Analysis
max time kernel: 27s
max time network: 36s
platform: windows10-1703_x64
resource: win10-20240611-en
resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
submitted: 20-08-2024 16:20
Static task: static1
General
Target: a1e5b6abdfff86723f005da754eef040N.exe
Size: 722KB
MD5: a1e5b6abdfff86723f005da754eef040
SHA1: 3e011e66fc70160342ec11cb33228965cb6463b1
SHA256: 0305d2b6c0e5a97563a4c1099f4e6af9452bc102c37b5c9418f88da8991c5f64
SHA512: b3f069c1716f0480ccf3e20f14dd9fdeca629c630a5de75f91de29f5a9b7068937a8fe8dd7dae6ad78ab7029507a2b4687291b448554a9114079972cd06aeec3
SSDEEP: 12288:6MrVy90RmQZAZq88kMXB03V+t0mU9aseTa8ADQoVO4s0e9t5VItDvHQcQawuKWBV:3yDbLMR2cRsUrore75yNvHVHBV
Malware Config
Extracted
Family: redline
Botnet: rota
C2: 77.91.124.73:19071
auth_value: 320c7daa59eb9b82e20a15162392a756
Signatures

Detect Mystic stealer payload (1 IoC)
resource | yara_rule
behavioral1/files/0x000700000001aac6-48.dat | mystic_family

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000800000001aac5-26.dat | healer
behavioral1/memory/2308-28-0x0000000000C40000-0x0000000000C4A000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a8790443.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a8790443.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a8790443.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a8790443.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a8790443.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x000700000001aac3-55.dat | family_redline
behavioral1/memory/4828-65-0x0000000000560000-0x0000000000590000-memory.dmp | family_redline

Executes dropped EXE (6 IoCs)
pid | Process
4820 | v7804363.exe
3668 | v4696654.exe
4580 | v8661683.exe
2308 | a8790443.exe
4864 | b5770102.exe
4828 | c7982580.exe

Loads dropped DLL (20 IoCs)
pid | Process | entries
1088 | MsiExec.exe | 15
4216 | MsiExec.exe | 5

Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a8790443.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a1e5b6abdfff86723f005da754eef040N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v7804363.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v4696654.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v8661683.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only), one entry per drive root, in the order observed | \??\R: \??\T: \??\U: \??\W: \??\Z: \??\B: \??\G: \??\O: \??\L: \??\N: \??\P: \??\Q: \??\V: \??\X: \??\A: \??\H: \??\I: \??\M: \??\S: \??\Y: \??\E: \??\J: \??\K: | msiexec.exe

Drops file in System32 directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvcp100.dll | msiexec.exe
File opened for modification | C:\Windows\SysWOW64\msvcr110.dll | msiexec.exe
File opened for modification | C:\Windows\SysWOW64\msvcp110.dll | msiexec.exe
File opened for modification | C:\Windows\SysWOW64\vccorlib110.dll | msiexec.exe
File created | C:\Windows\SysWOW64\Elevation.tmp | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\msvcr100.dll | msiexec.exe

Drops file in Program Files directory (64 IoCs)

Drops file in Windows directory (64 IoCs)

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c7982580.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a1e5b6abdfff86723f005da754eef040N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v7804363.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v4696654.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v8661683.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b5770102.exe

Modifies registry class (5 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\AcroRD32.exe | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\AcroRD32.exe\CurVer | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\AcroRD32.exe\shell\Read\command | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\AcroRD32.exe\shell\Read | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\AcroRD32.exe\shell | msiexec.exe

Opens file in notepad (likely ransom note) (1 IoC)
pid | Process
4364 | NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (11 IoCs)
pid | Process | entries
2308 | a8790443.exe | 2
4216 | MsiExec.exe | 2
1628 | mspaint.exe | 2
2680 | PaintStudio.View.exe | 5

Suspicious use of AdjustPrivilegeToken (47 IoCs)
description | pid | Process | entries
Token: SeDebugPrivilege | 2308 | a8790443.exe | 1
Token: SeSecurityPrivilege | 1172 | msiexec.exe | 1
Token: SeRestorePrivilege and Token: SeTakeOwnershipPrivilege, alternating | 1172 | msiexec.exe | 44
Token: SeDebugPrivilege (falls part way through the alternating msiexec.exe run) | 1088 | MsiExec.exe | 1

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
4364 | NOTEPAD.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1628 | mspaint.exe
2680 | PaintStudio.View.exe

Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | Process | procid_target | entries
PID 4436 wrote to memory of 4820 | 4436 | a1e5b6abdfff86723f005da754eef040N.exe | 70 | 3
PID 4820 wrote to memory of 3668 | 4820 | v7804363.exe | 71 | 3
PID 3668 wrote to memory of 4580 | 3668 | v4696654.exe | 72 | 3
PID 4580 wrote to memory of 2308 | 4580 | v8661683.exe | 73 | 2
PID 1172 wrote to memory of 1088 | 1172 | msiexec.exe | 78 | 3
PID 4580 wrote to memory of 4864 | 4580 | v8661683.exe | 79 | 3
PID 3668 wrote to memory of 4828 | 3668 | v4696654.exe | 80 | 3
PID 1172 wrote to memory of 4216 | 1172 | msiexec.exe | 82 | 3
Processes
(indentation shows the parent/child depth of each process)

C:\Users\Admin\AppData\Local\Temp\a1e5b6abdfff86723f005da754eef040N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a1e5b6abdfff86723f005da754eef040N.exe"
PID: 4436
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7804363.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7804363.exe
    PID: 4820
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4696654.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4696654.exe
        PID: 3668
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8661683.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8661683.exe
            PID: 4580
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

                C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8790443.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8790443.exe
                PID: 2308
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

                C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5770102.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5770102.exe
                PID: 4864
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7982580.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7982580.exe
            PID: 4828
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
PID: 1172
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 240CD0FEC6468ED5A4A8A6261C9B80D9
    PID: 1088
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 92E17DD4389AF5BF5244C093091C61C9 E Global\MSI0000
    PID: 4216
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FindResolve.ps1xml
PID: 4364
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow

C:\Windows\system32\mspaint.exe
Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\OutConvert.jpg" /ForceBootstrapPaint3D
PID: 1628
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
Command line: "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
PID: 2680
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Downloads