Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/05/2024, 22:21
Static task: static1
Behavioral task: behavioral1
- Sample: 94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
- Resource: win10v2004-20240426-en
General
- Target: 94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
- Size: 7.3MB
- MD5: eaa9e76db93e9fb08f82f7efb39dabcd
- SHA1: 48b0965b735e3600deb6652b26873e01ec681408
- SHA256: 94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a
- SHA512: b5ea15f76a340c0e1bc59861f77b1d47b7f6ac49ac7dcb271cf85573a45b7fe3661e8df74438a52bf0ba9a5a8c8759d654e65a03232e5936e6125f1a3bcda225
- SSDEEP: 98304:/yDQkeSLhuba4o3r0fCjA5DT08GHXngvuHEkvPj/zODZVWsikrdrn+oulLguUra0:mQTSLXg6r8G3n4uHNeVThrdrn+F+1
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
- PID 4964: 数据处理器4.7.exe
- PID 4652: svchost.exe
Loads dropped DLL (11 IoCs)
- PID 3660: MsiExec.exe
- PID 3660: MsiExec.exe
- PID 3084: MsiExec.exe
- PID 3084: MsiExec.exe
- PID 3084: MsiExec.exe
- PID 3084: MsiExec.exe
- PID 3084: MsiExec.exe
- PID 3084: MsiExec.exe
- PID 3084: MsiExec.exe
- PID 4376: MsiExec.exe
- PID 4652: svchost.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (3 IoCs)
- File created: C:\Program Files\MonKeyDu\zj\libcef.dll (msiexec.exe)
- File created: C:\Program Files\MonKeyDu\zj\svchost.exe (msiexec.exe)
- File created: C:\Program Files\MonKeyDu\zj\数据处理器4.7.exe (msiexec.exe)
Drops file in Windows directory (16 IoCs)
- File created: C:\Windows\Installer\e57665b.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI66B9.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI69BD.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\e57665b.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI6787.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File created: C:\Windows\Installer\SourceHash{8D7878F2-2AD6-4198-9CA8-333E6B22545E} (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI69BC.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI6A0C.tmp (msiexec.exe)
- File created: C:\Windows\Installer\e57665f.msi (msiexec.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI6756.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI6776.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI67B7.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI6815.tmp (msiexec.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (svchost.exe)
Modifies data under HKEY_USERS (8 IoCs)
- Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a (msiexec.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b (msiexec.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum (svchost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software (svchost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft (svchost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie (svchost.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" (svchost.exe)
- Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E (msiexec.exe)
Modifies registry class (23 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2F8787D86DA28914C98A33E3B62245E5\MainFeature (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\AuthorizedLUAApp = "0" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\SourceList\Net (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\MonKeyDu\\zj 1.0.0\\install\\B22545E\\" (msiexec.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\Clients = 3a0000000000 (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2F8787D86DA28914C98A33E3B62245E5 (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\PackageCode = "51EA08321159446489C11EACABB63F8D" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\Version = "16777216" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\AdvertiseFlags = "388" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\InstanceType = "0" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\DeploymentFlags = "3" (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\SourceList\PackageName = "zj.msi" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\SourceList\Media (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\Assignment = "1" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\SourceList (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\SourceList\Media\DiskPrompt = "[1]" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5 (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\ProductName = "zj" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\Language = "2052" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\34585BE57E07F3B4899EEBFCC4E10679 (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\34585BE57E07F3B4899EEBFCC4E10679\2F8787D86DA28914C98A33E3B62245E5 (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\SourceList\Media\1 = ";" (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\MonKeyDu\\zj 1.0.0\\install\\B22545E\\" (msiexec.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (3 IoCs)
- PID 4472: 94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
- PID 2240: msiexec.exe
- PID 2240: msiexec.exe
Suspicious use of WriteProcessMemory (25 IoCs)
- PID 1936 wrote to memory of 3660 (msiexec.exe, procid_target 88)
- PID 1936 wrote to memory of 3660 (msiexec.exe, procid_target 88)
- PID 1936 wrote to memory of 3660 (msiexec.exe, procid_target 88)
- PID 4472 wrote to memory of 2240 (94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe, procid_target 90)
- PID 4472 wrote to memory of 2240 (94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe, procid_target 90)
- PID 4472 wrote to memory of 2240 (94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe, procid_target 90)
- PID 1936 wrote to memory of 2324 (msiexec.exe, procid_target 103)
- PID 1936 wrote to memory of 2324 (msiexec.exe, procid_target 103)
- PID 1936 wrote to memory of 3084 (msiexec.exe, procid_target 105)
- PID 1936 wrote to memory of 3084 (msiexec.exe, procid_target 105)
- PID 1936 wrote to memory of 3084 (msiexec.exe, procid_target 105)
- PID 1936 wrote to memory of 4376 (msiexec.exe, procid_target 106)
- PID 1936 wrote to memory of 4376 (msiexec.exe, procid_target 106)
- PID 1936 wrote to memory of 4376 (msiexec.exe, procid_target 106)
- PID 1936 wrote to memory of 4964 (msiexec.exe, procid_target 107)
- PID 1936 wrote to memory of 4964 (msiexec.exe, procid_target 107)
- PID 1936 wrote to memory of 4652 (msiexec.exe, procid_target 108)
- PID 1936 wrote to memory of 4652 (msiexec.exe, procid_target 108)
- PID 1936 wrote to memory of 4652 (msiexec.exe, procid_target 108)
- PID 4652 wrote to memory of 1952 (svchost.exe, procid_target 109)
- PID 4652 wrote to memory of 1952 (svchost.exe, procid_target 109)
- PID 4652 wrote to memory of 1952 (svchost.exe, procid_target 109)
- PID 4652 wrote to memory of 4296 (svchost.exe, procid_target 111)
- PID 4652 wrote to memory of 4296 (svchost.exe, procid_target 111)
- PID 4652 wrote to memory of 4296 (svchost.exe, procid_target 111)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe (PID 4472)
  Command line: "C:\Users\Admin\AppData\Local\Temp\94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe"
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (PID 2240)
    Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\MonKeyDu\zj 1.0.0\install\B22545E\zj.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1715916707 " AI_EUIMSI=""
    Signatures: Enumerates connected drives; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 1936)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 3660)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 66ACB74A3683EB66ED09AA2C4E36033B C
    Signatures: Loads dropped DLL
  - C:\Windows\system32\srtasks.exe (PID 2324)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\syswow64\MsiExec.exe (PID 3084)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 6D9F391F08ED4AB9C9C1BB7DB86F5062
    Signatures: Loads dropped DLL
  - C:\Windows\syswow64\MsiExec.exe (PID 4376)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 75098DC1A6935A18C7FDB65D3F8DD632 E Global\MSI0000
    Signatures: Loads dropped DLL
  - C:\Program Files\MonKeyDu\zj\数据处理器4.7.exe (PID 4964)
    Command line: "C:\Program Files\MonKeyDu\zj\数据处理器4.7.exe" start
    Signatures: Executes dropped EXE
  - C:\Program Files\MonKeyDu\zj\svchost.exe (PID 4652)
    Command line: "C:\Program Files\MonKeyDu\zj\svchost.exe" start
    Signatures: Executes dropped EXE; Loads dropped DLL; Checks processor information in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1952)
      Command line: wmic cpu get processorid
    - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 4296)
      Command line: wmic diskdrive get serialnumber
- C:\Windows\system32\vssvc.exe (PID 5076)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Downloads