rhadamanthys | 395c44cce9624a5750c97c313b5ede45ea36dd623bc71f7d1bf2e4964492dcd4

Analysis

max time kernel
50s
max time network
52s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
01-09-2024 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer-master-BlackMythWukong.msi
Size

43.8MB
MD5

4cbea3318f7107adb73e10fd8de96abf
SHA1

c6db50f856e92e5b0fa2f4b3855cbd58aa408fc1
SHA256

395c44cce9624a5750c97c313b5ede45ea36dd623bc71f7d1bf2e4964492dcd4
SHA512

724291101a4859c8e700ff762e48f6e2ded60fed23bfd64be7c438552c885b22d35b693ec03c2d234afe60d9defdc39ada77fedd9d3c881710935aa4e4f9b931
SSDEEP

786432:H8JJ5v6bZ0no3r27KIvSOcaVWfoyI4aEK0Gpqq++mFIjqEKrdLi9VMkryQs:HC5i10noy7KS/RVLCqpP++mF+gLBf

Score

10^/10

rhadamanthys discovery persistence privilege_escalation stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 836 created 2628	836	visapro.exe	44

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3996	ICACLS.EXE
3400	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\~DFCFEDFC01A2D3FD18.TMP	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Installer\e57b9da.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\SystemTemp\~DF1B1242C43A3D051C.TMP	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\SystemTemp\~DF12A26B7E15BA6061.TMP	msiexec.exe
File created	C:\Windows\Installer\e57b9da.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D2331EC5-01E6-4564-8DF3-B5D283A6767A}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB70.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF77C9ED1F312A6FC5.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
836	visapro.exe

Loads dropped DLL 1 IoCs

pid	Process
1032	MsiExec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2412	msiexec.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4472	836	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICACLS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICACLS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPAND.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	visapro.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000006586dee215ef0e8b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800006586dee20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809006586dee2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d6586dee2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000006586dee200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133696532188333718"	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3424	msiexec.exe
3424	msiexec.exe
836	visapro.exe
836	visapro.exe
4360	openwith.exe
4360	openwith.exe
4360	openwith.exe
4360	openwith.exe
2512	chrome.exe
2512	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2412	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2412	msiexec.exe
Token: SeSecurityPrivilege	3424	msiexec.exe
Token: SeCreateTokenPrivilege	2412	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2412	msiexec.exe
Token: SeLockMemoryPrivilege	2412	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2412	msiexec.exe
Token: SeMachineAccountPrivilege	2412	msiexec.exe
Token: SeTcbPrivilege	2412	msiexec.exe
Token: SeSecurityPrivilege	2412	msiexec.exe
Token: SeTakeOwnershipPrivilege	2412	msiexec.exe
Token: SeLoadDriverPrivilege	2412	msiexec.exe
Token: SeSystemProfilePrivilege	2412	msiexec.exe
Token: SeSystemtimePrivilege	2412	msiexec.exe
Token: SeProfSingleProcessPrivilege	2412	msiexec.exe
Token: SeIncBasePriorityPrivilege	2412	msiexec.exe
Token: SeCreatePagefilePrivilege	2412	msiexec.exe
Token: SeCreatePermanentPrivilege	2412	msiexec.exe
Token: SeBackupPrivilege	2412	msiexec.exe
Token: SeRestorePrivilege	2412	msiexec.exe
Token: SeShutdownPrivilege	2412	msiexec.exe
Token: SeDebugPrivilege	2412	msiexec.exe
Token: SeAuditPrivilege	2412	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2412	msiexec.exe
Token: SeChangeNotifyPrivilege	2412	msiexec.exe
Token: SeRemoteShutdownPrivilege	2412	msiexec.exe
Token: SeUndockPrivilege	2412	msiexec.exe
Token: SeSyncAgentPrivilege	2412	msiexec.exe
Token: SeEnableDelegationPrivilege	2412	msiexec.exe
Token: SeManageVolumePrivilege	2412	msiexec.exe
Token: SeImpersonatePrivilege	2412	msiexec.exe
Token: SeCreateGlobalPrivilege	2412	msiexec.exe
Token: SeBackupPrivilege	1036	vssvc.exe
Token: SeRestorePrivilege	1036	vssvc.exe
Token: SeAuditPrivilege	1036	vssvc.exe
Token: SeBackupPrivilege	3424	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeTakeOwnershipPrivilege	3424	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeTakeOwnershipPrivilege	3424	msiexec.exe
Token: SeBackupPrivilege	3312	srtasks.exe
Token: SeRestorePrivilege	3312	srtasks.exe
Token: SeSecurityPrivilege	3312	srtasks.exe
Token: SeTakeOwnershipPrivilege	3312	srtasks.exe
Token: SeBackupPrivilege	3312	srtasks.exe
Token: SeRestorePrivilege	3312	srtasks.exe
Token: SeSecurityPrivilege	3312	srtasks.exe
Token: SeTakeOwnershipPrivilege	3312	srtasks.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
2412	msiexec.exe
2412	msiexec.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
836	visapro.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 3312	3424	msiexec.exe	88
PID 3424 wrote to memory of 3312	3424	msiexec.exe	88
PID 3424 wrote to memory of 1032	3424	msiexec.exe	90
PID 3424 wrote to memory of 1032	3424	msiexec.exe	90
PID 3424 wrote to memory of 1032	3424	msiexec.exe	90
PID 1032 wrote to memory of 3996	1032	MsiExec.exe	91
PID 1032 wrote to memory of 3996	1032	MsiExec.exe	91
PID 1032 wrote to memory of 3996	1032	MsiExec.exe	91
PID 1032 wrote to memory of 2680	1032	MsiExec.exe	93
PID 1032 wrote to memory of 2680	1032	MsiExec.exe	93
PID 1032 wrote to memory of 2680	1032	MsiExec.exe	93
PID 1032 wrote to memory of 836	1032	MsiExec.exe	95
PID 1032 wrote to memory of 836	1032	MsiExec.exe	95
PID 1032 wrote to memory of 836	1032	MsiExec.exe	95
PID 836 wrote to memory of 4360	836	visapro.exe	96
PID 836 wrote to memory of 4360	836	visapro.exe	96
PID 836 wrote to memory of 4360	836	visapro.exe	96
PID 836 wrote to memory of 4360	836	visapro.exe	96
PID 836 wrote to memory of 4360	836	visapro.exe	96
PID 1032 wrote to memory of 880	1032	MsiExec.exe	100
PID 1032 wrote to memory of 880	1032	MsiExec.exe	100
PID 1032 wrote to memory of 880	1032	MsiExec.exe	100
PID 1032 wrote to memory of 3400	1032	MsiExec.exe	102
PID 1032 wrote to memory of 3400	1032	MsiExec.exe	102
PID 1032 wrote to memory of 3400	1032	MsiExec.exe	102
PID 2512 wrote to memory of 4516	2512	chrome.exe	112
PID 2512 wrote to memory of 4516	2512	chrome.exe	112
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4780	2512	chrome.exe	113
PID 2512 wrote to memory of 4464	2512	chrome.exe	114
PID 2512 wrote to memory of 4464	2512	chrome.exe	114
PID 2512 wrote to memory of 4776	2512	chrome.exe	115
PID 2512 wrote to memory of 4776	2512	chrome.exe	115
PID 2512 wrote to memory of 4776	2512	chrome.exe	115
PID 2512 wrote to memory of 4776	2512	chrome.exe	115
PID 2512 wrote to memory of 4776	2512	chrome.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2628
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4360

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Installer-master-BlackMythWukong.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2412

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3312
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 52745EB9E7927E5A6298F098322A7525
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-a5a33860-4ac5-48a4-b455-87ecf1818b3a\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:3996
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2680
- - C:\Users\Admin\AppData\Local\Temp\MW-a5a33860-4ac5-48a4-b455-87ecf1818b3a\files\visapro.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-a5a33860-4ac5-48a4-b455-87ecf1818b3a\files\visapro.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 712
      4⤵
      Program crash
      PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-a5a33860-4ac5-48a4-b455-87ecf1818b3a\files"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:880
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-a5a33860-4ac5-48a4-b455-87ecf1818b3a\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:3400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 836 -ip 836
1⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff2b7ecc40,0x7fff2b7ecc4c,0x7fff2b7ecc58
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,4082357597190104817,15389710467339361217,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1868 /prefetch:2
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1436,i,4082357597190104817,15389710467339361217,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,4082357597190104817,15389710467339361217,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,4082357597190104817,15389710467339361217,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,4082357597190104817,15389710467339361217,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,4082357597190104817,15389710467339361217,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4732,i,4082357597190104817,15389710467339361217,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4936,i,4082357597190104817,15389710467339361217,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  PID:4076

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

File and Directory Permissions Modification

T1222

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a8918f4891baabbd5a02a84e7a998b57

SHA1
31a2ad09aacef792879cb8f66b3423af14f315ac

SHA256
7cfa00ecaca39b6b2ff52c7b5639ec87468c84973d8c4524b089161f17e6bad5

SHA512
233d261e85c5e20327b57dec27e81f4ec902e6fd766e66caec3b19be171ebfb2acbf18f6c774eef0501964d8080d980dbc9cbddd898444d469587831a317aeb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\5d693c00-a1dc-4fe6-8c2b-40910ea6f256.tmp

Filesize
1KB

MD5
630d13efce7bb460667c90a5220453d9

SHA1
02ff20136c4efcd0ad8c1806ce00972477e8ed0f

SHA256
ef575d5a15f3754d08cf3ea9945625cceb8bf49e34bad0ee384ce542b8ba0ea5

SHA512
eb00eec5b32a58fdeccebcfe4438b6b2e99c5dcbe6812cff7c488d8069d04450f4f700c4d0f12a6b486e09d73551ae883b64cab4e3934e87931f0cf919ddaf5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9064752681a2c8711f1173d2842e0744

SHA1
2018a02ede8f8d1a52d1b474cdf6d30d43a5e9ab

SHA256
dfde77436585935016ecf8421b7e5d221b2e6b0394aead524f65ccfbd6fd5f6c

SHA512
51a29b11b641636114c6bc601215b54a175a8c3953fb78b3c4563403e413ba371e907b0f7df22806a5ea3f0b828d63400c7b920741547f9ec43dd516f2c17c51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9a816dde022e214b07701bdd8f3538de

SHA1
395e663b6c4b8193707d9fa09657700e6c947f34

SHA256
65a2c1e287c65f3ccb74d60121abc5fcb89f0f4298e9445465e7308199fe02ca

SHA512
a736ca4432e7fac79e9837cd5686197b28407172c9f5f6f9ac915d6797b8660ad97c483f4e619ecd5d07370fe79c6c57c3edb37c6ebfa8c12f56f520c8138010

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8996326c66770a8d3b0f3c7f4336df51

SHA1
d6f34278d674f46d96e1abbc12e9fcecfc91ca48

SHA256
ed34c5ba22824e88dbc93af0ba1a9b7ad849c30a3d8c2db143af404efcce1b6d

SHA512
56c2fcf764c9e84bf52ed09f1021924e59566dfe59c52b4559d02fb6ce5ea7ec6e3d8f5acf86ce9e5e4d346e20334c8bcb08c44ae0a53d09fe037d200e9e0118

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
47188b9f9120c5c27da76d0b1d508c73

SHA1
e1c3675a43cdf905b502512d7fb8f975336858ff

SHA256
c6544c2773d4e646e6a76efd307fdaae5c05136710e65f363bdf0972d32be29e

SHA512
e65f7352616782d7b0177a8f25a687432eab2cbe58651fcec31d1705bd35d14edd59fae58b925620fe04402751e5e0e7b978cbcc35df29063751c6db2a76a6f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
3b3f975d62cfab1ed589f0d127d807b1

SHA1
46eb1d6765ad1ad185d3f628e7147ab28d231dff

SHA256
a61a59fc247193ecb61e5f30e8704db965bfb58ab989b3ddd95a5303a72890df

SHA512
3177ebe16570c6fa6db469adea907ee796212dd86b065aea785af8c6f01f9aaa52398f304b81b0c6cf544a7bc7304e9dfae1bd03b1a6b92427583eed7b7178d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a5a33860-4ac5-48a4-b455-87ecf1818b3a\files.cab

Filesize
43.4MB

MD5
9f1ce12a6a16d2755d486fdbd2c0f506

SHA1
8082354009566d640b028f1266e0e3bfd2fc333d

SHA256
0bd8fb2d6b28c93dcf4c3badffae9041287221a2db276ff872a78221ac1e0f31

SHA512
bd8d0308e4504c92f9e59f46bafe90ff278218ad858736e32ade76c9d48ff9db83572d972dbd7f269a2d11913c2b2c0e2b6a2c7f37dc5f27d7be45dc323cdbfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a5a33860-4ac5-48a4-b455-87ecf1818b3a\files\visapro.exe

Filesize
49.6MB

MD5
53a23a0592e5aab08e0fa996497337f4

SHA1
7c843871ef5debb284915c6c7628d96563e3693e

SHA256
d3f7809ae8ccc194787198cc370952ab22a9b74bcae1e249f840c18798205bc1

SHA512
d21aaae60d62b2c9a1bf52fa4464cefc777ca81e9122aca8989afcf0676f81e39af8f3df405c4cc3b8c68f8a1bcb94adcb60a718f80d63084bb79323f775d321

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a5a33860-4ac5-48a4-b455-87ecf1818b3a\msiwrapper.ini

Filesize
320B

MD5
f6e141c9abf764aa8a670a43902d01ed

SHA1
f86e2c492c1f8a40b38a62900eedc5dd482a637e

SHA256
30dc97b07f1a027ae8c8910743625963f477110ee365e59ed93dda536c822d76

SHA512
3b00819567693510cdbeb144801ee27b7a4d3cc87099c9bc1c99d16b027c0dcb1b822915d03766bea9222d2144eab7c9abf0f599d3ba6a295f1ae18c1503cfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a5a33860-4ac5-48a4-b455-87ecf1818b3a\msiwrapper.ini

Filesize
1KB

MD5
a43d25e2ba6779065510decf13501ddc

SHA1
44b620b168a4ee9adfee537c4f14213011959f23

SHA256
ad41d3cbd31a97ec878f705ec64ef86e90277e3d0df82ed31dd62ebbcec02278

SHA512
74887d2d412a142293ba417904af8ca362de1c5ddffb6eabead243d8feb51961c53aee7b0904385c0cbbac04d64df8a728f59988f77b9351832033c9efdc0dfb

Download Submit
C:\Windows\Installer\MSIBB70.tmp

Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
e6dffd79ab70740c8e74b38e4c91a964

SHA1
60bca1b66726450c6d562473247bba59f48c0098

SHA256
1095a673e0b9b6a14c9e7dc2c181a62414f0689637da496995da09afdbc6590a

SHA512
7357496f27168b9b339baac91bd14d177f4bcf0da712cd52163af0d6136ab27534ee12b72b79ab0fdd1126c9edcf7e6c976cb6da4805c75dfe0381418f962f38

Download Submit
\??\Volume{e2de8665-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2f47973b-9c9e-48ce-88b7-a11cead0acf3}_OnDiskSnapshotProp

Filesize
6KB

MD5
a9e0bd98fb5da6ee431bca0a90ec007a

SHA1
e7a395b47b9b61adc9a19b2b1ec34ff1f6ac5078

SHA256
100594dfa511dd851122b7848c90b28a8f1b3ee4c8e5efcd24b5f3dcd2b19dca

SHA512
64a9fb1adefec6e5cc7ecd37a2a124770ea7ed612113b8b0e44196349569ec77b2f51d63e2dfef4cb2a2cb2b267fe5a08e9c129afba0a963787992dd14f2cc38

Download Submit
memory/836-74-0x0000000076A40000-0x0000000076C92000-memory.dmp

Filesize
2.3MB

Download
memory/836-72-0x00007FFF4DBC0000-0x00007FFF4DDC9000-memory.dmp

Filesize
2.0MB

Download
memory/836-71-0x00000000038C0000-0x0000000003CC0000-memory.dmp

Filesize
4.0MB

Download
memory/836-70-0x00000000038C0000-0x0000000003CC0000-memory.dmp

Filesize
4.0MB

Download
memory/4360-80-0x0000000076A40000-0x0000000076C92000-memory.dmp

Filesize
2.3MB

Download
memory/4360-78-0x00007FFF4DBC0000-0x00007FFF4DDC9000-memory.dmp

Filesize
2.0MB

Download
memory/4360-77-0x0000000002A70000-0x0000000002E70000-memory.dmp

Filesize
4.0MB

Download
memory/4360-75-0x0000000000E20000-0x0000000000E29000-memory.dmp

Filesize
36KB

Download