Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
03/06/2024, 08:02
Static task
static1
Behavioral task
behavioral1
Sample
7e0c33d6d53bba646e05c47b4d34b3f973730ecf289da71f3e71e507fdc83682.msi
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
7e0c33d6d53bba646e05c47b4d34b3f973730ecf289da71f3e71e507fdc83682.msi
Resource
win10v2004-20240226-en
General
-
Target
7e0c33d6d53bba646e05c47b4d34b3f973730ecf289da71f3e71e507fdc83682.msi
-
Size
2.2MB
-
MD5
3a89cbfce7da515333b8782597515329
-
SHA1
7c878ce7a17ac30498ec06fcc2cc0477a88a9243
-
SHA256
7e0c33d6d53bba646e05c47b4d34b3f973730ecf289da71f3e71e507fdc83682
-
SHA512
b14222a1cec22e0b037491ff1f71d468f0455d262e65e18208096ecbb111f01cd61e7230aa614d6a29a27ad688e8e0ed9dd451120b6e83cad3bab5e09f385812
-
SSDEEP
49152:OzXYFfV5tQPGYzLFoc25e6+f/8y05wXIARgguIGUMBz5HxcIT:HlWPG6L8IGUA
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 3 IoCs
pid Process
1520 powershell.exe
852 powershell.exe
1676 powershell.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only), msiexec.exe (42 entries; drive letters A:, B: and E: through Z: except F:, most of them opened more than once): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
File opened (read-only), vc.exe (22 entries; drive letters B: and E: through Z: except F:, each opened once): \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: -
Drops file in System32 directory 3 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe (the same entry is recorded once for each of the three powershell.exe processes, PIDs 1520, 852 and 1676) -
Drops file in Program Files directory 2 IoCs
description ioc Process
File created C:\Program Files\Windows Defenderr\vc.exe msiexec.exe
File created C:\Program Files\Windows Defenderr\cc.xml msiexec.exe
Note the directory name: "Windows Defenderr" (doubled r) is a lookalike of the legitimate C:\Program Files\Windows Defender, and it is the same path the later Add-MpPreference call excludes from scanning. -
Drops file in Windows directory 21 IoCs
description ioc Process
File opened for modification C:\Windows\Installer\MSI4CAF.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI5104.tmp msiexec.exe
File opened for modification C:\Windows\SystemTemp\pss5238.ps1 MsiExec.exe
File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe
File created C:\Windows\Installer\f764885.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSI48D3.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI4C6F.tmp msiexec.exe
File created C:\Windows\SystemTemp\msi5235.txt MsiExec.exe
File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe
File opened for modification C:\Windows\Installer\MSI4C5F.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI5192.tmp msiexec.exe
File created C:\Windows\SystemTemp\scr5236.ps1 MsiExec.exe
File opened for modification C:\Windows\Installer\MSI4A4A.tmp msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File created C:\Windows\SystemTemp\scr5237.txt MsiExec.exe
File opened for modification C:\Windows\SystemTemp\Pro5239.tmp MsiExec.exe
File opened for modification C:\Windows\Installer\f764888.ipi msiexec.exe
File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe
File opened for modification C:\Windows\Installer\f764885.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSI4B06.tmp msiexec.exe
File created C:\Windows\Installer\f764888.ipi msiexec.exe -
Executes dropped EXE 1 IoCs
pid Process 1644 vc.exe -
Loads dropped DLL 7 IoCs
pid Process
2064 MsiExec.exe (x5)
1900 MsiExec.exe (x2) -
Modifies data under HKEY_USERS 48 IoCs
description ioc Process
DrvInst.exe (43 entries):
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\{Root, CA, trust, TrustedPeople, Disallowed, SmartCardRoot}, each with its Certificates, CRLs and CTLs subkeys (24 keys), plus \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\{CA, trust, TrustedPeople, Disallowed}, each with its Certificates, CRLs and CTLs subkeys (16 keys)
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
(These are the per-profile certificate store keys that get created when the .DEFAULT profile first opens a store; they come from the volume-snapshot device install, not from the sample's own payload.)
powershell.exe (2 entries):
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 705295708cb5da01
msiexec.exe (3 entries):
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D -
Suspicious behavior: EnumeratesProcesses 54 IoCs
pid Process
2452 msiexec.exe (x2)
1520 powershell.exe
852 powershell.exe
1676 powershell.exe
1644 vc.exe (remaining 49 entries, all from the dropped executable) -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1644 vc.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
3056 msiexec.exe (31 entries): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then one pass over SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
2452 msiexec.exe (19 entries): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, then seven SeRestorePrivilege / SeTakeOwnershipPrivilege pairs while files are installed
2844 vssvc.exe (3 entries): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
2564 DrvInst.exe (10 entries): SeRestorePrivilege (x7), SeLoadDriverPrivilege (x3)
1520 powershell.exe (1 entry): SeDebugPrivilege -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3056 msiexec.exe 3056 msiexec.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1644 vc.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target
PID 2452 msiexec.exe wrote to memory of 2064 MsiExec.exe (x7, target index 32)
PID 2064 MsiExec.exe wrote to memory of 1520 powershell.exe (x4, target index 33)
PID 2452 msiexec.exe wrote to memory of 1900 MsiExec.exe (x7, target index 35)
PID 1900 MsiExec.exe wrote to memory of 852 powershell.exe (x4, target index 37)
PID 852 powershell.exe wrote to memory of 1676 powershell.exe (x4, target index 39)
PID 536 taskeng.exe wrote to memory of 1644 vc.exe (x4, target index 42) -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indentation shows the parent/child relationship; the number in brackets is the tree depth)
-
C:\Windows\system32\msiexec.exe [1] PID:3056
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7e0c33d6d53bba646e05c47b4d34b3f973730ecf289da71f3e71e507fdc83682.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe [1] PID:2452
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe [2] PID:2064
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F3525796222729E933869F1B3843B218
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe [3] PID:1520
      Command line: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss4D77.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi4D74.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr4D75.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr4D76.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\syswow64\MsiExec.exe [2] PID:1900
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DBC9D01589302793DFC0A8354E620EA4 M Global\MSI0000
    - Drops file in Windows directory
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe [3] PID:852
      Command line: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Windows\SystemTemp\pss5238.ps1" -propFile "C:\Windows\SystemTemp\msi5235.txt" -scriptFile "C:\Windows\SystemTemp\scr5236.ps1" -scriptArgsFile "C:\Windows\SystemTemp\scr5237.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe [4] PID:1676
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath "C:\Program` Files\Windows` Defenderr"
        - Command and Scripting Interpreter: PowerShell
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exe [1] PID:2844
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exe [1] PID:2564
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B4" "0000000000000598"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exe [1] PID:536
  Command line: taskeng.exe {86084E34-9A18-450B-95AC-A5EB7FB48FF4} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Windows Defenderr\vc.exe [2] PID:1644
    Command line: "C:\Program Files\Windows Defenderr\vc.exe"
    - Enumerates connected drives
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
-
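What the tree above records, read end to end: the Windows Installer service (PID 2452) spawns two MsiExec.exe -Embedding custom-action hosts, each of which runs a PowerShell script with -ExecutionPolicy Bypass (the -propFile/-scriptFile/-propSep argument pattern is a generic "run a script from an MSI property" custom action, so the script body itself lives in the dropped scr*.ps1 files, not on the command line); the second script spawns a child PowerShell that excludes C:\Program Files\Windows Defenderr from Defender scanning; the installer had already written vc.exe and cc.xml into that directory; and vc.exe is later started by taskeng.exe, i.e. from a scheduled task (cc.xml is plausibly the task definition, but the report does not confirm that). Once running, vc.exe enumerates drives, installs a window hook (SetWindowsHookEx) and polls the foreground window, which is the behaviour profile of a keylogger or stealer. The report has no network section, so command and control is not characterised here.

The following is an added detection example, not part of the sandbox report and not code from the sample: a Python hunt over process-creation telemetry (Sysmon event 1 or 4688 with command-line logging) for the three pivots above: PowerShell launched by a MsiExec.exe -Embedding host, a Defender exclusion added for a directory whose name is one or two edits away from a protected name, and an executable started from such a directory. The EVENTS list is constructed to mirror the tree above plus two benign controls; PROTECTED_DIR_NAMES and the edit-distance threshold are assumptions you should tune to your estate.

```python
"""Hunt for: MSI custom action -> PowerShell (Bypass) -> Add-MpPreference exclusion
for a lookalike directory -> EXE executed from that lookalike directory.
Added example; the events are constructed to mirror the sandbox tree, not real telemetry."""
import re
from typing import Dict, List

# Constructed process-creation events: pid, parent pid, image path, command line.
EVENTS: List[Dict] = [
    {"pid": 2452, "ppid": 500, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 2064, "ppid": 2452, "image": r"C:\Windows\syswow64\MsiExec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding F3525796222729E933869F1B3843B218"},
    {"pid": 1520, "ppid": 2064, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss4D77.ps1"'},
    {"pid": 1900, "ppid": 2452, "image": r"C:\Windows\syswow64\MsiExec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding DBC9D01589302793DFC0A8354E620EA4 M Global\MSI0000"},
    {"pid": 852, "ppid": 1900, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Windows\SystemTemp\pss5238.ps1"'},
    {"pid": 1676, "ppid": 852, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath "C:\Program` Files\Windows` Defenderr"'},
    {"pid": 536, "ppid": 700, "image": r"C:\Windows\system32\taskeng.exe",
     "cmdline": r"taskeng.exe {86084E34-9A18-450B-95AC-A5EB7FB48FF4}"},
    {"pid": 1644, "ppid": 536, "image": r"C:\Program Files\Windows Defenderr\vc.exe",
     "cmdline": r'"C:\Program Files\Windows Defenderr\vc.exe"'},
    # Benign controls (constructed): an admin script and a vendor exclusion for a real directory.
    {"pid": 4000, "ppid": 3999, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"pid": 4100, "ppid": 3999, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -Command Add-MpPreference -ExclusionPath "C:\Program Files\Microsoft SQL Server"'},
]

# Assumption: directory names worth protecting against lookalikes; extend for your estate.
PROTECTED_DIR_NAMES = ("Windows Defender", "Windows Defender Advanced Threat Protection")

# -ExclusionPath/-ExclusionProcess/-ExclusionExtension followed by a quoted or bare value.
EXCLUSION_RE = re.compile(r'-Exclusion(Path|Process|Extension)\s+(?:"([^"]*)"|\'([^\']*)\'|(\S+))', re.I)


def _basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    head, sep, _ = path.rstrip("\\").rpartition("\\")
    return head if sep else ""


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, inlined to avoid a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_dir(path: str, max_distance: int = 2) -> bool:
    """True when the last path component is within max_distance edits of a protected
    name but is not that name, so the genuine directory does not fire."""
    name = _basename(path).casefold()
    return any(0 < levenshtein(name, p.casefold()) <= max_distance for p in PROTECTED_DIR_NAMES)


def find_msi_powershell_custom_actions(events: List[Dict]) -> List[Dict]:
    """PowerShell whose parent is a MsiExec.exe -Embedding custom-action host."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or _basename(e["image"]).casefold() != "powershell.exe":
            continue
        if _basename(parent["image"]).casefold() != "msiexec.exe" or "-embedding" not in parent["cmdline"].casefold():
            continue
        bypass = re.search(r"-ex\w*\s+bypass|-ep\s+bypass", e["cmdline"], re.I) is not None
        hits.append({"pid": e["pid"], "parent_pid": parent["pid"], "bypass": bypass})
    return hits


def find_defender_exclusions(events: List[Dict]) -> List[Dict]:
    """Add-/Set-MpPreference exclusions; PowerShell backtick escapes are stripped from
    the value and the target directory is checked against the protected names."""
    hits = []
    for e in events:
        cmd = e["cmdline"]
        if not re.search(r"\b(Add|Set)-MpPreference\b", cmd, re.I):
            continue
        for m in EXCLUSION_RE.finditer(cmd):
            kind = m.group(1).capitalize()
            value = (m.group(2) or m.group(3) or m.group(4) or "").replace("`", "")
            target = _dirname(value) if kind == "Process" else value
            hits.append({"pid": e["pid"], "kind": kind, "value": value,
                         "lookalike": is_lookalike_dir(target)})
    return hits


def find_executions_from_lookalike_dirs(events: List[Dict]) -> List[Dict]:
    """Any image started from a directory that imitates a protected directory name."""
    return [{"pid": e["pid"], "image": e["image"]} for e in events if is_lookalike_dir(_dirname(e["image"]))]


def triage(events: List[Dict]) -> Dict[str, List[Dict]]:
    return {
        "msi_custom_action_powershell": find_msi_powershell_custom_actions(events),
        "defender_exclusions": find_defender_exclusions(events),
        "lookalike_executions": find_executions_from_lookalike_dirs(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS), indent=2))
```

Against the constructed events this flags PIDs 1520 and 852 as installer-spawned PowerShell with Bypass, PID 1676 as a Defender exclusion for a lookalike directory (the benign SQL Server exclusion is listed but not marked lookalike), and PID 1644 as an executable run from that directory. In practice the first check is noisy on its own, since legitimate installers also run PowerShell custom actions; it is the combination with an exclusion or a lookalike path that is worth an alert.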
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 217KB
MD5 caf51b0902c06394629f5850987af191
SHA1 970292035e324b78330b13c22bce5640f3fee087
SHA256 eeeec7e199cc58f784f998cc7f68122a8d36513d0700a111cd7ca420ac65b2ec
SHA512 6aa8091190bb873d8e5645b88126a6bd38e779334ae26ea71d30982f8f5efc80a743e2a0f46fa51b90ecc7617173059fd9f5b20ab11d21a03da170f5b884be0d
-
Filesize 2KB
MD5 77d8e23e5fa59f96e69b9d483d4a3a2c
SHA1 6c10cb3e89c8c1f925363e3f517129187b575cd3
SHA256 693a4c081eb1f52d5eb0659701c289f6422344777d4f00270f75fa82166b04dc
SHA512 b6ea21810586467f97af2d8e2d26aa12ad9e00283f619b768db836d705e548d309a6126ae1d036325dc903eb76f223de0ecbcbb0bdb6adaad627905fc43db7b9
-
Filesize 102KB
MD5 c8de233601e5dd254517522a275b661c
SHA1 15eef70b3ada2b55aebd526446be9a32fd41a796
SHA256 d3449e60c02258d03b42b06c5eb0a2f759dd7b1433b565d5cd9a6be7ccc523ea
SHA512 a16d0a59029455b1b6d8d9d165b6ab10a9eb4cff2c7bdbf6738e9be6badbfa8ab12d39fa94b7b4f8705c69b56d89ea71a2c55e649f27e9c8baf35c7b50bc3cde
-
Filesize 6KB
MD5 30c30ef2cb47e35101d13402b5661179
SHA1 25696b2aab86a9233f19017539e2dd83b2f75d4e
SHA256 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f
SHA512 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458
-
Filesize 134B
MD5 7ef79aff6608fd03a304a1a87344c576
SHA1 9c57ed39cec3a1c0278ff50d536da34d55f52162
SHA256 a56cba74db063b4996549de89fec07432fb7470724ec292dab8b97e73c567c51
SHA512 36c5fd4a6d3c875cb311b8b454c39952a36146f2f000926324e0cf16c162409f49c675c575479222a7c28ce26390f473474107859073b37a1813c6aae0e617e6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y50LNP5532IB5UXB9PUO.temp
Filesize 7KB
MD5 197b1c46f2c2f1bb3100ebf1e65d49d1
SHA1 55a2bdf8779141a92a2de65853cd818ca03e32fd
SHA256 9a10f90e465602ef3f155cebd896231e511d270ee1fe6310a327b2fd0baac431
SHA512 9f70f70308b50de882a258fe3602744693c6740d02e2b813b0abda85d1bab85dd5bbd72818097e5795fd3ca298630aa143b1736f3bc4ac77abb39808c2181eff
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB
MD5 f3b123a03bced7f45af1e67c078d127a
SHA1 b45d2a55e6bb92b08d5baf4522ab3290ab112923
SHA256 b8f03a256c54054edbaabcae77645b8daac1f1566d926fb1bc34cc559a816717
SHA512 ff66b35c557e41c3a48562d4c67aa5f573a58773e31f44810016ff02097eeef52150e5c7dfa42bd0ef22f8772bcabe60107145db294dc1c2e4b8bab972372279
-
Filesize 738KB
MD5 ee45c6dffaf86ed2a76d8f969c390c08
SHA1 ff5b2942ffa7d28ed3f72208e8e76391b2991b5a
SHA256 118a551eef23bf842ed470316aa1a50bf17b6d656652879802d4acc0184608ca
SHA512 a92bc7aff5da3dc33263ea3d43cf617d47a2a6c589118f7ee3c5f293d63171778a7a37815ec23cb426558546cf0a1e694c67c7cbc36cca92677de566d1d71664
-
Filesize 215KB
MD5 fa6cf27d72756d6a0794c65d1133befa
SHA1 90949a22d68347f6834c581abc88faf63e7cb8c0
SHA256 d058a04e0b5550db64d816485d9d25411fba27d3b9a4ef1d2dfe47e98c4a054b
SHA512 6ecc9b610325f015659c2a79deaac50f879f0261236a54c76468150f5194ae8c1a7ff284d13818908fae26ea2a2077f982e97ecc5d7264d7c77d74610ad1dede
-
Filesize 758KB
MD5 743c67416aa1d2568679f45ef36e0179
SHA1 dc7163deb7e0d0e493f0ced46fb2fd0b29e19910
SHA256 58800c0b1f916f5ac032ab6e9410d2e5d687eebc95c2955bded68ac97dacd639
SHA512 f35f5a19aa3fe6fc723b771e7199e35cff4de5ed26a5a0a86377288f9487875bbdb19231743f2a7a019642f59ab57ed7cc02e7b4b9a6ec3c11b595596aa6066c
-
Filesize 220B
MD5 0a4a4ecab6e633aa2b189c9fdca38f1f
SHA1 81d0d5e4f77de2c33cd72d812b7a5d3b7b02b2ad
SHA256 3e51b88f2e7f6d26e2b6b1a6403044af1d8b6c1805affee19848bf0d1b3a03e5
SHA512 ee53f855d8ca9cf72b76bde7f4cf5e674201f85095ee60f4f515e49ce12e08d5303932e364338be2d9206a37ec84e874f2f458afa36164fc7d1a35d460fd702e