e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Size

7.4MB
MD5

d56cb54eef3a7bd3cef8255585aa54d8
SHA1

4d3361ecb8864bc2c43c85ab2acea1a185a61e1c
SHA256

e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b
SHA512

34d71d5502f3214d1cba4e503b4ac3e230271b008fa72275f00843a09360fb77fa40c5ec93731f52f80e5d4214b0114f00bff85d5486443db96e448c2616ee99
SSDEEP

98304:7yDQkeSLhuba4o3r0fCjABAZ1ZTimIO2sHvZbJpJJ9uVahC8EOZ2:CQTSLXg6tbF9ZvJJiahCRy2

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WindowsProgramInstaller.exe

Executes dropped EXE 6 IoCs

pid	Process
4908	MSI81F8.tmp
2272	DeepL_x64.exe
4936	MSI82E4.tmp
4216	WindowsProgramInstaller.exe
4432	PXfwFdXd.exe
2732	PXfwFdXd.exe

Loads dropped DLL 8 IoCs

pid	Process
2936	MsiExec.exe
2936	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2732-97-0x0000000000700000-0x000000000070B000-memory.dmp	upx
behavioral2/memory/2732-98-0x0000000005D90000-0x0000000005D9B000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\J:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\Z:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\K:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\W:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\Y:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\P:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\L:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\T:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\Q:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\R:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\E:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\V:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PXfwFdXd.exe	WindowsProgramInstaller.exe
File opened for modification	C:\Windows\SysWOW64\PXfwFdXd.exe	WindowsProgramInstaller.exe
File created	C:\Windows\system32\PXfwFdXd.exe	PXfwFdXd.exe
File opened for modification	C:\Windows\system32\PXfwFdXd.exe	PXfwFdXd.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI7F72.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7FE1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8040.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8060.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A5BBA976-4B07-4766-95EA-8521D8C0711D}	msiexec.exe
File created	C:\Windows\Installer\e577ee4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F32.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7FB1.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI82E4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI812C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI81F8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e577ee4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4408	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
812	msiexec.exe
812	msiexec.exe
4216	WindowsProgramInstaller.exe
4216	WindowsProgramInstaller.exe
4216	WindowsProgramInstaller.exe
4216	WindowsProgramInstaller.exe
4432	PXfwFdXd.exe
4432	PXfwFdXd.exe
4432	PXfwFdXd.exe
4432	PXfwFdXd.exe
4432	PXfwFdXd.exe
4432	PXfwFdXd.exe
4432	PXfwFdXd.exe
4432	PXfwFdXd.exe
4432	PXfwFdXd.exe
4432	PXfwFdXd.exe
2732	PXfwFdXd.exe
2732	PXfwFdXd.exe
2732	PXfwFdXd.exe
2732	PXfwFdXd.exe
2732	PXfwFdXd.exe
2732	PXfwFdXd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	812	msiexec.exe
Token: SeCreateTokenPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeAssignPrimaryTokenPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeLockMemoryPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeIncreaseQuotaPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeMachineAccountPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeTcbPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeSecurityPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeTakeOwnershipPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeLoadDriverPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeSystemProfilePrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeSystemtimePrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeProfSingleProcessPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeIncBasePriorityPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeCreatePagefilePrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeCreatePermanentPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeBackupPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeRestorePrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeShutdownPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeDebugPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeAuditPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeSystemEnvironmentPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeChangeNotifyPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeRemoteShutdownPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeUndockPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeSyncAgentPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeEnableDelegationPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeManageVolumePrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeImpersonatePrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeCreateGlobalPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeCreateTokenPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeAssignPrimaryTokenPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeLockMemoryPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeIncreaseQuotaPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeMachineAccountPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeTcbPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeSecurityPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeTakeOwnershipPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeLoadDriverPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeSystemProfilePrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeSystemtimePrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeProfSingleProcessPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeIncBasePriorityPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeCreatePagefilePrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeCreatePermanentPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeBackupPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeRestorePrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeShutdownPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeDebugPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeAuditPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeSystemEnvironmentPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeChangeNotifyPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeRemoteShutdownPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeUndockPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeSyncAgentPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeEnableDelegationPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeManageVolumePrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeImpersonatePrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeCreateGlobalPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeCreateTokenPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeAssignPrimaryTokenPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeLockMemoryPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeIncreaseQuotaPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
Token: SeMachineAccountPrivilege	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
1636	msiexec.exe
1636	msiexec.exe
2272	DeepL_x64.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4216	WindowsProgramInstaller.exe
4216	WindowsProgramInstaller.exe
4432	PXfwFdXd.exe
2732	PXfwFdXd.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 2936	812	msiexec.exe	89
PID 812 wrote to memory of 2936	812	msiexec.exe	89
PID 812 wrote to memory of 2936	812	msiexec.exe	89
PID 2228 wrote to memory of 1636	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe	91
PID 2228 wrote to memory of 1636	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe	91
PID 2228 wrote to memory of 1636	2228	e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe	91
PID 812 wrote to memory of 2816	812	msiexec.exe	92
PID 812 wrote to memory of 2816	812	msiexec.exe	92
PID 812 wrote to memory of 2816	812	msiexec.exe	92
PID 812 wrote to memory of 4908	812	msiexec.exe	93
PID 812 wrote to memory of 4908	812	msiexec.exe	93
PID 812 wrote to memory of 4908	812	msiexec.exe	93
PID 812 wrote to memory of 4936	812	msiexec.exe	95
PID 812 wrote to memory of 4936	812	msiexec.exe	95
PID 812 wrote to memory of 4936	812	msiexec.exe	95
PID 4216 wrote to memory of 4432	4216	WindowsProgramInstaller.exe	99
PID 4216 wrote to memory of 4432	4216	WindowsProgramInstaller.exe	99
PID 4216 wrote to memory of 4432	4216	WindowsProgramInstaller.exe	99
PID 4216 wrote to memory of 3880	4216	WindowsProgramInstaller.exe	100
PID 4216 wrote to memory of 3880	4216	WindowsProgramInstaller.exe	100
PID 4216 wrote to memory of 3880	4216	WindowsProgramInstaller.exe	100
PID 3880 wrote to memory of 4408	3880	cmd.exe	102
PID 3880 wrote to memory of 4408	3880	cmd.exe	102
PID 3880 wrote to memory of 4408	3880	cmd.exe	102
PID 4432 wrote to memory of 2732	4432	PXfwFdXd.exe	103
PID 4432 wrote to memory of 2732	4432	PXfwFdXd.exe	103
PID 4432 wrote to memory of 2732	4432	PXfwFdXd.exe	103

C:\Users\Admin\AppData\Local\Temp\e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe
"C:\Users\Admin\AppData\Local\Temp\e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DeepLSetup\DeepLSetup 1.0.0.0\install\DeepL_Setup.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\e2fd937c104cb1939a67633b504175747ba17a9c67bc593ed1fa16c07b50762b.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1716353354 " AI_EUIMSI=""
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:1636

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8376C788B91CC5C131C399AD573E8A6B C
  2⤵
  - Loads dropped DLL
  PID:2936
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 67E89C3F2E0D71CEB1EBF48D5C838562
  2⤵
  - Loads dropped DLL
  PID:2816
- C:\Windows\Installer\MSI81F8.tmp
  "C:\Windows\Installer\MSI81F8.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\DeepL_x64.exe"
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\Installer\MSI82E4.tmp
  "C:\Windows\Installer\MSI82E4.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\WindowsProgramInstaller.exe"
  2⤵
  - Executes dropped EXE
  PID:4936

C:\Users\Admin\AppData\Local\Temp\DeepL_x64.exe
"C:\Users\Admin\AppData\Local\Temp\DeepL_x64.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2272

C:\Users\Admin\AppData\Local\Temp\WindowsProgramInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsProgramInstaller.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\SysWOW64\PXfwFdXd.exe
  -auto C:\Windows\system32\\PXfwFdXd.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\system32\PXfwFdXd.exe
    -troj
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\[email protected] > nul && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e577ee7.rbs

Filesize
421KB

MD5
bdaeec7214dc3222bf8f3efee2f51080

SHA1
d00ba12a7cb2705a4049f7a6dc34a7def93c09a0

SHA256
edde59e248ba6c7609552715e44e5f5338f63e6257b9e4e94a40ecd3f5e96f71

SHA512
f3dbedb234ae8ac05fe6c990fd96331386d518a73880f485fe03441356133bcf0a9d5a0e50050b9bfb5bcc05f34026b83694db5fa02993217ad59fc07d42d7f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeepL_x64.exe

Filesize
4.2MB

MD5
90d0a198ebd84ab18ed372dab02b5862

SHA1
d4f39b9a647ae6ad7c981c7acb4a6ff06025094d

SHA256
0037c9895723fb712b57b144cbb429f319ab5a3c1e4c44a3ffefa351486bcdaf

SHA512
056c0300b2f9beb88a83711d94082fd3c8a86d7d9f73de37dd1f63795a1c1cb780fa4e984a2a2416d0ea489750622633402586e98e72799031f6c933379df84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7D20.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsProgramInstaller.exe

Filesize
696KB

MD5
eb1f39c244792de5cb82ebf1a57b0430

SHA1
9cea849fa347b167c66392ac3e8ce943f0bbea61

SHA256
48e31ad6a3419f7b0b6a3521527c9d57aab6eb2340e3b46d1eafaa92e7dc0fbf

SHA512
d53708f2fecbc3c1c2c7802912082fe8c357b3b3a2e66049aa981f4c77d31e5818968c691995a6653ffdbfcebc7db0507f19fb3ae9c0fdc7629503222801055d

Download Submit
C:\Users\Admin\AppData\Roaming\DeepLSetup\DeepLSetup 1.0.0.0\install\DeepL_Setup.msi

Filesize
2.2MB

MD5
48e12031aaf9a6e7ae7c21ce2053fae9

SHA1
9e41a1ba82648fcd8fd8b28af96595fd26472349

SHA256
6a90f84d078ce3fb1aa63e774af0056c270aa38353fd77abb2aea99785906a7e

SHA512
e560eac802387d4b3e36e823478f7ceae2026c3095fcb29c2cb00c4d00b411285d955711a5bceb6d67a674b2571ab88d98b4d21b2c191dae6c85f70f0d933850

Download Submit
C:\Users\Admin\AppData\Roaming\DeepLSetup\DeepLSetup 1.0.0.0\install\DeepL_Setup1.cab

Filesize
2.0MB

MD5
0559e4728b0b2a12cfbbff324460f2ad

SHA1
5a7fd9b557c1a4e69849daff7e747a5fa174e734

SHA256
4c402df5a3af587d98288f0b660612d635c8814ff046d912c5aa761517267370

SHA512
f47ddd431b2c0394abe0ea420abca26fe605a79e9e26d53cba92131ea48c8153ff7de5333e64fd352e8d6d09f5ce295375014c3d60e33f1d6d04dcd08568299c

Download Submit
C:\Windows\Installer\MSI8060.tmp

Filesize
709KB

MD5
89136bfd28a2e1ec6b6d841214e1e670

SHA1
4c6aab98925cb556f7bf2dbbc9f7ed0da92ef2ab

SHA256
1a3c0e60aad0a3bb92a6e0b786df93920aed7b0c7ec56ab49f2692102ac5adec

SHA512
22237702745fe11a6f23a943f16a12f23b42fe04d87af6383afeccd854320f3a6961590a76ab6a04f020f9830fb3d9f8b34315ad007a5464dbdba2d543851812

Download Submit
C:\Windows\Installer\MSI81F8.tmp

Filesize
419KB

MD5
cac0eaeb267d81cf3fa968ee23a6af9d

SHA1
cf6ae8e44fb4949d5f0b01b110eaba49d39270a2

SHA256
f1dd0dd1e83b28ffa2ed30f46f98e94a4919ec1f4e9d33720354288b77153774

SHA512
8edf9f733dda9000a6e2b70da61912dbc15f74c836d738391ceddcdff20f5b420a678450523cf331aa9bce90217aa92ac6e73d1880ae15c9842ccc7d3296f95b

Download Submit
memory/2272-66-0x0000000000CB0000-0x00000000010E8000-memory.dmp

Filesize
4.2MB

Download
memory/2272-77-0x00000000031B0000-0x00000000031CA000-memory.dmp

Filesize
104KB

Download
memory/2732-97-0x0000000000700000-0x000000000070B000-memory.dmp

Filesize
44KB

Download
memory/2732-96-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2732-98-0x0000000005D90000-0x0000000005D9B000-memory.dmp

Filesize
44KB

Download
memory/2732-99-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2732-126-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2732-140-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4216-90-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4216-80-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4432-88-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4432-94-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download