Analysis
- max time kernel: 140s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-06-2024 01:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: 02f7524fbcca9e5fb197f47eabc66bbe.exe
- Resource: win7-20240508-en
General
- Target: 02f7524fbcca9e5fb197f47eabc66bbe.exe
- Size: 10.1MB
- MD5: 02f7524fbcca9e5fb197f47eabc66bbe
- SHA1: b172f6a0890fae6d85fca58b47f961693f55843a
- SHA256: 349838094cda907d089098bfc3a0839a63959b36f40344e4023cec7218acf92e
- SHA512: c5d8ec163852a3c993825c9d898234d41f7dfae132d62bb64c412ceb67e0982adfa5235a676f7f2c981758c2ca33b1ce409c52e11f98634c8467ae822a35f2a0
- SSDEEP: 196608:Pdad4T0xcsSB5orrcbSsi0s/lmPJ7N3VvXWrqufezvq:FadCoXrlAJ7N3pXW2uGzy
Malware Config
Signatures
Executes dropped EXE 3 IoCs
Processes (pid, process):
- 2352 lite_installer.exe
- 1996 seederexe.exe
- 6248 sender.exe

Loads dropped DLL 10 IoCs
Processes (pid, process):
- 4504 MsiExec.exe (10 entries)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory 17 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
Processes (process, description, ioc):
- seederexe.exe: Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\SearchScopes
- seederexe.exe: Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main

Modifies system certificate store
Processes (process, description, ioc):
- 02f7524fbcca9e5fb197f47eabc66bbe.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
- 02f7524fbcca9e5fb197f47eabc66bbe.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = (blob data omitted) (3 entries)
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes (pid, process):
- 1320 02f7524fbcca9e5fb197f47eabc66bbe.exe
- 1320 02f7524fbcca9e5fb197f47eabc66bbe.exe
- 4136 msiexec.exe
- 4136 msiexec.exe
- 2352 lite_installer.exe
- 2352 lite_installer.exe
- 1996 seederexe.exe
- 1996 seederexe.exe
- 6248 sender.exe
- 6248 sender.exe
- 2352 lite_installer.exe
- 2352 lite_installer.exe
Suspicious use of AdjustPrivilegeToken 60 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process):
- 1320 02f7524fbcca9e5fb197f47eabc66bbe.exe
- 1320 02f7524fbcca9e5fb197f47eabc66bbe.exe

Suspicious use of WriteProcessMemory 12 IoCs
Processes (pid, process, target pid, target process):
- PID 4136 (msiexec.exe) wrote to memory of PID 4504 (MsiExec.exe) (3 entries)
- PID 4504 (MsiExec.exe) wrote to memory of PID 2352 (lite_installer.exe) (3 entries)
- PID 4504 (MsiExec.exe) wrote to memory of PID 1996 (seederexe.exe) (3 entries)
- PID 1996 (seederexe.exe) wrote to memory of PID 6248 (sender.exe) (3 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe (PID 1320)
  Command line: "C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe"
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 4136)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\syswow64\MsiExec.exe (PID 4504)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 13D396AAD6C5018467648A3BFC7E0133
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\A2B63F4F-F902-4778-AB0D-CD6612F46470\lite_installer.exe (PID 2352)
      Command line: "C:\Users\Admin\AppData\Local\Temp\A2B63F4F-F902-4778-AB0D-CD6612F46470\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe (PID 1996)
      Command line: "C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\3E6EA874-E3ED-46BC-A258-15E86C40A829\sender.exe" "--is_elevated=yes" "--ui_level=5" "--good_token=x" "--no_opera=n"
      - Executes dropped EXE
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Users\Admin\AppData\Local\Temp\3E6EA874-E3ED-46BC-A258-15E86C40A829\sender.exe (PID 6248)
        Command line: C:\Users\Admin\AppData\Local\Temp\3E6EA874-E3ED-46BC-A258-15E86C40A829\sender.exe --send "/status.xml?clid=2382047&uuid=58e02dc9-3ebe-4afc-95ae-02113ed8679e&vnt=Windows 10x64&file-no=8%0A15%0A25%0A45%0A57%0A59%0A102%0A111%0A125%0A129%0A"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5372)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=3772 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads