Analysis
max time kernel: 66s
max time network: 65s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 06:48
Static task: static1
Behavioral task: behavioral1 (Sample: oxc.msi, Resource: win7-20240508-en)
Behavioral task: behavioral2 (Sample: oxc.msi, Resource: win10v2004-20240426-en)
General
Target: oxc.msi
Size: 3.4MB
MD5: b1ae202dc4e66b9a125d28fe4680fe42
SHA1: f87422fa9ac8c2b52eb99f3616335c1484db8857
SHA256: c6de06a61756dc3b5d4ee71674d4132971fb7ed8db7b2e504905f23571ed7bf2
SHA512: dede0c88db06c4912d0e57fcba472b522eb6a2d2bbca62f8616bfa3df6c93301486172b03992a6dfefda77f4a89711c70dcc89c1d78e79574a7122f1c57b5ac1
SSDEEP: 98304:DpkchD0ow0KHR8h/YM9dWhX+Rdx42lfyZc4vOKl4:ecFBw00R8h/YMauRr42lY2
Malware Config

Signatures

Modifies file permissions (1 TTPs, 2 IoCs)
Processes:
pid | process
2272 | ICACLS.EXE
4812 | ICACLS.EXE

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HomeDLL = "C:\\Windows\\SysWOW64\\rundll32 /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}" | reg.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every letter except C:, D: and F:; each opened twice, 46 events in total) | msiexec.exe (two instances)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | rundll32.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 4340 set thread context of 1684 | 4340 | rundll32.exe | WINDBVERS.EXE

Drops file in Windows directory (9 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | EXPAND.EXE
File opened for modification | C:\Windows\Installer\e57687e.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\LOGS\DPX\setupact.log | EXPAND.EXE
File created | C:\Windows\Installer\e57687e.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{BF404E7F-A682-4382-9E50-E66CD71B54AD} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI692A.tmp | msiexec.exe

Executes dropped EXE (2 IoCs)
Processes:
pid | process
916 | elevate.exe
1684 | WINDBVERS.EXE

Loads dropped DLL (5 IoCs)
Processes:
pid | process
3384 | MsiExec.exe
2064 | rundll32.exe
4340 | rundll32.exe
4340 | rundll32.exe
4340 | rundll32.exe

Registers COM server for autorun (1 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{AAE802DB-FB67-4407-A175-61223EFF30D4}\InprocServer32 | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{AAE802DB-FB67-4407-A175-61223EFF30D4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\WMProjectFiles\\soundtrack.ocx" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{AAE802DB-FB67-4407-A175-61223EFF30D4}\InprocServer32\ThreadingModel = "Apartment" | reg.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
Processes:
pid | pid_target | process | target process
4508 | 2064 | WerFault.exe | rundll32.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f9c3b1b881b13bb50000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f9c3b1b80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f9c3b1b8000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df9c3b1b8000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f9c3b1b800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Modifies registry class (13 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{AAE802DB-FB67-4407-A175-61223EFF30D4}\Implemented Categories | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{AAE802DB-FB67-4407-A175-61223EFF30D4}\VERSION | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{AAE802DB-FB67-4407-A175-61223EFF30D4}\ = "functions.under_review" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{AAE802DB-FB67-4407-A175-61223EFF30D4}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{AAE802DB-FB67-4407-A175-61223EFF30D4}\ProgID | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{AAE802DB-FB67-4407-A175-61223EFF30D4}\TypeLib | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{AAE802DB-FB67-4407-A175-61223EFF30D4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\WMProjectFiles\\soundtrack.ocx" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{AAE802DB-FB67-4407-A175-61223EFF30D4}\InprocServer32\ThreadingModel = "Apartment" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{AAE802DB-FB67-4407-A175-61223EFF30D4}\ProgID\ = "functions.under_review" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{AAE802DB-FB67-4407-A175-61223EFF30D4}\VERSION\ = "1.0" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{AAE802DB-FB67-4407-A175-61223EFF30D4} | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{AAE802DB-FB67-4407-A175-61223EFF30D4}\InprocServer32 | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{AAE802DB-FB67-4407-A175-61223EFF30D4}\Programmable | reg.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
3220 | msiexec.exe
3220 | msiexec.exe

Suspicious use of AdjustPrivilegeToken (49 IoCs)
Processes (tokens listed in the order the report records them, grouped by process):
pid | process | tokens
1760 | msiexec.exe | SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
3220 | msiexec.exe | SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
624 | vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
4212 | srtasks.exe | SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid | process
1760 | msiexec.exe
1760 | msiexec.exe

Suspicious use of SetWindowsHookEx (11 IoCs)
Processes:
pid | process | count
2064 | rundll32.exe | 9
4340 | rundll32.exe | 1
1684 | WINDBVERS.EXE | 1

Suspicious use of WriteProcessMemory (43 IoCs)
Processes (grouped by writer and target; count is the number of recorded writes):
pid | process | target pid | target process | count
3220 | msiexec.exe | 4212 | srtasks.exe | 2
3220 | msiexec.exe | 3384 | MsiExec.exe | 3
3384 | MsiExec.exe | 4812 | ICACLS.EXE | 3
3384 | MsiExec.exe | 3108 | EXPAND.EXE | 3
3384 | MsiExec.exe | 3688 | reg.exe | 3
3384 | MsiExec.exe | 916 | elevate.exe | 3
3384 | MsiExec.exe | 2064 | rundll32.exe | 3
2064 | rundll32.exe | 1628 | cmd.exe | 3
1628 | cmd.exe | 4636 | reg.exe | 3
2064 | rundll32.exe | 4340 | rundll32.exe | 3
4340 | rundll32.exe | 1684 | WINDBVERS.EXE | 8
3384 | MsiExec.exe | 4320 | cmd.exe | 3
3384 | MsiExec.exe | 2272 | ICACLS.EXE | 3

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indented by depth in the process tree)

C:\Windows\system32\msiexec.exe (PID 1760)
  cmdline: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\oxc.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 3220)
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe (PID 4212)
      cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\syswow64\MsiExec.exe (PID 3384)
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding AB5C6B21AF2D33BF471444240A3915C9
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ICACLS.EXE (PID 4812)
          cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-930ac7b2-942f-48c5-9503-7c2783d9bb19\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
          - Modifies file permissions

        C:\Windows\SysWOW64\EXPAND.EXE (PID 3108)
          cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
          - Drops file in Windows directory

        C:\Windows\SysWOW64\reg.exe (PID 3688)
          cmdline: "C:\Windows\System32\reg.exe" ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "HomeDLL" /t REG_SZ /F /D "C:\Windows\SysWOW64\rundll32 /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}"
          - Adds Run key to start application

        C:\Users\Admin\AppData\Local\Temp\MW-930ac7b2-942f-48c5-9503-7c2783d9bb19\files\elevate.exe (PID 916)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\MW-930ac7b2-942f-48c5-9503-7c2783d9bb19\files\elevate.exe"
          - Executes dropped EXE

        C:\Windows\SysWOW64\rundll32.exe (PID 2064)
          cmdline: "C:\Windows\System32\rundll32.exe" MAFWIKFNMUI9430.ocx, RunDllEntryPointW
          - Checks computer location settings
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe (PID 1628)
              cmdline: "C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\AppData\Roaming\WMProjectFiles&reg.exe import info.txt
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\reg.exe (PID 4636)
                  cmdline: reg.exe import info.txt
                  - Registers COM server for autorun
                  - Modifies registry class

            C:\Windows\SysWOW64\rundll32.exe (PID 4340)
              cmdline: "C:\Windows\SysWOW64\rundll32.exe" /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}
              - Suspicious use of SetThreadContext
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

                C:\Users\Admin\AppData\Roaming\ProductConfigurations\WINDBVERS.EXE (PID 1684)
                  cmdline: C:\Users\Admin\AppData\Roaming\ProductConfigurations\WINDBVERS.EXE
                  - Executes dropped EXE
                  - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\WerFault.exe (PID 4508)
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1372
              - Program crash

        C:\Windows\SysWOW64\cmd.exe (PID 4320)
          cmdline: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-930ac7b2-942f-48c5-9503-7c2783d9bb19\files"

        C:\Windows\SysWOW64\ICACLS.EXE (PID 2272)
          cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-930ac7b2-942f-48c5-9503-7c2783d9bb19\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          - Modifies file permissions

C:\Windows\system32\vssvc.exe (PID 624)
  cmdline: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 4692)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2064 -ip 2064
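The persistence chain the report records (reg.exe writing a Run value that launches `rundll32 /sta {CLSID}`, then `reg.exe import info.txt` registering that CLSID's InprocServer32 under the user's own Classes hive so the launch resolves to `soundtrack.ocx` in AppData) can be turned into a correlation rule over the report's own registry IoC lines. The script below is an added example written by the editor, not part of the sandbox report or of any tool it names. The first five input lines are copied from the report's "Adds Run key", "Registers COM server for autorun" and "Modifies registry class" tables; the "Demo" and "OneDrive" Run values are constructed to show ProgID resolution and a benign miss. Assumptions, also marked in comments: the set of directory roots treated as not writable without admin rights, and acceptance of the `-sta`/`/dsta` spellings alongside the `/sta {CLSID}` form the report shows.

```python
"""Correlate registry IoCs into a rundll32 /sta COM-persistence finding.

Added example, not part of the sandbox report. Input lines use the report's
own "description ioc process" text; the detection rule is the editor's.
"""
import re
from dataclasses import dataclass
from typing import Optional

GUID = r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}"

# One report row: <op> <key path>[ = "<data>"] <process>
EVENT_RE = re.compile(
    r"^(Key created|Key opened|Key queried|Key value queried|Set value \(\w+\))\s+"
    r'(.+?)(?:\s+=\s+"(.*)")?\s+(\S+)$'
)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
INPROC_RE = re.compile(r"\\CLSID\\(" + GUID + r")\\InprocServer32\\?$", re.I)
PROGID_RE = re.compile(r"\\CLSID\\(" + GUID + r")\\ProgID\\?$", re.I)
# rundll32 activates a COM object given "/sta <CLSID>" (the form in the report);
# assumption: the dash spelling and the /dsta variant are matched as well.
STA_RE = re.compile(r'rundll32(?:\.exe)?"?\s+[/-]d?sta\s+(' + GUID + r"|[A-Za-z0-9_.]+)", re.I)
# Assumption: a COM server outside these roots can be replaced without admin rights.
PROTECTED_ROOTS = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES\\", "C:\\PROGRAM FILES (X86)\\")


@dataclass
class RegEvent:
    op: str
    path: str
    data: Optional[str]
    process: str


@dataclass
class Finding:
    run_value: str            # registry path of the Run value
    launcher: str             # its command line
    target: str               # CLSID or ProgID as written after /sta
    clsid: Optional[str]      # resolved CLSID, None if a ProgID could not be resolved
    server: Optional[str]     # InprocServer32 path, None if not registered in the events
    per_user_hive: bool       # server registered under HKU (HKCU\Software\Classes)
    user_writable: bool       # server path lies outside PROTECTED_ROOTS


def unescape(s: str) -> str:
    # the report prints backslashes doubled inside quoted data
    return s.replace("\\\\", "\\")


def parse_event(line: str) -> Optional[RegEvent]:
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    op, path, data, proc = m.groups()
    return RegEvent(op, path, unescape(data) if data is not None else None, proc)


def find_sta_persistence(lines):
    run_values = {}   # Run value path -> command line
    servers = {}      # CLSID -> (InprocServer32 path, key path it was set under)
    progids = {}      # ProgID (lower-cased) -> CLSID
    for ev in filter(None, map(parse_event, lines)):
        if not ev.op.startswith("Set value") or ev.data is None:
            continue
        if RUN_KEY_RE.search(ev.path):
            run_values[ev.path] = ev.data
        elif (m := INPROC_RE.search(ev.path)):
            servers[m.group(1).upper()] = (ev.data, ev.path)
        elif (m := PROGID_RE.search(ev.path)):
            progids[ev.data.lower()] = m.group(1).upper()

    findings = []
    for run_path, cmd in run_values.items():
        m = STA_RE.search(cmd)
        if not m:
            continue
        target = m.group(1)
        clsid = target.upper() if target.startswith("{") else progids.get(target.lower())
        server, key = servers.get(clsid, (None, None)) if clsid else (None, None)
        findings.append(Finding(
            run_value=run_path, launcher=cmd, target=target, clsid=clsid, server=server,
            per_user_hive=key is not None and key.upper().startswith("\\REGISTRY\\USER\\"),
            user_writable=server is not None and not server.upper().startswith(PROTECTED_ROOTS),
        ))
    return findings


SID = r"\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000"
CLS = SID + r"_Classes\WOW6432Node\CLSID\{AAE802DB-FB67-4407-A175-61223EFF30D4}"
SAMPLE_IOCS = [
    # copied from the report's IoC tables
    r'Set value (str) ' + SID + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HomeDLL = "C:\\Windows\\SysWOW64\\rundll32 /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}" reg.exe',
    r'Key created ' + CLS + r'\InprocServer32 reg.exe',
    r'Set value (str) ' + CLS + r'\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\WMProjectFiles\\soundtrack.ocx" reg.exe',
    r'Set value (str) ' + CLS + r'\InprocServer32\ThreadingModel = "Apartment" reg.exe',
    r'Set value (str) ' + CLS + r'\ProgID\ = "functions.under_review" reg.exe',
    # constructed: the same object launched by ProgID with the dash/dsta spelling
    r'Set value (str) ' + SID + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Demo = "rundll32.exe -dsta functions.under_review" reg.exe',
    # constructed benign Run value: no rundll32 /sta, must not be reported
    r'Set value (str) ' + SID + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\OneDrive\\OneDrive.exe /background" reg.exe',
]

if __name__ == "__main__":
    for f in find_sta_persistence(SAMPLE_IOCS):
        print(f"{f.run_value.rsplit(chr(92), 1)[-1]}: {f.target} -> {f.server} "
              f"(per-user hive={f.per_user_hive}, user-writable={f.user_writable})")
```

The rule fires only when all three pieces line up (Run value, CLSID registration, server path), which is what distinguishes this per-user COM registration from a legitimate installer writing the same keys under HKLM\Software\Classes with a server under Program Files. Run it over a host's Sysmon registry events (EventID 12/13) by mapping each event into the same "op path = data process" shape, or over HKCU\Software\Classes\CLSID directly on a suspect machine.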
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.2MB
MD5: 2f807297f7a507ae395dbad419499fe7
SHA1: f6c3d7eb4ce30ac36ea14805a35c5d0e131af7a6
SHA256: f2894b5e9cc70bdadd842ea5cce47539b9ebfbe7f1873626477168a698468978
SHA512: 9bc9e7a70a41c502833317506ddab8c723e76690346036da175e965ec85b72511b284e3cf1505be9a8ab8a6dc93834cacc8d1a26f5831846ab2bc4a9248c4d31

Filesize: 3.1MB
MD5: 7a969fb05e6382aa56fe5754e82fc179
SHA1: 9f81731e391fadc79c170b4da2f01b21727e67be
SHA256: 1cbb6ed84195d88da51de5ecf1fd06815d10b582942fb92266b34ceb5f77e826
SHA512: bc9926d8b073e0069caba3aba30302835ea90bc54d3cd7c284bacc08ad18f9523b13869c13b7e1861a77562a4e456f385067193fda5400eb79cfb9d3ac026069

Filesize: 13.0MB
MD5: 3cc34d74677bcf9088c5c4666923476e
SHA1: 429543d90147dd60525a3f76513eb1b22194bf56
SHA256: 9c0e4999fcc2629ff921cc903b4bb3718f5983698b1c82826ac8b4a78117180b
SHA512: 5162f8a100bb0a3d43da77e3393994907dbc7e332d5a57f535729ab7332ee15482508e13273bc649c043a8aca5465aaec2cdd6e5c227f45f1baa7afe01d7b3b5

Filesize: 7.9MB
MD5: bd21b0b1a2448fe8017532d94561f4d9
SHA1: 3a046d4893f0fe702fdd0023cb4366368afcfd40
SHA256: 759ae83bce7475dba576953992075942bcd6e1055e18555c9f9dfc81524107a2
SHA512: dd97d88b422be7c6b89ee5aceee59b72996367564b00eadcd04d6fe9ca03265ecae016c5205f43448b76496ac154f61de9856f2c4eca408c034a8d521b64f00b

Filesize: 116KB
MD5: beeb28be4600b914647ef7cb8dbdda87
SHA1: d36ce53c3703a2a438a253c9c90f71696fd0f909
SHA256: 25f473f312de5dab2f6f8959d46da75f0e9d14ce8741d5cdcc29b29889cc14b1
SHA512: 13de0290739236714b84c74f026e4a2614cf6cf2ab45c62397587eb7e56c2075f40c5a0d3ec4294b46b80582d623afd431b28e29b3a441bf4fa40892c2e5a05c

Filesize: 382B
MD5: eade41273099d6e0dd25d39a8f0f5466
SHA1: 2e5e5ac18f772f387ec3df79f940932a98461c92
SHA256: ab91d60bc7f404ec87efc9b979e530867a80e31a564ff30e63345e6c4cd8e3f3
SHA512: fed11b4233778981f5913efb51529632bd52d854a47024b3061f619ab5580e4ad528bae6c1c42442c836acbb6a921c5dde2d10bb9376261e904b7a35e33c0c70

Filesize: 1022B
MD5: e0c056d8454b68c5a83a95a844792245
SHA1: 9c26eb8978d0d31aac1441027f9e9d36e44c0dd7
SHA256: 93d79c1044f6c6b1c17f99e6346b6e598852b4c16dacdfef614f240ae4a178df
SHA512: 3e201cd612ba262f2499a7fe7aaef4caa86f7b2063f6fcb5068c5036666c916108a7dfb9f321fb4d62dc778b1c04ff790f90c629d0bfd704408dde66e4213052

Filesize: 1KB
MD5: ed19d042f9a8381905c9a0290acd1843
SHA1: 2d8940fda28d07cb80799bdd4ba410efbc77d431
SHA256: 8d938a29b6b76f48f27edcff4c40660e9c3699487ee304f95d5adade578cde3e
SHA512: e897f664d83a83d1b638d5a92e00f77afec857b735d3a3a18051711f9857b34bd97bc08a202b4645e726cf0ea3a252a2feaaa31c70ffd5921e15bd21419e3b0e

Filesize: 45KB
MD5: f3260efd0b21dde6a808319149614ac7
SHA1: c7aff49218b38624937742ac31854d77b086a55f
SHA256: 3c55e3e41d4b12815dc543ca653d3d22dd3466c604f47498f8661a29d4c0c44f
SHA512: 8d0602f072f12fe6a8fa73eabcc57712e95c72a4e32c144778b86d7b577b2cc1424e7dbf0e31bf6dc50787b25169dbe394d8c7d11e4fbffc96852dbb976e76cc

Filesize: 1KB
MD5: 56a1ad1818fb3bd63db9c8c86d40884e
SHA1: 89a599219c4017b88b097ddef64939c1ea2083a3
SHA256: c8cb3dca3d91579f88e729e2a001869f0b4064246206a5be934834d77a831d56
SHA512: 757b4323be249c5b1196a4c75c4de4af91f0ae06e8a4a03d20b86db1f2f607ee756dcd04f8f55949948178685b586fe64c488e9bd72080d62bc84497fb415764

Filesize: 1000B
MD5: c63bd4cff6dd7c34e32c46d372fde002
SHA1: 4590da674e9f87ba109ec64ebc18fe4e24c65032
SHA256: 01df3b4a70230a8eddd6334399f19864e218945adf2c42ce0c47f2be37482f18
SHA512: d19a40a55bb39f25af4ea967083fbf721387a504bc10badab8c95ce890ab2102101732359b3d51ef48042712799628a63407f7856de6c4b04fa03d79cd0f7981

Filesize: 1.3MB
MD5: ecedc82a044dd6cce5e8dc1c811ea471
SHA1: 11488750da5a36ca9bb531505fa55f789efc232a
SHA256: 8f4c32cfe1a449fd8bdb929025f61522c574e82a3667c936a306f35976efe2de
SHA512: 193c94332d49ba728a738e15b72a8c32bac2dca8909ff800bfa1f3136d91c9f0c9dee0cab748b4f3ad920d1c15ca62db5e50e313f99d1b8d580cc016a24ecf3d

Filesize: 7.9MB
MD5: b818d9388d7e8da45758e5a479ff8cc5
SHA1: d273dd3d22285821eb3263e2c0d61300cfddea24
SHA256: 9254ba70d1139214015fbe3dee7edc1c68aeb0993fec0bd6cb14c30aff318f5c
SHA512: 11322b5dac590f8812ba0217e096588aaf6c9c2a5ca52b52e92b4be99554437a96ad0afd6a942a075d840fe2cbb800a6d5f2c42793217bbc4aeb28755554a516

Filesize: 208KB
MD5: 0c8921bbcc37c6efd34faf44cf3b0cb5
SHA1: dcfa71246157edcd09eecaf9d4c5e360b24b3e49
SHA256: fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
SHA512: ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Filesize: 23.7MB
MD5: 06603f668d4ce46211f8caeb7ee18547
SHA1: 2c5634b284d109e26be8a50620e8bf4060df1c72
SHA256: b0a9baf02de24ba24cf534dea9211678cf4654c6318b68a29b3943646e407f34
SHA512: 66c443bbceffe0e1c4289b5f43df9cb7c49a3673708b628c2a88c5406c398f57a10b80749bb057fef8b07dfaa5ae074843a0899c26a669e7855544fbdc00feed

\??\Volume{b8b1c3f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3b598c5f-6f8d-4590-96ec-9f7b4f572f28}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 03a35439976ccf4a92d6aa2b5e0bdfd5
SHA1: 4a1e7d936b160dc4369327f824832586ebd7b05c
SHA256: 5d779b2528e25816a85c28f70eb181a6a5a7fdbcad539d5873bde4cfa83df4bc
SHA512: 2dbc9c70fa0c7e0e7afce4750434932a991ca4cb730ed002b4913c777d56eb6bf4bf659f7cc622056819babbe5542da8012c4e5ccb751d35203c04016d2fe838