c7dda6dc14c58e23b8214d23072e1251679836fa5728db9b1cc142b59f538a99

Analysis

max time kernel
105s
max time network
100s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADInfoFreeInstaller.exe
Size

2.0MB
MD5

a134b68cf1d197a141eccfdfc8453c88
SHA1

eb518df5c8dab8415829b5c5a1a6d3beb41e4c8b
SHA256

de88c4800ee0747acd61b218fbe54387d4e92dff66169604bba8506066db1675
SHA512

43b8c8090fad0bedd9be06419ca3eeb1ac11c7cc6080315f3a4509d94db0c1ba339e6a58eae27f81441c50d997b2af5b7ce0d1b813d2fdc4cbe3b90e8fbfc0ea
SSDEEP

49152:hjLr1XqMj1RyE9QY5A4Rn5BIjkXCiOY5AFRn5BIjk1y2RkAyMBAnktW:hrxqMjj2Y5A4RnzI/Y5AFRnzImyBMHW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
348	ADInfo.exe

Loads dropped DLL 9 IoCs

pid	Process
1588	MsiExec.exe
1588	MsiExec.exe
1588	MsiExec.exe
1588	MsiExec.exe
388	MsiExec.exe
388	MsiExec.exe
388	MsiExec.exe
388	MsiExec.exe
388	MsiExec.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2136	msiexec.exe
5	2136	msiexec.exe
7	2136	msiexec.exe
9	2136	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Cjwdev\AD Info Free Edition\ADInfo.exe	msiexec.exe
File created	C:\Program Files\Cjwdev\AD Info Free Edition\ADInfoLibrary.dll	msiexec.exe
File created	C:\Program Files\Cjwdev\AD Info Free Edition\Cjwdev.ActiveDirectory.dll	msiexec.exe
File created	C:\Program Files\Cjwdev\AD Info Free Edition\Cjwdev.WindowsApi.dll	msiexec.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f76699f.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76699c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D68.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D88.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6E36.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI6B73.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6BF1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f76699c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A78.tmp	msiexec.exe
File created	C:\Windows\Installer\f76699d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76699d.ipi	msiexec.exe
File created	C:\Windows\Installer\{EF97B3B4-6B04-49C1-965D-2FA3354AB19B}\organigram_zoom_48.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{EF97B3B4-6B04-49C1-965D-2FA3354AB19B}\organigram_zoom_48.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\SourceList\Media\1 = "Disk1;Disk1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\Version = "17236060"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15FD3840EDA4BCE41A1E67467F542B86	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Cjwdev\\AD Info Free Edition 1.7.92\\install\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4B3B79FE40B61C9469D5F23A53A41BB9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4B3B79FE40B61C9469D5F23A53A41BB9\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\PackageCode = "0ED599D5F59764A4180297857A28B950"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15FD3840EDA4BCE41A1E67467F542B86\4B3B79FE40B61C9469D5F23A53A41BB9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\SourceList\PackageName = "ADInfoFreeInstaller.x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Cjwdev\\AD Info Free Edition 1.7.92\\install\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\ProductName = "AD Info Free Edition"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\Language = "2057"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4B3B79FE40B61C9469D5F23A53A41BB9\ProductIcon = "C:\\Windows\\Installer\\{EF97B3B4-6B04-49C1-965D-2FA3354AB19B}\\organigram_zoom_48.exe"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2556	msiexec.exe
2556	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
348	ADInfo.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2136	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeSecurityPrivilege	2556	msiexec.exe
Token: SeCreateTokenPrivilege	2136	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2136	msiexec.exe
Token: SeLockMemoryPrivilege	2136	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2136	msiexec.exe
Token: SeMachineAccountPrivilege	2136	msiexec.exe
Token: SeTcbPrivilege	2136	msiexec.exe
Token: SeSecurityPrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeLoadDriverPrivilege	2136	msiexec.exe
Token: SeSystemProfilePrivilege	2136	msiexec.exe
Token: SeSystemtimePrivilege	2136	msiexec.exe
Token: SeProfSingleProcessPrivilege	2136	msiexec.exe
Token: SeIncBasePriorityPrivilege	2136	msiexec.exe
Token: SeCreatePagefilePrivilege	2136	msiexec.exe
Token: SeCreatePermanentPrivilege	2136	msiexec.exe
Token: SeBackupPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeShutdownPrivilege	2136	msiexec.exe
Token: SeDebugPrivilege	2136	msiexec.exe
Token: SeAuditPrivilege	2136	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2136	msiexec.exe
Token: SeChangeNotifyPrivilege	2136	msiexec.exe
Token: SeRemoteShutdownPrivilege	2136	msiexec.exe
Token: SeUndockPrivilege	2136	msiexec.exe
Token: SeSyncAgentPrivilege	2136	msiexec.exe
Token: SeEnableDelegationPrivilege	2136	msiexec.exe
Token: SeManageVolumePrivilege	2136	msiexec.exe
Token: SeImpersonatePrivilege	2136	msiexec.exe
Token: SeCreateGlobalPrivilege	2136	msiexec.exe
Token: SeCreateTokenPrivilege	2136	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2136	msiexec.exe
Token: SeLockMemoryPrivilege	2136	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2136	msiexec.exe
Token: SeMachineAccountPrivilege	2136	msiexec.exe
Token: SeTcbPrivilege	2136	msiexec.exe
Token: SeSecurityPrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeLoadDriverPrivilege	2136	msiexec.exe
Token: SeSystemProfilePrivilege	2136	msiexec.exe
Token: SeSystemtimePrivilege	2136	msiexec.exe
Token: SeProfSingleProcessPrivilege	2136	msiexec.exe
Token: SeIncBasePriorityPrivilege	2136	msiexec.exe
Token: SeCreatePagefilePrivilege	2136	msiexec.exe
Token: SeCreatePermanentPrivilege	2136	msiexec.exe
Token: SeBackupPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeShutdownPrivilege	2136	msiexec.exe
Token: SeDebugPrivilege	2136	msiexec.exe
Token: SeAuditPrivilege	2136	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2136	msiexec.exe
Token: SeChangeNotifyPrivilege	2136	msiexec.exe
Token: SeRemoteShutdownPrivilege	2136	msiexec.exe
Token: SeUndockPrivilege	2136	msiexec.exe
Token: SeSyncAgentPrivilege	2136	msiexec.exe
Token: SeEnableDelegationPrivilege	2136	msiexec.exe
Token: SeManageVolumePrivilege	2136	msiexec.exe
Token: SeImpersonatePrivilege	2136	msiexec.exe
Token: SeCreateGlobalPrivilege	2136	msiexec.exe
Token: SeCreateTokenPrivilege	2136	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1796	ADInfoFreeInstaller.exe
2136	msiexec.exe
2136	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2136	1796	ADInfoFreeInstaller.exe	28
PID 1796 wrote to memory of 2136	1796	ADInfoFreeInstaller.exe	28
PID 1796 wrote to memory of 2136	1796	ADInfoFreeInstaller.exe	28
PID 1796 wrote to memory of 2136	1796	ADInfoFreeInstaller.exe	28
PID 1796 wrote to memory of 2136	1796	ADInfoFreeInstaller.exe	28
PID 1796 wrote to memory of 2136	1796	ADInfoFreeInstaller.exe	28
PID 1796 wrote to memory of 2136	1796	ADInfoFreeInstaller.exe	28
PID 2556 wrote to memory of 1588	2556	msiexec.exe	30
PID 2556 wrote to memory of 1588	2556	msiexec.exe	30
PID 2556 wrote to memory of 1588	2556	msiexec.exe	30
PID 2556 wrote to memory of 1588	2556	msiexec.exe	30
PID 2556 wrote to memory of 1588	2556	msiexec.exe	30
PID 2556 wrote to memory of 1588	2556	msiexec.exe	30
PID 2556 wrote to memory of 1588	2556	msiexec.exe	30
PID 2556 wrote to memory of 388	2556	msiexec.exe	34
PID 2556 wrote to memory of 388	2556	msiexec.exe	34
PID 2556 wrote to memory of 388	2556	msiexec.exe	34
PID 2556 wrote to memory of 388	2556	msiexec.exe	34
PID 2556 wrote to memory of 388	2556	msiexec.exe	34
PID 2556 wrote to memory of 388	2556	msiexec.exe	34
PID 2556 wrote to memory of 388	2556	msiexec.exe	34

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ADInfoFreeInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\ADInfoFreeInstaller.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\system32\msiexec.exe
  /i "C:\Users\Admin\AppData\Roaming\Cjwdev\AD Info Free Edition 1.7.92\install\ADInfoFreeInstaller.x64.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\ADInfoFreeInstaller.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2136

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADAA12D0C23E515E0EB6CF15240E81DB C
  2⤵
  - Loads dropped DLL
  PID:1588
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1C1B6EA12999229E1817B154DB0071E2
  2⤵
  - Loads dropped DLL
  PID:388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1712

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000059C" "0000000000000560"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2192

C:\Program Files\Cjwdev\AD Info Free Edition\ADInfo.exe
"C:\Program Files\Cjwdev\AD Info Free Edition\ADInfo.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76699e.rbs

Filesize
9KB

MD5
d3ead7b2543838d1afb83d6fd642f2e8

SHA1
6f14e9aafb0978721c313d9edf305e42451382ee

SHA256
f54a863aac2d67fb7ef27dfd620122127380a740724019b34f028ca57e77d963

SHA512
1b30e4cb17d08355f4e994e03ec229ec6947563c52f7bcec1ef74134ad59e5c2d818c2f0ab3ac4171cf4f9504b66e0257dcfdafbef8ba05665fbbf7e5c8f72ff

Download Submit
C:\Program Files\Cjwdev\AD Info Free Edition\ADInfo.exe

Filesize
924KB

MD5
852872561c66b7e450e18853c81a68e4

SHA1
e1bc60b3ece94212e7b4317863b7f7e45aa1a57a

SHA256
fea407d850b2a91d94efa64eb54e033fffadd984e13990c089b7d2b15ada91e6

SHA512
005ba46261e40beaed9a9b1416aeeab2fa64633dba0bda7cdfffe78400747bd53b4ee43a75af17bf7422582aec3185caf7083ea223bea111d6fc21c22e5ce6d7

Download Submit
C:\Program Files\Cjwdev\AD Info Free Edition\ADInfoLibrary.dll

Filesize
157KB

MD5
2501472b3c8d29796262edd5b3b3faa5

SHA1
4290c57da5542c7d8d82cfbb016db88ffaf7ac77

SHA256
9cd35ce82c1c6c3bdd1023899a262ca628f2e0ec704e1f0ad8e2028e4d6fc253

SHA512
b5f7ebb94f9bf458d4df3e8ec4065e6664d3ee445a158418c65fba1802beb423d6504f6c1056078345b927e2a24eebd6ce16c3c0731c34207bcb3581ce469973

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C987C966D19B79B9D9F35B962FCC8FA

Filesize
604B

MD5
fad26cf4b5ff9ce078f6924fdb2e033e

SHA1
89236938773cb3600622d4fc43074596cd688554

SHA256
c9b35141deca47383986c38073a08fee3a6cc7606ec0934b2cbdfc69eb455b2a

SHA512
c29850670047b3a32b275ca810a11d283203cd197eb86e9c8342e779219e6cc92eeff8ae475617bd2525c215af086286ce0577bdb448ddbf5243178eed1a66cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_29D70281C885CDDD5399E56DF7D4B8B7

Filesize
1KB

MD5
d387ff1edbaf7adb03b6c37ab914d01e

SHA1
8a208608aae465c34ef2ec80366c29e04b4401c0

SHA256
236329413b7b3cf41235ee0a314a0015b056985ce4ebcd2ee1b2489ad72280f8

SHA512
76494b8499e0c027a41c333812e2af86d3e08d7ebd39715c5ab77ed5c248b3b2322d60d9b395e3c01185c6798670ae382bf0025c1ebea15b28fdde151072b0bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2

Filesize
394B

MD5
f35142baab351f255c4455879d92fe7b

SHA1
dfe8d27e4e9935f388e9ef53b2ee01e4a0a521f6

SHA256
f161268fe935d4a23bab8d3a3d259b91cdf5a07c9f8f957bdfd6d9d292b94b0c

SHA512
9328f6aaf85e07fc2837b9b7db4d3b92cf65ffd1256d381f201daec01c5718fdd22b76ca002187dae6ffdfb35c28f9dfa9a36548ed2ceefe06daa625309be36f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C987C966D19B79B9D9F35B962FCC8FA

Filesize
184B

MD5
b48b2cc6934bfa638ce5b53bcac749c6

SHA1
a2cc8d5066845e24bdb771f8b1e6ca77e0f517a2

SHA256
84e74f900df1061a6ad0746411b257f33fdc903d9f4e75f78ea4e581a6488da9

SHA512
a6e13086956a7b8a0ce495665439a1f16126d1e7fde328c8830e7a7acc0f6f112e86ddd2e5b5fc98f44776693a9f26b476c2476da00c5f9d54ac4f1969fa6462

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_29D70281C885CDDD5399E56DF7D4B8B7

Filesize
402B

MD5
76599bf20ebb5481aba4c91bd7acbf6d

SHA1
1972c9ff44cf4675ea488d8afacb804f5b532b5d

SHA256
85b103719383074fa727608a95802d87e238af48fd23208bb0564d153427f5a3

SHA512
b5bd3dadbf4acfbf9ff03608d92bb8709acb5b242c8d666fd37cba7dc0b8d2780d5b93635bcb3a77cb7de2b899ee42ffc2ae665a469530dca276cd79d88fbe6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65126196f76a62a47fdaa21b61293cdc

SHA1
1abe4834b3715f460c8f650fb8522398033dd418

SHA256
da08cc3973360606adb84319713993314dc7d64d5f402e8596a287e7d3b4bf82

SHA512
4347ecf4220d992b240a9abf426083c4f09223885cfea4c41a34c857f2e15f83da16e1872bab41bdc009607caece0c8f14fa1ff94d52fd086239b440a38be915

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1B19.tmp

Filesize
77KB

MD5
7452f56af87d0912c3a06206dc77c0a6

SHA1
5ff38786b61d5061ef0a09a670b98e5d3b961b1d

SHA256
19989417f3f411c8a02aa09f1dd51a7febc530f0f27c8d3f7dd195ba224e6fba

SHA512
e07a612edeb6078f9ed639018a1e22e30dc4b8bf9820f1dadbf405722f32f5e2348ca5585c1d054e857b0644c9d824b44dd64ec4a8d424c2e78aeddc1bc351b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1BF6.tmp

Filesize
270KB

MD5
50a3d9c4c3b6afda98bd6b0c60363175

SHA1
d69ab1b8c51b0282c3b2a02e179bf27128905835

SHA256
4337cdfe01a45f6691cf883b57d5663788fda9a368a1eac989cb16e31f049ac0

SHA512
4824cd07d207608798b17210d196b8fd77ab3f75d3331449cea21c77dd3084deef67feeda029ab2e5f81bdbda1fdfbdb2af7fa753cdcf6292a5702454c232edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar18C5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Cjwdev\AD Info Free Edition 1.7.92\install\ADInfoFreeInstaller.x64.msi

Filesize
551KB

MD5
4d5954581ec2b0b188b980c5c90ccec1

SHA1
79dfbc96f13aef6e7b8b9d3cf8e34a0cde417a6e

SHA256
6b15e67cd01befb0e22133164d62ac6121d050173f83732292db3b4432a48bb1

SHA512
9df918c699be202c60dd6180e367ad5146ed673cb169cbd68446d65ee6d38f2d263e750f988f9565772ec5918fff2ade84db46a7cc7480a6039f54dbf5ba6faa

Download Submit
C:\Users\Admin\AppData\Roaming\Cjwdev\AD Info Free Edition 1.7.92\install\disk1.cab

Filesize
523KB

MD5
b27742d09ec3987b2b3cdf57e2a0fb49

SHA1
6b2ce8070a163b97c19515f010b9a663d45135e8

SHA256
bb04fde34f5ab06fa4d2558ac5ceff2c88a52948907ff8656610ca8831f1ffbd

SHA512
efc633493866917d086407316033ee1e5277e803b10c500b715189f3b7f42c0fb0dc72fec0d261fc6d15775d39806f7238885394e9da9f17cb598c3ebfc6d226

Download Submit
memory/348-152-0x0000000001380000-0x000000000146C000-memory.dmp

Filesize
944KB

Download
memory/348-154-0x0000000000590000-0x00000000005BE000-memory.dmp

Filesize
184KB

Download
memory/1796-0-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1796-148-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download