Analysis
max time kernel: 163s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/06/2024, 11:28
Static task: static1
Behavioral task: behavioral1
Sample: CncSimProSetup3_2.exe
Resource: win10v2004-20240611-en
General
Target: CncSimProSetup3_2.exe
Size: 118.0MB
MD5: b37448f063619a786605e964d1f7aa23
SHA1: 78f41f9513d21c37d7fabc3a722ecc72a220c89a
SHA256: 75fe48123ecf5b2710630f93490d5ed81f27b02239c84fe03ea8ed747b6263ad
SHA512: 10f2de05fce245ec4362b6bb73f7080e96c6ad26d2d652bdfc32ae513bd27df9ee9d141f33b3e7c7b5e84f430786f7c97d2fa7b1d3b228a599d62a458f293e4b
SSDEEP: 3145728:PcCOv2JvF+rEoQC8CcgJq6K1Ghq9Nzfd0IZ979omO:ECekvF+rEoQC8CcZl59PZ9pomO
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | CNCSimulator.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | CNCSimulator.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | CNCSimulator.exe
Executes dropped EXE 1 IoCs
pid | Process
4648 | CNCSimulator.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine | CNCSimulator.exe
Loads dropped DLL 14 IoCs
pid | Process
5100 | MsiExec.exe
5100 | MsiExec.exe
5100 | MsiExec.exe
5100 | MsiExec.exe
5100 | MsiExec.exe
1500 | MsiExec.exe
1500 | MsiExec.exe
1500 | MsiExec.exe
1500 | MsiExec.exe
5100 | MsiExec.exe
4648 | CNCSimulator.exe
4648 | CNCSimulator.exe
4648 | CNCSimulator.exe
4648 | CNCSimulator.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
4648 | CNCSimulator.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Machines\Milling\DesktopRouter.cMachine | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Images\heart.png | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Mm\Mill\Uno\Sample1_uno_mm.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Mm\Mill\Unlimited\Sample11_AbsCircleCenters_mm.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Tutorials\TutorialMachines\UnlimitedLathe.cMachine | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Mm\Lathe\Sample8_SimCam_mm.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\SimCam\Turning\Millimeters\SimCamTurningTutorial1_mm.simcam | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Fonts\GOTHITT.CHR | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Machines\Milling\Nora.cMachine | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Inch\Mill\Sample13_SideCuts_inch.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Inch\Mill\Unlimited\Sample11_AbsCircleCenters_inch.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Inch\Lathe\Unlimited\Sample9_MacroExample_inch.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Mm\Mill\Sample4_3D_mm.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\LatheTools\ToolDefs.png | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Machines\Milling\XYZ.cMachine | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\SWE\Svarv\Exempel7_G70_G71_G75_mm.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\SWE\Fräs\KitMaskin\Exempel1_kitmaskin_mm.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\it\CNCSimEXE.resources.dll | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Inch\Mill\Sample23_AltG92method_inch.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Inch\Mill\Unlimited\Sample9_SimCam_inch.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\DXF\lathe.dxf | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Mm\Lathe\Unlimited\Sample5_G70G71internal_mm.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\SimCam\Milling\Millimeters\CADCAM_Example_1.png | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Mm\Mill\C_axis\Sample1_mm.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Mm\Lathe\Sample6_G75_Grooving_mm.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Inch\Mill\Unlimited\Sample26_AutoColoring_inch.CNC | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Machines\Cutting\waterjet.png | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Inch\Mill\SmallMills\Sample4_3D_inch.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\SimCam\Turning\Millimeters\CAD_Example_Lathe_2.png | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Fonts\SCRIPTS.CHR | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\SimCam\Turning\Millimeters\Demo2_mm.png | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\SWE\Svarv\HobbySvarv\Exempel1_Hobbysvarv_mm.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Machines\Turning\harrisonl5.png | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Vises\50 mm small vise horizontal.component | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Fonts\NBBJ-BLD.CHR | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Images\penguin.png | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Mm\Mill\KitMill\Sample1_kit_mm.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\SimCam\Menus\ITA\shortcut.mnu | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Inch\Mill\Unlimited\Sample6_Commands_inch.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Tutorials\MillTutorial9_Incremental.tutorial | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Translators\TranslatorLIB.dll | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\SWE\Fräs\Exempel16_G68G69_mm.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Mm\Mill\Unlimited\Sample4_3D_mm.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Scripting.dll | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Inch\Mill\Unlimited\Sample25_PolarCoords_inch.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Inch\Mill\Sample19_UVW_inch.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\SimCam\Milling\Millimeters\CAD_Example_5.png | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Inch\Mill\Unlimited\Sample17_colorcmd_inch.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\SWE\3DPrinter\Gree.gcode | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Fonts\ROMANT.CHR | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\SimCam\Milling\Millimeters\CAD_Example_3.simcam | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\SWE\Fräs\Exempel9_mm.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\DXF\demopart.dxf | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Mm\Lathe\Sample3_G70_G71_mm.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Vises\250 mm horizontal vise.component | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\SimCam\Milling\Millimeters\CADCAM Example_1_mm.simcam | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\SimCam\Milling\Millimeters\YouTube.png | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\SWE\Fräs\Exempel12_HelixTest_mm.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Machines\Cutting\LaserK40.cMachine | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\Inch\Mill\Sample14_PCB_inch.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\SimCam\Milling\Millimeters\CAD_Example_4.simcam | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Samples\SWE\Fräs\Exempel6_Kommandon_mm.cnc | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Fonts\HAND4.CHR | msiexec.exe
File created | C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\Fonts\Font68i.chr | msiexec.exe
Drops file in Windows directory 16 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSIE5B0.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\SourceHash{5664EBD1-0EFF-4546-8D30-2E94B9ACED90} | msiexec.exe
File opened for modification | C:\Windows\Installer\{5664EBD1-0EFF-4546-8D30-2E94B9ACED90}\CNCSimProgIcon_1.exe | msiexec.exe
File created | C:\Windows\Installer\e57e447.msi | msiexec.exe
File created | C:\Windows\Installer\e57e445.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE580.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\{5664EBD1-0EFF-4546-8D30-2E94B9ACED90}\CNCSimProgIcon_1.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\{5664EBD1-0EFF-4546-8D30-2E94B9ACED90}\ext.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\e57e445.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE493.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE550.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIEBEA.tmp | msiexec.exe
File created | C:\Windows\Installer\{5664EBD1-0EFF-4546-8D30-2E94B9ACED90}\ext.exe | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000043e29724379355490000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000043e297240000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090043e29724000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d43e29724000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000043e2972400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | msiexec.exe
Modifies registry class 39 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CNCSimulator.com.CNCSimulator Pro.*.cnc\shell\ = "&Open" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.*.cnc\CNCSimulator.com.CNCSimulator Pro.*.cnc\ShellNew | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CNCSimulator.com.CNCSimulator Pro.*.cnc\DefaultIcon\ = "C:\\Windows\\Installer\\{5664EBD1-0EFF-4546-8D30-2E94B9ACED90}\\ext.exe,0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\Language = "1033" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CNCSimulator.com.CNCSimulator Pro.*.cnc | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.*.cnc\CNCSimulator.com.CNCSimulator Pro.*.cnc | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\ProductName = "CNCSimulator Pro" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\CNCSimulator.com\\CNCSimulator Pro 3.2.0.0\\install\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\SourceList\Media\1 = "Disk1;Disk1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CNCSimulator.com.CNCSimulator Pro.*.cnc\shell\&Open\command | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CNCSimulator.com.CNCSimulator Pro.*.cnc\shell\&Open\command\ = "\"C:\\Program Files (x86)\\CNCSimulator.com\\CNCSimulator Pro\\CNCSimulator.exe\" \"%1\"" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1DBE4665FFE06454D803E2499BCADE09\MainFeature | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\ProductIcon = "C:\\Windows\\Installer\\{5664EBD1-0EFF-4546-8D30-2E94B9ACED90}\\CNCSimProgIcon_1.exe" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\256B6D45A304C9644BF7FE3FDD407F67\1DBE4665FFE06454D803E2499BCADE09 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CNCSimulator.com.CNCSimulator Pro.*.cnc\shell\&Open | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\CNCSimulator.com.CNCSimulator Pro.*.cnc\shell\&Open\command\command = 4b00560034006a0043006d006c0050003d003d00530061002d005e005700630030004000590056003e007100610043005d0026003300630075005b003d004a0069004c00320033007200660041003f0024002000220025003100220000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1DBE4665FFE06454D803E2499BCADE09 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CNCSimulator.com.CNCSimulator Pro.*.cnc\shell | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\SourceList\PackageName = "CNCSimProSetup3_2.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.*.cnc | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\PackageCode = "40DCF72855C993F48AD0CE591151791C" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\Version = "50462720" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CNCSimulator.com.CNCSimulator Pro.*.cnc\ = "CNC File" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.*.cnc\ = "CNCSimulator.com.CNCSimulator Pro.*.cnc" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CNCSimulator.com.CNCSimulator Pro.*.cnc\DefaultIcon | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\256B6D45A304C9644BF7FE3FDD407F67 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\CNCSimulator.com\\CNCSimulator Pro 3.2.0.0\\install\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CNCSimulator.com.CNCSimulator Pro.*.cnc\shell\&Open\ = "&Open" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\SourceList\Net | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DBE4665FFE06454D803E2499BCADE09\AdvertiseFlags = "388" | msiexec.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
3420 | msiexec.exe
3420 | msiexec.exe
4648 | CNCSimulator.exe
4648 | CNCSimulator.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2744 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2744 | msiexec.exe
Token: SeSecurityPrivilege | 3420 | msiexec.exe
Token: SeCreateTokenPrivilege | 2744 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2744 | msiexec.exe
Token: SeLockMemoryPrivilege | 2744 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2744 | msiexec.exe
Token: SeMachineAccountPrivilege | 2744 | msiexec.exe
Token: SeTcbPrivilege | 2744 | msiexec.exe
Token: SeSecurityPrivilege | 2744 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2744 | msiexec.exe
Token: SeLoadDriverPrivilege | 2744 | msiexec.exe
Token: SeSystemProfilePrivilege | 2744 | msiexec.exe
Token: SeSystemtimePrivilege | 2744 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2744 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2744 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2744 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2744 | msiexec.exe
Token: SeBackupPrivilege | 2744 | msiexec.exe
Token: SeRestorePrivilege | 2744 | msiexec.exe
Token: SeShutdownPrivilege | 2744 | msiexec.exe
Token: SeDebugPrivilege | 2744 | msiexec.exe
Token: SeAuditPrivilege | 2744 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2744 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2744 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2744 | msiexec.exe
Token: SeUndockPrivilege | 2744 | msiexec.exe
Token: SeSyncAgentPrivilege | 2744 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2744 | msiexec.exe
Token: SeManageVolumePrivilege | 2744 | msiexec.exe
Token: SeImpersonatePrivilege | 2744 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2744 | msiexec.exe
Token: SeCreateTokenPrivilege | 2744 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2744 | msiexec.exe
Token: SeLockMemoryPrivilege | 2744 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2744 | msiexec.exe
Token: SeMachineAccountPrivilege | 2744 | msiexec.exe
Token: SeTcbPrivilege | 2744 | msiexec.exe
Token: SeSecurityPrivilege | 2744 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2744 | msiexec.exe
Token: SeLoadDriverPrivilege | 2744 | msiexec.exe
Token: SeSystemProfilePrivilege | 2744 | msiexec.exe
Token: SeSystemtimePrivilege | 2744 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2744 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2744 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2744 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2744 | msiexec.exe
Token: SeBackupPrivilege | 2744 | msiexec.exe
Token: SeRestorePrivilege | 2744 | msiexec.exe
Token: SeShutdownPrivilege | 2744 | msiexec.exe
Token: SeDebugPrivilege | 2744 | msiexec.exe
Token: SeAuditPrivilege | 2744 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2744 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2744 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2744 | msiexec.exe
Token: SeUndockPrivilege | 2744 | msiexec.exe
Token: SeSyncAgentPrivilege | 2744 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2744 | msiexec.exe
Token: SeManageVolumePrivilege | 2744 | msiexec.exe
Token: SeImpersonatePrivilege | 2744 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2744 | msiexec.exe
Token: SeCreateTokenPrivilege | 2744 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2744 | msiexec.exe
Token: SeLockMemoryPrivilege | 2744 | msiexec.exe
Suspicious use of FindShellTrayWindow 4 IoCs
pid | Process
3660 | CncSimProSetup3_2.exe
2744 | msiexec.exe
2744 | msiexec.exe
4648 | CNCSimulator.exe
Suspicious use of SendNotifyMessage 1 IoCs
pid | Process
4648 | CNCSimulator.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
4648 | CNCSimulator.exe
4648 | CNCSimulator.exe
Suspicious use of WriteProcessMemory 13 IoCs
description | pid | Process | procid_target
PID 3660 wrote to memory of 2744 | 3660 | CncSimProSetup3_2.exe | 87
PID 3660 wrote to memory of 2744 | 3660 | CncSimProSetup3_2.exe | 87
PID 3420 wrote to memory of 5100 | 3420 | msiexec.exe | 90
PID 3420 wrote to memory of 5100 | 3420 | msiexec.exe | 90
PID 3420 wrote to memory of 5100 | 3420 | msiexec.exe | 90
PID 3420 wrote to memory of 2188 | 3420 | msiexec.exe | 105
PID 3420 wrote to memory of 2188 | 3420 | msiexec.exe | 105
PID 3420 wrote to memory of 1500 | 3420 | msiexec.exe | 107
PID 3420 wrote to memory of 1500 | 3420 | msiexec.exe | 107
PID 3420 wrote to memory of 1500 | 3420 | msiexec.exe | 107
PID 5100 wrote to memory of 4648 | 5100 | MsiExec.exe | 111
PID 5100 wrote to memory of 4648 | 5100 | MsiExec.exe | 111
PID 5100 wrote to memory of 4648 | 5100 | MsiExec.exe | 111
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\CncSimProSetup3_2.exe (PID: 3660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CncSimProSetup3_2.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\msiexec.exe (PID: 2744)
      Command line: /i "C:\Users\Admin\AppData\Roaming\CNCSimulator.com\CNCSimulator Pro 3.2.0.0\install\CNCSimProSetup3_2.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\CncSimProSetup3_2.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID: 3420)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\MsiExec.exe (PID: 5100)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A86D3DDA84C394AB286197D2E0838C35 C
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\CNCSimulator.exe (PID: 4648)
          Command line: "C:\Program Files (x86)\CNCSimulator.com\CNCSimulator Pro\CNCSimulator.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Loads dropped DLL
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
    C:\Windows\system32\srtasks.exe (PID: 2188)
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    C:\Windows\syswow64\MsiExec.exe (PID: 1500)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 4BF83BD334EB8F4F910CEA7DCA05D63F
      - Loads dropped DLL

C:\Windows\system32\vssvc.exe (PID: 3388)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 88KB
MD5: c13559db00013831de97c98e0700c683
SHA1: 038a72d5d111f66cb9b0edd278fdbaccfb72b3f3
SHA256: 50ad68f72b604e8ea4c237f85aa2a840eaed2ce137e18e2b8529a9dc97cb6769
SHA512: ec34b1d003e0585e2bb49c18a02936e5c05ede8e11d0d1a24c4c7fd5c9843b61bffdbb3c374dcb1fecfcc96ad22276b52341875608b352f9bf7be7cc816de24c

Filesize: 412KB
MD5: 605a72ba6f7a72ddc59c60c407c03292
SHA1: 74aa9038e61101294ca85f96ad099efd329d88ad
SHA256: 1bb0cc0c0c1e82c4f757e1caae3191d33e07fbb65915ad09b94a7da7279eb81a
SHA512: b8c2917115c46c878d5b36c5fb5e57810f0aa0e574f4aa5525e7c7a394b28366447a06deb2792f73b7838f59d557affbdc89d4f35033a09917b384e6f9013d5f

Filesize: 23.4MB
MD5: 68f5d9a1802b0b26bae6f4b62980be87
SHA1: 197c795b1e33f1ca50610f87be491c52e956cf5f
SHA256: 03f8b2c389b98aa0bf8e3548a45d86964b3a0a8345f8494226d0d6406c8b89fb
SHA512: 2810636807b43bb096ddbff005ab5878521fda4681bc80438f9186e15035747ceb490d2203f8b55125d6ff433ff47405b8bbe187eb467e400e3520e4ee28388d

Filesize: 52KB
MD5: 827900d9204c3ab0a63bb3600fe1087d
SHA1: 05ad5eacbe4755b0b5a27b3da3c22309784e126a
SHA256: 934decb6730191bcedd1fc9811129484f33fa4ba9e74baa5e8ccc4a004536154
SHA512: 8144212748162d3c20306391af68332f4c245d53eac7341fb9eabcfc71bfaba17554b0d364441ca6765d07d87cdf4b1eb360cda875f0f84f893f6d9230bab4be

Filesize: 2KB
MD5: 60545cb036db79cfd9c616cd889866a5
SHA1: 8f047b4eb5da9fda92a126bc6a5ebd0842b9caab
SHA256: 792355723a91e94cd0868f68637e99018470066a7cf3fc3fa82d4e09946c9cd5
SHA512: 10945d8fc5911113511312d1eeeb09475c16077033089d0dd54b7df1e8e9780e0b3a84657d894942493fdec7a5e134562d076feee7642c61c2d8f911a60af271

Filesize: 328KB
MD5: 906d7ee527adc8f3ea539e3bfab3e9af
SHA1: bdd18cf7945574760b7f1e9c1cb41567c855560f
SHA256: d1bb262dabfbf85515bef48ba08d4bc482ddbdb585d57f905c636c28788f4058
SHA512: ab029b474bfedb1cb984e222b4759ba85e01b7cdaf05b8ecc7368c17961ad20df48dc74cd1db063c22c5422dc6e5644a839098a615a6b7d05bb3aacc334053d6

C:\ProgramData\IsolatedStorage\hdrokpd0.imq\nvvn3mvo.wp3\StrongName.grtodwwjivz0qvyei05pa5gmrvobafpc\identity.dat
Filesize: 516B
MD5: b8022ba3cd19a563183e3f38c45cf6e1
SHA1: fa6f1c0cca84ce2abfb2dc0f2ad947106b4f5e35
SHA256: cef30736d4bb592484be891f24e50fa812d3df1122521a4f482947bb22d997bc
SHA512: a9586b9afae4ca330a708904cbf462bf9ab88dee6e2a96d2bf8dbae89ded7572e5250f4a5fea9d7626f14ea6e19cdfa8a4b79325286dff4fcc079a94d1950d2f

C:\Users\Admin\AppData\Local\CNCSimulator.com\CNCSimulator.exe_StrongName_k0pezz2pb0o02mipejfbza32bg1u2gl0\3.2.0.0\user.config
Filesize: 1KB
MD5: af6151bb31d68f2a3ef5859773a5fec4
SHA1: aacb88223aa131bbfeac4046f920bd1a4189ae79
SHA256: 9655a40f9f5cbe85222e89095c71c22ec726dfb03648bc62a1907ad8b7748450
SHA512: 0f5495b0a8ed7c76b18cec1a4c206f15fe5b8c69ed59875e86c8f358f07c959cae99fbd4e0d738f99d8442bc8807d18d434bba60fbe3101ebad0cfa0022e41f2

C:\Users\Admin\AppData\Local\CNCSimulator.com\CNCSimulator.exe_StrongName_k0pezz2pb0o02mipejfbza32bg1u2gl0\3.2.0.0\user.config
Filesize: 1KB
MD5: eecdab44e28bba8561aaab759b16d3b4
SHA1: 6fb957edda43474ec5d0fb36161d232d56f711af
SHA256: ac9fe1e2d9f85c1aa42857bba7293da4b6ccdf944d26b65324c8bdd7241077dd
SHA512: 858a8f8b98a0fa10302b7a19ca4327c519dde5d1eae3121d257cb9c8d1102161c5839652574d7c920cde90c2a76c206fb849b322944d15775370932435328df9

Filesize: 69KB
MD5: dcdec2468aa75959f674ccc8dc048c67
SHA1: 35a7c0e2a8343a30b6962e73b6c8a6deeff91a9b
SHA256: 5964196cc4374474b0c8b1d664bd661816f3094c5f93dd9c830a542252e4672e
SHA512: 82851ae0e64dcf70da02b6e0f60cf1e30aa0e20a4b0e9f8721645430af897baf4392944432b54247ff06ab90ec231250679c3f61a8f49fed8d89d3083139a127

Filesize: 264KB
MD5: 3634df76c7dc74c8736391fb6ae01dcf
SHA1: 4059c792d8777c9c4b04f7d2b9f7e69d90e70b61
SHA256: 82c01150821e8274141e77e5dc5926e33d19e12f195e679fc4dd51b07e508eb1
SHA512: fbba4a43a5b8eba8a4d0730ea4014f720c3cae92860fea2a9698dafaefd7319358a48501d6363b320e539550a3f897e0e5d23a5a0e5a0925b846e4488d9ce808

C:\Users\Admin\AppData\Roaming\CNCSimulator.com\CNCSimulator Pro 3.2.0.0\install\CNCSimProSetup3_2.msi
Filesize: 751KB
MD5: bd4c301ca43735305c739fe69d9bb90b
SHA1: 38a311dfe30357fe6db76d2761e058f397c00497
SHA256: 981ae8ac08144e3ec90e6b462efb5de71d240fdfa362ae502dac21a41d26a307
SHA512: 8b6c05060db1aa0119c932885dcb43d116cf1abedb139cf00ecf23304ec722299bf56dfb4dac0e1b20443b0a1fdf78026fcf4cac9a54a2e2b196744fddbc1c31

Filesize: 23.7MB
MD5: 097494d4095eb83cd8acf2f11cd93b57
SHA1: aaf7cd614b6f382cfa0bed8521f2a7ac497d137f
SHA256: 59ee32ad1076aca6c43100008ff14fb36e29a3834478de33f4ce5c850461bd4f
SHA512: 52e5543ea3e8332770128cf23c4cdb55abca2421183c2caabc3345bd108189991ff286fe4b6043c43d41fd376708f32131a17fc95e7b08578d4edc2df94b3355

\??\Volume{2497e243-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{00da9a7c-aa5e-4f90-af9c-183152cdd6c8}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 2dee4c22e3efac6bbe001b5ae0529f81
SHA1: fddaff1f7a0f170b547190de2a107dbf22448c73
SHA256: 091967c66aba593b03a2037e4b105aeca4192707b1ef0bbe3e0aaca9d90726fa
SHA512: 4f929579b2f9f59c14a4cbacdcf75a634d7cf8686bfce36a8074988f68c8869b3332b6a2757086f31a1e77b5aa609bfe59be51170fd9ab5431ea451d2c78ccfd