Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/06/2024, 08:02
Static task: static1
Behavioral task: behavioral1
- Sample: 7e0c33d6d53bba646e05c47b4d34b3f973730ecf289da71f3e71e507fdc83682.msi
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 7e0c33d6d53bba646e05c47b4d34b3f973730ecf289da71f3e71e507fdc83682.msi
- Resource: win10v2004-20240226-en
General
- Target: 7e0c33d6d53bba646e05c47b4d34b3f973730ecf289da71f3e71e507fdc83682.msi
- Size: 2.2MB
- MD5: 3a89cbfce7da515333b8782597515329
- SHA1: 7c878ce7a17ac30498ec06fcc2cc0477a88a9243
- SHA256: 7e0c33d6d53bba646e05c47b4d34b3f973730ecf289da71f3e71e507fdc83682
- SHA512: b14222a1cec22e0b037491ff1f71d468f0455d262e65e18208096ecbb111f01cd61e7230aa614d6a29a27ad688e8e0ed9dd451120b6e83cad3bab5e09f385812
- SSDEEP: 49152:OzXYFfV5tQPGYzLFoc25e6+f/8y05wXIARgguIGUMBz5HxcIT:HlWPG6L8IGUA
Malware Config
Signatures
pid | Process
- 4444 | powershell.exe
- 5312 | powershell.exe
- 2716 | powershell.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\E: | msiexec.exe
- File opened (read-only) | \??\O: | msiexec.exe
- File opened (read-only) | \??\P: | msiexec.exe
- File opened (read-only) | \??\G: | msiexec.exe
- File opened (read-only) | \??\U: | msiexec.exe
- File opened (read-only) | \??\V: | msiexec.exe
- File opened (read-only) | \??\X: | msiexec.exe
- File opened (read-only) | \??\Z: | msiexec.exe
- File opened (read-only) | \??\R: | msiexec.exe
- File opened (read-only) | \??\T: | msiexec.exe
- File opened (read-only) | \??\V: | msiexec.exe
- File opened (read-only) | \??\Y: | msiexec.exe
- File opened (read-only) | \??\E: | msiexec.exe
- File opened (read-only) | \??\H: | msiexec.exe
- File opened (read-only) | \??\N: | msiexec.exe
- File opened (read-only) | \??\Q: | msiexec.exe
- File opened (read-only) | \??\R: | msiexec.exe
- File opened (read-only) | \??\H: | msiexec.exe
- File opened (read-only) | \??\M: | msiexec.exe
- File opened (read-only) | \??\Q: | msiexec.exe
- File opened (read-only) | \??\S: | msiexec.exe
- File opened (read-only) | \??\L: | msiexec.exe
- File opened (read-only) | \??\S: | msiexec.exe
- File opened (read-only) | \??\A: | msiexec.exe
- File opened (read-only) | \??\X: | msiexec.exe
- File opened (read-only) | \??\Z: | msiexec.exe
- File opened (read-only) | \??\B: | msiexec.exe
- File opened (read-only) | \??\I: | msiexec.exe
- File opened (read-only) | \??\J: | msiexec.exe
- File opened (read-only) | \??\N: | msiexec.exe
- File opened (read-only) | \??\W: | msiexec.exe
- File opened (read-only) | \??\L: | msiexec.exe
- File opened (read-only) | \??\U: | msiexec.exe
- File opened (read-only) | \??\M: | msiexec.exe
- File opened (read-only) | \??\O: | msiexec.exe
- File opened (read-only) | \??\Y: | msiexec.exe
- File opened (read-only) | \??\B: | msiexec.exe
- File opened (read-only) | \??\G: | msiexec.exe
- File opened (read-only) | \??\A: | msiexec.exe
- File opened (read-only) | \??\J: | msiexec.exe
- File opened (read-only) | \??\K: | msiexec.exe
- File opened (read-only) | \??\T: | msiexec.exe
- File opened (read-only) | \??\I: | msiexec.exe
- File opened (read-only) | \??\P: | msiexec.exe
- File opened (read-only) | \??\W: | msiexec.exe
- File opened (read-only) | \??\K: | msiexec.exe
Drops file in Program Files directory 2 IoCs
description | ioc | Process
- File created | C:\Program Files\Windows Defenderr\vc.exe | msiexec.exe
- File created | C:\Program Files\Windows Defenderr\cc.xml | msiexec.exe
Drops file in Windows directory 21 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\Installer\MSI19F7.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI2506.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI2D34.tmp | msiexec.exe
- File created | C:\Windows\Installer\SourceHash{DA375318-4268-4282-8777-F02416BF21F8} | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI2EEC.tmp | msiexec.exe
- File created | C:\Windows\SystemTemp\scr5897.ps1 | MsiExec.exe
- File created | C:\Windows\SystemTemp\scr5898.txt | MsiExec.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI2EDB.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI2FD7.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI53AC.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI215A.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\ | msiexec.exe
- File created | C:\Windows\Installer\e59188f.msi | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI243A.tmp | msiexec.exe
- File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI54A7.tmp | msiexec.exe
- File created | C:\Windows\SystemTemp\msi5896.txt | MsiExec.exe
- File opened for modification | C:\Windows\SystemTemp\pss58A8.ps1 | MsiExec.exe
- File opened for modification | C:\Windows\SystemTemp\Pro58A9.tmp | MsiExec.exe
- File opened for modification | C:\Windows\Installer\e59188f.msi | msiexec.exe
Executes dropped EXE 1 IoCs
pid | Process
- 3452 | vc.exe
Loads dropped DLL 9 IoCs
pid | Process
- 5184 | MsiExec.exe
- 5184 | MsiExec.exe
- 5184 | MsiExec.exe
- 5184 | MsiExec.exe
- 5184 | MsiExec.exe
- 5184 | MsiExec.exe
- 5184 | MsiExec.exe
- 3040 | MsiExec.exe
- 3040 | MsiExec.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
- Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
- Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not preserved in the source] | vssvc.exe
- Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | msiexec.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
- Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E | msiexec.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
- Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | msiexec.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Modifies registry class 1 IoCs
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | powershell.exe
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid | Process
- 4112 | msiexec.exe
- 4112 | msiexec.exe
- 4444 | powershell.exe
- 4444 | powershell.exe
- 4444 | powershell.exe
- 5312 | powershell.exe
- 5312 | powershell.exe
- 5312 | powershell.exe
- 2716 | powershell.exe
- 2716 | powershell.exe
- 2716 | powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
- Token: SeShutdownPrivilege | 2260 | msiexec.exe
- Token: SeIncreaseQuotaPrivilege | 2260 | msiexec.exe
- Token: SeSecurityPrivilege | 4112 | msiexec.exe
- Token: SeCreateTokenPrivilege | 2260 | msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege | 2260 | msiexec.exe
- Token: SeLockMemoryPrivilege | 2260 | msiexec.exe
- Token: SeIncreaseQuotaPrivilege | 2260 | msiexec.exe
- Token: SeMachineAccountPrivilege | 2260 | msiexec.exe
- Token: SeTcbPrivilege | 2260 | msiexec.exe
- Token: SeSecurityPrivilege | 2260 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 2260 | msiexec.exe
- Token: SeLoadDriverPrivilege | 2260 | msiexec.exe
- Token: SeSystemProfilePrivilege | 2260 | msiexec.exe
- Token: SeSystemtimePrivilege | 2260 | msiexec.exe
- Token: SeProfSingleProcessPrivilege | 2260 | msiexec.exe
- Token: SeIncBasePriorityPrivilege | 2260 | msiexec.exe
- Token: SeCreatePagefilePrivilege | 2260 | msiexec.exe
- Token: SeCreatePermanentPrivilege | 2260 | msiexec.exe
- Token: SeBackupPrivilege | 2260 | msiexec.exe
- Token: SeRestorePrivilege | 2260 | msiexec.exe
- Token: SeShutdownPrivilege | 2260 | msiexec.exe
- Token: SeDebugPrivilege | 2260 | msiexec.exe
- Token: SeAuditPrivilege | 2260 | msiexec.exe
- Token: SeSystemEnvironmentPrivilege | 2260 | msiexec.exe
- Token: SeChangeNotifyPrivilege | 2260 | msiexec.exe
- Token: SeRemoteShutdownPrivilege | 2260 | msiexec.exe
- Token: SeUndockPrivilege | 2260 | msiexec.exe
- Token: SeSyncAgentPrivilege | 2260 | msiexec.exe
- Token: SeEnableDelegationPrivilege | 2260 | msiexec.exe
- Token: SeManageVolumePrivilege | 2260 | msiexec.exe
- Token: SeImpersonatePrivilege | 2260 | msiexec.exe
- Token: SeCreateGlobalPrivilege | 2260 | msiexec.exe
- Token: SeBackupPrivilege | 4148 | vssvc.exe
- Token: SeRestorePrivilege | 4148 | vssvc.exe
- Token: SeAuditPrivilege | 4148 | vssvc.exe
- Token: SeBackupPrivilege | 4112 | msiexec.exe
- Token: SeRestorePrivilege | 4112 | msiexec.exe
- Token: SeRestorePrivilege | 4112 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 4112 | msiexec.exe
- Token: SeRestorePrivilege | 4112 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 4112 | msiexec.exe
- Token: SeRestorePrivilege | 4112 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 4112 | msiexec.exe
- Token: SeRestorePrivilege | 4112 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 4112 | msiexec.exe
- Token: SeRestorePrivilege | 4112 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 4112 | msiexec.exe
- Token: SeRestorePrivilege | 4112 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 4112 | msiexec.exe
- Token: SeRestorePrivilege | 4112 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 4112 | msiexec.exe
- Token: SeRestorePrivilege | 4112 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 4112 | msiexec.exe
- Token: SeRestorePrivilege | 4112 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 4112 | msiexec.exe
- Token: SeDebugPrivilege | 4444 | powershell.exe
- Token: SeBackupPrivilege | 5208 | srtasks.exe
- Token: SeRestorePrivilege | 5208 | srtasks.exe
- Token: SeSecurityPrivilege | 5208 | srtasks.exe
- Token: SeTakeOwnershipPrivilege | 5208 | srtasks.exe
- Token: SeBackupPrivilege | 5208 | srtasks.exe
- Token: SeRestorePrivilege | 5208 | srtasks.exe
- Token: SeSecurityPrivilege | 5208 | srtasks.exe
- Token: SeTakeOwnershipPrivilege | 5208 | srtasks.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
- 2260 | msiexec.exe
- 2260 | msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
- 1588 | OpenWith.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
- PID 4112 wrote to memory of 5208 | 4112 | msiexec.exe | 105
- PID 4112 wrote to memory of 5208 | 4112 | msiexec.exe | 105
- PID 4112 wrote to memory of 5184 | 4112 | msiexec.exe | 107
- PID 4112 wrote to memory of 5184 | 4112 | msiexec.exe | 107
- PID 4112 wrote to memory of 5184 | 4112 | msiexec.exe | 107
- PID 5184 wrote to memory of 4444 | 5184 | MsiExec.exe | 108
- PID 5184 wrote to memory of 4444 | 5184 | MsiExec.exe | 108
- PID 5184 wrote to memory of 4444 | 5184 | MsiExec.exe | 108
- PID 4112 wrote to memory of 3040 | 4112 | msiexec.exe | 111
- PID 4112 wrote to memory of 3040 | 4112 | msiexec.exe | 111
- PID 4112 wrote to memory of 3040 | 4112 | msiexec.exe | 111
- PID 3040 wrote to memory of 5312 | 3040 | MsiExec.exe | 112
- PID 3040 wrote to memory of 5312 | 3040 | MsiExec.exe | 112
- PID 3040 wrote to memory of 5312 | 3040 | MsiExec.exe | 112
- PID 5312 wrote to memory of 2716 | 5312 | powershell.exe | 114
- PID 5312 wrote to memory of 2716 | 5312 | powershell.exe | 114
- PID 5312 wrote to memory of 2716 | 5312 | powershell.exe | 114
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 2260)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7e0c33d6d53bba646e05c47b4d34b3f973730ecf289da71f3e71e507fdc83682.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4112)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 5208)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe (PID 5184)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 0825493B5094780BF63B7BABB1C20E28
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4444)
      Command line: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss3206.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi31F3.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr31F4.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr31F5.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
      - Command and Scripting Interpreter: PowerShell
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe (PID 3040)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2DC89D01043D0260A9A0C99A2E9E5376 E Global\MSI0000
    - Drops file in Windows directory
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5312)
      Command line: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Windows\SystemTemp\pss58A8.ps1" -propFile "C:\Windows\SystemTemp\msi5896.txt" -scriptFile "C:\Windows\SystemTemp\scr5897.ps1" -scriptArgsFile "C:\Windows\SystemTemp\scr5898.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2716)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath "C:\Program` Files\Windows` Defenderr"
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (PID 4148)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5116)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3528 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
- C:\Windows\system32\OpenWith.exe (PID 1588)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Windows Defenderr\vc.exe (PID 3452)
  Command line: "C:\Program Files\Windows Defenderr\vc.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads