2cbf59c93f795175f3c729ac37a25ca3d7482ab50b6475f4647ae8a39abf394f

Analysis

max time kernel
96s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Flash8-en.exe
Size

107.8MB
MD5

4366b8abb6c5cf54239954a2e89c4e97
SHA1

2b769067954561da9b91b87773fe9f1e2483e296
SHA256

2cbf59c93f795175f3c729ac37a25ca3d7482ab50b6475f4647ae8a39abf394f
SHA512

ddf30dbfb6504f4ebe6cf7a6cb6280a54bfd98bbd69a246757901b9c3e8d575c90b7a848413e018e6e1006524efd4c0c525094191e489b1f33f05b1a9e3c20b0
SSDEEP

3145728:JyDSUW50GQiwf64O298IydrvzjxyKGrVKgVl:JcSD50Piwip298IYrL1yKGsgT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3292	FL_Client_Installer.exe
1636	IDriver.exe
2652	IDriver.exe

Loads dropped DLL 21 IoCs

pid	Process
4468	MsiExec.exe
3808	regsvr32.exe
3088	regsvr32.exe
4716	regsvr32.exe
1964	regsvr32.exe
3340	regsvr32.exe
820	regsvr32.exe
4468	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
2652	IDriver.exe
2652	IDriver.exe
2652	IDriver.exe
2652	IDriver.exe
2652	IDriver.exe
2652	IDriver.exe
2652	IDriver.exe
2652	IDriver.exe
2652	IDriver.exe
4468	MsiExec.exe
4468	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	FL_Client_Installer.exe
File opened (read-only)	\??\M:	FL_Client_Installer.exe
File opened (read-only)	\??\Q:	FL_Client_Installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	FL_Client_Installer.exe
File opened (read-only)	\??\O:	FL_Client_Installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	FL_Client_Installer.exe
File opened (read-only)	\??\N:	FL_Client_Installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	FL_Client_Installer.exe
File opened (read-only)	\??\J:	FL_Client_Installer.exe
File opened (read-only)	\??\P:	FL_Client_Installer.exe
File opened (read-only)	\??\T:	FL_Client_Installer.exe
File opened (read-only)	\??\V:	FL_Client_Installer.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	FL_Client_Installer.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	FL_Client_Installer.exe
File opened (read-only)	\??\U:	FL_Client_Installer.exe
File opened (read-only)	\??\W:	FL_Client_Installer.exe
File opened (read-only)	\??\X:	FL_Client_Installer.exe
File opened (read-only)	\??\Y:	FL_Client_Installer.exe
File opened (read-only)	\??\Z:	FL_Client_Installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	FL_Client_Installer.exe
File opened (read-only)	\??\R:	FL_Client_Installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	FL_Client_Installer.exe
File opened (read-only)	\??\S:	FL_Client_Installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\_ISRES1033.dll	MsiExec.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\temp.000	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\IDriver.exe	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\IUserCnv.dll	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\ISRT.dll	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\objpscnv.dll	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\IScrCnv.dll	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\iGdiCnv.dll	MsiExec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Installations\Macromedia Flash 8\Data1.cab	Flash8-en.exe
File created	C:\Windows\Downloaded Installations\Macromedia Flash 8\Data1.cab	Flash8-en.exe
File opened for modification	C:\Windows\Downloaded Installations\Macromedia Flash 8\FL_Client_Installer.exe	Flash8-en.exe
File created	C:\Windows\Downloaded Installations\Macromedia Flash 8\FL_Client_Installer.exe	Flash8-en.exe
File opened for modification	C:\Windows\Downloaded Installations\Macromedia Flash 8\Macromedia Flash 8.msi	Flash8-en.exe
File created	C:\Windows\Downloaded Installations\Macromedia Flash 8\Macromedia Flash 8.msi	Flash8-en.exe
File opened for modification	C:\Windows\Downloaded Installations\Macromedia Flash 8\WindowsInstaller-KB884016-v2-x86.exe	Flash8-en.exe
File created	C:\Windows\Downloaded Installations\Macromedia Flash 8\WindowsInstaller-KB884016-v2-x86.exe	Flash8-en.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2408	2652	WerFault.exe	92

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF2062B2-540A-4B48-A2C7-ABA0B49D44B9}\TypeLib\Version = "1.0"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE238E7E-00DB-4349-9949-2A10E52A6F68}\ = "ISetupShellLink2"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DBBC99EB-259B-4CD3-B167-3D75539D9E9C}\TypeLib\Version = "1.0"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85D3BD85-0A91-438D-B2F9-BC4E31A5DB34}\TypeLib\Version = "1.0"	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A485A16F-1011-42A0-A5B6-48336907A783}	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAFAF854-1BF8-4DE1-8F96-752839422F73}\ = "ISetupFileErrorInfo"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E8176B8-C130-49DA-AB56-F3378E54ADFD}\TypeLib\Version = "1.0"	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F43DC703-046B-4FB0-8AC2-0CB24623994D}\ProxyStubClsid32	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{566BECBB-A8DF-43EA-8D44-77BCC7B72F21}\ProxyStubClsid32	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2057FC3B-B6A8-4669-B49B-393B0B0193A9}\ = "ISetupPropertyBag"	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D3EF9D-0157-4C5F-A74B-BAEE5D6ED3AE}	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DED5FE20-27D3-4F38-8DF3-93659038C417}\TypeLib	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C514B88-F041-4813-82C0-C6BB0627BC3E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD889BE8-F7D6-415F-84B6-B17CCCB29A6D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DBBC99EB-259B-4CD3-B167-3D75539D9E9C}\ProxyStubClsid32	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F814097-CE38-493E-BFCC-CB3599998D05}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7DC20AA-E26E-4FC9-9DBE-FAFDE6C5CCCD}\ = "ISetupProgress"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8919C3B9-E8FF-43A7-86B3-FA09E0201947}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2665F812-8C0D-46F5-91A3-E70E8F4E0417}\ProxyStubClsid32	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED3EBE1C-E2BF-460F-870E-F17D6EC454F8}\TypeLib\Version = "1.0"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1F45426-4ECC-4E2F-A2AD-3424A424B336}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3392A51F-A498-421A-A02A-6804C4270A21}\TypeLib	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF2062B2-540A-4B48-A2C7-ABA0B49D44B9}\ = "ISetupFileErrors"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90FFDCC6-889E-4394-B60A-36EB3A32CED7}\TypeLib\Version = "1.0"	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4D3EF9D-0157-4C5F-A74B-BAEE5D6ED3AE}	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F43DC703-046B-4FB0-8AC2-0CB24623994D}	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F43DC703-046B-4FB0-8AC2-0CB24623994D}\TypeLib	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FB74205-04B5-4683-B5B5-492FCFDE9ADF}\TypeLib\Version = "1.0"	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{184C53CC-8D6D-4A58-8108-90167678B84C}\ProxyStubClsid32	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7DC20AA-E26E-4FC9-9DBE-FAFDE6C5CCCD}\TypeLib\Version = "1.0"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BB7CE443-5294-42A0-8BC6-C3584A0E9E5E}\ = "ISetupRegistry3"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65CD17AF-CCEE-4CD6-B304-A3BD48237B67}\TypeLib\Version = "1.0"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5886B1FD-4C9E-41DF-9098-9A1AB8F02AA9}\ = "ISetupFeatureLog"	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F26F1EB5-850C-4AF9-BAFD-F388686C21B5}	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90FFDCC6-889E-4394-B60A-36EB3A32CED7}\TypeLib\Version = "1.0"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C0BA3C1-2B67-45EB-BF69-BED9658D28D2}\ProgID\ = "ISInstallDriver.InstallDriver.1"	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44D68E56-4A11-4C14-806B-083FFA62767C}\TypeLib	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22E4EB97-C4B0-4EE7-88AE-5E3502EA7831}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7DC20AA-E26E-4FC9-9DBE-FAFDE6C5CCCD}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF9F015D-973A-47E9-8857-EFBD6C08A318}\TypeLib\Version = "1.0"	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39BB147B-55CC-424B-9B10-C5052E5939B9}\TypeLib	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8E161B8-9B5A-4DD2-9B93-1F558A7FAD69}\ProxyStubClsid32	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D32D517-C668-44B4-97AE-8ECC0CE064FB}\ = "ISetupRebootable"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4D3EF9D-0157-4C5F-A74B-BAEE5D6ED3AE}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D86AEAFD-A3AD-4F9D-BDA5-D70696A1FEAB}\ProxyStubClsid32	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5FC8AC65-FD78-4439-90A2-291175681698}\ProxyStubClsid32	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10A6F82A-09E1-4BD1-8231-4B9120AEDAFA}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ISInstallDriver.InstallDriver\CLSID	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44D68E56-4A11-4C14-806B-083FFA62767C}	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65A707C4-67DA-4A26-830B-5898BDEFC31D}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F4F8765-2131-46E5-8621-08517089ACE6}\ = "ISetupComponents"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FB74205-04B5-4683-B5B5-492FCFDE9ADF}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{46715E70-0B7D-45BA-A447-AA0951073C78}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22E4EB97-C4B0-4EE7-88AE-5E3502EA7831}\ = "ISetupDriver"	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F653E7D-0010-4751-BD83-92EA472E641F}	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5CDB19F-95A7-4DFC-A65F-D01CB17BDAA2}\ = "ISetupInfo"	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{566BECBB-A8DF-43EA-8D44-77BCC7B72F21}\TypeLib	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D32D517-C668-44B4-97AE-8ECC0CE064FB}\TypeLib\ = "{01F6AFCB-2AFF-4A6F-8681-E51C4AC277B7}"	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CBF197F-754C-4011-9019-1C632FD2897A}\TypeLib	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{738891D7-3A18-4839-A5E7-EFD2E7DE002A}\TypeLib	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FF9F015D-973A-47E9-8857-EFBD6C08A318}\TypeLib\Version = "1.0"	IDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79B85C96-90FF-4595-8C7C-918FFC07F09D}	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B23DEBC2-3C5C-47A6-8FF8-148132D193F4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDriver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAFAF854-1BF8-4DE1-8F96-752839422F73}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDriver.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	FL_Client_Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	FL_Client_Installer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3292	FL_Client_Installer.exe
Token: SeIncreaseQuotaPrivilege	3292	FL_Client_Installer.exe
Token: SeSecurityPrivilege	4640	msiexec.exe
Token: SeCreateTokenPrivilege	3292	FL_Client_Installer.exe
Token: SeAssignPrimaryTokenPrivilege	3292	FL_Client_Installer.exe
Token: SeLockMemoryPrivilege	3292	FL_Client_Installer.exe
Token: SeIncreaseQuotaPrivilege	3292	FL_Client_Installer.exe
Token: SeMachineAccountPrivilege	3292	FL_Client_Installer.exe
Token: SeTcbPrivilege	3292	FL_Client_Installer.exe
Token: SeSecurityPrivilege	3292	FL_Client_Installer.exe
Token: SeTakeOwnershipPrivilege	3292	FL_Client_Installer.exe
Token: SeLoadDriverPrivilege	3292	FL_Client_Installer.exe
Token: SeSystemProfilePrivilege	3292	FL_Client_Installer.exe
Token: SeSystemtimePrivilege	3292	FL_Client_Installer.exe
Token: SeProfSingleProcessPrivilege	3292	FL_Client_Installer.exe
Token: SeIncBasePriorityPrivilege	3292	FL_Client_Installer.exe
Token: SeCreatePagefilePrivilege	3292	FL_Client_Installer.exe
Token: SeCreatePermanentPrivilege	3292	FL_Client_Installer.exe
Token: SeBackupPrivilege	3292	FL_Client_Installer.exe
Token: SeRestorePrivilege	3292	FL_Client_Installer.exe
Token: SeShutdownPrivilege	3292	FL_Client_Installer.exe
Token: SeDebugPrivilege	3292	FL_Client_Installer.exe
Token: SeAuditPrivilege	3292	FL_Client_Installer.exe
Token: SeSystemEnvironmentPrivilege	3292	FL_Client_Installer.exe
Token: SeChangeNotifyPrivilege	3292	FL_Client_Installer.exe
Token: SeRemoteShutdownPrivilege	3292	FL_Client_Installer.exe
Token: SeUndockPrivilege	3292	FL_Client_Installer.exe
Token: SeSyncAgentPrivilege	3292	FL_Client_Installer.exe
Token: SeEnableDelegationPrivilege	3292	FL_Client_Installer.exe
Token: SeManageVolumePrivilege	3292	FL_Client_Installer.exe
Token: SeImpersonatePrivilege	3292	FL_Client_Installer.exe
Token: SeCreateGlobalPrivilege	3292	FL_Client_Installer.exe
Token: SeCreateTokenPrivilege	3292	FL_Client_Installer.exe
Token: SeAssignPrimaryTokenPrivilege	3292	FL_Client_Installer.exe
Token: SeLockMemoryPrivilege	3292	FL_Client_Installer.exe
Token: SeIncreaseQuotaPrivilege	3292	FL_Client_Installer.exe
Token: SeMachineAccountPrivilege	3292	FL_Client_Installer.exe
Token: SeTcbPrivilege	3292	FL_Client_Installer.exe
Token: SeSecurityPrivilege	3292	FL_Client_Installer.exe
Token: SeTakeOwnershipPrivilege	3292	FL_Client_Installer.exe
Token: SeLoadDriverPrivilege	3292	FL_Client_Installer.exe
Token: SeSystemProfilePrivilege	3292	FL_Client_Installer.exe
Token: SeSystemtimePrivilege	3292	FL_Client_Installer.exe
Token: SeProfSingleProcessPrivilege	3292	FL_Client_Installer.exe
Token: SeIncBasePriorityPrivilege	3292	FL_Client_Installer.exe
Token: SeCreatePagefilePrivilege	3292	FL_Client_Installer.exe
Token: SeCreatePermanentPrivilege	3292	FL_Client_Installer.exe
Token: SeBackupPrivilege	3292	FL_Client_Installer.exe
Token: SeRestorePrivilege	3292	FL_Client_Installer.exe
Token: SeShutdownPrivilege	3292	FL_Client_Installer.exe
Token: SeDebugPrivilege	3292	FL_Client_Installer.exe
Token: SeAuditPrivilege	3292	FL_Client_Installer.exe
Token: SeSystemEnvironmentPrivilege	3292	FL_Client_Installer.exe
Token: SeChangeNotifyPrivilege	3292	FL_Client_Installer.exe
Token: SeRemoteShutdownPrivilege	3292	FL_Client_Installer.exe
Token: SeUndockPrivilege	3292	FL_Client_Installer.exe
Token: SeSyncAgentPrivilege	3292	FL_Client_Installer.exe
Token: SeEnableDelegationPrivilege	3292	FL_Client_Installer.exe
Token: SeManageVolumePrivilege	3292	FL_Client_Installer.exe
Token: SeImpersonatePrivilege	3292	FL_Client_Installer.exe
Token: SeCreateGlobalPrivilege	3292	FL_Client_Installer.exe
Token: SeCreateTokenPrivilege	3292	FL_Client_Installer.exe
Token: SeAssignPrimaryTokenPrivilege	3292	FL_Client_Installer.exe
Token: SeLockMemoryPrivilege	3292	FL_Client_Installer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3292	FL_Client_Installer.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 3292	932	Flash8-en.exe	81
PID 932 wrote to memory of 3292	932	Flash8-en.exe	81
PID 932 wrote to memory of 3292	932	Flash8-en.exe	81
PID 4640 wrote to memory of 4468	4640	msiexec.exe	84
PID 4640 wrote to memory of 4468	4640	msiexec.exe	84
PID 4640 wrote to memory of 4468	4640	msiexec.exe	84
PID 4468 wrote to memory of 3808	4468	MsiExec.exe	85
PID 4468 wrote to memory of 3808	4468	MsiExec.exe	85
PID 4468 wrote to memory of 3808	4468	MsiExec.exe	85
PID 4468 wrote to memory of 1636	4468	MsiExec.exe	86
PID 4468 wrote to memory of 1636	4468	MsiExec.exe	86
PID 4468 wrote to memory of 1636	4468	MsiExec.exe	86
PID 4468 wrote to memory of 3088	4468	MsiExec.exe	87
PID 4468 wrote to memory of 3088	4468	MsiExec.exe	87
PID 4468 wrote to memory of 3088	4468	MsiExec.exe	87
PID 4468 wrote to memory of 4716	4468	MsiExec.exe	88
PID 4468 wrote to memory of 4716	4468	MsiExec.exe	88
PID 4468 wrote to memory of 4716	4468	MsiExec.exe	88
PID 4468 wrote to memory of 1964	4468	MsiExec.exe	89
PID 4468 wrote to memory of 1964	4468	MsiExec.exe	89
PID 4468 wrote to memory of 1964	4468	MsiExec.exe	89
PID 4468 wrote to memory of 3340	4468	MsiExec.exe	90
PID 4468 wrote to memory of 3340	4468	MsiExec.exe	90
PID 4468 wrote to memory of 3340	4468	MsiExec.exe	90
PID 4468 wrote to memory of 820	4468	MsiExec.exe	91
PID 4468 wrote to memory of 820	4468	MsiExec.exe	91
PID 4468 wrote to memory of 820	4468	MsiExec.exe	91

C:\Users\Admin\AppData\Local\Temp\Flash8-en.exe
"C:\Users\Admin\AppData\Local\Temp\Flash8-en.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:932
- C:\Windows\Downloaded Installations\Macromedia Flash 8\FL_Client_Installer.exe
  "C:\Windows\Downloaded Installations\Macromedia Flash 8\FL_Client_Installer.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3292

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0CDB6A831350EC75BF0B7B8D3B881D9C C
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\_ISRES~1.DLL"
    3⤵
    - Loads dropped DLL
    PID:3808
- - C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\IDriver.exe
    "C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\IDriver.exe" /RegServer
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:1636
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IUserCnv.dll"
    3⤵
    - Loads dropped DLL
    PID:3088
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\ISRT.dll"
    3⤵
    - Loads dropped DLL
    PID:4716
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\objpscnv.dll"
    3⤵
    - Loads dropped DLL
    PID:1964
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IScrCnv.dll"
    3⤵
    - Loads dropped DLL
    PID:3340
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\iGdiCnv.dll"
    3⤵
    - Loads dropped DLL
    PID:820

C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe
C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 1176
  2⤵
  - Program crash
  PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2652 -ip 2652
1⤵
PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIDA33.tmp

Filesize
76KB

MD5
de19ccdac19f2e454719f3f59e51169c

SHA1
0479204efaa2076d5c12dca17ea2c37154aeb1fe

SHA256
83cc9b0d75ce4a843f28f79fe9471aac8e34ae3683484c9cb024e2292d432662

SHA512
c4f09a76e60ebdfb13ecc3f5e07c4440259514ad130e9aef70d844097988d8f010d64c818d74c56e2fd56696bf118e5a81e7e0726f9f879070972b75f3de8f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDE1C.tmp

Filesize
108KB

MD5
9478ddb628b317ce7e95097511cd898b

SHA1
1edc57f15628fbd5bc86d0a480f89b027984be4a

SHA256
970d8dbed67b3fd79e20077ab80650f9851985c6179d8d71f9108526c9303cf4

SHA512
794a9659d929390c15aff8e72f2b241f75c463dd17a3783530b1590ddf8a857e8335d81e9e2ca63bb32fb5e7fefa96848d6fa240d563fb50b02a8fb925cafd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE487.tmp

Filesize
48KB

MD5
fa13aa9996fe8d85aa680e9f5e4f23e8

SHA1
cbc23243a9a595b6d91431c4c275c1ab2adc6642

SHA256
8f40c1dc28323a3c5310bf21372b9756ca547c20c7cf63197e071a9e1e66b31b

SHA512
9f4bd08583dbaadaec281d05d79c11a1dc1651d2d96cc4ecddd68e74178c3eec843e43bea14c546ba18b371177684dde0c21211e8fdb0369bbeeb5e31fdbe87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\plf7CC1.tmp

Filesize
5KB

MD5
9efcc61a0baa38a6d7c67a05a97c7b87

SHA1
72b713a72ef7e972dfd5be5f79da8e9aacedb296

SHA256
7ccb3a50ca08c66a220e4da614cbaba1d05157359edd174223c788b86d929edf

SHA512
ac57100b76826af9f7650417dd765c23b522e31a1f3b44bfe9e70ed520bf6c6eb1978118a8147c99487b05a7a4c4afc964f457b79f921ff8236e4d60561b1238

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2BD5C305-1B27-4D41-B690-7A61172D2FEB}\String1033.txt

Filesize
95KB

MD5
f546ab518190982e7b91367f3606d3ad

SHA1
9abe582e10a1fb3b2dbde084e7aea785ff6a23ac

SHA256
cdc1fae9e2d849f46110f4561f1698bcd5b557a8cf573bc08cad6e08b6dea55f

SHA512
d4a36a0f71fa862857fb1553cde41c1c61245494938d1f24feded2159db3472e50442a50ec3d56f07271ab6941fa5caffbd2ea70bd67cef97a12b17ed3be4dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2BD5C305-1B27-4D41-B690-7A61172D2FEB}\setup.inx

Filesize
287KB

MD5
20b1f50b5760bd1c3510690a350a5432

SHA1
8a0289cb8ccee48b0c259106c5b50ea09cf8ae02

SHA256
2b69e53eaa83a483d8b2ab80f88a396f050a34dda0a84bd75b03f1d2ad840094

SHA512
6df7f078fae20699f3c0221835a99fd039cfcf08dc3ee2ec899025e562e38401ff5a709872134c9b47d35bdbd2cec2215676909a4a007b9af75e9b6d602fa4f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DA04D4DC-8DB9-414B-9FBD-C7B4EFFF9D43}\IDriver.exe

Filesize
744KB

MD5
a9d3658c5be72816812a5a32e4560ba3

SHA1
649003292ee74d2407fae441fb92b605a0d91f90

SHA256
b2527d1e2297506796f898e90907fb4c8c7e063f2898194e74152fa9ca21923f

SHA512
b80283aafbe8cd59720979d51a5524a1d53b001e59c6fe9693c754b238101ac6058122130e0be97ce22dc4f7edce9cd84aa4fde869bf728cff8fba1733638c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DA04D4DC-8DB9-414B-9FBD-C7B4EFFF9D43}\ISRT.dll

Filesize
400KB

MD5
db28ca3ba3c2045aa7b6e59aa9831c68

SHA1
55b44ea55f3a04b916339c81e1cc3f3db62d54cc

SHA256
ca41725fb64338211a9f9740f45f1b0c4d80e6c7e84a1d2e5580dcecbf87e489

SHA512
82c409611e61acad6b2986372ff72682e611b7ee5a88e74fec9c7864ce50c7494adba4165a44f2cc99b93daee33ad67320aed4fd5f85ef2fbc4779bf69f55efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DA04D4DC-8DB9-414B-9FBD-C7B4EFFF9D43}\IScrCnv.dll

Filesize
260KB

MD5
f6aabdf85821a9c61c61dec9408f40cc

SHA1
ddac695de73be7a67357aea89c7b9c2ca21fc4e1

SHA256
9ee23586d456db53d59fbaa8669e817461aeaf94f81237ead3f2c23cac8c40fa

SHA512
73d2e4352c4055c8d08ad5499fc4495ff6fa7613970f9c0a3cf73dae645fc9102e62cf9c7dd046d6bc3c909cbafd06a30812d1d9bcf8f34c4a253c09d628b538

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DA04D4DC-8DB9-414B-9FBD-C7B4EFFF9D43}\IUserCnv.dll

Filesize
168KB

MD5
197c2ce7cf2a98ae895ece98d88b8245

SHA1
f734d8dc508138501e79b384fe1a689920c6ba93

SHA256
260924991dff4fbd2f691913007aee1f3136708671ef3309b4f9ec8687da6f1e

SHA512
a7ff5f0d56a13d340d9ec1b977f9e995bf7dc61f6bf4b8ecd7369793d39032a43e587146e6b9a9084be5a9cc709876bf971983a218c2af631d3950cd3391cd47

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DA04D4DC-8DB9-414B-9FBD-C7B4EFFF9D43}\_ISRES1033.dll

Filesize
528KB

MD5
1c1332bf83f505cb60e06c76fe111cdd

SHA1
3c80e9bd5a41ac3f8fa129d61261ea07db29f801

SHA256
9602fafb7de17b14a3474c64944db928ef6c23e20935c0e82e918fa2447cc979

SHA512
bd7cb4113f5b6067c55e7df1f6dac6b4058a0bdc9b0e7d6875f1718bdcc84d315ea8a2d373a45c47c82326a74cbce41a508f493eac59db99f7cd5e4f33ac575f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DA04D4DC-8DB9-414B-9FBD-C7B4EFFF9D43}\iGdiCnv.dll

Filesize
176KB

MD5
afdfec6679ce99596261ff182afbe9e6

SHA1
3289711e3ce8bb72bd84bb0bc33f95d958648f4c

SHA256
81b931aaf908e1e372802db04dfbe5256209d488bfe88d58841fc13acadedfd6

SHA512
c8ce4617d03084f37b8766f0505922a8f380e0d2745658864197535c43c3b2f985c4a2bac2228752857782181cd41167bfa4b784c7ce3e8a94932d58d099753a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DA04D4DC-8DB9-414B-9FBD-C7B4EFFF9D43}\objpscnv.dll

Filesize
32KB

MD5
aba70b81a5811e7b140271595d66f06f

SHA1
42ef824151e67cf921d861d83872c9ef13b500e6

SHA256
26d4765c2461fccd669e455d33659397d6f82fe261ece256c3f19b831dcfa0ba

SHA512
8780d68124e309b8ec2dbbbac18be3291fefabfd6ed9154645eddfb4dd8076e2fda97168d7c5ea9b378b54ee900f75bd409736cfc1262e0d167e0ff62078de0a

Download Submit
C:\Windows\Downloaded Installations\Macromedia Flash 8\FL_Client_Installer.exe

Filesize
117KB

MD5
7c7f6ecbea0a9efa788a1721a97ed3c1

SHA1
9c57fbad160dc7e79fa238b0381a17e993ac2d3a

SHA256
76c7b68a7406763ddf348e0adcf69d1224f2344574022178ac0b01402aeaf5a0

SHA512
491fbc1cdfa68796402b57606782e189edea57749dcfae8c764f15a41886777fb363d6ce04f2ef3a3cd58d27c418d1f3c69ecf8d119c59acf2e244f985d359a3

Download Submit
C:\Windows\Downloaded Installations\Macromedia Flash 8\Macromedia Flash 8.msi

Filesize
22.8MB

MD5
76f5202cc91e743aca5fcd8406d3b822

SHA1
3db06724cbb8846befc7e5160e38a77076258226

SHA256
94c3625c061675d69cef758d7269e108867b39566fc678b03a9a70cc39caea46

SHA512
a449fb5eead86390fb1326c2f69afbeb300c7419aa512726581106bc1f9e4f9e85c676e72988a5ee2b468983c1698357b64a6d599b51c3449e9a4b0da6c5b171

Download Submit
memory/2652-133-0x00000000032A0000-0x0000000003306000-memory.dmp

Filesize
408KB

Download
memory/2652-137-0x0000000003390000-0x00000000033BC000-memory.dmp

Filesize
176KB

Download
memory/2652-143-0x0000000003540000-0x000000000356E000-memory.dmp

Filesize
184KB

Download
memory/4468-123-0x0000000002990000-0x00000000029AD000-memory.dmp

Filesize
116KB

Download
memory/4468-150-0x0000000002990000-0x000000000299D000-memory.dmp

Filesize
52KB

Download