Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-06-2024 14:58
Static task: static1
Behavioral task: behavioral1
  Sample: finalshell_install.msi
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: finalshell_install.msi
  Resource: win10v2004-20240508-en
General
Target: finalshell_install.msi
Size: 114.0MB
MD5: 513c6f171a71ade9e117a08345cd589d
SHA1: 57a4a508e5d7d76aa1cfe883af4f0a1c3bdd47ca
SHA256: 9861a44622f62ea87dd8ce53ef752d5af92dc60f8e012f72f1873fd462b4e0e0
SHA512: 0287bc684c4947b79e4f80629bbe7fb5850bc2659f04d6dbfc15116bafa2d10eb362ace9cb581147b6f5ae09491f4ad63c3bf2f115f09ce9cba89209bfbfc1c9
SSDEEP: 1572864:OMNdS0K7cM0Smj/NP6r32RVzpMqHzjlZiuFp0SB3P/pL/lA5jY5/GA+Y13LJyPOZ:OMNdxoONP6r32HGOzJpLdA5+zrpm3r6
Malware Config
Signatures
PurpleFox rootkit (YARA rule purplefox_rootkit) 2 IoCs
Processes: Phone.exe (pid 1400, memory)
  behavioral2/memory/1400-403-0x0000000010290000-0x000000001044A000-memory.dmp  purplefox_rootkit
  behavioral2/memory/1400-405-0x0000000010290000-0x000000001044A000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 2 IoCs
Processes: Phone.exe (pid 1400, memory)
  behavioral2/memory/1400-403-0x0000000010290000-0x000000001044A000-memory.dmp  family_gh0strat
  behavioral2/memory/1400-405-0x0000000010290000-0x000000001044A000-memory.dmp  family_gh0strat
Both YARA rules hit the same 1.7MB region (0x10290000-0x1044A000) of the Phone.exe process with pid 1400, i.e. one in-memory payload is tagged as both Gh0st RAT and PurpleFox.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe, Phone.exe, msiexec.exe
File opened (read-only) on drive roots, 64 events in total; the drive letters below are listed once per process (msiexec.exe covers two installer instances):
  msiexec.exe: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  Phone.exe:   \??\B: \??\E: \??\G: \??\H: \??\I: \??\K: \??\L: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\W: \??\X: \??\Y: \??\Z:
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Phone.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  Phone.exe
Drops file in Program Files directory 6 IoCs
Processes: msiexec.exe, MsiExec.exe
  File created                 C:\Program Files\Windows Defenderr\1               msiexec.exe
  File created                 C:\Program Files\Windows Defenderr\TrackerUI.sys   MsiExec.exe
  File opened for modification C:\Program Files\Windows Defenderr\TrackerUI.sys   MsiExec.exe
  File created                 C:\Program Files\Windows Defenderr\Phone.exe       MsiExec.exe
  File created                 C:\Program Files\Windows Defenderr\2               msiexec.exe
  File created                 C:\Program Files\Windows Defenderr\librdkafka.dll  msiexec.exe
Note the directory name: "Windows Defenderr" (double r) is not the Microsoft Defender install directory, which is C:\Program Files\Windows Defender. A .sys file written there is a driver staged outside C:\Windows\System32\drivers.
Drops file in Windows directory 18 IoCs
Processes: msiexec.exe
  File created                 C:\Windows\Installer\inprogressinstallinfo.ipi
  File opened for modification C:\Windows\Installer\MSID455.tmp
  File opened for modification C:\Windows\Installer\{180946E5-8F8D-49F2-8FAC-AEBC5196BF9E}\finalshell2001.exe
  File created                 C:\Windows\Installer\e58cfe1.msi
  File created                 C:\Windows\Installer\e58cfe5.msi
  File created                 C:\Windows\Installer\e58cfde.msi
  File created                 C:\Windows\Installer\SourceHash{3C963879-488B-4A1C-BB5D-DF7EFE72A13D}
  File opened for modification C:\Windows\Installer\MSIDF72.tmp
  File opened for modification C:\Windows\Installer\e58cfe1.msi
  File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  File opened for modification C:\Windows\Installer\MSID099.tmp
  File opened for modification C:\Windows\Installer\e58cfde.msi
  File opened for modification C:\Windows\Installer\MSID176.tmp
  File opened for modification C:\Windows\Installer\
  File created                 C:\Windows\Installer\SourceHash{180946E5-8F8D-49F2-8FAC-AEBC5196BF9E}
  File created                 C:\Windows\Installer\{180946E5-8F8D-49F2-8FAC-AEBC5196BF9E}\finalshell2001.exe
  File created                 C:\Windows\Installer\e58cfe0.msi
  File opened for modification C:\Windows\Installer\MSID165.tmp
Executes dropped EXE 3 IoCs
Processes: Phone.exe (pid 1544), Phone.exe (pid 2700), Phone.exe (pid 1400)
Loads dropped DLL 13 IoCs
Processes: MsiExec.exe (pid 1612, 10 loads), MsiExec.exe (pid 3004, 3 loads)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
Program crash 1 IoCs
Processes: WerFault.exe (pid 4748), target Phone.exe (pid 1544)
NSIS installer 2 IoCs
Processes:
  C:\Users\Admin\AppData\Local\FinalShell\Finalshell\finalshell.exe  nsis_installer_1
  C:\Users\Admin\AppData\Local\FinalShell\Finalshell\finalshell.exe  nsis_installer_2
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not shown)
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: Phone.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Enumerates processes with tasklist 1 TTPs 1 IoCs
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes: ipconfig.exe (pid 336)
Modifies data under HKEY_USERS 3 IoCs
Processes: msiexec.exe
  Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E
  Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a
  Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b
Modifies registry class 26 IoCs
Processes: msiexec.exe, MsiExec.exe, Phone.exe
(Products\5E649081D8F82F94F8CAEACB1569FBE9 below is shorthand for \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9.)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F2613129C24CE43458177D2F46601180\5E649081D8F82F94F8CAEACB1569FBE9  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5E649081D8F82F94F8CAEACB1569FBE9  msiexec.exe
  Set value (int)   Products\5E649081D8F82F94F8CAEACB1569FBE9\AuthorizedLUAApp = "0"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F2613129C24CE43458177D2F46601180  msiexec.exe
  Key created       Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList  msiexec.exe
  Set value (str)   Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\Media\DiskPrompt = "[1]"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  MsiExec.exe
  Set value (int)   Products\5E649081D8F82F94F8CAEACB1569FBE9\DeploymentFlags = "3"  msiexec.exe
  Set value (str)   Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
  Set value (data)  Products\5E649081D8F82F94F8CAEACB1569FBE9\Clients = 3a0000000000  msiexec.exe
  Set value (str)   Products\5E649081D8F82F94F8CAEACB1569FBE9\ProductName = "FinalShell"  msiexec.exe
  Set value (str)   Products\5E649081D8F82F94F8CAEACB1569FBE9\PackageCode = "1035B3F7A8404EF48BDE65DC9EC88B15"  msiexec.exe
  Set value (int)   Products\5E649081D8F82F94F8CAEACB1569FBE9\Assignment = "1"  msiexec.exe
  Set value (str)   Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\PackageName = "finalshell_install.msi"  msiexec.exe
  Key created       Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\Media  msiexec.exe
  Set value (str)   Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\Media\1 = ";"  msiexec.exe
  Set value (int)   Products\5E649081D8F82F94F8CAEACB1569FBE9\AdvertiseFlags = "388"  msiexec.exe
  Set value (int)   Products\5E649081D8F82F94F8CAEACB1569FBE9\InstanceType = "0"  msiexec.exe
  Set value (str)   Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5E649081D8F82F94F8CAEACB1569FBE9\MainFeature  msiexec.exe
  Set value (int)   Products\5E649081D8F82F94F8CAEACB1569FBE9\Language = "2052"  (LCID 2052 is Chinese, Simplified, PRC)  msiexec.exe
  Set value (int)   Products\5E649081D8F82F94F8CAEACB1569FBE9\Version = "67305482"  (0x0403000A, i.e. product version 4.3.10)  msiexec.exe
  Key created       Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\Net  msiexec.exe
  Key created       \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings  Phone.exe
  Key created       Products\5E649081D8F82F94F8CAEACB1569FBE9  msiexec.exe
  Set value (str)   Products\5E649081D8F82F94F8CAEACB1569FBE9\ProductIcon = "C:\\Windows\\Installer\\{180946E5-8F8D-49F2-8FAC-AEBC5196BF9E}\\finalshell2001.exe"  msiexec.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: msiexec.exe (pid 5056, 4 events), Phone.exe (pid 1544, 2 events), Phone.exe (pid 1400, 58 events)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: msiexec.exe (pid 3992), msiexec.exe (pid 5056)
  pid 5056 msiexec.exe: SeSecurityPrivilege
  pid 3992 msiexec.exe (63 events; the following set is enabled, most of it twice):
    SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege,
    SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege,
    SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege,
    SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege,
    SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Suspicious use of FindShellTrayWindow 4 IoCs
Processes: msiexec.exe (pid 3992, 2 events), msiexec.exe (pid 1668, 2 events)
Suspicious use of WriteProcessMemory 32 IoCs
Processes: msiexec.exe, MsiExec.exe, Phone.exe, cmd.exe, cmd.exe
Parent -> child (each write was recorded as many times as noted, 32 events in total):
  5056 msiexec.exe  -> 1612 MsiExec.exe   (3)
  5056 msiexec.exe  -> 4392 srtasks.exe   (2)
  5056 msiexec.exe  -> 3004 MsiExec.exe   (3)
  5056 msiexec.exe  -> 1044 MsiExec.exe   (3)
  1044 MsiExec.exe  -> 1544 Phone.exe     (3)
  1400 Phone.exe    -> 1616 cmd.exe       (3)
  1616 cmd.exe      -> 1548 tasklist.exe  (3)
  1616 cmd.exe      -> 1224 findstr.exe   (3)
  1400 Phone.exe    -> 4700 cmd.exe       (3)
  4700 cmd.exe      -> 336 ipconfig.exe   (3)
  1616 cmd.exe      -> 4396 PING.EXE      (3)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(Indentation shows the parent/child tree; pids in parentheses are taken from the signature tables above.)

C:\Windows\system32\msiexec.exe  (pid 3992)
  cmdline: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\finalshell_install.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  (pid 5056)
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe  (pid 1612)
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6CBE5EF477CFB9B004EAD60D7A0914B4 C
      - Loads dropped DLL

    C:\Windows\system32\srtasks.exe  (pid 4392)
      cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    C:\Windows\syswow64\MsiExec.exe  (pid 3004)
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 1D6537D7ECC0F787185807ED7463F470
      - Loads dropped DLL

    C:\Windows\syswow64\MsiExec.exe  (pid 1044)
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 1B93FE0B6FA40D3A230B78F1FB1277FD
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        C:\Program Files\Windows Defenderr\Phone.exe  (pid 1544)
          cmdline: "C:\Program Files\Windows Defenderr\Phone.exe"
          - Executes dropped EXE
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses

            C:\Windows\SysWOW64\WerFault.exe  (pid 4748)
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1584
              - Program crash

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4320,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8

C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)

C:\Windows\System32\msiexec.exe  (pid 1668)
  cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\WindowsProgram.msi"
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow

C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe  (pid 2700)
  cmdline: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe
  - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1544 -ip 1544

C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe  (pid 1400)
  cmdline: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe
  - Enumerates connected drives
  - Checks computer location settings
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (pid 1616)
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\{6FDD4E84-A1CB-4a08-B7B1-E2xv8Ew59779}.cmd" "
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\tasklist.exe  (pid 1548)
          cmdline: tasklist /fi "PID eq 1400"
          - Enumerates processes with tasklist

        C:\Windows\SysWOW64\findstr.exe  (pid 1224)
          cmdline: findstr /i "1400"

        C:\Windows\SysWOW64\PING.EXE  (pid 4396)
          cmdline: ping -n 20 127.0.0.1
          - Runs ping.exe

    C:\Windows\SysWOW64\cmd.exe  (pid 4700)
      cmdline: cmd.exe /c ipconfig /flushdns
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ipconfig.exe  (pid 336)
          cmdline: ipconfig /flushdns
          - Gathers network information
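The drop paths and the batch chain above carry several signals worth checking mechanically rather than by eye: a Program Files directory one character away from a vendor name ("Windows Defenderr"), a .sys driver written outside C:\Windows\System32\drivers, GUID-shaped ProgramData directory names that contain non-hex characters (x, v, w cannot appear in a real GUID), and the tasklist /fi "PID eq N" | findstr N followed by ping -n 20 127.0.0.1 idiom, which batch scripts use to block until a process exits (here the cmd.exe waits on its own parent, pid 1400, a pattern consistent with a self-replace or self-delete step, though the .cmd body itself is not shown on this page). The script below is an added example and is not part of the sandbox report or of any tool it names; it runs over a handful of records transcribed from this page (constructed input), and the KNOWN_VENDOR_DIRS list is an assumption you would extend for your own estate.

```python
"""Hunting checks over file-drop and process records from a sandbox run (added example)."""
import re
from collections import defaultdict

# Constructed input transcribed from the report: dropped-file paths, and the
# process chain as (parent pid, parent image, child pid, child command line).
DROPPED_PATHS = [
    r"C:\Program Files\Windows Defenderr\TrackerUI.sys",
    r"C:\Program Files\Windows Defenderr\Phone.exe",
    r"C:\Program Files\Windows Defenderr\librdkafka.dll",
    r"C:\Windows\Installer\{180946E5-8F8D-49F2-8FAC-AEBC5196BF9E}\finalshell2001.exe",
    r"C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe",
    r"C:\ProgramData\{6FDD4E84-A1CB-4a08-B7B1-E2xv8Ew59779}.cmd",
]
PROCESS_EVENTS = [
    (1400, "Phone.exe", 1616, r'cmd.exe /c ""C:\ProgramData\{6FDD4E84-A1CB-4a08-B7B1-E2xv8Ew59779}.cmd" "'),
    (1616, "cmd.exe", 1548, 'tasklist /fi "PID eq 1400"'),
    (1616, "cmd.exe", 1224, 'findstr /i "1400"'),
    (1616, "cmd.exe", 4396, "ping -n 20 127.0.0.1"),
    (1400, "Phone.exe", 4700, "cmd.exe /c ipconfig /flushdns"),
    (4700, "cmd.exe", 336, "ipconfig /flushdns"),
]

# Assumed list of vendor directory names that lookalike drops tend to imitate.
KNOWN_VENDOR_DIRS = {"Windows Defender", "Microsoft", "Common Files", "Windows NT", "Internet Explorer"}
GUID_SHAPE = re.compile(r"\{[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\}")
HEX = set("0123456789abcdefABCDEF")


def edit_distance(a, b):
    """Levenshtein distance; inputs are short, so the plain O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_dirs(path):
    """Components directly under Program Files that are exactly one edit from a vendor name."""
    parts = path.split("\\")
    hits = []
    for parent, part in zip(parts, parts[1:]):
        if not parent.lower().startswith("program files"):
            continue
        for legit in KNOWN_VENDOR_DIRS:
            if part != legit and edit_distance(part.lower(), legit.lower()) == 1:
                hits.append((part, legit))
    return hits


def fake_guids(path):
    """GUID-shaped components that contain non-hex characters; a real GUID is all hex."""
    return [g for g in GUID_SHAPE.findall(path) if not set(g.strip("{}").replace("-", "")) <= HEX]


def driver_outside_drivers(path):
    """A .sys written anywhere but the drivers directory is worth a look."""
    low = path.lower()
    return low.endswith(".sys") and "\\windows\\system32\\drivers\\" not in low


def pid_wait_loops(events):
    """Find the batch idiom tasklist /fi "PID eq N" | findstr N + ping -n K 127.0.0.1.
    Returns (cmd.exe pid, waited-for pid, True if it waits on its own parent)."""
    by_parent, parent_of = defaultdict(list), {}
    for ppid, _image, pid, cmdline in events:
        by_parent[ppid].append(cmdline)
        parent_of[pid] = ppid
    found = []
    for ppid, cmds in by_parent.items():
        joined = " ".join(cmds).lower()
        m = re.search(r'tasklist\s+/fi\s+"pid eq (\d+)"', joined)
        if m and f'findstr /i "{m.group(1)}"' in joined and re.search(r"ping\s+-n\s+\d+\s+127\.0\.0\.1", joined):
            target = int(m.group(1))
            found.append((ppid, target, parent_of.get(ppid) == target))
    return found


def triage(paths=DROPPED_PATHS, events=PROCESS_EVENTS):
    """Run every check and return (kind, detail) findings."""
    findings = []
    for p in paths:
        for part, legit in lookalike_dirs(p):
            findings.append(("lookalike_vendor_dir", f"{part!r} mimics {legit!r}: {p}"))
        for g in fake_guids(p):
            findings.append(("fake_guid_path", f"{g} contains non-hex characters: {p}"))
        if driver_outside_drivers(p):
            findings.append(("driver_outside_drivers", p))
    for cmd_pid, target, own_parent in pid_wait_loops(events):
        note = " (its own parent)" if own_parent else ""
        findings.append(("pid_wait_loop", f"cmd.exe {cmd_pid} blocks until pid {target} exits{note}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage():
        print(f"{kind:24} {detail}")
```

On this page's records the script reports three lookalike-directory drops, three fake-GUID paths (both ProgramData directory names and the .cmd file), the TrackerUI.sys driver outside the drivers directory, and one wait loop in which cmd.exe 1616 waits on its parent Phone.exe 1400. Feed it your own EDR file-create and process-create events in the same tuple shapes to reuse the checks.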
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Config.Msi\e58cfdf.rbs
  Filesize  40KB
  MD5       f76c00f0810fe8beb1174f93ae33f3ab
  SHA1      03b61a09b0cad7b8d5279889b99753a7eda4e359
  SHA256    38e29e1644440a57f2bce462b25e4c73048b049f35578a316208ad94b2cf9463
  SHA512    a746eb3371ba3c78d64440df5d7c538fa2dec12b0e4b953b4fd69e3ef937bb9fa1e176c63d20c85a467c48b9a03a12dd6c5ade8f750366594da5289481385f92

C:\Config.Msi\e58cfe4.rbs
  Filesize  8KB
  MD5       7baa1650709da878468a41a635501cd4
  SHA1      3b427389639f7eabb82103982e93d897075a0023
  SHA256    40ab9494aadec3f7396face8fce6b40a15bc3782b6e225fc6dc3497523d7fdd6
  SHA512    848ef8e9cb449b9b766e4d92245bfe102916bc6815f33b436c324ac60020c2c3a5852a1e08c03df411e5df6cd6da7bc44ad16773fd9c2ac11d6aea302d9e134a

C:\Program Files\Windows Defenderr\1
  Filesize  978KB
  MD5       a8a5c802a0ba7779cd378a4ed88a1645
  SHA1      c78967d9cf1fa6017757b93891b423854952b4ef
  SHA256    b7247f59f232b373c2473f869c8269a7ef46ad29bbc64403a29c697313b6ae74
  SHA512    329b43bbf38ac5b547c69f1301c8899ae24a044009051236df2678911cd636961731a4f274cd55381a86cab3dd74dabee2cb25d8968361991d516cdf7d945709

C:\Program Files\Windows Defenderr\2
  Filesize  135KB
  MD5       de5b9a4e125ac870b304a80fc829f888
  SHA1      d82d45dbeb3c2d702b6bb6b4c28a95d357b86316
  SHA256    992d22609eb21b384ac3965d18cca4fa620e2a743451db60d19794eafe553362
  SHA512    471249934c2560ccd166ca559e9d73622a4653a7226a2e7ff3c0225dcd882d9d78e8676342938c6c6e56d6167a37d8e96423b2de6f6a5f9740424191481fb725

C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{6D54FAA2-99A5-47e2-B101-E5xvCCw59D76}.exe
  Filesize  1.0MB
  MD5       d96a742899aeab9eaba691861908e316
  SHA1      777f988457a9265431e8119bd2d579f264f565f5
  SHA256    1d8b0d810d826574637041cc56c5532139eccff5064195bfea0d65ac0c3624d3
  SHA512    cc3f75a0d2abe5860acefebda2d44dba7259d7f28e32dfd41d3d7361df7f4195deb49e8c7f7d74f09bffdd8a39fde5a0eeee222a92bdef3f773379284aadf582

C:\ProgramData\{6FDD4E84-A1CB-4a08-B7B1-E2xv8Ew59779}.cmd
  Filesize  437B
  MD5       2652de69af27cd85463fec04ef48eaba
  SHA1      e04ad0123527b4733e26c8c46fba8ced09bc06f9
  SHA256    45d30abfee01e6f3c4e10755dcff642103a26ea7b2d7381f0fbc90564e3f6c6a
  SHA512    86d933bb4bf605ec2a7ee1a6ac9b396e792593de18ab212045e980ca80fe014615c9281a8df25208451d9efeeaec63a2bd16b9f4ee8100dbb74acc00c0feb7a2

C:\Users\Admin\AppData\Local\FinalShell\Finalshell\finalshell.exe
  Filesize  101KB
  MD5       c1c11656f36a5b2b7bf514a6cf4ddf54
  SHA1      1b99cfe6a5c16c88b3a4efb3874127ea2bb0d420
  SHA256    47600daab17337f9c268426027ffd9ed2cf1a1774ff84cb81e24ed61b7c7407b
  SHA512    b546d7b59706b02cffd1ed3927981ff85e6f992afe0f69261780d6c40636b0ce3782954497dfeefea058d196a6e62e2f568da28a90961357b4fe39f3d52a0eae

C:\Users\Admin\AppData\Local\FinalShell\Finalshell\jre\legal\java.naming\COPYRIGHT
  Filesize  35B
  MD5       4586c3797f538d41b7b2e30e8afebbc9
  SHA1      3419ebac878fa53a9f0ff1617045ddaafb43dce0
  SHA256    7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018
  SHA512    f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

C:\Users\Admin\AppData\Local\FinalShell\Finalshell\jre\legal\java.naming\LICENSE
  Filesize  33B
  MD5       16989bab922811e28b64ac30449a5d05
  SHA1      51ab20e8c19ee570bf6c496ec7346b7cf17bd04a
  SHA256    86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192
  SHA512    86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

C:\Users\Admin\AppData\Local\Temp\MSI27C.tmp
  Filesize  587KB
  MD5       c7fbd5ee98e32a77edf1156db3fca622
  SHA1      3e534fc55882e9fb940c9ae81e6f8a92a07125a0
  SHA256    e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
  SHA512    8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

C:\Users\Admin\AppData\Local\Temp\WindowsProgram.msi
  Filesize  1.2MB
  MD5       7813c15b89e15b8af723338db9bd5936
  SHA1      2308be3f8f1c3f46cd2eb14189c19c0e2deef8c5
  SHA256    17fcf1aacf2981cff65f7d0f3f03029c15eebfd7f71790cdf0f03553895d4152
  SHA512    ef1b63b1b8b670610bcc5b461457d5b58fca57577b7cf8442183c921ed516b7a87f48b4fde9d325dcc087cb090d7f8992f1eec2a68d1c06c263b6ea93470faeb

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize  23.7MB
  MD5       1acf5f3d3b194d6dbfa1e44de089c0b4
  SHA1      470f89dee065f0a213cd48675353c6be1a225c31
  SHA256    b41a87e96e8ed44d2ff0d0f4cf90578b7716114e235cea730f9494622f09fea2
  SHA512    95d85b621f6cd70900ad519521562c937e441a1e0b5213ff5d97566448780cfbc441af49891c0e241022eeebfb9c1beb7321d50bef628fab08528b2159954d02

\??\PIPE\srvsvc
  (no size recorded; these are the digests of zero-length content, so the pipe read captured nothing)
  MD5       d41d8cd98f00b204e9800998ecf8427e
  SHA1      da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\Volume{8a2ad7b7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8d315ea7-8fa7-4ae3-bfd6-b6dc71ed14aa}_OnDiskSnapshotProp
  Filesize  6KB
  MD5       2e2e5d4e468d0d85102740f0703c6bb6
  SHA1      9818832fb444e1a85a3d18915649be6401b15dbe
  SHA256    d780fa9f08a295ef1c0975fc42d6451b37320571cdea953564dc47979a1fb21a
  SHA512    89d415ecc5d1daf1b0d613d81f47fdb8fc8530d00de9acf1efa30bded54562016a11f54974e5157704e493d6d552acb7e5d2d722ab91e5a3fc832f6cc44fdf37

memory/1400-405-0x0000000010290000-0x000000001044A000-memory.dmp
  Filesize  1.7MB

memory/1400-403-0x0000000010290000-0x000000001044A000-memory.dmp
  Filesize  1.7MB

memory/1544-376-0x0000000000F80000-0x000000000107E000-memory.dmp
  Filesize  1016KB

memory/1544-391-0x0000000000F80000-0x000000000107E000-memory.dmp
  Filesize  1016KB

memory/2700-390-0x0000000000DE0000-0x0000000000EDE000-memory.dmp
  Filesize  1016KB