\Z:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\O:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\V:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\L:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\J:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\Q:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\R:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\A:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\S:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\W:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\M:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\H:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\I:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSICDD.tmp	msiexec.exe
File created	C:\Windows\Installer\f760c34.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI106D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f760c31.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC6F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID3C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDBA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF50.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f760c34.ipi	msiexec.exe
File created	C:\Windows\Installer\f760c31.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2204 msiexec.exe
2204 msiexec.exe

pid	process
2204	msiexec.exe
2204	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exe01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe

description	pid	process
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeSecurityPrivilege	2204	msiexec.exe
Token: SeCreateTokenPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeAssignPrimaryTokenPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeLockMemoryPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeIncreaseQuotaPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeMachineAccountPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeTcbPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSecurityPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeTakeOwnershipPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeLoadDriverPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSystemProfilePrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSystemtimePrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeProfSingleProcessPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeIncBasePriorityPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeCreatePagefilePrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeCreatePermanentPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeBackupPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeRestorePrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeShutdownPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeDebugPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeAuditPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSystemEnvironmentPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeChangeNotifyPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeRemoteShutdownPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeUndockPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSyncAgentPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeEnableDelegationPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeManageVolumePrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeImpersonatePrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeCreateGlobalPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeCreateTokenPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeAssignPrimaryTokenPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeLockMemoryPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeIncreaseQuotaPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeMachineAccountPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeTcbPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSecurityPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeTakeOwnershipPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeLoadDriverPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSystemProfilePrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSystemtimePrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeProfSingleProcessPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeIncBasePriorityPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeCreatePagefilePrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeCreatePermanentPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeBackupPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeRestorePrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeShutdownPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeDebugPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeAuditPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSystemEnvironmentPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeChangeNotifyPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeRemoteShutdownPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeUndockPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSyncAgentPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeEnableDelegationPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeManageVolumePrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeImpersonatePrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeCreateGlobalPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeCreateTokenPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeAssignPrimaryTokenPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeLockMemoryPrivilege	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exemsiexec.exeDeepL_x64.exe

pid process

3068 01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
2428 msiexec.exe
2428 msiexec.exe
472 DeepL_x64.exe

pid	process
3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
2428	msiexec.exe
2428	msiexec.exe
472	DeepL_x64.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

msiexec.exe01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe

description	pid	process	target process
PID 2204 wrote to memory of 2792	2204	msiexec.exe	MsiExec.exe
PID 2204 wrote to memory of 2792	2204	msiexec.exe	MsiExec.exe
PID 2204 wrote to memory of 2792	2204	msiexec.exe	MsiExec.exe
PID 2204 wrote to memory of 2792	2204	msiexec.exe	MsiExec.exe
PID 2204 wrote to memory of 2792	2204	msiexec.exe	MsiExec.exe
PID 2204 wrote to memory of 2792	2204	msiexec.exe	MsiExec.exe
PID 2204 wrote to memory of 2792	2204	msiexec.exe	MsiExec.exe
PID 3068 wrote to memory of 2428	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe	msiexec.exe
PID 3068 wrote to memory of 2428	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe	msiexec.exe
PID 3068 wrote to memory of 2428	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe	msiexec.exe
PID 3068 wrote to memory of 2428	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe	msiexec.exe
PID 3068 wrote to memory of 2428	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe	msiexec.exe
PID 3068 wrote to memory of 2428	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe	msiexec.exe
PID 3068 wrote to memory of 2428	3068	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe	msiexec.exe
PID 2204 wrote to memory of 2772	2204	msiexec.exe	MsiExec.exe
PID 2204 wrote to memory of 2772	2204	msiexec.exe	MsiExec.exe
PID 2204 wrote to memory of 2772	2204	msiexec.exe	MsiExec.exe
PID 2204 wrote to memory of 2772	2204	msiexec.exe	MsiExec.exe
PID 2204 wrote to memory of 2772	2204	msiexec.exe	MsiExec.exe
PID 2204 wrote to memory of 2772	2204	msiexec.exe	MsiExec.exe
PID 2204 wrote to memory of 2772	2204	msiexec.exe	MsiExec.exe
PID 2204 wrote to memory of 1428	2204	msiexec.exe	MSIFA0.tmp
PID 2204 wrote to memory of 1428	2204	msiexec.exe	MSIFA0.tmp
PID 2204 wrote to memory of 1428	2204	msiexec.exe	MSIFA0.tmp
PID 2204 wrote to memory of 1428	2204	msiexec.exe	MSIFA0.tmp
PID 2204 wrote to memory of 1428	2204	msiexec.exe	MSIFA0.tmp
PID 2204 wrote to memory of 1428	2204	msiexec.exe	MSIFA0.tmp
PID 2204 wrote to memory of 1428	2204	msiexec.exe	MSIFA0.tmp
PID 2204 wrote to memory of 2708	2204	msiexec.exe	MSI106D.tmp
PID 2204 wrote to memory of 2708	2204	msiexec.exe	MSI106D.tmp
PID 2204 wrote to memory of 2708	2204	msiexec.exe	MSI106D.tmp
PID 2204 wrote to memory of 2708	2204	msiexec.exe	MSI106D.tmp
PID 2204 wrote to memory of 2708	2204	msiexec.exe	MSI106D.tmp
PID 2204 wrote to memory of 2708	2204	msiexec.exe	MSI106D.tmp
PID 2204 wrote to memory of 2708	2204	msiexec.exe	MSI106D.tmp

C:\Users\Admin\AppData\Local\Temp\01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
"C:\Users\Admin\AppData\Local\Temp\01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DeepLSetup\DeepLSetup 1.0.0.0\install\DeepL_Setup.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1715703898 " AI_EUIMSI=""
2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:2428

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 85E15EAD54FC7122C93CA7D79685B6B2 C
2⤵
- Loads dropped DLL
PID:2792

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DCAAAF31A429174E468176E953D071C1
2⤵
- Loads dropped DLL
PID:2772

C:\Windows\Installer\MSIFA0.tmp
"C:\Windows\Installer\MSIFA0.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\DeepL_x64.exe"
2⤵
- Executes dropped EXE
PID:1428

C:\Windows\Installer\MSI106D.tmp
"C:\Windows\Installer\MSI106D.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\WindowsProgramInstaller.exe"
2⤵
- Executes dropped EXE
PID:2708

C:\Users\Admin\AppData\Local\Temp\DeepL_x64.exe
"C:\Users\Admin\AppData\Local\Temp\DeepL_x64.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:472

C:\Users\Admin\AppData\Local\Temp\WindowsProgramInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsProgramInstaller.exe"
1⤵
- Executes dropped EXE
PID:292

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f760c35.rbs
Filesize
421KB

MD5
0b81cbb6f0928a056dbc22fae9c8e59d

SHA1
fc59717b6b33b6f78dea16622ea4c511e812b346

SHA256
716c80a24cc36a77d6c4dcda0c2f0f8f952f9663bf1947826dc1dfa55330778f

SHA512
1e3fa09ff379728df843ded4ae15f3988fde8d43654bffe8e7e4bd91d9464e39c1b0096772ed72b2b997d945cdcffee364ab8bafa677a80bf4b78cccb63c7e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeepL_x64.exe
Filesize
4.2MB

MD5
90d0a198ebd84ab18ed372dab02b5862

SHA1
d4f39b9a647ae6ad7c981c7acb4a6ff06025094d

SHA256
0037c9895723fb712b57b144cbb429f319ab5a3c1e4c44a3ffefa351486bcdaf

SHA512
056c0300b2f9beb88a83711d94082fd3c8a86d7d9f73de37dd1f63795a1c1cb780fa4e984a2a2416d0ea489750622633402586e98e72799031f6c933379df84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAE9.tmp
Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsProgramInstaller.exe
Filesize
3.6MB

MD5
c3dca8a1bd0bc7e3016ae4a2d8cff1af

SHA1
df6047d4caa7ebde25735edea25d2b1d0fd03737

SHA256
ba42b868a8618ca9ef05a27031c483d9306b944927cde7e9dd54c833447e9e91

SHA512
81516d6cdce85316671b12c3e7e3cf73220f17a5a5df90070af56f83895a6f618f819d35b6b8a02eb18763e232e9904f527229ec3500ec62a9780b79c8341f49

Download Submit
C:\Users\Admin\AppData\Roaming\DeepLSetup\DeepLSetup 1.0.0.0\install\DeepL_Setup.msi
Filesize
2.2MB

MD5
ed011ae5bd9b187f623680a99a82a8c3

SHA1
b26c7b62c90a5e20627fec65df61eb605dd1c30b

SHA256
d22ddab47c5ba6fdc5f2b4c4d41644597d832a56bc91a2074092a55923bf3843

SHA512
ff8cf2ebd6fdabdc16f31150ce48cab43202769d83a2d86c8c42265c99b337c4d036fdd49393e1bc651df33fbf3dd527bc2b14e9598123d4e4e86cf72222f925

Download Submit
C:\Users\Admin\AppData\Roaming\DeepLSetup\DeepLSetup 1.0.0.0\install\DeepL_Setup1.cab
Filesize
2.9MB

MD5
45d1b6fe6265012304efded3b68b514b

SHA1
81f730fa79f79c3a414dbc440212082d941904be

SHA256
f00693121cb98dd585afcc1718256b2f29179812a8ca91168a48c247d8f4d384

SHA512
b0f204639ddf896d0abf147cac679457b280af9ffe0815ccc4b6c55415355b02b32c52e5774f1974522e6fb5b991a37c04c1f5d92826f0778a7d8333b07032ac

Download Submit
C:\Windows\Installer\MSIDBA.tmp
Filesize
709KB

MD5
89136bfd28a2e1ec6b6d841214e1e670

SHA1
4c6aab98925cb556f7bf2dbbc9f7ed0da92ef2ab

SHA256
1a3c0e60aad0a3bb92a6e0b786df93920aed7b0c7ec56ab49f2692102ac5adec

SHA512
22237702745fe11a6f23a943f16a12f23b42fe04d87af6383afeccd854320f3a6961590a76ab6a04f020f9830fb3d9f8b34315ad007a5464dbdba2d543851812

Download Submit
C:\Windows\Installer\MSIFA0.tmp
Filesize
419KB

MD5
cac0eaeb267d81cf3fa968ee23a6af9d

SHA1
cf6ae8e44fb4949d5f0b01b110eaba49d39270a2

SHA256
f1dd0dd1e83b28ffa2ed30f46f98e94a4919ec1f4e9d33720354288b77153774

SHA512
8edf9f733dda9000a6e2b70da61912dbc15f74c836d738391ceddcdff20f5b420a678450523cf331aa9bce90217aa92ac6e73d1880ae15c9842ccc7d3296f95b

Download Submit
memory/472-63-0x0000000000FE0000-0x0000000001418000-memory.dmp

Filesize
4.2MB

Download
memory/472-70-0x0000000000310000-0x000000000032A000-memory.dmp

Filesize
104KB

Download
memory/1428-50-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2708-58-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/3068-0-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads