Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/09/2024, 18:03
Static task: static1
Behavioral task: behavioral1 (sample TwDush.msi, resource win7-20240903-en)
Behavioral task: behavioral2 (sample TwDush.msi, resource win10v2004-20240802-en)
General
Target: TwDush.msi
Size: 66.4MB
MD5: 9800a890a4819b574c5aa5ca9e063d96
SHA1: ede8c738d4e58c770f0ba7792e330756aaf28c7f
SHA256: ec40da7be23e50181fb692525cc62f6cd5f5caa74f653fabaf5d57df1201263b
SHA512: ae52316d3f17cab0370ce6a772861ae5ca5a556f140955c93edf91852695964b57b108c1b85a342d2c52ae8090a6c3d97e7fe5a1c4bd87435135572ab5ca12cf
SSDEEP: 1572864:vXU1B6zASrGGq3ymZM4yLpQBoxFlfAwwsUZWOVH:vXU1B6ASrGGqCcM/DxFBDwhZzH
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
  Every drive letter except C:, D: and F: was probed, each twice, for 46 events in total.
  Windows Installer enumerates volumes while costing any package, so this signature carries little weight on its own here.
Drops file in Program Files directory (11 IoCs)
  File created: C:\Program Files\PlanAnalyzerOptimistic\MOELauncherSetup_V0TKW.exe (msiexec.exe)
  File created: C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe (msiexec.exe)
  File created: C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe (msiexec.exe)
  File created: C:\Program Files\PlanAnalyzerOptimistic\VKWrWBaIcvTlXvwirqQe (msiexec.exe)
  File created: C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.xml (mvlKSjKRHbPQ.exe)
  File opened for modification: C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.xml (mvlKSjKRHbPQ.exe)
  File created: C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe (mvlKSjKRHbPQ.exe)
  File opened for modification: C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe (mvlKSjKRHbPQ.exe)
  File created: C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe (mvlKSjKRHbPQ.exe)
  File opened for modification: C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe (mvlKSjKRHbPQ.exe)
  File opened for modification: C:\Program Files\PlanAnalyzerOptimistic (PtsxcsyatT16.exe)
Drops file in Windows directory (10 IoCs)
  File created: C:\Windows\Installer\f76e13e.msi (msiexec.exe)
  File created: C:\Windows\Installer\f76e13b.msi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\f76e13b.msi (msiexec.exe)
  File created: C:\Windows\Installer\f76e13c.ipi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\f76e13c.ipi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSIE215.tmp (msiexec.exe)
  File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
  File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
  File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
Executes dropped EXE (3 IoCs)
  PID 856  mvlKSjKRHbPQ.exe
  PID 2032 PtsxcsyatT16.exe
  PID 1208 ToDesk.exe
Loads dropped DLL (9 IoCs)
  PID 2888 MsiExec.exe (5 loads)
  PID 2032 PtsxcsyatT16.exe (4 loads)
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  PID 2348 msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mvlKSjKRHbPQ.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (PtsxcsyatT16.exe)
  Reading this key is also part of ordinary locale initialization, so it is weak evidence of targeting by itself.
Modifies data under HKEY_USERS (50 IoCs)
  DrvInst.exe, 43 events. Key created under \REGISTRY\USER\.DEFAULT\ for each of these 42 paths:
    SOFTWARE\Microsoft\SystemCertificates\Root, Root\Certificates, Root\CRLs, Root\CTLs
    SOFTWARE\Microsoft\SystemCertificates\CA, CA\Certificates, CA\CRLs, CA\CTLs
    SOFTWARE\Microsoft\SystemCertificates\Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs
    SOFTWARE\Microsoft\SystemCertificates\trust, trust\Certificates, trust\CRLs, trust\CTLs
    SOFTWARE\Microsoft\SystemCertificates\TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs
    SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot, SmartCardRoot\Certificates, SmartCardRoot\CRLs, SmartCardRoot\CTLs
    SOFTWARE\Microsoft\SystemCertificates\My
    SOFTWARE\Policies\Microsoft\SystemCertificates\CA, CA\Certificates, CA\CRLs, CA\CTLs
    SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs
    SOFTWARE\Policies\Microsoft\SystemCertificates\trust, trust\Certificates, trust\CRLs, trust\CTLs
    SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs
    Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  plus Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
  msiexec.exe, 3 events:
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E
    Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E
    Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D
  PtsxcsyatT16.exe, 4 events:
    Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust"
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"
  The DrvInst.exe entries are the empty certificate-store and WinTrust keys that CryptoAPI lays down the first time stores are opened under the .DEFAULT (SYSTEM) profile. DrvInst.exe is the Windows device installer, launched here for the volume-snapshot device node shown in the Processes section, so these are side effects of the installer's snapshot activity rather than actions of the sample. Only the PtsxcsyatT16.exe entries are attributable to a dropped binary.
Modifies registry class (22 IoCs)
  All by msiexec.exe, under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\:
    Key created: Products\8E5A40D8B63096B4BAF3DA1D70837CE3
    Set value (str): Products\8E5A40D8B63096B4BAF3DA1D70837CE3\ProductName = "PlanAnalyzerOptimistic"
    Set value (str): Products\8E5A40D8B63096B4BAF3DA1D70837CE3\PackageCode = "B4C280FC3A938F442BA728B9CF74E9DC"
    Set value (int): Products\8E5A40D8B63096B4BAF3DA1D70837CE3\Language = "1033"
    Set value (int): Products\8E5A40D8B63096B4BAF3DA1D70837CE3\Version = "134807556"
    Set value (int): Products\8E5A40D8B63096B4BAF3DA1D70837CE3\Assignment = "1"
    Set value (int): Products\8E5A40D8B63096B4BAF3DA1D70837CE3\DeploymentFlags = "3"
    Set value (int): Products\8E5A40D8B63096B4BAF3DA1D70837CE3\AdvertiseFlags = "388"
    Set value (int): Products\8E5A40D8B63096B4BAF3DA1D70837CE3\InstanceType = "0"
    Set value (int): Products\8E5A40D8B63096B4BAF3DA1D70837CE3\AuthorizedLUAApp = "0"
    Set value (data): Products\8E5A40D8B63096B4BAF3DA1D70837CE3\Clients = 3a0000000000
    Key created: Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList
    Set value (str): Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\PackageName = "TwDush.msi"
    Set value (str): Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
    Key created: Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\Media
    Set value (str): Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\Media\1 = ";"
    Key created: Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\Net
    Set value (str): Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
    Key created: UpgradeCodes\376C3C4D8C5B1874EB9AE27A958B6EEA
    Set value (str): UpgradeCodes\376C3C4D8C5B1874EB9AE27A958B6EEA\8E5A40D8B63096B4BAF3DA1D70837CE3
    Key created: Features\8E5A40D8B63096B4BAF3DA1D70837CE3
    Set value (str): Features\8E5A40D8B63096B4BAF3DA1D70837CE3\ProductFeature
  This is Windows Installer's standard product registration for a per-machine install. Its value lies in the identifiers it records: the product name PlanAnalyzerOptimistic, the package name TwDush.msi, the source directory C:\Users\Admin\AppData\Local\Temp\, and the product, upgrade and package codes, which are GUIDs stored in the installer's packed form.
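Several of the values recorded above are encoded. The 32-character key names under Installer\Products and Installer\UpgradeCodes, and the PackageCode value, are GUIDs in Windows Installer's packed form (the first three groups reversed whole, the rest reversed two hex digits at a time); Version is a DWORD carrying major.minor.build in its bytes; LanguageList and Clients are REG_MULTI_SZ blobs in UTF-16LE. The Python below is an added example for this report, not Triage's code, that decodes all three from the values listed here and can also pack a GUID back into its key name for hunting in the Installer hive. Applied to this report it gives ProductCode {8D04A5E8-036B-4B69-AB3F-ADD10738C73E}, UpgradeCode {D4C3C673-B5C8-4781-BEA9-2EA759B8E6AE}, PackageCode {CF082C4B-39A3-44F8-B27A-829BFC479ECD}, version 8.9.4 and the language list en-US, en. The UpgradeCode is meant to stay constant across versions of one product, so it is a useful pivot if the author reused a build template.

```python
"""Decode the Windows Installer registry values recorded in this report.

Added example for this report, not Triage output. The inputs are copied from the
"Modifies registry class" and "Modifies data under HKEY_USERS" entries; the
encodings are the standard ones Windows Installer and the registry use.
"""
import binascii


def _swap_groups(hex32: str) -> str:
    """Windows Installer 'packed GUID' transform: reverse the first three GUID
    groups whole, then reverse the remaining 16 hex digits two at a time.
    The transform is its own inverse, so it serves both directions."""
    if len(hex32) != 32:
        raise ValueError("expected 32 hex digits, got %r" % hex32)
    h = hex32.upper()
    head = h[0:8][::-1] + h[8:12][::-1] + h[12:16][::-1]
    tail = "".join(h[i:i + 2][::-1] for i in range(16, 32, 2))
    return head + tail


def unpack_msi_guid(packed: str) -> str:
    """Key name under HKLM\\SOFTWARE\\Classes\\Installer\\Products (or
    UpgradeCodes, or a PackageCode value) -> registry-style GUID."""
    g = _swap_groups(packed)
    return "{%s-%s-%s-%s-%s}" % (g[0:8], g[8:12], g[12:16], g[16:20], g[20:32])


def pack_msi_guid(guid: str) -> str:
    """GUID -> packed key name, e.g. to search an Installer hive for a ProductCode."""
    return _swap_groups(guid.strip("{}").replace("-", ""))


def decode_msi_version(value) -> str:
    """Installer Version DWORD: major in the top byte, minor in the next byte,
    build in the low word. Triage prints the DWORD as a decimal string."""
    v = int(value)
    return "%d.%d.%d" % (v >> 24, (v >> 16) & 0xFF, v & 0xFFFF)


def decode_multi_sz(hexdata: str) -> list:
    """REG_MULTI_SZ shown as hex: UTF-16LE strings separated by NUL and
    terminated by a double NUL."""
    text = binascii.unhexlify(hexdata).decode("utf-16-le").rstrip("\x00")
    return text.split("\x00") if text else []


if __name__ == "__main__":
    print("ProductCode ", unpack_msi_guid("8E5A40D8B63096B4BAF3DA1D70837CE3"))
    print("UpgradeCode ", unpack_msi_guid("376C3C4D8C5B1874EB9AE27A958B6EEA"))
    print("PackageCode ", unpack_msi_guid("B4C280FC3A938F442BA728B9CF74E9DC"))
    print("Version     ", decode_msi_version("134807556"))
    print("LanguageList", decode_multi_sz("65006e002d0055005300000065006e0000000000"))
    print("Clients     ", decode_multi_sz("3a0000000000"))
```

Language = "1033" is the en-US LCID and needs no decoding. The version nibble (4) and variant nibble (A or B) of the three decoded GUIDs are where RFC 4122 puts them, which is a quick sanity check that the unpacking is right.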
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 2308 msiexec.exe (2 events)
  PID 2032 PtsxcsyatT16.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 2348 msiexec.exe, 31 events: SeShutdownPrivilege (2), SeIncreaseQuotaPrivilege (2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 2308 msiexec.exe, 20 events: SeRestorePrivilege (10), SeTakeOwnershipPrivilege (8), SeSecurityPrivilege, SeBackupPrivilege
  PID 1792 vssvc.exe, 3 events: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  PID 2792 DrvInst.exe, 10 events: SeRestorePrivilege (7), SeLoadDriverPrivilege (3)
  The PID 2348 run from SeCreateTokenPrivilege to SeCreateGlobalPrivilege walks every privilege constant in LUID order, i.e. the installer client enabled everything its elevated token held; msiexec does this for any package.
Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 2348 msiexec.exe (2 events)
Suspicious use of WriteProcessMemory (19 IoCs)
  PID 2308 msiexec.exe wrote to memory of PID 2888 (7 events, procid_target 35)
  PID 2888 MsiExec.exe wrote to memory of PID 856 (4 events, procid_target 36)
  PID 2888 MsiExec.exe wrote to memory of PID 2032 (4 events, procid_target 38)
  PID 2888 MsiExec.exe wrote to memory of PID 1208 (4 events, procid_target 39)
  Each target is a child the writing process had just created (see Processes), so these are the writes CreateProcess makes into a new child rather than injection into an unrelated process.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe (PID 2348)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TwDush.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 2308)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (PID 2888, child of 2308)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C129ADC2C46E27C0A71CE1323C15155E M Global\MSI0000
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe (PID 856, child of 2888)
      Command line: "C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe" x "C:\Program Files\PlanAnalyzerOptimistic\VKWrWBaIcvTlXvwirqQe" -o"C:\Program Files\PlanAnalyzerOptimistic\" -pyjlAFQsGZRtyUdVIXREr -y
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe (PID 2032, child of 2888)
      Command line: "C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe" -number 132 -file file3 -mode mode3 -flag flag3
      - Drops file in Program Files directory
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe (PID 1208, child of 2888)
      Command line: "C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe"
      - Executes dropped EXE

C:\Windows\system32\vssvc.exe (PID 1792)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe (PID 2792)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000598" "00000000000005E0"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
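The tree shows how the package executes. The user-launched msiexec.exe /I (PID 2348) hands the job to the Windows Installer service (msiexec.exe /V, PID 2308), which starts a custom action server (MsiExec.exe -Embedding, PID 2888); EXE custom actions run as children of that server, so that is where the payload appears, not under the process the user started. Here the server first runs mvlKSjKRHbPQ.exe with 7-Zip's extraction syntax (x <archive> -o<dir> -p<password> -y) to unpack the password-protected blob VKWrWBaIcvTlXvwirqQe into the install directory, which is what produces PtsxcsyatT16.exe and tADwcTndbYNd.exe in the file drops; it then starts PtsxcsyatT16.exe and ToDesk.exe (the name of a commercial remote-desktop client, though the report does not verify the binary). The Python below is an added example for this report, not Triage's code: it transcribes the process and file-create events from the sections above as its input, rebuilds the tree, recovers the archive password from the command line, and reproduces the "Executes dropped EXE" correlation together with its inverse, dropped executables that never ran within the trace. The custom-action-server heuristic and the simplified command-line splitter are this example's assumptions.

```python
"""Rebuild the TwDush.msi process tree and correlate it with the file drops.

Added example for this Triage report, not tool output. PROCS and FILE_CREATES are
transcribed from the Processes and "Drops file in Program Files directory"
sections (parents follow the WriteProcessMemory entries); the custom-action-server
heuristic and the 7-Zip-style argument parser are this example's assumptions.
"""
from typing import Dict, List, Optional, Set, Tuple

# (pid, ppid or None when the parent is outside the trace, image path, command line)
PROCS: List[Tuple[int, Optional[int], str, str]] = [
    (2348, None, r"C:\Windows\system32\msiexec.exe",
     r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TwDush.msi"),
    (2308, None, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    (2888, 2308, r"C:\Windows\syswow64\MsiExec.exe",
     r"C:\Windows\syswow64\MsiExec.exe -Embedding C129ADC2C46E27C0A71CE1323C15155E M Global\MSI0000"),
    (856, 2888, r"C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe",
     r'"C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe" x '
     r'"C:\Program Files\PlanAnalyzerOptimistic\VKWrWBaIcvTlXvwirqQe" '
     r'-o"C:\Program Files\PlanAnalyzerOptimistic\" -pyjlAFQsGZRtyUdVIXREr -y'),
    (2032, 2888, r"C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe",
     r'"C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe" -number 132 -file file3 -mode mode3 -flag flag3'),
    (1208, 2888, r"C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe",
     r'"C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe"'),
    (1792, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    (2792, None, r"C:\Windows\system32\DrvInst.exe",
     r'DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" '
     r'"61530dda3" "0000000000000000" "0000000000000598" "00000000000005E0"'),
]

# "File created" events in the install directory: (path, creating process)
FILE_CREATES: List[Tuple[str, str]] = [
    (r"C:\Program Files\PlanAnalyzerOptimistic\MOELauncherSetup_V0TKW.exe", "msiexec.exe"),
    (r"C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe", "msiexec.exe"),
    (r"C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.xml", "mvlKSjKRHbPQ.exe"),
    (r"C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe", "mvlKSjKRHbPQ.exe"),
    (r"C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe", "msiexec.exe"),
    (r"C:\Program Files\PlanAnalyzerOptimistic\VKWrWBaIcvTlXvwirqQe", "msiexec.exe"),
    (r"C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe", "mvlKSjKRHbPQ.exe"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def custom_action_children(procs) -> List[int]:
    """PIDs of everything spawned, directly or indirectly, by a Windows Installer
    custom action server (an MsiExec.exe started with -Embedding by the service).
    EXE custom actions run as its children, so this is where an MSI's payload
    shows up, not under the msiexec /I the user launched."""
    by_parent: Dict[Optional[int], List[int]] = {}
    for pid, ppid, _, _ in procs:
        by_parent.setdefault(ppid, []).append(pid)
    queue = [pid for pid, _, image, cmd in procs
             if basename(image).lower() == "msiexec.exe" and "-embedding" in cmd.lower()]
    found: List[int] = []
    while queue:  # breadth-first, keeps trace order within each level
        for child in by_parent.get(queue.pop(0), []):
            found.append(child)
            queue.append(child)
    return found


def split_cmdline(cmdline: str) -> List[str]:
    r"""Whitespace splits, double quotes group; backslash escapes are deliberately
    ignored so that -o"C:\dir\" style switches survive (not a full CommandLineToArgvW)."""
    args, cur, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append(cur)
            cur = ""
        else:
            cur += ch
    return args + [cur] if cur else args


def parse_7z_extract(cmdline: str) -> Optional[dict]:
    """Archive, output directory and password of a 7-Zip-style 'x'/'e' command,
    or None when the command line is something else."""
    args = split_cmdline(cmdline)
    if len(args) < 3 or args[1].lower() not in ("x", "e"):
        return None
    info = {"archiver": args[0], "archive": None, "out_dir": None, "password": None}
    for a in args[2:]:
        if a.startswith("-o"):
            info["out_dir"] = a[2:]
        elif a.startswith("-p"):
            info["password"] = a[2:]  # empty string means 7-Zip would prompt
        elif not a.startswith("-") and info["archive"] is None:
            info["archive"] = a
    return info if info["archive"] else None


def executed_dropped_files(procs, creates) -> Set[str]:
    """Executables both written and later run: the report's 'Executes dropped EXE'."""
    dropped = {path.lower() for path, _ in creates}
    return {basename(image) for _, _, image, _ in procs if image.lower() in dropped}


def dropped_not_executed(procs, creates) -> List[str]:
    """Dropped .exe files with no process in the trace: still to be examined."""
    ran = {image.lower() for _, _, image, _ in procs}
    return sorted(basename(p) for p, _ in creates
                  if p.lower().endswith(".exe") and p.lower() not in ran)
```

Run against the report's events this yields [856, 2032, 1208] as the custom action server's descendants, the password yjlAFQsGZRtyUdVIXREr for the archive VKWrWBaIcvTlXvwirqQe, the three binaries the report lists under "Executes dropped EXE", and two dropped executables that never started within the 117 s kernel window, MOELauncherSetup_V0TKW.exe and tADwcTndbYNd.exe. Those two, and the archive itself, are the artifacts to pull from the sandbox for static analysis; the recovered password is what lets you open the archive.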
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 7KB
MD5: 615d52a76ceab9f74b658c4b17db49b5
SHA1: 7d4ac6ea2319a85285d1ad04a67b744a6e509e9e
SHA256: cc0a3b55cc0c5453f46e740a9f01b4c79c2e5875731417a0ae154397631a2605
SHA512: f4d395f535d76e06426f483b842207165944ccb80344ddb48806f209079c779a03d8ca7dbf3c35a3739ce1bca44f81315c5ed3a6171d4bfdf0a4a15302defb9e

Filesize: 2.9MB
MD5: 772375794abfe39763f2057e845ff14b
SHA1: 08ada20435475025e8b22d4a7460725fdcb0c3d5
SHA256: c31afb76379f0adaaa98d52f7a6dca18cd9f374672e1e85c6c4f7214080e2248
SHA512: ab67f8af704b0bf8902120b23fd2d31a1b12f05dc64f17b0f5fafb1c96bbf93481d4e147967a891028c2f4f0c5dc0b1eb135c003a2bc33ca4e118c60b70a2ad2

Filesize: 48.3MB
MD5: 1193d280fe00a77b753b8c196969fddf
SHA1: 2ba757374129b149823d67a99e907989732c31dc
SHA256: 56e4cbc58c71fbab44bef5bb191659e92fa6713b6e1834465464f4dea44498ad
SHA512: dd62534de37eae14cce7e83ccdf2e9f1fd6d87ea104c25bb107af4826a128ee40507958ce37c3df937ea238f1370a5e3f3cdcf701d015f6e2d31e45d4c0d1327

Filesize: 1.7MB
MD5: 2b86a11112da3cafddcd7ee308cea7c9
SHA1: 994cce38475425226d857550c86f1651fcfdc2dc
SHA256: 5f80ac378a228c920d0dd85c05c986c06ef3bc05b0b98a85df03428a00c6f9e3
SHA512: da141c69561b862dec313b23a636a34ce831c18973c71c1450372350b1aba9be8291b3ecaa909166bb25f4bfbbd0477c6ff2711bb7475ca8c333a9c677ad56a2

Filesize: 574KB
MD5: 42badc1d2f03a8b1e4875740d3d49336
SHA1: cee178da1fb05f99af7a3547093122893bd1eb46
SHA256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA512: 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Filesize: 35.6MB
MD5: f0b4afeb9a9582a84c04d33b4f9c93e5
SHA1: 0b9229e8e3879fc4d1310ba493280894cac1f259
SHA256: d71c5c27f6e68be09e40921321a2c6d3b95f65787c33dcc2d66e6939a798a3c9
SHA512: d4c3593590a5574bbfc1270d3aca3b419ea5126735206b5e2104e42fda961844ba90073ebacd917b9b0152c103670d1a64b88c76b03b358feae73794418abe51

Filesize: 832KB
MD5: d305d506c0095df8af223ac7d91ca327
SHA1: 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256: 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA512: 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796