Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 19-06-2024 14:58
Static task: static1
Behavioral task: behavioral1
- Sample: finalshell_install.msi
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: finalshell_install.msi
- Resource: win10v2004-20240508-en
General
- Target: finalshell_install.msi
- Size: 114.0MB
- MD5: 513c6f171a71ade9e117a08345cd589d
- SHA1: 57a4a508e5d7d76aa1cfe883af4f0a1c3bdd47ca
- SHA256: 9861a44622f62ea87dd8ce53ef752d5af92dc60f8e012f72f1873fd462b4e0e0
- SHA512: 0287bc684c4947b79e4f80629bbe7fb5850bc2659f04d6dbfc15116bafa2d10eb362ace9cb581147b6f5ae09491f4ad63c3bf2f115f09ce9cba89209bfbfc1c9
- SSDEEP: 1572864:OMNdS0K7cM0Smj/NP6r32RVzpMqHzjlZiuFp0SB3P/pL/lA5jY5/GA+Y13LJyPOZ:OMNdxoONP6r32HGOzJpLdA5+zrpm3r6
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (6 IoCs)
Processes: msiexec.exe, MsiExec.exe (description, ioc, process):
- File created: C:\Program Files\Windows Defenderr\librdkafka.dll (msiexec.exe)
- File created: C:\Program Files\Windows Defenderr\1 (msiexec.exe)
- File created: C:\Program Files\Windows Defenderr\TrackerUI.sys (MsiExec.exe)
- File opened for modification: C:\Program Files\Windows Defenderr\TrackerUI.sys (MsiExec.exe)
- File created: C:\Program Files\Windows Defenderr\Phone.exe (MsiExec.exe)
- File created: C:\Program Files\Windows Defenderr\2 (msiexec.exe)
Drops file in Windows directory (22 IoCs)
Executes dropped EXE (3 IoCs)
Processes: Phone.exe (pid, process):
- 2780 Phone.exe
- 948 Phone.exe
- 1960 Phone.exe
Loads dropped DLL (17 IoCs)
Processes: MsiExec.exe, Phone.exe, WerFault.exe (pid, process):
- 3020 MsiExec.exe
- 3020 MsiExec.exe
- 3020 MsiExec.exe
- 3020 MsiExec.exe
- 3020 MsiExec.exe
- 3020 MsiExec.exe
- 2168 MsiExec.exe
- 3020 MsiExec.exe
- 3020 MsiExec.exe
- 2100 MsiExec.exe
- 2100 MsiExec.exe
- 2780 Phone.exe
- 2656 WerFault.exe
- 2656 WerFault.exe
- 2656 WerFault.exe
- 2656 WerFault.exe
- 2656 WerFault.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages (1 TTPs, 1 IoCs)
Program crash (1 IoCs)
Processes: WerFault.exe (pid, pid_target, process, target process):
- 2656 2780 WerFault.exe Phone.exe
NSIS installer (2 IoCs)
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Local\FinalShell\Finalshell\finalshell.exe nsis_installer_1
- C:\Users\Admin\AppData\Local\FinalShell\Finalshell\finalshell.exe nsis_installer_2
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class (24 IoCs)
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: msiexec.exe, Phone.exe (pid, process):
- 2416 msiexec.exe
- 2416 msiexec.exe
- 2416 msiexec.exe
- 2416 msiexec.exe
- 2780 Phone.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes: msiexec.exe (pid, process):
- 108 msiexec.exe
- 2552 msiexec.exe
- 108 msiexec.exe
- 2552 msiexec.exe
Suspicious use of WriteProcessMemory (37 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indented by depth in the process tree)
- C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\finalshell_install.msi
  signatures: Enumerates connected drives; Event Triggered Execution: Installer Packages; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding A5E1C7F10E63ADD0D9E931768EDCDE27 C
    signatures: Loads dropped DLL
  - C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding DB032785993C818CC9960F73A8C0D9A1
    signatures: Loads dropped DLL
  - C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 57B26C51C01BF424E65E7215FC54B247
    signatures: Drops file in Program Files directory; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Program Files\Windows Defenderr\Phone.exe
      command line: "C:\Program Files\Windows Defenderr\Phone.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 176
        signatures: Loads dropped DLL; Program crash
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
- C:\Windows\system32\DrvInst.exe
  command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "0000000000000000" "00000000000003D4" "00000000000005AC"
  signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- C:\Windows\System32\msiexec.exe
  command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\WindowsProgram.msi"
  signatures: Enumerates connected drives; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\DrvInst.exe
  command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000544" "0000000000000530"
  signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {3D965777-3E24-47D1-9490-8787365DC536} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
  signatures: Suspicious use of WriteProcessMemory
  - C:\ProgramData\{14B2A052-3CA3-4d7d-8CE0-A8xvDFw50F17}\{F47128F7-F7A3-4631-85BA-07xv2Dw5260F}\Phone.exe
    command line: C:\ProgramData\{14B2A052-3CA3-4d7d-8CE0-A8xvDFw50F17}\{F47128F7-F7A3-4631-85BA-07xv2Dw5260F}\Phone.exe
    signatures: Executes dropped EXE
  - C:\ProgramData\{14B2A052-3CA3-4d7d-8CE0-A8xvDFw50F17}\{F47128F7-F7A3-4631-85BA-07xv2Dw5260F}\Phone.exe
    command line: C:\ProgramData\{14B2A052-3CA3-4d7d-8CE0-A8xvDFw50F17}\{F47128F7-F7A3-4631-85BA-07xv2Dw5260F}\Phone.exe
    signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Config.Msi\f769ea2.rbs (39KB)
  MD5: b870dd2509003ee77d9483926a65fdbd
  SHA1: 5e6b23ef36a51db74d19271d65344859ffd73131
  SHA256: fa482a42f8885fa7fd650897c9eeddeb8335086bf362561f8ae067e62c239ef1
  SHA512: 5b9eb5929ee36c11ed23956e944ab146fad603b982da0e202438e476d7d3da356c6b238416111b45e3038a59225924f22e605bf2a106303ce703ac660d22f3ac
- C:\Config.Msi\f769ea8.rbs (7KB)
  MD5: ef00698b55c79980dadc6a9df1f4e820
  SHA1: d45e661787283a83029d6b3b618264c9c860c79e
  SHA256: 4eae406fb5af1acf65d7dbf88e253253812446e19867990b2a1220f13f235e23
  SHA512: 03b71ec72a02be88ca8987c36ac90794c35c4e77193cb82fd9bb2ddcf3b616faadaa367d5813ffc232741a78f1035ad557d11d7e13208c642a1836a893418975
- C:\Program Files\Windows Defenderr\1 (978KB)
  MD5: a8a5c802a0ba7779cd378a4ed88a1645
  SHA1: c78967d9cf1fa6017757b93891b423854952b4ef
  SHA256: b7247f59f232b373c2473f869c8269a7ef46ad29bbc64403a29c697313b6ae74
  SHA512: 329b43bbf38ac5b547c69f1301c8899ae24a044009051236df2678911cd636961731a4f274cd55381a86cab3dd74dabee2cb25d8968361991d516cdf7d945709
- C:\Program Files\Windows Defenderr\2 (135KB)
  MD5: de5b9a4e125ac870b304a80fc829f888
  SHA1: d82d45dbeb3c2d702b6bb6b4c28a95d357b86316
  SHA256: 992d22609eb21b384ac3965d18cca4fa620e2a743451db60d19794eafe553362
  SHA512: 471249934c2560ccd166ca559e9d73622a4653a7226a2e7ff3c0225dcd882d9d78e8676342938c6c6e56d6167a37d8e96423b2de6f6a5f9740424191481fb725
- C:\ProgramData\{14B2A052-3CA3-4d7d-8CE0-A8xvDFw50F17}\{F3F305A2-E5E7-488d-A947-75xvA2w51D0B}.exe (1.0MB)
  MD5: d96a742899aeab9eaba691861908e316
  SHA1: 777f988457a9265431e8119bd2d579f264f565f5
  SHA256: 1d8b0d810d826574637041cc56c5532139eccff5064195bfea0d65ac0c3624d3
  SHA512: cc3f75a0d2abe5860acefebda2d44dba7259d7f28e32dfd41d3d7361df7f4195deb49e8c7f7d74f09bffdd8a39fde5a0eeee222a92bdef3f773379284aadf582
- C:\Users\Admin\AppData\Local\FinalShell\Finalshell\finalshell.exe (101KB)
  MD5: c1c11656f36a5b2b7bf514a6cf4ddf54
  SHA1: 1b99cfe6a5c16c88b3a4efb3874127ea2bb0d420
  SHA256: 47600daab17337f9c268426027ffd9ed2cf1a1774ff84cb81e24ed61b7c7407b
  SHA512: b546d7b59706b02cffd1ed3927981ff85e6f992afe0f69261780d6c40636b0ce3782954497dfeefea058d196a6e62e2f568da28a90961357b4fe39f3d52a0eae
- C:\Users\Admin\AppData\Local\FinalShell\Finalshell\jre\legal\java.naming\COPYRIGHT (35B)
  MD5: 4586c3797f538d41b7b2e30e8afebbc9
  SHA1: 3419ebac878fa53a9f0ff1617045ddaafb43dce0
  SHA256: 7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018
  SHA512: f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3
- C:\Users\Admin\AppData\Local\FinalShell\Finalshell\jre\legal\java.naming\LICENSE (33B)
  MD5: 16989bab922811e28b64ac30449a5d05
  SHA1: 51ab20e8c19ee570bf6c496ec7346b7cf17bd04a
  SHA256: 86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192
  SHA512: 86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608
- C:\Users\Admin\AppData\Local\Temp\MSI2E41.tmp (587KB)
  MD5: c7fbd5ee98e32a77edf1156db3fca622
  SHA1: 3e534fc55882e9fb940c9ae81e6f8a92a07125a0
  SHA256: e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
  SHA512: 8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
- C:\Users\Admin\AppData\Local\Temp\WindowsProgram.msi (1.2MB)
  MD5: 7813c15b89e15b8af723338db9bd5936
  SHA1: 2308be3f8f1c3f46cd2eb14189c19c0e2deef8c5
  SHA256: 17fcf1aacf2981cff65f7d0f3f03029c15eebfd7f71790cdf0f03553895d4152
  SHA512: ef1b63b1b8b670610bcc5b461457d5b58fca57577b7cf8442183c921ed516b7a87f48b4fde9d325dcc087cb090d7f8992f1eec2a68d1c06c263b6ea93470faeb
- memory/948-334-0x0000000000BB0000-0x0000000000CAE000-memory.dmp (1016KB)
- memory/1960-353-0x0000000000100000-0x00000000001FE000-memory.dmp (1016KB)
- memory/2780-314-0x0000000000240000-0x000000000033E000-memory.dmp (1016KB)
- memory/2780-335-0x0000000000240000-0x000000000033E000-memory.dmp (1016KB)
- memory/3020-264-0x0000000000290000-0x0000000000292000-memory.dmp (8KB)