4299b542be0fbc40cecc010755783f855a1548f99d870dd21a33ec22a60a5f71

Analysis

max time kernel
32s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 06:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

RUN.bat
Size

828B
MD5

d4dcacb2d8247368193696f5bacff810
SHA1

ee2ec8d85a98d415d2aa30623a37ab01011407f5
SHA256

c615c922a29d2083f6c9ef68cbfe110a3c0e315947eda9dcee74da8c35e84401
SHA512

84f551d54ed1cc1df7361eb4092032665a87dcefa59c9b814fb28e76431133127ce109075f24d09327ffa3874f9ff12969bdafb1167942502166cb1028545547

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
3520	ISBEW64.exe
2880	ISBEW64.exe
448	ISBEW64.exe
3764	ISBEW64.exe
2420	ISBEW64.exe
3292	ISBEW64.exe
3536	ISBEW64.exe
4272	ISBEW64.exe
5084	ISBEW64.exe
4360	ISBEW64.exe

Loads dropped DLL 4 IoCs

pid	Process
1876	MsiExec.exe
1876	MsiExec.exe
1876	MsiExec.exe
1876	MsiExec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xfs_supp.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msxfs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\xfs_conf.dll	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5E3D.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{22FE95D5-ADE4-4BA0-A6FD-1F719CEE259B}	msiexec.exe
File created	C:\Windows\Installer\{22FE95D5-ADE4-4BA0-A6FD-1F719CEE259B}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{22FE95D5-ADE4-4BA0-A6FD-1F719CEE259B}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{22FE95D5-ADE4-4BA0-A6FD-1F719CEE259B}\NewShortcut7_D201188D5C8A440A8812E37A9CBD6C21.exe	msiexec.exe
File created	C:\Windows\Installer\{22FE95D5-ADE4-4BA0-A6FD-1F719CEE259B}\NewShortcut7_D201188D5C8A440A8812E37A9CBD6C21.exe	msiexec.exe
File created	C:\Windows\Installer\{22FE95D5-ADE4-4BA0-A6FD-1F719CEE259B}\NewShortcut9_756C47E0E3B94DC78905D63DC82B77B2.exe	msiexec.exe
File created	C:\Windows\Installer\e575dcf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e575dcf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI64A6.tmp	msiexec.exe
File created	C:\Windows\Installer\{22FE95D5-ADE4-4BA0-A6FD-1F719CEE259B}\NewShortcut8_57AD504CE715408B8DA018FFBC24196E.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{22FE95D5-ADE4-4BA0-A6FD-1F719CEE259B}\NewShortcut6_36ECA247210A4B9690D19E617720D82E.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{22FE95D5-ADE4-4BA0-A6FD-1F719CEE259B}\NewShortcut9_756C47E0E3B94DC78905D63DC82B77B2.exe	msiexec.exe
File created	C:\Windows\Installer\e575dd3.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\{22FE95D5-ADE4-4BA0-A6FD-1F719CEE259B}\NewShortcut8_57AD504CE715408B8DA018FFBC24196E.exe	msiexec.exe
File created	C:\Windows\Installer\{22FE95D5-ADE4-4BA0-A6FD-1F719CEE259B}\NewShortcut6_36ECA247210A4B9690D19E617720D82E.exe	msiexec.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "95"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F2B97711-2734-4209-8CDD-3B7FC060F6AB}\TypeLib\ = "{4EDF9CDE-B628-48D4-A6E3-156AF6180F04}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7CF2DCB-571C-4C9C-BAD2-D9CAAF4B95C3}\InprocServer32	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5298FFAA-3DF8-432D-9DC7-BF9CFF743CED}\InprocServer32\InprocServer32 = 60007300210039002e0051004c002800420040005e0031004e0046004c00750052005000720059004e006500780074007700610072006500330030005f004d006900640064006c00650077006100720065003e00720053005400630043005500520058007600380040003600250066004d00740029005e004d005b0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64DC907D-D54B-48B6-B858-48AFE0531147}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{166ED18D-640D-482D-A7FB-325B0DA77392}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{3E1538CE-4809-4AFD-98C1-EEA99A52DAA7}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{9CCCAD23-9FA9-46C3-8EC2-131A0C9EECCA}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95C62AB6-9013-4514-A0A6-45026C927C6E}\ = "NXCardDispenserX Control"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3275E28A-8A6B-4E9A-A0B9-A2C00AE705C3}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B98CEC7-D543-4A2F-A15A-D258E2525A27}\Implemented Categories	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD985B2B-7206-4FAD-B90A-256FBED2B781}\1.0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{8FCFC091-BC17-489D-9E0A-1B80D9A16C22}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{2C0659DC-B69C-4BED-8B2E-DD266D2BF7DF}\1.0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBA92754-1E86-4ACE-A0C0-DD45D6F78339}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBA92754-1E86-4ACE-A0C0-DD45D6F78339}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AEAF7029-4EB8-4601-BEED-637DC2B4EB9A}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{024392D2-A383-4937-AADF-D368182195C2}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{AD7E2E3B-093E-4B80-B63C-33A2112A63BA}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{699D23B4-619A-44E3-933D-DC4AE8B9C6C5}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9D068CE-5DA4-4241-8DC0-384B190A20B9}\InprocServer32\ = "C:\\Hyosung\\Nextware\\ActiveX\\NXDepository30.ocx"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95C62AB6-9013-4514-A0A6-45026C927C6E}\InprocServer32\ = "C:\\Hyosung\\Nextware\\ActiveX\\NXCardDispenser31_2.ocx"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NXCardReaderX.NXIDReaderXCtrl.1\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{222BBB5D-E9FC-4EB6-9ED0-41102C95C03A}\Version\ = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{98F489C1-DF88-48D0-BBAD-D70C9D8A8C31}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F2B97711-2734-4209-8CDD-3B7FC060F6AB}\ToolboxBitmap32\ = "C:\\Hyosung\\Nextware\\ActiveX\\NXIDRE~1.OCX, 1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NXCoinAcceptorX.Positions\ = "Positions Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{91AC8FB1-2EBE-4AF4-BF6A-43531A9884AC}\ProxyStubClsid	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5D59EF224EDA0AB46ADFF117C9EE52B9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95C62AB6-9013-4514-A0A6-45026C927C6E}\MiscStatus\ = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34D6E0D5-D6F4-41F9-AF73-1A17277D983E}\1.0\0\win32	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CB4D5AB-5785-4975-9F5D-8C769321E799}\InprocServer32\InprocServer32 = 60007300210039002e0051004c002800420040005e0031004e0046004c00750052005000720059004e006500780074007700610072006500330030005f004d006900640064006c00650077006100720065003e007d0060002a00560048007b007b005e00650040005f0058004c0037004c0049004000690048004e0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CC5C44C-95D5-4D67-A874-DA94F1AD3456}\ProgID\ = "NXCashDispenserX.NXCashDispenserXCtrl.2"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NXTicketPrinterX.NXTicketPrinterXCtrl.1\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CC5C44C-95D5-4D67-A874-DA94F1AD3456}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{17023BCC-5BEC-405F-85FD-F0BB5950EF7F}\MiscStatus\1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{964AE6BF-A45D-4C10-9325-2A04128544F4}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD2001D3-1C32-4C02-8895-6F6747EFD843}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B396A39-73C5-4A89-8D50-61475F56C5D6}\1.0\FLAGS\ = "2"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3275E28A-8A6B-4E9A-A0B9-A2C00AE705C3}\ = "_DNXIDScannerPrinterX"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{309A7F8F-30B2-4F36-A8BC-B037C9CB2B7B}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{AE395B67-3E75-4BD2-8CC2-D91FA575ED51}\1.0\FLAGS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64DC907D-D54B-48B6-B858-48AFE0531147}\Control\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4460EAF1-CCB2-4C5B-A8C3-524F93BA9C9B}\TypeLib\ = "{E9D4C052-F514-4013-906A-9BB27CB509FC}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82D7739A-A3B7-470A-8155-FD27627809DD}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{276D92EE-DE52-44C7-ADCB-3BEDA71F0250}\MiscStatus	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D2EAF156-6C86-463B-BAE5-365DF2FFE341}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C1461BF-21EB-41EC-9510-906776F804C7}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF220809-0530-4656-8845-7EE79F029674}\InprocServer32\ = "C:\\Hyosung\\Nextware\\ActiveX\\NXCashAcceptor30_3.ocx"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CFB5E4A-8673-45A2-A2C3-3550AB2FCF4E}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{630662E6-3120-4DE9-A7FC-216F8B1673FD}\1.0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D2EAF156-6C86-463B-BAE5-365DF2FFE341}\ToolboxBitmap32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{232A3AC7-48F3-47D9-A90B-0BA0F16EF193}\Control\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09527F66-41DC-47F3-A665-0D9E5DE85ED9}\MiscStatus\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9DBFAEF0-6E3D-446F-A1BE-8B1E3A6777F4}\1.0\FLAGS\ = "2"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{F53190A5-6106-44DE-B16B-CA881FA243AB}\Version	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3A07BB6-76C5-4B99-AA4F-6828C8807819}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{ACF775A9-6391-4077-ACE8-B8D04D624410}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{58F4B1A7-B56C-4578-977B-C887D73C1344}\ProxyStubClsid	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{AD615CA8-B509-44FC-9267-BC661B29BA03}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9275230-58E9-47E2-8F89-DDFA9BAA860F}\TypeLib\ = "{06C9F926-23AB-443A-B1D3-5E41A5293843}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{0D1759C8-F68F-450D-AEC5-19CAADF88FCF}\MiscStatus	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9C786E9F-F213-4121-97D5-9E068FC03F5F}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{17023BCC-5BEC-405F-85FD-F0BB5950EF7F}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{DDF7D417-FB61-44A0-8023-06FC57ABA9CF}\TypeLib	msiexec.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3416	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5076	msiexec.exe
5076	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3608	WMIC.exe
Token: SeSecurityPrivilege	3608	WMIC.exe
Token: SeTakeOwnershipPrivilege	3608	WMIC.exe
Token: SeLoadDriverPrivilege	3608	WMIC.exe
Token: SeSystemProfilePrivilege	3608	WMIC.exe
Token: SeSystemtimePrivilege	3608	WMIC.exe
Token: SeProfSingleProcessPrivilege	3608	WMIC.exe
Token: SeIncBasePriorityPrivilege	3608	WMIC.exe
Token: SeCreatePagefilePrivilege	3608	WMIC.exe
Token: SeBackupPrivilege	3608	WMIC.exe
Token: SeRestorePrivilege	3608	WMIC.exe
Token: SeShutdownPrivilege	3608	WMIC.exe
Token: SeDebugPrivilege	3608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3608	WMIC.exe
Token: SeRemoteShutdownPrivilege	3608	WMIC.exe
Token: SeUndockPrivilege	3608	WMIC.exe
Token: SeManageVolumePrivilege	3608	WMIC.exe
Token: 33	3608	WMIC.exe
Token: 34	3608	WMIC.exe
Token: 35	3608	WMIC.exe
Token: 36	3608	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3608	WMIC.exe
Token: SeSecurityPrivilege	3608	WMIC.exe
Token: SeTakeOwnershipPrivilege	3608	WMIC.exe
Token: SeLoadDriverPrivilege	3608	WMIC.exe
Token: SeSystemProfilePrivilege	3608	WMIC.exe
Token: SeSystemtimePrivilege	3608	WMIC.exe
Token: SeProfSingleProcessPrivilege	3608	WMIC.exe
Token: SeIncBasePriorityPrivilege	3608	WMIC.exe
Token: SeCreatePagefilePrivilege	3608	WMIC.exe
Token: SeBackupPrivilege	3608	WMIC.exe
Token: SeRestorePrivilege	3608	WMIC.exe
Token: SeShutdownPrivilege	3608	WMIC.exe
Token: SeDebugPrivilege	3608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3608	WMIC.exe
Token: SeRemoteShutdownPrivilege	3608	WMIC.exe
Token: SeUndockPrivilege	3608	WMIC.exe
Token: SeManageVolumePrivilege	3608	WMIC.exe
Token: 33	3608	WMIC.exe
Token: 34	3608	WMIC.exe
Token: 35	3608	WMIC.exe
Token: 36	3608	WMIC.exe
Token: SeSecurityPrivilege	5076	msiexec.exe
Token: SeShutdownPrivilege	4452	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4452	msiexec.exe
Token: SeCreateTokenPrivilege	4452	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4452	msiexec.exe
Token: SeLockMemoryPrivilege	4452	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4452	msiexec.exe
Token: SeMachineAccountPrivilege	4452	msiexec.exe
Token: SeTcbPrivilege	4452	msiexec.exe
Token: SeSecurityPrivilege	4452	msiexec.exe
Token: SeTakeOwnershipPrivilege	4452	msiexec.exe
Token: SeLoadDriverPrivilege	4452	msiexec.exe
Token: SeSystemProfilePrivilege	4452	msiexec.exe
Token: SeSystemtimePrivilege	4452	msiexec.exe
Token: SeProfSingleProcessPrivilege	4452	msiexec.exe
Token: SeIncBasePriorityPrivilege	4452	msiexec.exe
Token: SeCreatePagefilePrivilege	4452	msiexec.exe
Token: SeCreatePermanentPrivilege	4452	msiexec.exe
Token: SeBackupPrivilege	4452	msiexec.exe
Token: SeRestorePrivilege	4452	msiexec.exe
Token: SeShutdownPrivilege	4452	msiexec.exe
Token: SeDebugPrivilege	4452	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3604	LogonUI.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 4640	1684	cmd.exe	82
PID 1684 wrote to memory of 4640	1684	cmd.exe	82
PID 4640 wrote to memory of 2396	4640	net.exe	83
PID 4640 wrote to memory of 2396	4640	net.exe	83
PID 1684 wrote to memory of 3608	1684	cmd.exe	84
PID 1684 wrote to memory of 3608	1684	cmd.exe	84
PID 1684 wrote to memory of 4452	1684	cmd.exe	88
PID 1684 wrote to memory of 4452	1684	cmd.exe	88
PID 5076 wrote to memory of 1876	5076	msiexec.exe	89
PID 5076 wrote to memory of 1876	5076	msiexec.exe	89
PID 5076 wrote to memory of 1876	5076	msiexec.exe	89
PID 1876 wrote to memory of 3520	1876	MsiExec.exe	90
PID 1876 wrote to memory of 3520	1876	MsiExec.exe	90
PID 1876 wrote to memory of 2880	1876	MsiExec.exe	91
PID 1876 wrote to memory of 2880	1876	MsiExec.exe	91
PID 1876 wrote to memory of 448	1876	MsiExec.exe	92
PID 1876 wrote to memory of 448	1876	MsiExec.exe	92
PID 1876 wrote to memory of 3764	1876	MsiExec.exe	93
PID 1876 wrote to memory of 3764	1876	MsiExec.exe	93
PID 1876 wrote to memory of 2420	1876	MsiExec.exe	94
PID 1876 wrote to memory of 2420	1876	MsiExec.exe	94
PID 1876 wrote to memory of 3292	1876	MsiExec.exe	95
PID 1876 wrote to memory of 3292	1876	MsiExec.exe	95
PID 1876 wrote to memory of 3536	1876	MsiExec.exe	96
PID 1876 wrote to memory of 3536	1876	MsiExec.exe	96
PID 1876 wrote to memory of 4272	1876	MsiExec.exe	97
PID 1876 wrote to memory of 4272	1876	MsiExec.exe	97
PID 1876 wrote to memory of 5084	1876	MsiExec.exe	98
PID 1876 wrote to memory of 5084	1876	MsiExec.exe	98
PID 1876 wrote to memory of 4360	1876	MsiExec.exe	99
PID 1876 wrote to memory of 4360	1876	MsiExec.exe	99
PID 1684 wrote to memory of 3416	1684	cmd.exe	108
PID 1684 wrote to memory of 3416	1684	cmd.exe	108
PID 1684 wrote to memory of 4632	1684	cmd.exe	109
PID 1684 wrote to memory of 4632	1684	cmd.exe	109

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RUN.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2396
- C:\Windows\System32\Wbem\WMIC.exe
  wmic product where "name='Nextware_V032932'" call uninstall /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3608
- C:\Windows\system32\msiexec.exe
  msiexec /i "Nextware_V033048.msi" /qn
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 2
  2⤵
  - Runs ping.exe
  PID:3416
- C:\Windows\system32\shutdown.exe
  shutdown -r -f -t 15
  2⤵
  PID:4632

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 16AFEE753C306B9ACA76548108248F58
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2F893FF7-254F-4E24-8EFC-7714490BD047}
    3⤵
    - Executes dropped EXE
    PID:3520
- - C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{07A6F4BB-8482-4EE5-93AA-C32F2EBD77DD}
    3⤵
    - Executes dropped EXE
    PID:2880
- - C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B5008B21-AC0E-4FF2-9605-D90D20361B4A}
    3⤵
    - Executes dropped EXE
    PID:448
- - C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{720800CB-AE68-4375-AB1B-3A58A7C9251F}
    3⤵
    - Executes dropped EXE
    PID:3764
- - C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8EB778AE-B617-4F31-96BB-C50B61BC59AB}
    3⤵
    - Executes dropped EXE
    PID:2420
- - C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CCBB6925-BCBC-487C-AD01-6F0A612CBA19}
    3⤵
    - Executes dropped EXE
    PID:3292
- - C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F3438648-F8B7-4FA0-BE3D-FD1A179F6F56}
    3⤵
    - Executes dropped EXE
    PID:3536
- - C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{80B400CA-7CA4-4884-A33D-3ABB28470BAB}
    3⤵
    - Executes dropped EXE
    PID:4272
- - C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C89BFAF4-E2A8-4FA4-BA82-A3BCCAB9318B}
    3⤵
    - Executes dropped EXE
    PID:5084
- - C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5CF27DE3-1442-4080-9743-5002CD364092}
    3⤵
    - Executes dropped EXE
    PID:4360

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa395e055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e575dd2.rbs

Filesize
654KB

MD5
53fe3b025e7234410938118fdba506c7

SHA1
a3d1e897e541bb07a2f652a4a9dd3205685424b8

SHA256
13e69115dc57ff7be5f21accec0c37a1ab46935107d04977b206cf9545e80a57

SHA512
2afe5da131bd0234676455b091ff7f0d70baa781704272e0498d33cb4d5ec438932bc490143c1e4823f4836547da5ab1e083dc6bb4a96a0d8dcc46b05b8dcb58

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISBEW64.exe

Filesize
177KB

MD5
7eb57876ff781f17adce41ffc70d1f31

SHA1
3a358773608e315d8e1ec97476e670802e9f1ec6

SHA256
1f0d8dfbd8b2b9c0ceb8a827ffdd1559d1fb26e86836a9080dfd168759c03bbe

SHA512
d967395f5ddb5df40949a737ec9b4c5e675c0355733938d9a17801f98aad9af2fd2e6660786c13ebb2f2a66fcb76fc99ee064acd87796a7931e21a973772576e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\ISRT.dll

Filesize
422KB

MD5
77f4ad122b04f2e11d3841b611596785

SHA1
133d1935811929e5aa5bc0c97c826d0fe7c6b4fb

SHA256
eefcb7fb1ce56e30a8b6c82ba8afc4ecbbaaa50028104e5873de620fc3803982

SHA512
a4c10caa98887b158bd7513c6115ded655602bf5f129c2738c3428444a73a650fda69193c3e76d76c6a684d6c5977a7e0f69bbf3cc08d078b96fb4531d8ae901

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AB2F5AC0-7878-493D-B5B8-64AFDD374BBB}\_isres_0x0409.dll

Filesize
1.8MB

MD5
16113c70b9d149484530e8e71096d454

SHA1
bc04da8a76927ac88a77b6eafdfdbd0e8371f8d0

SHA256
a948907b44d23cf4797f984a875f7eecd3b8c4a81218d7b124708ec8d0f26062

SHA512
1d69d1342ef27c1508f8cf84750178037a17c00b6392be006fb2bb107420c32173dfc500047ef921158ccd0452daad7158a2641eae89925a85389b681c1a194a

Download Submit
C:\Windows\Installer\MSI5E3D.tmp

Filesize
2.5MB

MD5
a050535fc7f71f6f92ae4a989b737ad1

SHA1
c5ba2b9178187e033f1cf27781000605e74d343f

SHA256
399aed01b905ef1a5b2f8def5d1b2f2c258b7ccc0be2fa90853f63a39d7bd3c3

SHA512
7480f330670e955eca6e93a951e4bfab69dc137ff5e29c1c36bf6f045db163a0c8ec2800a86317558604366576a9229259ae35ed834965bf624add81cccd0261

Download Submit
C:\Windows\Installer\e575dcf.msi

Filesize
9.8MB

MD5
e67579e51e9a5853c34c08565ac6d37a

SHA1
8419a63958537c050f84694faa9f92098dd07180

SHA256
e2ae290e8a74a1864369730e469f2245c223149ad392a82b8a23314940c316a2

SHA512
d9ba71bb9a707b3e01c173c261a0e5fad5df26593645d167be6bb2fa07a9de05c3c653112a67426055858c7b71c2e454e20696e008e71a7191abc0548deeb6a3

Download Submit
C:\Windows\Installer\{22FE95D5-ADE4-4BA0-A6FD-1F719CEE259B}\NewShortcut7_D201188D5C8A440A8812E37A9CBD6C21.exe

Filesize
44KB

MD5
463a689b634c44592a75c22751ccfe81

SHA1
28720ed46b1949b9a3abbb0b6874a0ac42af004b

SHA256
ce0f66b53b7b6b68acb8010418cbdec1d819dc660cd8c3816771d051c14ea2b5

SHA512
0b9a83ee8f7faf8cd3f63743ca1fdb7bce357f634d98cfb247921378b8eeaad171a9217f71cb33974daef9ea546597b24e4f9381e1aeaff9d680d1510defce26

Download Submit
memory/1876-24-0x0000000010000000-0x0000000010112000-memory.dmp

Filesize
1.1MB

Download
memory/1876-31-0x0000000002C20000-0x0000000002DE7000-memory.dmp

Filesize
1.8MB

Download