01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e

General

Target

01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Size

8.3MB
MD5

6471750f3b9a2935080da97fabd69154
SHA1

f1a0202d073d357da613bf01c3d822a9c56ee0fc
SHA256

01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e
SHA512

7a35521edfebe584dbf99a6ccd4578cdcc94f632d2c87e92937a8bb6ba61e7bd8ad29fd42a977747aea5e6ee39b4568faa15be3fa28d254328b35aefd734f6e6
SSDEEP

98304:7yDQkeSLhuba4o3r0fCjABzZ1ZTimIO2sHrZbJpJJ9uVahC8FFbtBIofsbg8t1fB:CQTSLXg6IbFtZvJJiahCulz18t15ekF

Score

9^/10

oss_ak

Malware Config

Signatures

detect oss ak 1 IoCs

oss ak information detected.

oss_ak

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WindowsProgramInstaller.exe	detect_ak_stuff

Executes dropped EXE 4 IoCs

Processes:

MSI4F8E.tmpDeepL_x64.exeMSI507A.tmpWindowsProgramInstaller.exe

pid process

3760 MSI4F8E.tmp
1376 DeepL_x64.exe
4748 MSI507A.tmp
1148 WindowsProgramInstaller.exe
Loads dropped DLL 8 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid process

5108 MsiExec.exe
5108 MsiExec.exe
4708 MsiExec.exe
4708 MsiExec.exe
4708 MsiExec.exe
4708 MsiExec.exe
4708 MsiExec.exe
4708 MsiExec.exe

pid	process
3760	MSI4F8E.tmp
1376	DeepL_x64.exe
4748	MSI507A.tmp
1148	WindowsProgramInstaller.exe

pid	process
5108	MsiExec.exe
5108	MsiExec.exe
4708	MsiExec.exe
4708	MsiExec.exe
4708	MsiExec.exe
4708	MsiExec.exe
4708	MsiExec.exe
4708	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\M:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\U:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\Z:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\X:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\L:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\O:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\R:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\S:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\V:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\P:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\T:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in Windows directory 15 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e574ad4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4BE0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4CBC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4CCD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e574ad4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4F8E.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A5BBA976-4B07-4766-95EA-8521D8C0711D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E55.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI507A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4B32.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4C00.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4BCF.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe

Modifies registry class 1 IoCs

Processes:

WindowsProgramInstaller.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings WindowsProgramInstaller.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

3980 msiexec.exe
3980 msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	WindowsProgramInstaller.exe

pid	process
3980	msiexec.exe
3980	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exe01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe

description	pid	process
Token: SeSecurityPrivilege	3980	msiexec.exe
Token: SeCreateTokenPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeAssignPrimaryTokenPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeLockMemoryPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeIncreaseQuotaPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeMachineAccountPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeTcbPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSecurityPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeTakeOwnershipPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeLoadDriverPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSystemProfilePrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSystemtimePrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeProfSingleProcessPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeIncBasePriorityPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeCreatePagefilePrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeCreatePermanentPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeBackupPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeRestorePrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeShutdownPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeDebugPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeAuditPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSystemEnvironmentPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeChangeNotifyPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeRemoteShutdownPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeUndockPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSyncAgentPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeEnableDelegationPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeManageVolumePrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeImpersonatePrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeCreateGlobalPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeCreateTokenPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeAssignPrimaryTokenPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeLockMemoryPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeIncreaseQuotaPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeMachineAccountPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeTcbPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSecurityPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeTakeOwnershipPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeLoadDriverPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSystemProfilePrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSystemtimePrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeProfSingleProcessPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeIncBasePriorityPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeCreatePagefilePrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeCreatePermanentPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeBackupPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeRestorePrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeShutdownPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeDebugPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeAuditPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSystemEnvironmentPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeChangeNotifyPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeRemoteShutdownPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeUndockPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeSyncAgentPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeEnableDelegationPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeManageVolumePrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeImpersonatePrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeCreateGlobalPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeCreateTokenPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeAssignPrimaryTokenPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeLockMemoryPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeIncreaseQuotaPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
Token: SeMachineAccountPrivilege	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exemsiexec.exeDeepL_x64.exe

pid process

5032 01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
4008 msiexec.exe
4008 msiexec.exe
1376 DeepL_x64.exe

pid	process
5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
4008	msiexec.exe
4008	msiexec.exe
1376	DeepL_x64.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

msiexec.exe01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe

description	pid	process	target process
PID 3980 wrote to memory of 5108	3980	msiexec.exe	MsiExec.exe
PID 3980 wrote to memory of 5108	3980	msiexec.exe	MsiExec.exe
PID 3980 wrote to memory of 5108	3980	msiexec.exe	MsiExec.exe
PID 5032 wrote to memory of 4008	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe	msiexec.exe
PID 5032 wrote to memory of 4008	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe	msiexec.exe
PID 5032 wrote to memory of 4008	5032	01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe	msiexec.exe
PID 3980 wrote to memory of 4708	3980	msiexec.exe	MsiExec.exe
PID 3980 wrote to memory of 4708	3980	msiexec.exe	MsiExec.exe
PID 3980 wrote to memory of 4708	3980	msiexec.exe	MsiExec.exe
PID 3980 wrote to memory of 3760	3980	msiexec.exe	MSI4F8E.tmp
PID 3980 wrote to memory of 3760	3980	msiexec.exe	MSI4F8E.tmp
PID 3980 wrote to memory of 3760	3980	msiexec.exe	MSI4F8E.tmp
PID 3980 wrote to memory of 4748	3980	msiexec.exe	MSI507A.tmp
PID 3980 wrote to memory of 4748	3980	msiexec.exe	MSI507A.tmp
PID 3980 wrote to memory of 4748	3980	msiexec.exe	MSI507A.tmp

C:\Users\Admin\AppData\Local\Temp\01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe
"C:\Users\Admin\AppData\Local\Temp\01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DeepLSetup\DeepLSetup 1.0.0.0\install\DeepL_Setup.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\01bf8b7817a9965e2497b953a0d5a4c4431bded1e98172cd7afff9520640663e.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1715722692 " AI_EUIMSI=""
2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:4008

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 20C0D83214A997B60C2D1EF6C5ECE460 C
2⤵
- Loads dropped DLL
PID:5108

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4F0FB3F94B1E9AE4681089E5C6C76CB1
2⤵
- Loads dropped DLL
PID:4708

C:\Windows\Installer\MSI4F8E.tmp
"C:\Windows\Installer\MSI4F8E.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\DeepL_x64.exe"
2⤵
- Executes dropped EXE
PID:3760

C:\Windows\Installer\MSI507A.tmp
"C:\Windows\Installer\MSI507A.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\WindowsProgramInstaller.exe"
2⤵
- Executes dropped EXE
PID:4748

C:\Users\Admin\AppData\Local\Temp\DeepL_x64.exe
"C:\Users\Admin\AppData\Local\Temp\DeepL_x64.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1376

C:\Users\Admin\AppData\Local\Temp\WindowsProgramInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsProgramInstaller.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e574ad7.rbs
Filesize
421KB

MD5
c44967ab9db56db475eb9bcf10c9d3c0

SHA1
b9f77b4c749d834070410646964b1221e0906e04

SHA256
433cd21e93bf51dc26776f96f322938d0eb2bbfadf80180aadb80ef3423032d0

SHA512
81a7fa3477b7d2d9683a5a2455d7a04b24127cccd0b7513a35cbe784a3d93477f63205072631ae60bc86e14f5aca89fdbeb6bd05576fea762a044e0df712116d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeepL_x64.exe
Filesize
4.2MB

MD5
90d0a198ebd84ab18ed372dab02b5862

SHA1
d4f39b9a647ae6ad7c981c7acb4a6ff06025094d

SHA256
0037c9895723fb712b57b144cbb429f319ab5a3c1e4c44a3ffefa351486bcdaf

SHA512
056c0300b2f9beb88a83711d94082fd3c8a86d7d9f73de37dd1f63795a1c1cb780fa4e984a2a2416d0ea489750622633402586e98e72799031f6c933379df84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI48A3.tmp
Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsProgramInstaller.exe
Filesize
3.6MB

MD5
c3dca8a1bd0bc7e3016ae4a2d8cff1af

SHA1
df6047d4caa7ebde25735edea25d2b1d0fd03737

SHA256
ba42b868a8618ca9ef05a27031c483d9306b944927cde7e9dd54c833447e9e91

SHA512
81516d6cdce85316671b12c3e7e3cf73220f17a5a5df90070af56f83895a6f618f819d35b6b8a02eb18763e232e9904f527229ec3500ec62a9780b79c8341f49

Download Submit
C:\Users\Admin\AppData\Roaming\DeepLSetup\DeepLSetup 1.0.0.0\install\DeepL_Setup.msi
Filesize
2.2MB

MD5
ed011ae5bd9b187f623680a99a82a8c3

SHA1
b26c7b62c90a5e20627fec65df61eb605dd1c30b

SHA256
d22ddab47c5ba6fdc5f2b4c4d41644597d832a56bc91a2074092a55923bf3843

SHA512
ff8cf2ebd6fdabdc16f31150ce48cab43202769d83a2d86c8c42265c99b337c4d036fdd49393e1bc651df33fbf3dd527bc2b14e9598123d4e4e86cf72222f925

Download Submit
C:\Users\Admin\AppData\Roaming\DeepLSetup\DeepLSetup 1.0.0.0\install\DeepL_Setup1.cab
Filesize
2.9MB

MD5
45d1b6fe6265012304efded3b68b514b

SHA1
81f730fa79f79c3a414dbc440212082d941904be

SHA256
f00693121cb98dd585afcc1718256b2f29179812a8ca91168a48c247d8f4d384

SHA512
b0f204639ddf896d0abf147cac679457b280af9ffe0815ccc4b6c55415355b02b32c52e5774f1974522e6fb5b991a37c04c1f5d92826f0778a7d8333b07032ac

Download Submit
C:\Windows\Installer\MSI4CCD.tmp
Filesize
709KB

MD5
89136bfd28a2e1ec6b6d841214e1e670

SHA1
4c6aab98925cb556f7bf2dbbc9f7ed0da92ef2ab

SHA256
1a3c0e60aad0a3bb92a6e0b786df93920aed7b0c7ec56ab49f2692102ac5adec

SHA512
22237702745fe11a6f23a943f16a12f23b42fe04d87af6383afeccd854320f3a6961590a76ab6a04f020f9830fb3d9f8b34315ad007a5464dbdba2d543851812

Download Submit
C:\Windows\Installer\MSI4F8E.tmp
Filesize
419KB

MD5
cac0eaeb267d81cf3fa968ee23a6af9d

SHA1
cf6ae8e44fb4949d5f0b01b110eaba49d39270a2

SHA256
f1dd0dd1e83b28ffa2ed30f46f98e94a4919ec1f4e9d33720354288b77153774

SHA512
8edf9f733dda9000a6e2b70da61912dbc15f74c836d738391ceddcdff20f5b420a678450523cf331aa9bce90217aa92ac6e73d1880ae15c9842ccc7d3296f95b

Download Submit
memory/1376-69-0x0000000000F20000-0x0000000001358000-memory.dmp

Filesize
4.2MB

Download
memory/1376-77-0x0000000001C70000-0x0000000001C8A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads