54fc27864211f75a83460de5faea593fa6fcde0254020057287d5b35d8724a03

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

汇博计件工资(2005-03-16-16-02)/Console/Msi/Hyper_CSalary.msi
Size

1.0MB
MD5

67a5074ca2b8464718a00c5f55f9743d
SHA1

1dd452c81ecacea06cf83a20bb4790f362d99a93
SHA256

e9dd12f517d4cd25638a0445056f8513780f07d716792f28637b68c48e9df4ac
SHA512

eb9941a73ca7ddadaddc56c1bc8cc309ee3855789c6d06c2c2f8aa5f379fed9f32e7cb498a58ae6fe2f295fbca37816be01398f9745c0b016742981c0d366aa3
SSDEEP

24576:INaXTzN9JSp2CfD49SSLyZGcvjSI/GZtSLLZaVk:INajznJC2CrPSeZtjstoZaW

Score

7^/10

aspackv2 discovery persistence privilege_escalation

Malware Config

Signatures

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral4/files/0x0007000000023544-16.dat	aspack_v212_v242
behavioral4/files/0x0007000000023546-18.dat	aspack_v212_v242
behavioral4/files/0x0007000000023545-17.dat	aspack_v212_v242

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\APL67.tmp1	dllhost.exe
File created	C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\APL67.tmp	msiexec.exe
File created	C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\SMMgr.dll	msiexec.exe
File created	C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\GBMgr.dll	msiexec.exe
File created	C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\PSMgr.dll	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIEF80.tmp	msiexec.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Registration\_RegDBWrt.clb	dllhost.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2269F81A-030B-4694-B3F8-7F71366F672E}	msiexec.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1574E97A-84A8-4861-887D-96F03C5626F9}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1574E97A-84A8-4861-887D-96F03C5626F9}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\_RegDBWrt.clb	dllhost.exe
File created	C:\Windows\Installer\e57eee4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57eee4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Loads dropped DLL 4 IoCs

pid	Process
3192	RunDll32.exe
1420	RunDll32.exe
1420	RunDll32.exe
2312	RunDll32.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3372	msiexec.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1136	3192	WerFault.exe	103
3336	1420	WerFault.exe	107
2188	2312	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RunDll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RunDll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RunDll32.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a54fc9f1d525247c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a54fc9f10000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a54fc9f1000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da54fc9f1000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a54fc9f100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7C7ED57-7AFE-4CA3-B044-B0AE1895DF1C}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7C7ED57-7AFE-4CA3-B044-B0AE1895DF1C}\ProgID\ = "SmMgr.CoSmMgr"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71704CA6-DC36-44D0-A984-5500561FCE70}\AppID = "{146B8980-B363-4C2C-8E70-C2787CB050F5}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{146B8980-B363-4C2C-8E70-C2787CB050F5}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{146B8980-B363-4C2C-8E70-C2787CB050F5}\RemoteServerName = "ZDW"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71704CA6-DC36-44D0-A984-5500561FCE70}\RemoteServer	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71704CA6-DC36-44D0-A984-5500561FCE70}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{416F8093-5E4B-44F8-B30C-3BF3356E3398}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{416F8093-5E4B-44F8-B30C-3BF3356E3398}\ProgID\ = "GBMgr.CoGBMgr"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71704CA6-DC36-44D0-A984-5500561FCE70}\ProgID\ = "PSMgr.CoPSMgr"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7C7ED57-7AFE-4CA3-B044-B0AE1895DF1C}\RemoteServer\RemoteServer = 72006e00300028002e0067007e002c0063003d0071006a00630050004c0064002b006500760032003e0063003f00750045006e003800790062005e0040007e0043004100300061007e0024006c003f002c0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71704CA6-DC36-44D0-A984-5500561FCE70}\RemoteServer\ = "C:\\PROGRA~2\\COMPLU~1\\{146B8~1\\PSMgr.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71704CA6-DC36-44D0-A984-5500561FCE70}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7C7ED57-7AFE-4CA3-B044-B0AE1895DF1C}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{146B8980-B363-4C2C-8E70-C2787CB050F5}\RunAs = "Interactive User"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{416F8093-5E4B-44F8-B30C-3BF3356E3398}\RemoteServer	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{416F8093-5E4B-44F8-B30C-3BF3356E3398}\AppID = "{146B8980-B363-4C2C-8E70-C2787CB050F5}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{416F8093-5E4B-44F8-B30C-3BF3356E3398}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7C7ED57-7AFE-4CA3-B044-B0AE1895DF1C}\RemoteServer\ = "C:\\PROGRA~2\\COMPLU~1\\{146B8~1\\SMMgr.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{416F8093-5E4B-44F8-B30C-3BF3356E3398}\RemoteServer\ = "C:\\PROGRA~2\\COMPLU~1\\{146B8~1\\GBMgr.dll"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{416F8093-5E4B-44F8-B30C-3BF3356E3398}\RemoteServer\RemoteServer = 72006e00300028002e0067007e002c0063003d0071006a00630050004c0064002b006500760032003e00420041005e002500390065002a00340032003d006d0048006c003200770042005e007a007600580000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7C7ED57-7AFE-4CA3-B044-B0AE1895DF1C}\RemoteServer	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7C7ED57-7AFE-4CA3-B044-B0AE1895DF1C}\AppID = "{146B8980-B363-4C2C-8E70-C2787CB050F5}"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71704CA6-DC36-44D0-A984-5500561FCE70}\RemoteServer\RemoteServer = 72006e00300028002e0067007e002c0063003d0071006a00630050004c0064002b006500760032003e0052005d0024004f004c00500066007b002c003d00560065002d002c0021002d005700650039004c0000000000	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1380	msiexec.exe
1380	msiexec.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3372	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3372	msiexec.exe
Token: SeSecurityPrivilege	1380	msiexec.exe
Token: SeCreateTokenPrivilege	3372	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3372	msiexec.exe
Token: SeLockMemoryPrivilege	3372	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3372	msiexec.exe
Token: SeMachineAccountPrivilege	3372	msiexec.exe
Token: SeTcbPrivilege	3372	msiexec.exe
Token: SeSecurityPrivilege	3372	msiexec.exe
Token: SeTakeOwnershipPrivilege	3372	msiexec.exe
Token: SeLoadDriverPrivilege	3372	msiexec.exe
Token: SeSystemProfilePrivilege	3372	msiexec.exe
Token: SeSystemtimePrivilege	3372	msiexec.exe
Token: SeProfSingleProcessPrivilege	3372	msiexec.exe
Token: SeIncBasePriorityPrivilege	3372	msiexec.exe
Token: SeCreatePagefilePrivilege	3372	msiexec.exe
Token: SeCreatePermanentPrivilege	3372	msiexec.exe
Token: SeBackupPrivilege	3372	msiexec.exe
Token: SeRestorePrivilege	3372	msiexec.exe
Token: SeShutdownPrivilege	3372	msiexec.exe
Token: SeDebugPrivilege	3372	msiexec.exe
Token: SeAuditPrivilege	3372	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3372	msiexec.exe
Token: SeChangeNotifyPrivilege	3372	msiexec.exe
Token: SeRemoteShutdownPrivilege	3372	msiexec.exe
Token: SeUndockPrivilege	3372	msiexec.exe
Token: SeSyncAgentPrivilege	3372	msiexec.exe
Token: SeEnableDelegationPrivilege	3372	msiexec.exe
Token: SeManageVolumePrivilege	3372	msiexec.exe
Token: SeImpersonatePrivilege	3372	msiexec.exe
Token: SeCreateGlobalPrivilege	3372	msiexec.exe
Token: SeBackupPrivilege	4428	vssvc.exe
Token: SeRestorePrivilege	4428	vssvc.exe
Token: SeAuditPrivilege	4428	vssvc.exe
Token: SeBackupPrivilege	1380	msiexec.exe
Token: SeRestorePrivilege	1380	msiexec.exe
Token: SeRestorePrivilege	1380	msiexec.exe
Token: SeTakeOwnershipPrivilege	1380	msiexec.exe
Token: SeRestorePrivilege	1380	msiexec.exe
Token: SeTakeOwnershipPrivilege	1380	msiexec.exe
Token: SeBackupPrivilege	5076	srtasks.exe
Token: SeRestorePrivilege	5076	srtasks.exe
Token: SeSecurityPrivilege	5076	srtasks.exe
Token: SeTakeOwnershipPrivilege	5076	srtasks.exe
Token: SeBackupPrivilege	5076	srtasks.exe
Token: SeRestorePrivilege	5076	srtasks.exe
Token: SeSecurityPrivilege	5076	srtasks.exe
Token: SeTakeOwnershipPrivilege	5076	srtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3372	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 5076	1380	msiexec.exe	99
PID 1380 wrote to memory of 5076	1380	msiexec.exe	99
PID 4480 wrote to memory of 3192	4480	dllhost.exe	103
PID 4480 wrote to memory of 3192	4480	dllhost.exe	103
PID 4480 wrote to memory of 3192	4480	dllhost.exe	103
PID 4480 wrote to memory of 1420	4480	dllhost.exe	107
PID 4480 wrote to memory of 1420	4480	dllhost.exe	107
PID 4480 wrote to memory of 1420	4480	dllhost.exe	107
PID 4480 wrote to memory of 2312	4480	dllhost.exe	110
PID 4480 wrote to memory of 2312	4480	dllhost.exe	110
PID 4480 wrote to memory of 2312	4480	dllhost.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\汇博计件工资(2005-03-16-16-02)\Console\Msi\Hyper_CSalary.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3372

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\SysWOW64\RunDll32.exe
  C:\Windows\SysWOW64\RunDll32 C:\Windows\SysWOW64\catsrvut.dll,QueryUserDll "C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\SMMgr.dll" Global\{6B9CDBB8-57A6-40DE-AE58-6F68EE03574E}
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 656
    3⤵
    - Program crash
    PID:1136
- C:\Windows\SysWOW64\RunDll32.exe
  C:\Windows\SysWOW64\RunDll32 C:\Windows\SysWOW64\catsrvut.dll,QueryUserDll "C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\GBMgr.dll" Global\{716E1995-1E98-413C-B4CD-1879F80C856C}
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 656
    3⤵
    - Program crash
    PID:3336
- C:\Windows\SysWOW64\RunDll32.exe
  C:\Windows\SysWOW64\RunDll32 C:\Windows\SysWOW64\catsrvut.dll,QueryUserDll "C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\PSMgr.dll" Global\{5C66143F-1D63-4D8D-9BC9-4E8111AE393A}
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 656
    3⤵
    - Program crash
    PID:2188

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3192 -ip 3192
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1420 -ip 1420
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2312 -ip 2312
1⤵
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\APL67.tmp

Filesize
26KB

MD5
cb4d90d434e66313ae39537e8029a3cb

SHA1
beba31924ba0cfd10e865da8f8d8934e0ccc15bb

SHA256
1e33dc804e259d9b46a134dd9db1408483889c9e6c230c65e1e8c975a28ed709

SHA512
5e99f93bc9234ab7c750717c1d3f4e0b09664fe0d07015edef068da2952ed377a91aaa6f2010cb9bda60263359f9ec457890e3bd0c6b8785c71958df0f414a0a

Download Submit
C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\APL67.tmp

Filesize
34KB

MD5
a2e08940711bfe5b091f2de6608ca8ac

SHA1
d394d2023f5527562db3544977b58eac389bd2ab

SHA256
ed0b0daccd3d197ef91e08d14b94f3cf0cda2c87b44330f4ddf31c1483b64348

SHA512
0e59d2fd0491a8a290de747ee5143bb19d504865b3282e85a1d6143d37f296d60acf7c2d83a058b1a13e2eeb86dd960fd4fa73253c3c4b7931c9989112186db4

Download Submit
C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\GBMgr.dll

Filesize
273KB

MD5
3342ecfc6f36cd3582bbb8a7b238b7b6

SHA1
1622f6bce501eeeea1bdd3ba6d20311f34884062

SHA256
7b0487b746d25ee34bd5781dad8843a4bf7bbb998774de552365c8f6ea618067

SHA512
44985f3f229f4b7774fb86e25e3a1c316775bb8f9a8fe48031dfbe27fa75f138ed3a536a1eb3dbf18f7e987d81e4e438aa2b11693283f045570e39a58a6fe145

Download Submit
C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\PSMgr.dll

Filesize
312KB

MD5
36ec5b141c90b03bbe4e50d300ea50a4

SHA1
bc2124f43e12f99eedfb8a4032bdc753a1b1c7ed

SHA256
765ee35de88e0d4cade0e985ff9c4bfca9ac7b78862e343a91d5ff133f8bc5e9

SHA512
97e66114b433c5c1ac696758f5db637a0ed51353727d55931975856613aaba70bbf9fe7ba26100901becdc7a87815e702072c0ddd69b17d35fe3e8467e611708

Download Submit
C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\SMMgr.dll

Filesize
479KB

MD5
452d12c662da3e7e57e036b81f293298

SHA1
a6a3f98b16bea3afbb03b8643e9a9243f3b455db

SHA256
215f8c75776c4afe07141d6fff392d10af1475b8ca5d5cfccc7ad07bf2710519

SHA512
0174f90b9314e1547cb7a7bea57849f022d173fc6f63072ed3f38c5721af0c7156f88fd2ede9585a866d7ce7575845d1751920c3ba5f8a135244b5f91cd2481b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
e0c76974d811a8511d78fe07b0ca2356

SHA1
5627d53f1b400dd260531e6330f777b78d0127b9

SHA256
b7bc7cbf2e380fd9da01bd312a8ad10e52975cbf256779835c6e04ba32e48779

SHA512
68f0addc55bb123058972c407139bb99d97d28ed798c5e389e16e6e0046b2bf8d3a9886bb99e46839298330368a510b30b7c7c9603d0e5bf1f8ea35b4e53d31b

Download Submit
\??\Volume{f1c94fa5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a537cf53-69fd-4bee-bf14-d1d6a0b9d111}_OnDiskSnapshotProp

Filesize
6KB

MD5
c3a3db0d14fb0ccf8ef00f4635d20ce0

SHA1
93ba2c114563d4ff0ca23e0dfa9e6974a7b2f9fe

SHA256
b2e33f7df3e3d668e46f81d74be524aefe7fb0cd5999cf71b3c9921410648849

SHA512
d45e51a686b38c7efa4a8b02eabe883a1e0f76d00aa901044b0837d957a628310ff4d8ff597f3015dd1b2a783e4f62af306efed78292644224d05317d17c7181

Download Submit