vidar | 60c410c65d8b07444b092f5fb71b2b3f071a0cb92230fad7211551309611d899

Analysis

max time kernel
95s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e34e031f90002ad25ca1b315e0a0e1ca_JaffaCakes118.msi
Size

2.0MB
MD5

e34e031f90002ad25ca1b315e0a0e1ca
SHA1

ed594f951eed29c1354e6d9e65f82cc27b39b060
SHA256

60c410c65d8b07444b092f5fb71b2b3f071a0cb92230fad7211551309611d899
SHA512

4c08ffaa9301f963c54cb8aa17bce30d833121b056c06903606ca1fe0d9e3a112b20ae72dde5e623acdf3bde15e75830f43f86594eed46e3ddc411e2bee9149f
SSDEEP

24576:w9Uoe69/dlRsxV7/igVTHl+mwmbz0Zl+p/+c6qacm5PO/k:mUoe61SxwgVj4mboZiU

Score

10^/10

vidar 615 credential_access discovery persistence privilege_escalation rezer0 spyware stealer

Malware Config

Extracted

Family

vidar

Version

26.1

Botnet

615

http://centos10.com/

Attributes

profile_id
615

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral2/memory/2508-52-0x0000000007D60000-0x0000000007DF6000-memory.dmp	rezer0

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/1864-56-0x0000000000400000-0x000000000048D000-memory.dmp	family_vidar
behavioral2/memory/1864-58-0x0000000000400000-0x000000000048D000-memory.dmp	family_vidar

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2508 set thread context of 1864	2508	update_.exe	103

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIFFCD.tmp	msiexec.exe
File created	C:\Windows\Installer\e57a8d3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA96F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57a8d3.msi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File created	C:\Windows\Installer\e57a8d5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{1BCCC744-C9F2-4623-BB86-4B588A51334D}\ProductIcon	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1BCCC744-C9F2-4623-BB86-4B588A51334D}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Installer\MSIFFCE.tmp	msiexec.exe
File created	C:\Windows\Installer\{1BCCC744-C9F2-4623-BB86-4B588A51334D}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2508	update_.exe

Loads dropped DLL 3 IoCs

pid	Process
540	MsiExec.exe
540	MsiExec.exe
540	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4984	msiexec.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4976	1864	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a2808484d8f468e90000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a28084840000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a2808484000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da2808484000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a280848400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4D8C7751FCEC9AC4BB70FBE6F1982114\447CCCB12F9C3264BB68B485A81533D4	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\447CCCB12F9C3264BB68B485A81533D4\ProductFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\ProductIcon = "C:\\Windows\\Installer\\{1BCCC744-C9F2-4623-BB86-4B588A51334D}\\ProductIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\447CCCB12F9C3264BB68B485A81533D4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\ProductName = "setup"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\PackageCode = "C10CDC6E570C4CA43B2950E45D8BE53F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4D8C7751FCEC9AC4BB70FBE6F1982114	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\SourceList\PackageName = "e34e031f90002ad25ca1b315e0a0e1ca_JaffaCakes118.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\447CCCB12F9C3264BB68B485A81533D4\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2248	msiexec.exe
2248	msiexec.exe
2508	update_.exe
2508	update_.exe
2508	update_.exe
2508	update_.exe
1864	RegSvcs.exe
1864	RegSvcs.exe
1864	RegSvcs.exe
1864	RegSvcs.exe
1864	RegSvcs.exe
1864	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4984	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4984	msiexec.exe
Token: SeSecurityPrivilege	2248	msiexec.exe
Token: SeCreateTokenPrivilege	4984	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4984	msiexec.exe
Token: SeLockMemoryPrivilege	4984	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4984	msiexec.exe
Token: SeMachineAccountPrivilege	4984	msiexec.exe
Token: SeTcbPrivilege	4984	msiexec.exe
Token: SeSecurityPrivilege	4984	msiexec.exe
Token: SeTakeOwnershipPrivilege	4984	msiexec.exe
Token: SeLoadDriverPrivilege	4984	msiexec.exe
Token: SeSystemProfilePrivilege	4984	msiexec.exe
Token: SeSystemtimePrivilege	4984	msiexec.exe
Token: SeProfSingleProcessPrivilege	4984	msiexec.exe
Token: SeIncBasePriorityPrivilege	4984	msiexec.exe
Token: SeCreatePagefilePrivilege	4984	msiexec.exe
Token: SeCreatePermanentPrivilege	4984	msiexec.exe
Token: SeBackupPrivilege	4984	msiexec.exe
Token: SeRestorePrivilege	4984	msiexec.exe
Token: SeShutdownPrivilege	4984	msiexec.exe
Token: SeDebugPrivilege	4984	msiexec.exe
Token: SeAuditPrivilege	4984	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4984	msiexec.exe
Token: SeChangeNotifyPrivilege	4984	msiexec.exe
Token: SeRemoteShutdownPrivilege	4984	msiexec.exe
Token: SeUndockPrivilege	4984	msiexec.exe
Token: SeSyncAgentPrivilege	4984	msiexec.exe
Token: SeEnableDelegationPrivilege	4984	msiexec.exe
Token: SeManageVolumePrivilege	4984	msiexec.exe
Token: SeImpersonatePrivilege	4984	msiexec.exe
Token: SeCreateGlobalPrivilege	4984	msiexec.exe
Token: SeBackupPrivilege	3672	vssvc.exe
Token: SeRestorePrivilege	3672	vssvc.exe
Token: SeAuditPrivilege	3672	vssvc.exe
Token: SeBackupPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeDebugPrivilege	2508	update_.exe
Token: SeBackupPrivilege	1964	srtasks.exe
Token: SeRestorePrivilege	1964	srtasks.exe
Token: SeSecurityPrivilege	1964	srtasks.exe
Token: SeTakeOwnershipPrivilege	1964	srtasks.exe
Token: SeBackupPrivilege	1964	srtasks.exe
Token: SeRestorePrivilege	1964	srtasks.exe
Token: SeSecurityPrivilege	1964	srtasks.exe
Token: SeTakeOwnershipPrivilege	1964	srtasks.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4984	msiexec.exe
4984	msiexec.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1964	2248	msiexec.exe	95
PID 2248 wrote to memory of 1964	2248	msiexec.exe	95
PID 2248 wrote to memory of 540	2248	msiexec.exe	97
PID 2248 wrote to memory of 540	2248	msiexec.exe	97
PID 2248 wrote to memory of 540	2248	msiexec.exe	97
PID 540 wrote to memory of 3468	540	MsiExec.exe	98
PID 540 wrote to memory of 3468	540	MsiExec.exe	98
PID 540 wrote to memory of 3468	540	MsiExec.exe	98
PID 540 wrote to memory of 2508	540	MsiExec.exe	100
PID 540 wrote to memory of 2508	540	MsiExec.exe	100
PID 540 wrote to memory of 2508	540	MsiExec.exe	100
PID 2508 wrote to memory of 1864	2508	update_.exe	103
PID 2508 wrote to memory of 1864	2508	update_.exe	103
PID 2508 wrote to memory of 1864	2508	update_.exe	103
PID 2508 wrote to memory of 1864	2508	update_.exe	103
PID 2508 wrote to memory of 1864	2508	update_.exe	103
PID 2508 wrote to memory of 1864	2508	update_.exe	103
PID 2508 wrote to memory of 1864	2508	update_.exe	103
PID 2508 wrote to memory of 1864	2508	update_.exe	103
PID 540 wrote to memory of 1192	540	MsiExec.exe	104
PID 540 wrote to memory of 1192	540	MsiExec.exe	104
PID 540 wrote to memory of 1192	540	MsiExec.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e34e031f90002ad25ca1b315e0a0e1ca_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4984

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F213697F12992C898DE76D184F4A3020
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\expand.exe
    "C:\Windows\System32\expand.exe" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3468
- - C:\Users\Admin\AppData\Local\Temp\MW-45f06593-f24f-43e8-8f5d-daf17a70d000\files\update_.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-45f06593-f24f-43e8-8f5d-daf17a70d000\files\update_.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1864
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 1288
        5⤵
        Program crash
        
        PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-45f06593-f24f-43e8-8f5d-daf17a70d000\files"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1864 -ip 1864
1⤵
PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57a8d4.rbs

Filesize
7KB

MD5
fcaf24a8f38747e88829aee82a3ab84e

SHA1
ef244a43294d7bc59ad8c842a77147b6c75fd42a

SHA256
d04e6a1c2900a1a866bfa9931b11b162d82362a8edff174f3ef09387cd5c768e

SHA512
49c8cc78071a55691c5c42716b451e88372fc7356125167bcc74f253b942cc26a4d61eb8e18948df0024c0a13a3418723b0ae839fc0565128b397df5385da87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-45f06593-f24f-43e8-8f5d-daf17a70d000\files.cab

Filesize
1.6MB

MD5
483df885be4c8437b1911eff9850dda7

SHA1
06a57536d2c68c0c20d1ca3d7d451ac1280dd4f3

SHA256
ecd1378d316af9c3412409bcd7e75209bcfc059ec168ee1ffbb1e6f4aad05834

SHA512
007b3f6cee62f09338c02422066ecda15c04d95d713c0084af0d6d3af78f6be13e8bbbffc63aecbefd3aa114bc7856b044131785526cba61981c8558c373d079

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-45f06593-f24f-43e8-8f5d-daf17a70d000\files\update_.exe

Filesize
1.6MB

MD5
8997b830816a345baf25f94e8033f92a

SHA1
f398d7c660d0d2e5e3f8fc7c88818f52d22ed008

SHA256
af104f0f0c43600e5116b57f3e89f044c225850cee16a4e1a1d37d0272d20e52

SHA512
57d50ac553fecf6a06c37cdefded2481488a132764c906ac90a4da6b6c5006d5cb1aaddcdea0910c511b47298ccf8cf0b1695ada9b01d7edb25a6a2008a563ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-45f06593-f24f-43e8-8f5d-daf17a70d000\msiwrapper.ini

Filesize
459B

MD5
5e32887966b803a325a54cb1a2878879

SHA1
cbde4f5c9c4d0918afde63222462bc12d951d2ab

SHA256
3d32a77713785f21b01a62f1c32c3d6c6cb8c023c97b0dfd248314e3d776164a

SHA512
e112e6fccb1fc214a37e52cdefe037f083e96c6e2ed13e711399516ec67ae8b07502e9013019a0f119840286d657f3958964e5208139fa5bb318ba5d0a917227

Download Submit
C:\Windows\Installer\MSIA96F.tmp

Filesize
128KB

MD5
3e9d2974fd83d2c22b647d36a2ba7861

SHA1
3b1d50d42235439d456444f7d3b573f93ecdbe5f

SHA256
339ad75878735d68ccf46bd6f2a73908e4b97be2b947b913e3472dda2c35135a

SHA512
e97fdb1d0053d20e7d869d664662f3a845a8b64103e1876513793adff5a190b110d7c221b81102e7e1f6c902dcf0ade18ade2299d3083917d3673aa3ba4ebb9f

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
e617ff073503f433e59cc38f1c8f638f

SHA1
3d9814a80584cd8875a6326dd116bbb6a2328255

SHA256
f93d05961ac9b91f1c2073823421fdc07c9457cc1a62841fe4043e5d8ce4c682

SHA512
6a3da853e5744ee2f29f177fd3b40fa5099ecacca2b14a1a91a4f9bb13bdd168686b83a9955138637b9c0a6290ccddb6734382931a77aeca2d67fb8c4571038c

Download Submit
\??\Volume{848480a2-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0dcf3f59-0690-4817-b778-a42fd842b6b4}_OnDiskSnapshotProp

Filesize
6KB

MD5
cfe68eea4aa7c754fa4d498004c8dc54

SHA1
44906415b3b13fcd47a53229ec2986c381f6f4d3

SHA256
2e4d46186666c8312eb29841a8894b55d73407f756da066bd825b36d8df91214

SHA512
e9e291606ea8e07ddc6464a9dc3419de067a8f0cbb0a67aa0852aa22ddc4111b4df307b7aeddedbba405e910ead0c8d8c10f31ef9286c8e0813de972f8c1da30

Download Submit
memory/1864-58-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1864-56-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2508-46-0x0000000000330000-0x00000000004CE000-memory.dmp

Filesize
1.6MB

Download
memory/2508-52-0x0000000007D60000-0x0000000007DF6000-memory.dmp

Filesize
600KB

Download
memory/2508-53-0x00000000080E0000-0x000000000817C000-memory.dmp

Filesize
624KB

Download
memory/2508-51-0x0000000005620000-0x0000000005628000-memory.dmp

Filesize
32KB

Download
memory/2508-50-0x0000000005570000-0x0000000005616000-memory.dmp

Filesize
664KB

Download
memory/2508-49-0x0000000005270000-0x000000000527A000-memory.dmp

Filesize
40KB

Download
memory/2508-48-0x00000000052D0000-0x0000000005362000-memory.dmp

Filesize
584KB

Download
memory/2508-47-0x00000000057E0000-0x0000000005D84000-memory.dmp

Filesize
5.6MB

Download