4889bfd701e275aae36ff9005b4e94fa1e9e6edbc263fa7c8a50040e1d78ca83

Resubmissions

29/07/2024, 01:17

240729-bnjljszdlc 9

Analysis

max time kernel
87s
max time network
133s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
29/07/2024, 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mping_3.exe
Size

6.8MB
MD5

6bb0e7ab216ce0bfc7e50281845e819a
SHA1

171f20d07a5aa2e0e55b9e0a05a39cf935a33410
SHA256

4889bfd701e275aae36ff9005b4e94fa1e9e6edbc263fa7c8a50040e1d78ca83
SHA512

0a122ffb342197d30a063995687aa32edb3da6abd8dbc1736861a47aafce651ef5fe64bff0c1c34f6abc0ab80e3e6826d293d66c6e0fafb6a5d11040bfe7df9f
SSDEEP

196608:oXPxoWDeuKoJMC0loFRLQwhH6OJxxXK7/hw+:qJo2tOliQwhH1JxxXK7/hz

Score

9^/10

discovery evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MultiPing.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MultiPing.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MultiPing.exe

Executes dropped EXE 1 IoCs

pid	Process
4520	MultiPing.exe

Loads dropped DLL 18 IoCs

pid	Process
5016	mping_3.exe
1436	MsiExec.exe
1436	MsiExec.exe
1436	MsiExec.exe
1436	MsiExec.exe
1436	MsiExec.exe
1436	MsiExec.exe
1436	MsiExec.exe
1436	MsiExec.exe
1436	MsiExec.exe
560	MsiExec.exe
560	MsiExec.exe
560	MsiExec.exe
560	MsiExec.exe
3720	MsiExec.exe
3720	MsiExec.exe
560	MsiExec.exe
3720	MsiExec.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MultiPing.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	mping_3.exe
File opened (read-only)	\??\E:	mping_3.exe
File opened (read-only)	\??\Q:	mping_3.exe
File opened (read-only)	\??\X:	mping_3.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	mping_3.exe
File opened (read-only)	\??\N:	mping_3.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	mping_3.exe
File opened (read-only)	\??\T:	mping_3.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	mping_3.exe
File opened (read-only)	\??\R:	mping_3.exe
File opened (read-only)	\??\U:	mping_3.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	mping_3.exe
File opened (read-only)	\??\J:	mping_3.exe
File opened (read-only)	\??\K:	mping_3.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	mping_3.exe
File opened (read-only)	\??\P:	mping_3.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	mping_3.exe
File opened (read-only)	\??\V:	mping_3.exe
File opened (read-only)	\??\W:	mping_3.exe
File opened (read-only)	\??\Y:	mping_3.exe
File opened (read-only)	\??\Z:	mping_3.exe
File opened (read-only)	\??\H:	mping_3.exe
File opened (read-only)	\??\I:	mping_3.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ResourceCleaner.pdb	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\tmp\ResourceCleaner.pdb	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\symbols\tmp\ResourceCleaner.pdb	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\wntdll.pdb	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\dll\wntdll.pdb	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wntdll.pdb	MsiExec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4520	MultiPing.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MultiPing\libeay32.dll	msiexec.exe
File created	C:\Program Files (x86)\MultiPing\MultiPing.ini	msiexec.exe
File created	C:\Program Files (x86)\MultiPing\ssleay32.dll	msiexec.exe
File created	C:\Program Files (x86)\MultiPing\Alert Audio\buzzer.mp3	msiexec.exe
File created	C:\Program Files (x86)\MultiPing\Sample Alerts.ini	msiexec.exe
File created	C:\Program Files (x86)\76741077.tmp	MultiPing.exe
File created	C:\Program Files (x86)\MultiPing\MultiPing.chm	msiexec.exe
File created	C:\Program Files (x86)\MultiPing\MultiPing.exe	msiexec.exe
File created	C:\Program Files (x86)\MultiPing\Alert Audio\sonar.mp3	msiexec.exe
File created	C:\Program Files (x86)\MultiPing\Alert Audio\goblet-ping.mp3	msiexec.exe
File created	C:\Program Files (x86)\MultiPing\Alert Audio\tibetan-bell.mp3	msiexec.exe
File opened for modification	C:\Program Files (x86)\76741077.tmp	MultiPing.exe
File created	C:\Program Files (x86)\MultiPing\Alert Audio\dark-church-bell.mp3	msiexec.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI67A2.tmp	msiexec.exe
File created	C:\Windows\Installer\{17968687-DFE4-45F1-BE7C-0AC7C666CCCC}\MultiPing.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9148.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF180931D0E00A7831.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6369.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{17968687-DFE4-45F1-BE7C-0AC7C666CCCC}\MultiPing.exe	msiexec.exe
File created	C:\Windows\Installer\e585c94.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI64E1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{17968687-DFE4-45F1-BE7C-0AC7C666CCCC}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8CE0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e585c92.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI66A7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6B9B.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF93243278CCC37BEC.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6116.tmp	msiexec.exe
File created	C:\Windows\Installer\{17968687-DFE4-45F1-BE7C-0AC7C666CCCC}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\SystemTemp\~DF007279EBC46B3D97.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{17968687-DFE4-45F1-BE7C-0AC7C666CCCC}	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB15F4BF1B6FBAD77.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8DEA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI900E.tmp	msiexec.exe
File created	C:\Windows\Installer\e585c92.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MultiPing.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mping_3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5016	mping_3.exe
4520	MultiPing.exe
3364	MultiPing.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001aaccdaf60c91fbe0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001aaccdaf0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001aaccdaf000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1aaccdaf000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001aaccdaf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\ProductName = "MultiPing 3.23.0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\786869714EFD1F54EBC7A07C6C66CCCC\MainMultiPingInstall	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{17968687-DFE4-45F1-BE7C-0AC7C666CCCC}\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\SourceList\PackageName = "{19C7BE49-C761-4E1D-95C1-315F70D9654D}.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{17968687-DFE4-45F1-BE7C-0AC7C666CCCC}\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\Version = "51838976"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\562E6E9B4D6181844AA41E3B2BF9C465\786869714EFD1F54EBC7A07C6C66CCCC	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\786869714EFD1F54EBC7A07C6C66CCCC\LicenseKey	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\562E6E9B4D6181844AA41E3B2BF9C465	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\786869714EFD1F54EBC7A07C6C66CCCC	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\PackageCode = "94EB7C91167CD1E4591C13F5079D56D4"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\786869714EFD1F54EBC7A07C6C66CCCC\ProductIcon = "C:\\Windows\\Installer\\{17968687-DFE4-45F1-BE7C-0AC7C666CCCC}\\MultiPing.exe"	msiexec.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mping_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mping_3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	mping_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	mping_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	mping_3.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	mping_3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	mping_3.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3044	msiexec.exe
3044	msiexec.exe
3720	MsiExec.exe
3720	MsiExec.exe
4520	MultiPing.exe
4520	MultiPing.exe
4520	MultiPing.exe
4520	MultiPing.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5016	mping_3.exe
Token: SeIncreaseQuotaPrivilege	5016	mping_3.exe
Token: SeSecurityPrivilege	3044	msiexec.exe
Token: SeCreateTokenPrivilege	5016	mping_3.exe
Token: SeAssignPrimaryTokenPrivilege	5016	mping_3.exe
Token: SeLockMemoryPrivilege	5016	mping_3.exe
Token: SeIncreaseQuotaPrivilege	5016	mping_3.exe
Token: SeMachineAccountPrivilege	5016	mping_3.exe
Token: SeTcbPrivilege	5016	mping_3.exe
Token: SeSecurityPrivilege	5016	mping_3.exe
Token: SeTakeOwnershipPrivilege	5016	mping_3.exe
Token: SeLoadDriverPrivilege	5016	mping_3.exe
Token: SeSystemProfilePrivilege	5016	mping_3.exe
Token: SeSystemtimePrivilege	5016	mping_3.exe
Token: SeProfSingleProcessPrivilege	5016	mping_3.exe
Token: SeIncBasePriorityPrivilege	5016	mping_3.exe
Token: SeCreatePagefilePrivilege	5016	mping_3.exe
Token: SeCreatePermanentPrivilege	5016	mping_3.exe
Token: SeBackupPrivilege	5016	mping_3.exe
Token: SeRestorePrivilege	5016	mping_3.exe
Token: SeShutdownPrivilege	5016	mping_3.exe
Token: SeDebugPrivilege	5016	mping_3.exe
Token: SeAuditPrivilege	5016	mping_3.exe
Token: SeSystemEnvironmentPrivilege	5016	mping_3.exe
Token: SeChangeNotifyPrivilege	5016	mping_3.exe
Token: SeRemoteShutdownPrivilege	5016	mping_3.exe
Token: SeUndockPrivilege	5016	mping_3.exe
Token: SeSyncAgentPrivilege	5016	mping_3.exe
Token: SeEnableDelegationPrivilege	5016	mping_3.exe
Token: SeManageVolumePrivilege	5016	mping_3.exe
Token: SeImpersonatePrivilege	5016	mping_3.exe
Token: SeCreateGlobalPrivilege	5016	mping_3.exe
Token: SeCreateTokenPrivilege	5016	mping_3.exe
Token: SeAssignPrimaryTokenPrivilege	5016	mping_3.exe
Token: SeLockMemoryPrivilege	5016	mping_3.exe
Token: SeIncreaseQuotaPrivilege	5016	mping_3.exe
Token: SeMachineAccountPrivilege	5016	mping_3.exe
Token: SeTcbPrivilege	5016	mping_3.exe
Token: SeSecurityPrivilege	5016	mping_3.exe
Token: SeTakeOwnershipPrivilege	5016	mping_3.exe
Token: SeLoadDriverPrivilege	5016	mping_3.exe
Token: SeSystemProfilePrivilege	5016	mping_3.exe
Token: SeSystemtimePrivilege	5016	mping_3.exe
Token: SeProfSingleProcessPrivilege	5016	mping_3.exe
Token: SeIncBasePriorityPrivilege	5016	mping_3.exe
Token: SeCreatePagefilePrivilege	5016	mping_3.exe
Token: SeCreatePermanentPrivilege	5016	mping_3.exe
Token: SeBackupPrivilege	5016	mping_3.exe
Token: SeRestorePrivilege	5016	mping_3.exe
Token: SeShutdownPrivilege	5016	mping_3.exe
Token: SeDebugPrivilege	5016	mping_3.exe
Token: SeAuditPrivilege	5016	mping_3.exe
Token: SeSystemEnvironmentPrivilege	5016	mping_3.exe
Token: SeChangeNotifyPrivilege	5016	mping_3.exe
Token: SeRemoteShutdownPrivilege	5016	mping_3.exe
Token: SeUndockPrivilege	5016	mping_3.exe
Token: SeSyncAgentPrivilege	5016	mping_3.exe
Token: SeEnableDelegationPrivilege	5016	mping_3.exe
Token: SeManageVolumePrivilege	5016	mping_3.exe
Token: SeImpersonatePrivilege	5016	mping_3.exe
Token: SeCreateGlobalPrivilege	5016	mping_3.exe
Token: SeCreateTokenPrivilege	5016	mping_3.exe
Token: SeAssignPrimaryTokenPrivilege	5016	mping_3.exe
Token: SeLockMemoryPrivilege	5016	mping_3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5016	mping_3.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1436	3044	msiexec.exe	86
PID 3044 wrote to memory of 1436	3044	msiexec.exe	86
PID 3044 wrote to memory of 1436	3044	msiexec.exe	86
PID 3044 wrote to memory of 4044	3044	msiexec.exe	90
PID 3044 wrote to memory of 4044	3044	msiexec.exe	90
PID 3044 wrote to memory of 560	3044	msiexec.exe	92
PID 3044 wrote to memory of 560	3044	msiexec.exe	92
PID 3044 wrote to memory of 560	3044	msiexec.exe	92
PID 3044 wrote to memory of 3720	3044	msiexec.exe	93
PID 3044 wrote to memory of 3720	3044	msiexec.exe	93
PID 3044 wrote to memory of 3720	3044	msiexec.exe	93
PID 3720 wrote to memory of 4052	3720	MsiExec.exe	94
PID 3720 wrote to memory of 4052	3720	MsiExec.exe	94
PID 3720 wrote to memory of 4052	3720	MsiExec.exe	94
PID 4052 wrote to memory of 3340	4052	cmd.exe	96
PID 4052 wrote to memory of 3340	4052	cmd.exe	96
PID 4052 wrote to memory of 3340	4052	cmd.exe	96
PID 3720 wrote to memory of 4780	3720	MsiExec.exe	97
PID 3720 wrote to memory of 4780	3720	MsiExec.exe	97
PID 3720 wrote to memory of 4780	3720	MsiExec.exe	97
PID 3044 wrote to memory of 4520	3044	msiexec.exe	99
PID 3044 wrote to memory of 4520	3044	msiexec.exe	99
PID 3044 wrote to memory of 4520	3044	msiexec.exe	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\mping_3.exe
"C:\Users\Admin\AppData\Local\Temp\mping_3.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5016
- C:\Program Files (x86)\MultiPing\MultiPing.exe
  "C:\Program Files (x86)\MultiPing\MultiPing.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3364

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8EC2C42CF3F1D2EA7F692864A87DD1DE C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1436
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4044
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4860D0002080B70ABB2BE0C20013CD55
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:560
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B569791C793A58447ABE5913FDA9D532 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Windows\SysWOW64\cmd.exe
    /C "C:\Users\Admin\AppData\Local\Temp\{77C1F481-162A-433E-8209-F72DA1E6ED29}.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:3340
- - C:\Windows\SysWOW64\cmd.exe
    /C "C:\Users\Admin\AppData\Local\Temp\{77C1F481-162A-433E-8209-F72DA1E6ED29}.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4780
- C:\Program Files (x86)\MultiPing\MultiPing.exe
  "C:\Program Files (x86)\MultiPing\MultiPing.exe" /REGSERVER /QUIET
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e585c93.rbs

Filesize
2.5MB

MD5
8392914c3a55a60c1257d010a0af8013

SHA1
52c11749001d4d4bdceac34cdd003e1c3ff3f55a

SHA256
4732468f6cb5b17d7543d69b2116c0528e0cdec063daed902c1523be50dd798e

SHA512
7e935dc8eab8b9f13a7031455342da728e9bdfa4e874cde0b0754a8179d920644fe4bf5728396b831b16833f50e688f15d1960a9af088db692f7138ba2a5df06

Download Submit
C:\Config.Msi\e585c95.rbs

Filesize
563B

MD5
73bff737a18162ab97636723c5d98fdc

SHA1
f0be782491957c83112e16356e4eb14089c4cd17

SHA256
f0c29e551f9cae465d15a94d6892de8cd96ee75c3fd1f480f1ccd5709b6d284f

SHA512
b87d885154610f391db39d75e93f773adb5f7540dead08a9ecdd9c468ddaa58cbb7ff3d0741308f988c2fa01993c3210f0eb35eb08e8a97fba4524cf16c3cfe5

Download Submit
C:\Program Files (x86)\76741077.tmp

Filesize
40B

MD5
90dd92de77f3bf3075555dad68beebe1

SHA1
3f273ec790f19e1a972587391617e8a5ee1d1c59

SHA256
a2328338e3dd35784d30a4a7f7ad19d515bea4f373a8f6141b165ea48175d995

SHA512
b9f0a57ab7ad26f8a6fab5768ed1617fd5817adafabc685f2470a1a15e9a5a9570b9241efa589e98d276829bc05739624c0cb810f1c053a2aa583e22347d6016

Download Submit
C:\Program Files (x86)\MultiPing\MultiPing.exe

Filesize
8.3MB

MD5
69c398afedf4845219f1e0fe86179d9b

SHA1
f3a6a08aeb6755188cb48d25e86cf0dbd323de4f

SHA256
31098601d60e5e9854950fed9530bf256893a3f57608f255e6c66eac6337db8d

SHA512
830756248642a8b673befb456786f4a6433561144d059efcda165b3607c2d6da1182fb709ed6949595e8ab2604c8c7b05513aebb06f10ad6bfbdfb864bf96f8f

Download Submit
C:\Program Files (x86)\MultiPing\MultiPing.ini

Filesize
284B

MD5
d02857011cb3f5f5dd52cd190aaf67c4

SHA1
14d0b9aff040670f9d5363f3bbb731316cc02658

SHA256
63ab3fa6418a36ff09d7ab8574bcc4b92887a9f4a432d6c27a812edca03620a6

SHA512
708457a4593c5093620bcc5f2eaf6ee3c919245ef187698bd37b02e2424a4167201f4bef40cbc5dea5279a773d41cd7ab221e706ec48932840f4e3d179032ad0

Download Submit
C:\Program Files (x86)\MultiPing\MultiPing.ini

Filesize
377B

MD5
e7debdf09dfd457406001f6cb1aaa0d0

SHA1
8cb3ea25fef833f73439ff234aa371706269f13e

SHA256
5f9a1c42714aa0f907336b9bcb42e03dbcfa2ba6ff13074118a801d7473c6115

SHA512
eb6942e4be6a7eb467efcfd2ec861bf826232d20d65d9182db813faf06162bd98dedcb67e52a742601a9707a53e6509940d5b2b332bacff7b449035d746523eb

Download Submit
C:\Program Files (x86)\MultiPing\Sample Alerts.ini

Filesize
1KB

MD5
c2cbba5d32dbc7c21d45010870b1df9f

SHA1
0e7d321575b4231287b1af4008e63b98bd926af9

SHA256
0e8225834659783199716a3c36905d784bee0ec276f17d11945ee0f009e2736c

SHA512
f16b64a2bbd4ae85d6f00f574290ea3f9f214845e2ae05c1ca51ced60705794cdf59cfd869c855de3a7611c517a53841fc4e20cc0b9b21afdda8e13b288cfff9

Download Submit
C:\Program Files (x86)\MultiPing\libeay32.dll

Filesize
1.2MB

MD5
445329ac62452841c4e7e0a72d9c1d41

SHA1
bd031b175bfdd2b01ce0245a7ab08628abdacb4c

SHA256
e7005a53343604b6198d8c4a3ea711ed7c90f7280c15d6cee714e8ff22110bda

SHA512
52d6d51b9ac05598a57e12560c4c9a07eebb722ca0287bd9102c4eedc2e004b10ef900846a04da694fdec9f5e98a1d602cd2b415f9384c2b6d2c46cca7ed8952

Download Submit
C:\Program Files (x86)\MultiPing\ssleay32.dll

Filesize
332KB

MD5
b5baca3d9da826f3a30fb6f0f1c0ee9c

SHA1
7729a7634c89944440e28b3dfa3ccc9443bc23cc

SHA256
389731549d6e3aed3f0920730068f1f0fc8c9d96423a2440c350027c5635e091

SHA512
5253e5a3d9eb09dbb58a43e42bd90678fa0c9120923dd43632816a2e5305ced0dc78c4968cdeacfb46be71effdfa20d850830d1281fe60738d1160aff2e77fd3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MultiPing\Uninstall or modify installation.lnk

Filesize
1KB

MD5
f251fb722440b82474cfa2a1ed0f5d0d

SHA1
bb767a78b99c009a2e52227857bbf016698202f7

SHA256
c8fd5e2c25d87b6475f9009aa7b758645475d8b302d798593aebc8c4f4dbf938

SHA512
2f62033cc9bab179f9d41b2340c32fc1aed45d968e8cfa38ed7b33d375e76d2b2d8920bd7e0549f930406761e706521926dde2b98c7857baba58de0f1e9ef997

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MultiPing\Uninstall or modify installation.lnk

Filesize
1KB

MD5
deadbc09852964582e1f3ee7cd8024c8

SHA1
c5bfaf706e2a727bc92ef8c7eb9b04439ed5b881

SHA256
07240fe6b5e8355857a95ff06b206f34a7352571bfb6ef1d880da7112c15f2ea

SHA512
4682c89da57db97667e9016804d2dc7ee48c0541b2904215c6d4ede5bf7dab4386c37421029d3530e2cda7053a277e6632cdb806863bc77c0fef947badda6402

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MultiPing\Uninstall or modify installation.lnk~RFe588b91.TMP

Filesize
1KB

MD5
bb6ee812615f6a30f53984faac9d8a5a

SHA1
df537a41a2b131ad49b6e5e6b5145d7a0717d2fc

SHA256
f7498b17257d2801195b650136a0bac927d353642415a399aea4567207b8ab0c

SHA512
63ef5f8faaeb3870bb426b83233d74ca2077a458e402303a12dc7e1f60dc8e41f3935b2368716990e4a74d27c8c3cd5c4701aa9988e4d392febdd36939a46a4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_B5408224970389A1C2D228B1F06E63F2

Filesize
727B

MD5
651ba571cb55ce32b084006016c69ecd

SHA1
cefa55df700f6e89a3a96549a9b38b2014131cf0

SHA256
bbc020a4a7400e179a2148c9bcbbedc724e30785f10012e2dc971b00bbe7ce6b

SHA512
e3423af2a7c2dd13b750234a8dec6150e56e4fc9f689420b5466f6f07d80fc615696813bcee239a4571c3ede1431b38def2c16fc87319e019a3edf4a99118841

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
a972544953b3f0272c08e7f3c4d83626

SHA1
3e84ca5a9eb6c9aba16d4f2360f951d632be71f3

SHA256
969e2973348d2a3bb570747d4abadcc847da865a075d937e3f785948206eb308

SHA512
beddfb0df9c2dc3508446d4f672e3a768e303c5274ce538113f19cf20577c141c018eae1b9e7e5cdc62e80d7d53aa046b9002b648c877f40cbd80aac698b3929

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_B5408224970389A1C2D228B1F06E63F2

Filesize
408B

MD5
df6a826e25d58106b2125ec29acb1cd6

SHA1
83b3cec51f24a5a724743b58b1a9bbb509fd1411

SHA256
ae96f33bd05a57af2d6afb066bcaf2bc4a990428309583cdb3ba5ec55d1e9517

SHA512
eb9a5cce930443c6c3eaf90c499ca4bc1d2d51cd0b4a55c2698af75fbf1ae4b9bba8dd94e36aa0cb77baf507277984964360da2ef4721e66cad32d031b1eaa02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
7ec7f255913a60f8de63eef8e2f82355

SHA1
b551312f928c3389ffdd3a8b82272a5b73acce39

SHA256
df12f14c33249e32dfc779a910160d7356220ee2baf3684371269381bb6ca574

SHA512
c190e605b382e87c994bc305b128174fec67d6b355930a8eb58ed1f23f8607facbe6a7ae726477f5769b79cf638d06c48e3c423d712577bf6bf8d8a35067ea7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\42c215c8.tmp

Filesize
40B

MD5
81285baf673711d78e5d4cf6580e9ffb

SHA1
0bf5195de403cb993b4a972d54d85bd830816fef

SHA256
17d3e6ba228993a12988f75ccc85337708cfe771eaa5421ba4a8c2fcbeb0d8bf

SHA512
288fb7fe8306789abdbf2080526c8898ad6cfd12ccdede524e6fb2305ff4fb462360471e8c123670b7778efc8dd2b2efbf9d149ec2e7cfc3396cdd626dfa0cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICC0D.tmp

Filesize
380KB

MD5
2160822ba37161cbacff695771afa2ed

SHA1
87b5fd899791d245b1ed7eb5a7f0f0e8ec5cf79f

SHA256
6c7fa74530bb1140309ba0803cb240bc3e54e507c4abd790cf2dd49834435bcb

SHA512
061454ee65ad95f19890f7336278a72538a805f565ae80a0fe5eabca546d401eae18cf08c2274733ccc755439b7c8d8925919d0131ec0a28789e6c3bc2614011

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID6A1.tmp

Filesize
85KB

MD5
d6886121671fd85181af0adfbd1cecbc

SHA1
3d3d65a4d3111449f66a0e61f9b1c8c9c17d1c78

SHA256
d49bebdb46e9588a38199c7f1302808c43862f3727f88b1cf12264bf29dc7515

SHA512
03dc0b198832ff15af70cba917c2de23ad442113dfe27dd9d43c45f0dc6dc03403ed8c870027a5dea1736dcf1d82b71ed06d7306cf0086d5df5326c507f08e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\{77C1F481-162A-433E-8209-F72DA1E6ED29}.bat

Filesize
104B

MD5
4f50a604090e5d6fd08cf19f73d785cf

SHA1
1377f48652446ca8afd7a73b7f007f700ead3e84

SHA256
b0a07811dfca7434ee415454955501f5850254148a5b9f6730216b9370773162

SHA512
0686b02dc5b351e73a9e7974016bbffb39c469b7827f57e5f526fabcc3b490e59198804932f106c07c4ef313bb8aa932fdc3c68feaf28ad269b324448e31f36e

Download Submit
C:\Users\Admin\AppData\Roaming\Downloaded Installations\{17968687-DFE4-45F1-BE7C-0AC7C666CCCC}\{19C7BE49-C761-4E1D-95C1-315F70D9654D}.msi

Filesize
12.9MB

MD5
fd476441bcfc1a7baee0af3b0a01b983

SHA1
7e94daaa95fe287e30af998541345ebc346131cc

SHA256
afb2f5dc7f728bd2cccca131cee5c8e11e3c8eea5536f185646df571862af5d0

SHA512
156ff9bbef3a60aa95c8c3d8d7a9c45217437f2854afae5cd3c1787d52e6617c9a9bb059905998ad10a6df70236c25520e7f0f7bdc641005c471656cf85fab9d

Download Submit
C:\Windows\Installer\MSI64E1.tmp

Filesize
850KB

MD5
3c8b918b23de1dab7de8e823e62e3be4

SHA1
0895364f613a14270a0754cfd6aa5b4bfba1a64a

SHA256
7025bc4b79c9bd487f4a79b814930d9125322ae67215532557133bfe575e3a01

SHA512
ddb201dbbfeff42a23087934acb794494e886edc53faaa973a132e18ec5f5dabd6e040f59d49812b0bda3eb497d0e96be20a00aaa89dd40900288f66c3fa2ad9

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
f7ee74d9c91bfc427e1d5954f327c610

SHA1
ce5a71d112dc8f6e343589d49420338e749c14f1

SHA256
26962106cd61825627ff02548c9d64c7eea8d87ee1bcf2a19456d753f79ab479

SHA512
9375c9b000ea9d87eff385082c802d6de77976d32fa6c4854238a36bd283027f82f3a132bf02feaf16726f867231aa8a498c25e336c609f170f46cf3376410a9

Download Submit
\??\Volume{afcdac1a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ca70d521-c38c-49d5-95be-0ca90b841cdc}_OnDiskSnapshotProp

Filesize
6KB

MD5
d618b060fb7da2fa68c797a47aa8cfee

SHA1
e89380e09df1225670cb279fe0657659d9e70af0

SHA256
f0c15c0f6e53338573e51d7eb73a3f064b17455d26071b1934b6ca94be420fd0

SHA512
6ffbc6488f5cbd44291c23b2819d3a9237485646f7de7468cfc2033513ee96b36151f9f60fc1389779d4955875437040e886c991dcd6052fac9ea9108be21695

Download Submit
memory/1436-55-0x0000000002660000-0x000000000267F000-memory.dmp

Filesize
124KB

Download
memory/3364-204-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/3364-226-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/3364-202-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/3364-203-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/3364-249-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/3364-205-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/3364-206-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/3364-207-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/3364-208-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/3364-209-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/3364-243-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/3364-236-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/3364-228-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/4520-119-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/4520-118-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/4520-117-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/4520-128-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/4520-120-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/4520-116-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/4520-121-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/4520-122-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download
memory/4520-115-0x0000000000E10000-0x0000000001E1F000-memory.dmp

Filesize
16.1MB

Download