97d7f0217cf9a1ed7232c0c0538cc6a6e6d2766f10166baf9a3fb03426dfc317

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 10:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Size

115.7MB
MD5

c6e0780d216ce2164645b5f997b8d069
SHA1

ed72be66384bb7ee8ad23a97728ec30acdfae75e
SHA256

5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5
SHA512

8a3e851d6419c1f837261d7c3a68327a4972cad6cb0d7ccf8fcbb27d0d8f01f17e19f4027c8dee53757d9689e947b5df55e8a0856a47059531f7fa8d091c9c5e
SSDEEP

3145728:5JGuB/L29NTR7IKF4IcAl61Y/XtSFosm+VxDZL2C8RFuu0:6Y/YNTdF4xK61Y/WJAjR8z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2956	MSI3B90.tmp
1920	ChromeStandaloneSetup64.exe
1236	MSI4E18.tmp
1784	Phone.exe

Loads dropped DLL 8 IoCs

pid	Process
3060	MsiExec.exe
2616	MsiExec.exe
2616	MsiExec.exe
2616	MsiExec.exe
2616	MsiExec.exe
572	MsiExec.exe
572	MsiExec.exe
1784	Phone.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
File opened (read-only)	\??\Y:	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
File opened (read-only)	\??\M:	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
File opened (read-only)	\??\P:	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
File opened (read-only)	\??\N:	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
File opened (read-only)	\??\V:	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
File opened (read-only)	\??\T:	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defenderr\2	msiexec.exe
File created	C:\Program Files\Windows Defenderr\librdkafka.dll	msiexec.exe
File created	C:\Program Files\Windows Defenderr\1	msiexec.exe
File created	C:\Program Files\Windows Defenderr\TrackerUI.sys	MsiExec.exe
File opened for modification	C:\Program Files\Windows Defenderr\TrackerUI.sys	MsiExec.exe
File created	C:\Program Files\Windows Defenderr\Phone.exe	MsiExec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI7152.tmp	msiexec.exe
File created	C:\Windows\Installer\f7633f6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E18.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f7633f1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B90.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI34B8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3526.tmp	msiexec.exe
File created	C:\Windows\Installer\f7633ef.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f7633f4.ipi	msiexec.exe
File created	C:\Windows\Installer\f7633ec.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI343A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3A75.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7633ef.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7633f1.msi	msiexec.exe
File created	C:\Windows\Installer\f7633f4.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7633ec.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI35B3.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1996	msiexec.exe
1996	msiexec.exe
1996	msiexec.exe
1996	msiexec.exe
1784	Phone.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeSecurityPrivilege	1996	msiexec.exe
Token: SeCreateTokenPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeAssignPrimaryTokenPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeLockMemoryPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeIncreaseQuotaPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeMachineAccountPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeTcbPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeSecurityPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeTakeOwnershipPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeLoadDriverPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeSystemProfilePrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeSystemtimePrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeProfSingleProcessPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeIncBasePriorityPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeCreatePagefilePrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeCreatePermanentPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeBackupPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeRestorePrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeShutdownPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeDebugPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeAuditPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeSystemEnvironmentPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeChangeNotifyPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeRemoteShutdownPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeUndockPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeSyncAgentPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeEnableDelegationPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeManageVolumePrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeImpersonatePrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeCreateGlobalPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeCreateTokenPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeAssignPrimaryTokenPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeLockMemoryPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeIncreaseQuotaPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeMachineAccountPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeTcbPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeSecurityPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeTakeOwnershipPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeLoadDriverPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeSystemProfilePrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeSystemtimePrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeProfSingleProcessPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeIncBasePriorityPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeCreatePagefilePrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeCreatePermanentPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeBackupPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeRestorePrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeShutdownPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeDebugPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeAuditPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeSystemEnvironmentPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeChangeNotifyPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeRemoteShutdownPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeUndockPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeSyncAgentPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeEnableDelegationPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeManageVolumePrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeImpersonatePrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeCreateGlobalPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeCreateTokenPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeAssignPrimaryTokenPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
Token: SeLockMemoryPrivilege	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
2608	msiexec.exe
2608	msiexec.exe
1328	msiexec.exe
1328	msiexec.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 3060	1996	msiexec.exe	29
PID 1996 wrote to memory of 3060	1996	msiexec.exe	29
PID 1996 wrote to memory of 3060	1996	msiexec.exe	29
PID 1996 wrote to memory of 3060	1996	msiexec.exe	29
PID 1996 wrote to memory of 3060	1996	msiexec.exe	29
PID 1996 wrote to memory of 3060	1996	msiexec.exe	29
PID 1996 wrote to memory of 3060	1996	msiexec.exe	29
PID 2200 wrote to memory of 2608	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe	30
PID 2200 wrote to memory of 2608	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe	30
PID 2200 wrote to memory of 2608	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe	30
PID 2200 wrote to memory of 2608	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe	30
PID 2200 wrote to memory of 2608	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe	30
PID 2200 wrote to memory of 2608	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe	30
PID 2200 wrote to memory of 2608	2200	5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe	30
PID 1996 wrote to memory of 2616	1996	msiexec.exe	31
PID 1996 wrote to memory of 2616	1996	msiexec.exe	31
PID 1996 wrote to memory of 2616	1996	msiexec.exe	31
PID 1996 wrote to memory of 2616	1996	msiexec.exe	31
PID 1996 wrote to memory of 2616	1996	msiexec.exe	31
PID 1996 wrote to memory of 2616	1996	msiexec.exe	31
PID 1996 wrote to memory of 2616	1996	msiexec.exe	31
PID 1996 wrote to memory of 2956	1996	msiexec.exe	32
PID 1996 wrote to memory of 2956	1996	msiexec.exe	32
PID 1996 wrote to memory of 2956	1996	msiexec.exe	32
PID 1996 wrote to memory of 2956	1996	msiexec.exe	32
PID 1996 wrote to memory of 2956	1996	msiexec.exe	32
PID 1996 wrote to memory of 2956	1996	msiexec.exe	32
PID 1996 wrote to memory of 2956	1996	msiexec.exe	32
PID 1996 wrote to memory of 1236	1996	msiexec.exe	34
PID 1996 wrote to memory of 1236	1996	msiexec.exe	34
PID 1996 wrote to memory of 1236	1996	msiexec.exe	34
PID 1996 wrote to memory of 1236	1996	msiexec.exe	34
PID 1996 wrote to memory of 1236	1996	msiexec.exe	34
PID 1996 wrote to memory of 1236	1996	msiexec.exe	34
PID 1996 wrote to memory of 1236	1996	msiexec.exe	34
PID 1996 wrote to memory of 572	1996	msiexec.exe	39
PID 1996 wrote to memory of 572	1996	msiexec.exe	39
PID 1996 wrote to memory of 572	1996	msiexec.exe	39
PID 1996 wrote to memory of 572	1996	msiexec.exe	39
PID 1996 wrote to memory of 572	1996	msiexec.exe	39
PID 1996 wrote to memory of 572	1996	msiexec.exe	39
PID 1996 wrote to memory of 572	1996	msiexec.exe	39
PID 572 wrote to memory of 1784	572	MsiExec.exe	40
PID 572 wrote to memory of 1784	572	MsiExec.exe	40
PID 572 wrote to memory of 1784	572	MsiExec.exe	40
PID 572 wrote to memory of 1784	572	MsiExec.exe	40

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe
"C:\Users\Admin\AppData\Local\Temp\5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Google LLC\Google Chrome 128.0.6537.0\install\ChromeSetup.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\5086ebdd4c2027d8841fb0742eadf4b90d52f6f4cde6c2025c1b084722666bf5.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1719570259 " AI_EUIMSI=""
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:2608

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1CA0DD42BA2038513C5C7DC9D9C34E0F C
  2⤵
  - Loads dropped DLL
  PID:3060
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C1528996F871D4A4DC47B118C28554DC
  2⤵
  - Loads dropped DLL
  PID:2616
- C:\Windows\Installer\MSI3B90.tmp
  "C:\Windows\Installer\MSI3B90.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\ChromeStandaloneSetup64.exe"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\Installer\MSI4E18.tmp
  "C:\Windows\Installer\MSI4E18.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\WindowsProgram.msi"
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6BB9194ECFB5515074493BC73A59BB43
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Program Files\Windows Defenderr\Phone.exe
    "C:\Program Files\Windows Defenderr\Phone.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1784

C:\Users\Admin\AppData\Local\Temp\ChromeStandaloneSetup64.exe
"C:\Users\Admin\AppData\Local\Temp\ChromeStandaloneSetup64.exe"
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\WindowsProgram.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:1328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2004

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "000000000000059C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7633f0.rbs

Filesize
421KB

MD5
c1e776c69050a3a2e176b1b62d66fa54

SHA1
7e992b2eb4b045e79fcc143e280c2b7da1168a64

SHA256
4e61d7ac0e761049081f82ad3a866d841fcc4dc145e9e74df9a97ce4be2b32bb

SHA512
0788cc32000cd57ea3dfc0fe723e774f809a91b580753eea2c0f7d23c806d30854367c04910aac99ad5d39298e64f4a1ccca512da866226282fdbda07f9ae76b

Download Submit
C:\Config.Msi\f7633f5.rbs

Filesize
7KB

MD5
057bb931a3f1d19dcab10abded778fda

SHA1
103c937de99e52c25f29f70d6bb67e0837aab794

SHA256
e187a9f7c1523ebf97a52df7204eff07c1091bb36da858df9e554265938743e3

SHA512
f2fadbaf75d621680ec57000f59e0902bd9e5e2b084fdc67d1e2c4c504f6e267430db5b6ce6048dc4a5d2a5eb62fae87c41f498f21869e4d9b63b1532b4f4518

Download Submit
C:\Program Files\Windows Defenderr\1

Filesize
483KB

MD5
778d517a9de9b93f02e92602f1cfcd6c

SHA1
9e373cbc1e1cf5e1553896485d7c5701a8e89804

SHA256
cad9fcfa069fc7de9f5d2b7c66bd5c4ca714777bf5db253418a664e7723026d1

SHA512
05ee9445263ee8312be7947a0b42684564a340f11052f4b2d7aa50681a74d6612675fdac8e973cb4cf84412711d4d087ffd0509e7a91f01b108253930425d5f9

Download Submit
C:\Program Files\Windows Defenderr\2

Filesize
359KB

MD5
fc6993a5498a7af0eab9899d86e393e5

SHA1
39bd7657b68677e74046b91393b965942de5f37f

SHA256
f066dba6245bdbf9b26884f811bc7facd9c13e299bc55f9fbe4005d45f80ff77

SHA512
a50f529e8639ff2cb22c8b118f3f5f5d38f1eb2248d9917cb1689f8bc0b24ce96056e91f62cb0c0cb7e8983715c0a58fe8183073dd3ef8347ee65bf3076c896d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3266.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsProgram.msi

Filesize
1.3MB

MD5
4bf494f15fcc172b98abeb5a02ecffed

SHA1
e158eb541843a67b11c39e93b2bfd8c1e67e9dce

SHA256
019f3f8c33408fcc884f9789ae6db493dc4b8757e12c02d753d3c58b52a2726c

SHA512
dde12c1cb3fd8069bced35cddeaa0ff4208056f3eefea4f16082413234cd2b667c16f238214856551aeda2203fda24437760a332aa657d63e17e957f4f0dc6f4

Download Submit
C:\Users\Admin\AppData\Roaming\Google LLC\Google Chrome 128.0.6537.0\install\ChromeSetup.msi

Filesize
2.2MB

MD5
37ec8d53174bc223bcc6a7921a0fd568

SHA1
76ee312d96cbecc7a1c1fef6ec780e07f18b40c1

SHA256
da9dcb075aff76282af16ea4151e577d12b2529b78a6f324fb053765c3c200e6

SHA512
451def2c901b74a9526163076d1de8706889b2b2f914634dfe3af0a1bf02f788a5a0c3cf90da001c949ecac41127523603c1af6c87b1d816c9f8d597d7dc0a60

Download Submit
C:\Windows\Installer\MSI35B3.tmp

Filesize
709KB

MD5
89136bfd28a2e1ec6b6d841214e1e670

SHA1
4c6aab98925cb556f7bf2dbbc9f7ed0da92ef2ab

SHA256
1a3c0e60aad0a3bb92a6e0b786df93920aed7b0c7ec56ab49f2692102ac5adec

SHA512
22237702745fe11a6f23a943f16a12f23b42fe04d87af6383afeccd854320f3a6961590a76ab6a04f020f9830fb3d9f8b34315ad007a5464dbdba2d543851812

Download Submit
C:\Windows\Installer\MSI3B90.tmp

Filesize
419KB

MD5
cac0eaeb267d81cf3fa968ee23a6af9d

SHA1
cf6ae8e44fb4949d5f0b01b110eaba49d39270a2

SHA256
f1dd0dd1e83b28ffa2ed30f46f98e94a4919ec1f4e9d33720354288b77153774

SHA512
8edf9f733dda9000a6e2b70da61912dbc15f74c836d738391ceddcdff20f5b420a678450523cf331aa9bce90217aa92ac6e73d1880ae15c9842ccc7d3296f95b

Download Submit
memory/1236-57-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/1784-106-0x0000000001370000-0x00000000013F7000-memory.dmp

Filesize
540KB

Download
memory/2200-0-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2956-50-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download