234cbc503fd155d1acf9671f8c522385307566a12c853f32f6705bc699bc3f73

Analysis

max time kernel
151s
max time network
139s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

USBPratirodh_X64.exe
Size

4.8MB
MD5

b759f9974cd8c2425c4fef3e7f638e0f
SHA1

5df72bb0a7a216f3472a1e80ba6fc027f6c7a353
SHA256

234cbc503fd155d1acf9671f8c522385307566a12c853f32f6705bc699bc3f73
SHA512

f8c71f19f189450e396c6a491407b9caa374c1659f2d4a3c7993650a79dffc6854d30eb5543d999b4ace752e54998b75891ed192834a20630047c69a9e1e3ef2
SSDEEP

98304:rdgTLkSp57cWyIrdoU5qlKohzw95BZdqxLGAEpTbwslh/SBSlpYM:pOp57cAdoU5YNdw9X/SATbBX6k/

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2404	VC_redist.x64.exe
2880	VC_redist.x64.exe
1940	VC_redist.x64.exe

Loads dropped DLL 15 IoCs

pid	Process
2848	USBPratirodh_X64.exe
2404	VC_redist.x64.exe
2880	VC_redist.x64.exe
2880	VC_redist.x64.exe
3052	VC_redist.x64.exe
2848	USBPratirodh_X64.exe
2848	USBPratirodh_X64.exe
2244	MsiExec.exe
2244	MsiExec.exe
2244	MsiExec.exe
2244	MsiExec.exe
2244	MsiExec.exe
2244	MsiExec.exe
2244	MsiExec.exe
2244	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{c649ede4-f16a-4486-a117-dcc2f2a35165} = "\"C:\\ProgramData\\Package Cache\\{c649ede4-f16a-4486-a117-dcc2f2a35165}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
11	548	msiexec.exe
13	548	msiexec.exe
15	548	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f776e58.msi	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	VC_redist.x64.exe
File opened for modification	C:\Windows\Installer\MSI91D0.tmp	msiexec.exe
File created	C:\Windows\Installer\f776e2e.msi	msiexec.exe
File created	C:\Windows\Installer\f776e31.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f776e42.msi	msiexec.exe
File created	C:\Windows\Installer\f776e45.ipi	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	VC_redist.x64.exe
File created	C:\Windows\Installer\f776e41.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f776e31.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E64.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f776e45.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7FEE.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f776e2e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CC1.tmp	msiexec.exe
File created	C:\Windows\Installer\f776e42.msi	msiexec.exe
File created	C:\Windows\Tasks\C__Users_Admin_AppData_Local_Temp_USBPratirodh_X64.exe.job	USBPratirodh_X64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{c649ede4-f16a-4486-a117-dcc2f2a35165}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.38.33135"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{c649ede4-f16a-4486-a117-dcc2f2a35165}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.38.33135"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\PackageCode = "F31F6C1FFC7AAFF4D8FF3C825AB567E9"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{19AFE054-CA83-45D5-A9DB-4108EF4BD391}v14.38.33135\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5BA8C0AA792764D40A9D8090F65EE964\VC_Runtime_Minimum	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.38.33135"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\450EFA9138AC5D549ABD1480FEB43D19	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\450EFA9138AC5D549ABD1480FEB43D19\Servicing_Key	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\SourceList\PackageName = "vc_runtimeMinimum_x64.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\Version = "237404527"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{AA0C8AB5-7297-4D46-A0D9-08096FE59E46}v14.38.33135\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\Language = "1033"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{19AFE054-CA83-45D5-A9DB-4108EF4BD391}v14.38.33135\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\Clients = 3a0000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\PackageCode = "1688782943A356649B2B29F7077E1BE1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{19AFE054-CA83-45D5-A9DB-4108EF4BD391}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\450EFA9138AC5D549ABD1480FEB43D19	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.38.33135"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\ = "{c649ede4-f16a-4486-a117-dcc2f2a35165}"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5BA8C0AA792764D40A9D8090F65EE964	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{AA0C8AB5-7297-4D46-A0D9-08096FE59E46}v14.38.33135\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Version = "14.38.33135.0"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.38.33135"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\AdvertiseFlags = "388"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.38.33135"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\Version = "237404527"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\InstanceType = "0"	msiexec.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	USBPratirodh_X64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	USBPratirodh_X64.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
548	msiexec.exe
548	msiexec.exe
548	msiexec.exe
548	msiexec.exe
548	msiexec.exe
548	msiexec.exe
548	msiexec.exe
548	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1952	vssvc.exe
Token: SeRestorePrivilege	1952	vssvc.exe
Token: SeAuditPrivilege	1952	vssvc.exe
Token: SeRestorePrivilege	1688	DrvInst.exe
Token: SeRestorePrivilege	1688	DrvInst.exe
Token: SeRestorePrivilege	1688	DrvInst.exe
Token: SeRestorePrivilege	1688	DrvInst.exe
Token: SeRestorePrivilege	1688	DrvInst.exe
Token: SeRestorePrivilege	1688	DrvInst.exe
Token: SeRestorePrivilege	1688	DrvInst.exe
Token: SeLoadDriverPrivilege	1688	DrvInst.exe
Token: SeLoadDriverPrivilege	1688	DrvInst.exe
Token: SeLoadDriverPrivilege	1688	DrvInst.exe
Token: SeShutdownPrivilege	1940	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	1940	VC_redist.x64.exe
Token: SeRestorePrivilege	548	msiexec.exe
Token: SeTakeOwnershipPrivilege	548	msiexec.exe
Token: SeSecurityPrivilege	548	msiexec.exe
Token: SeCreateTokenPrivilege	1940	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	1940	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	1940	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	1940	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	1940	VC_redist.x64.exe
Token: SeTcbPrivilege	1940	VC_redist.x64.exe
Token: SeSecurityPrivilege	1940	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	1940	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	1940	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	1940	VC_redist.x64.exe
Token: SeSystemtimePrivilege	1940	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	1940	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	1940	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	1940	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	1940	VC_redist.x64.exe
Token: SeBackupPrivilege	1940	VC_redist.x64.exe
Token: SeRestorePrivilege	1940	VC_redist.x64.exe
Token: SeShutdownPrivilege	1940	VC_redist.x64.exe
Token: SeDebugPrivilege	1940	VC_redist.x64.exe
Token: SeAuditPrivilege	1940	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	1940	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	1940	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	1940	VC_redist.x64.exe
Token: SeUndockPrivilege	1940	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	1940	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	1940	VC_redist.x64.exe
Token: SeManageVolumePrivilege	1940	VC_redist.x64.exe
Token: SeImpersonatePrivilege	1940	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	1940	VC_redist.x64.exe
Token: SeRestorePrivilege	548	msiexec.exe
Token: SeTakeOwnershipPrivilege	548	msiexec.exe
Token: SeRestorePrivilege	548	msiexec.exe
Token: SeTakeOwnershipPrivilege	548	msiexec.exe
Token: SeRestorePrivilege	548	msiexec.exe
Token: SeTakeOwnershipPrivilege	548	msiexec.exe
Token: SeRestorePrivilege	548	msiexec.exe
Token: SeTakeOwnershipPrivilege	548	msiexec.exe
Token: SeRestorePrivilege	548	msiexec.exe
Token: SeTakeOwnershipPrivilege	548	msiexec.exe
Token: SeRestorePrivilege	548	msiexec.exe
Token: SeTakeOwnershipPrivilege	548	msiexec.exe
Token: SeRestorePrivilege	548	msiexec.exe
Token: SeTakeOwnershipPrivilege	548	msiexec.exe
Token: SeRestorePrivilege	548	msiexec.exe
Token: SeTakeOwnershipPrivilege	548	msiexec.exe
Token: SeRestorePrivilege	548	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2848	USBPratirodh_X64.exe
2880	VC_redist.x64.exe
2848	USBPratirodh_X64.exe
2860	msiexec.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2404	2848	USBPratirodh_X64.exe	31
PID 2848 wrote to memory of 2404	2848	USBPratirodh_X64.exe	31
PID 2848 wrote to memory of 2404	2848	USBPratirodh_X64.exe	31
PID 2848 wrote to memory of 2404	2848	USBPratirodh_X64.exe	31
PID 2848 wrote to memory of 2404	2848	USBPratirodh_X64.exe	31
PID 2848 wrote to memory of 2404	2848	USBPratirodh_X64.exe	31
PID 2848 wrote to memory of 2404	2848	USBPratirodh_X64.exe	31
PID 2404 wrote to memory of 2880	2404	VC_redist.x64.exe	33
PID 2404 wrote to memory of 2880	2404	VC_redist.x64.exe	33
PID 2404 wrote to memory of 2880	2404	VC_redist.x64.exe	33
PID 2404 wrote to memory of 2880	2404	VC_redist.x64.exe	33
PID 2404 wrote to memory of 2880	2404	VC_redist.x64.exe	33
PID 2404 wrote to memory of 2880	2404	VC_redist.x64.exe	33
PID 2404 wrote to memory of 2880	2404	VC_redist.x64.exe	33
PID 2880 wrote to memory of 1940	2880	VC_redist.x64.exe	34
PID 2880 wrote to memory of 1940	2880	VC_redist.x64.exe	34
PID 2880 wrote to memory of 1940	2880	VC_redist.x64.exe	34
PID 2880 wrote to memory of 1940	2880	VC_redist.x64.exe	34
PID 2880 wrote to memory of 1940	2880	VC_redist.x64.exe	34
PID 2880 wrote to memory of 1940	2880	VC_redist.x64.exe	34
PID 2880 wrote to memory of 1940	2880	VC_redist.x64.exe	34
PID 1940 wrote to memory of 2504	1940	VC_redist.x64.exe	40
PID 1940 wrote to memory of 2504	1940	VC_redist.x64.exe	40
PID 1940 wrote to memory of 2504	1940	VC_redist.x64.exe	40
PID 1940 wrote to memory of 2504	1940	VC_redist.x64.exe	40
PID 1940 wrote to memory of 2504	1940	VC_redist.x64.exe	40
PID 1940 wrote to memory of 2504	1940	VC_redist.x64.exe	40
PID 1940 wrote to memory of 2504	1940	VC_redist.x64.exe	40
PID 2504 wrote to memory of 3052	2504	VC_redist.x64.exe	41
PID 2504 wrote to memory of 3052	2504	VC_redist.x64.exe	41
PID 2504 wrote to memory of 3052	2504	VC_redist.x64.exe	41
PID 2504 wrote to memory of 3052	2504	VC_redist.x64.exe	41
PID 2504 wrote to memory of 3052	2504	VC_redist.x64.exe	41
PID 2504 wrote to memory of 3052	2504	VC_redist.x64.exe	41
PID 2504 wrote to memory of 3052	2504	VC_redist.x64.exe	41
PID 3052 wrote to memory of 2948	3052	VC_redist.x64.exe	42
PID 3052 wrote to memory of 2948	3052	VC_redist.x64.exe	42
PID 3052 wrote to memory of 2948	3052	VC_redist.x64.exe	42
PID 3052 wrote to memory of 2948	3052	VC_redist.x64.exe	42
PID 3052 wrote to memory of 2948	3052	VC_redist.x64.exe	42
PID 3052 wrote to memory of 2948	3052	VC_redist.x64.exe	42
PID 3052 wrote to memory of 2948	3052	VC_redist.x64.exe	42
PID 2848 wrote to memory of 2860	2848	USBPratirodh_X64.exe	43
PID 2848 wrote to memory of 2860	2848	USBPratirodh_X64.exe	43
PID 2848 wrote to memory of 2860	2848	USBPratirodh_X64.exe	43
PID 2848 wrote to memory of 2860	2848	USBPratirodh_X64.exe	43
PID 2848 wrote to memory of 2860	2848	USBPratirodh_X64.exe	43
PID 2848 wrote to memory of 2860	2848	USBPratirodh_X64.exe	43
PID 2848 wrote to memory of 2860	2848	USBPratirodh_X64.exe	43
PID 548 wrote to memory of 2244	548	msiexec.exe	44
PID 548 wrote to memory of 2244	548	msiexec.exe	44
PID 548 wrote to memory of 2244	548	msiexec.exe	44
PID 548 wrote to memory of 2244	548	msiexec.exe	44
PID 548 wrote to memory of 2244	548	msiexec.exe	44
PID 548 wrote to memory of 2244	548	msiexec.exe	44
PID 548 wrote to memory of 2244	548	msiexec.exe	44

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\USBPratirodh_X64.exe
"C:\Users\Admin\AppData\Local\Temp\USBPratirodh_X64.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Roaming\C-DAC Hyderabad\USBPratirodh Single PC Version\prerequisites\VC_redist.x64.exe
  "C:\Users\Admin\AppData\Roaming\C-DAC Hyderabad\USBPratirodh Single PC Version\prerequisites\VC_redist.x64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\Temp\{3FAD2AC1-4F35-4F8F-966F-E3FC2E6FAA5B}\.cr\VC_redist.x64.exe
    "C:\Windows\Temp\{3FAD2AC1-4F35-4F8F-966F-E3FC2E6FAA5B}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Roaming\C-DAC Hyderabad\USBPratirodh Single PC Version\prerequisites\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\Temp\{CB82694B-2F68-4126-BA72-A187303DCD19}\.be\VC_redist.x64.exe
      "C:\Windows\Temp\{CB82694B-2F68-4126-BA72-A187303DCD19}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{D91459F0-A5AD-4FB7-BAC8-248D6AB11F38} {CEA34C0A-34DD-4269-BBE2-6A90B4596D07} 2880
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={c649ede4-f16a-4486-a117-dcc2f2a35165} -burn.filehandle.self=512 -burn.embedded BurnPipe.{B26439BC-80D1-4A52-A1A3-13E3F779F4B5} {3DE9D76C-B891-48BF-BEB4-AB0097472DC2} 1940
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 -uninstall -quiet -burn.related.upgrade -burn.ancestors={c649ede4-f16a-4486-a117-dcc2f2a35165} -burn.filehandle.self=512 -burn.embedded BurnPipe.{B26439BC-80D1-4A52-A1A3-13E3F779F4B5} {3DE9D76C-B891-48BF-BEB4-AB0097472DC2} 1940
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{11417D75-B692-4D04-867A-5A86D918A501} {96C371B5-A43C-43D9-8B26-A34580826FAE} 3052
        7⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2948
- C:\Windows\system32\msiexec.exe
  /i "C:\Users\Admin\AppData\Roaming\C-DAC Hyderabad\USBPratirodh Single PC Version 3.2\install\C999373\USBPratirodh_X64.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\USBPratirodh_X64.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:2860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D8" "00000000000005C0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 96339F1C24CF8A27001761F4B629F5E9 C
  2⤵
  - Loads dropped DLL
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f776e34.rbs

Filesize
17KB

MD5
00f65188b241c7cef07dcaa4d66798d2

SHA1
97cd5896ac31bdc031ba8627f2225bd3cb165857

SHA256
ecfe5b60e7e9d0f0b574be498c9b61fd7bdfe9e11e9de3fc5814ae7ca55ff595

SHA512
5dda9b5b23076dd0440e9b8c78c47ced5415ca2784ddc2ea10523782f9c3309e37c667cb02c48f12e876678de0f624dda5bf0e1996191d79308bdb8caa096658

Download Submit
C:\Config.Msi\f776e40.rbs

Filesize
16KB

MD5
9e12013bfd2d506214c69ed64c04c00b

SHA1
c49344acc1858a4b2fa6a5aa96db2c18b5c3cd39

SHA256
0c35677fc18ba7ab19962a589305b01d8ee640a1174a8ae46b54a01187d6419b

SHA512
94ffb95f6c5389e61ac94868dca7551b05a0d575159584d87f60721cc09ad8f10500c92516e77c9aab5d1fed29aa3e450a86f5f343027d445ff5333d643e1ecd

Download Submit
C:\Config.Msi\f776e48.rbs

Filesize
18KB

MD5
6e82f1d3ab9470a758a39ea67474436f

SHA1
5ff0b0e570c8a52f6372c23c3b1409f0eef5a536

SHA256
faf8e067b91a806f214432a5b477818a5d61a90365dc49d45042a6e458cc46c7

SHA512
3cf3e7a6a15f8d33b44b3075c897e741c77e80561a76172259cd858f5a38fced6caba91714e42bdbb032fa95e41b1f1d4b5ad3a96c1ed9e8b21d818f3497bc9b

Download Submit
C:\Config.Msi\f776e57.rbs

Filesize
17KB

MD5
a597dd585a3e4d982d0403199129d42f

SHA1
fa757fbbf585bb6a028ecc362a245a9f70dba3d8

SHA256
477f1016838a7fdfc9c0a4aa505fbd1c3321f94e037fdf2bd70d19962e26ea83

SHA512
e2bc598816e63e29f8c3bb4082834e8bdec43e535d74680d0b48d327334744218fe3aa14302c2e3e683be31561732a8a832d047dfa6f8b3ba066ac630c521806

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2840743f16606f43d8477f36f9855f45

SHA1
dc892eb5b06860d5304657747c6660ce695d0413

SHA256
9f506161e53c8884ac1fb154c32c22d0f29e21a3b0ecc1650a2f87dc093a4b6b

SHA512
2ddd5ce8578ca39be09676aba7bad5a805d9cc8b46ff4a5ae3e7fa68bb7ba8f55b5f721de3476ccdbb2e317ea453bbd81a2f094f0ef2d8c484ce52b2c07bb443

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b27fa8dea981455dc29ab73d82b1778

SHA1
1fedaac441bca91d7c2e3999084da8dec0b22ad8

SHA256
f6a8901b99700f11a3ffbad8dfe200cf7a6bb8335016af3f0f9223e2cbe46f6b

SHA512
1657e209373dd515362553bdeba4edabd3c375af1a8af9a880df0cd6199e91860200a7f7700579282a96f7db01c384f747c9052740371874db30ca52a2bc6ff9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
19836bc40fcc5eb6715da2fc8de8bb7a

SHA1
1f598583322e17435bacfc907ca7f5c0763a1d6f

SHA256
60e7df445c3aab212e955db1b7853a8573f49f5f3b571a0ad9a8946eb7387896

SHA512
a7d648eb444b06e40b143a8e8b21fc57f1938c5c5ebedddf03317cbcc381dbeb06bac39189e204206b4b9570ad75403e1bc669f0d21e655e570d55a2c29a3640

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6E9B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4A0B.tmp

Filesize
90KB

MD5
1031a5104e788f0c61988df18c4f41b3

SHA1
c0e7bd3e6b396c716817ad4794529296d850ec4b

SHA256
c92712603239099ba51e519c57f1d11099732b934b595e6d527aaf1e151b11f4

SHA512
773a37e586e0e268b99b96b9ddf97510921f9e36e677b1fd847c971054a8257c6ba049c6e5a1996c817027978b063b2f16616c97689f9235476080adc6e7c4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4D68.tmp

Filesize
295KB

MD5
574849efb63075e6694868d7e6e7447e

SHA1
e2c2d4e6f753c418b34cf1f8ba9d3f43ed2721e0

SHA256
18e4651d53945d6e429d993615317b7fd649f6963891d5792e2a4b83383958ac

SHA512
aa9bda86251814bc906ed1b9836b1b5e2edf864dddb3c20581d0173ae7b893f9817f68eeab5b569fb2550049de47d9e2bdafe9cacbb3aecc9632cc3675b80ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar712D.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar73F5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240529052652_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
2e678782c3590adfa1aead710a5dc49c

SHA1
a20977de592aa7709ff9cd3558f83c91ad449b9c

SHA256
e12c0a234c6ecf0fb3ee1136326a25609e2fba9143a78972cc4db4f24c296edc

SHA512
75fa72b35a149ac60f016aee3acaa30d881fcd9350d4d403605a10d43388986f8373afc6c286fe7251e624d1222ee58696a3cb7f6161072e44ed192680648546

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240529052652_001_vcRuntimeAdditional_x64.log

Filesize
2KB

MD5
258018dbe1197386ddd5c30e3e0d66da

SHA1
3cbb2b901059a516421695f35177ee3bff22c6a8

SHA256
798a80467acbe89419ea47c7f556c751875bf675b33b4755cc3a444b88948494

SHA512
7245ef802d85aa339ebc48c288d0bd590dcbbf2bb3b3c54714eb81d5b2e0742dd656faf8aa4297be3ce07f0eadadf4656aa9771c55ea3011b36c2cddd3df1a91

Download Submit
C:\Users\Admin\AppData\Roaming\C-DAC Hyderabad\USBPratirodh Single PC Version 3.2\install\C999373\USBPratirodh_X64.msi

Filesize
2.3MB

MD5
77e10d098a527c9b0f151521ef71924e

SHA1
d42ce7d4003096f9715dd9c92b1f3f9e8016cd90

SHA256
1ad709db3bb8e37db4c2a1a94c61725fa5fe4baf999f066ef3e039f506300eeb

SHA512
96bacb9dddb3323d125bf9b013ef8423d685a9df95653ecf52ebac2c85a42f35b4e50601dff9b5bc1f113aa6757945d2f37682ddf7ab71bc537034979a34c7b9

Download Submit
C:\Users\Admin\AppData\Roaming\C-DAC Hyderabad\USBPratirodh Single PC Version 3.2\install\decoder.dll

Filesize
125KB

MD5
ac667ab0e52d657805e7ae6b05bc5db4

SHA1
189f19498a1bfd6f2d65bda96a1f1db32fba8796

SHA256
41e888b4b20e2a062671da66c7eed67f30087f9c7049ccf9e437e44b709b5cb8

SHA512
ac406f623d59159a401995817038611e57dda1411bdfd40672b1087af2d818caf5b6261f1f649dec8e5c09bd6f10426fd7789335ec0373b6e204a2aaf8886386

Download Submit
C:\Users\Admin\AppData\Roaming\C-DAC Hyderabad\USBPratirodh Single PC Version\prerequisites\VC_redist.x64.exe

Filesize
24.2MB

MD5
a8a68bcc74b5022467f12587baf1ef93

SHA1
046f00c519900fcbf2e6e955fc155b11156a733b

SHA256
1ad7988c17663cc742b01bef1a6df2ed1741173009579ad50a94434e54f56073

SHA512
70a05bde549e5a973397cd77fe0c6380807cae768aa98454830f321a0de64bd0da30f31615ae6b4d9f0d244483a571e46024cf51b20fe813a6304a74bd8c0cc2

Download Submit
C:\Windows\Temp\{CB82694B-2F68-4126-BA72-A187303DCD19}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{CB82694B-2F68-4126-BA72-A187303DCD19}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
d0cbbe859fbb7c25dd5158e0f45d3682

SHA1
9c2f0b8379976fda1b46aa8c4a4a27b6f824b659

SHA256
97aef328363e120e786841903bb51a17547aa84f64d5d3525940ec5a69b9a627

SHA512
7ad84ae54668c07033ad100bc101fd0bf0b0783a1dd1f018d241097e167328b8e87cc15e4c0b45859e1946d41ef7528f46ca3c44deccd8859f11274d9e4189b6

Download Submit
C:\Windows\Temp\{CB82694B-2F68-4126-BA72-A187303DCD19}\cab5046A8AB272BF37297BB7928664C9503

Filesize
955KB

MD5
3d14b0e254ea96fef419e6da38eb25e4

SHA1
93341ef98a0e2ae2cccc7e467af23bcc477d9a5c

SHA256
8717dc81d0345d8b81aa85e776fd3e0e6010dba974bf0f5660071e6d680c4526

SHA512
64a656648c16aa78ed74196e327126f6a9eb5d89052cdcd8f83eb655842e41c4f42be7f61541371f36ce322d208d1d707f485e99a79aa799fad7fd2c51553811

Download Submit
C:\Windows\Temp\{CB82694B-2F68-4126-BA72-A187303DCD19}\vcRuntimeAdditional_x64

Filesize
188KB

MD5
d5a907e3b279f26804af0c56b0c65d52

SHA1
63bf7f0afd12ef21781dc14dd3b14c59d9e66518

SHA256
401ffa2ef4f070e211ef3f6e4f8a2a7af2bc9ea0119bbacad040669ab6221bba

SHA512
8d23fed4d26f0e2d1e40d5993ab2f588be1e7873cbcbe2064351ca8ef705bf74535225e9d0c2adf93fabfd45691077c7abb3991a013c8b4b234b9751c991f327

Download Submit
C:\Windows\Temp\{CB82694B-2F68-4126-BA72-A187303DCD19}\vcRuntimeMinimum_x64

Filesize
188KB

MD5
e312d6be7dee2b8f3737e0a1bc92e3aa

SHA1
72487572a3f8b8eff93489997c8a5041ea7a6867

SHA256
d48c8e848a219bceb638b2505132756cb908703fe75dee78bdf475435420dc49

SHA512
b39a0c18aa242887e3f9ae3d49bc9d6765ce15097718964cccd86b824d13481cbd53175105db29d17e3a08f74fe4d20dfb3f9989eca5276c3f5fbb255b80f8ae

Download Submit
C:\Windows\WindowsUpdate.log

Filesize
16KB

MD5
cbe92f7336130938b0ee3c8692bc4612

SHA1
c8c9f971be54e1796f79ede246f58ba48fce5c42

SHA256
ed754a43e3340b103c5797b1cd05d902d2f12c7967d632af184d8610f7543ff3

SHA512
08d08c6b201c108583df7b76a7403cf0529318206bfcc171cc0be32b35e6f264e18afd2ebef25e856f424f8c4283f8570dd23e9f8c96e3299fb3e280562a5a69

Download Submit
\Windows\Temp\{3FAD2AC1-4F35-4F8F-966F-E3FC2E6FAA5B}\.cr\VC_redist.x64.exe

Filesize
635KB

MD5
b73be38096eddc4d427fbbfdd8cf15bd

SHA1
534f605fd43cc7089e448e5fa1b1a2d56de14779

SHA256
ab1164dcaf6c7d7d4905881f332a7b6f854be46e36b860c44d9eedc96ab6607a

SHA512
5af779926d344bc7c4140725f90cddad5eb778f5ca4856d5a31a6084424964d205638815eab4454e0ea34ea56fafca19fadd1eb2779dc6b7f277e4e4ce4b1603

Download Submit
\Windows\Temp\{CB82694B-2F68-4126-BA72-A187303DCD19}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
memory/2504-474-0x00000000008A0000-0x0000000000917000-memory.dmp

Filesize
476KB

Download
memory/2848-0-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2848-16-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2948-436-0x00000000008A0000-0x0000000000917000-memory.dmp

Filesize
476KB

Download
memory/3052-473-0x00000000008A0000-0x0000000000917000-memory.dmp

Filesize
476KB

Download