Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/09/2024, 19:10
Static task: static1
Behavioral task: behavioral1
- Sample: VLC2.7.msi
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: VLC2.7.msi
- Resource: win10v2004-20240802-en
General
- Target: VLC2.7.msi
- Size: 14.0MB
- MD5: a1c5d32005ee62baa30dc993394aa17c
- SHA1: 360dd1889252cc5c06386706f5d9f8f326f218db
- SHA256: 49d8edfd8a93ede3e3087771d69b7e6be33f53dfb92ee1da9d82c09f2e0d3188
- SHA512: 3ae8fcf6120e9c2a518b109c64996cea7d5b8f28df1e00c6e18a74b199d4f80d44e2c647fddb22b6b5ab3e24a495366be21d1a140521c00db35dd9e3480c4124
- SSDEEP: 393216:sGS3skS0F5Ky7pfJY/+LXwwhCtZRZ5bz/ueWBem1f4V:sG8S0F5N7pfJu2XwwhYZRDbz/uFdp4V
Malware Config
Signatures
-
resource | yara_rule
behavioral2/memory/4560-66-0x000000002C450000-0x000000002C60B000-memory.dmp | purplefox_rootkit
behavioral2/memory/4560-68-0x000000002C450000-0x000000002C60B000-memory.dmp | purplefox_rootkit
behavioral2/memory/4560-69-0x000000002C450000-0x000000002C60B000-memory.dmp | purplefox_rootkit
- Gh0st RAT payload 3 IoCs
resource | yara_rule
behavioral2/memory/4560-66-0x000000002C450000-0x000000002C60B000-memory.dmp | family_gh0strat
behavioral2/memory/4560-68-0x000000002C450000-0x000000002C60B000-memory.dmp | family_gh0strat
behavioral2/memory/4560-69-0x000000002C450000-0x000000002C60B000-memory.dmp | family_gh0strat
- Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\J: | nSBnCTQPhM12.exe
File opened (read-only) | \??\X: | nSBnCTQPhM12.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\N: | nSBnCTQPhM12.exe
File opened (read-only) | \??\B: | nSBnCTQPhM12.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\W: | nSBnCTQPhM12.exe
File opened (read-only) | \??\Y: | nSBnCTQPhM12.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\U: | nSBnCTQPhM12.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\G: | nSBnCTQPhM12.exe
File opened (read-only) | \??\M: | nSBnCTQPhM12.exe
File opened (read-only) | \??\O: | nSBnCTQPhM12.exe
File opened (read-only) | \??\R: | nSBnCTQPhM12.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\T: | nSBnCTQPhM12.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | nSBnCTQPhM12.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\E: | nSBnCTQPhM12.exe
File opened (read-only) | \??\L: | nSBnCTQPhM12.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Z: | nSBnCTQPhM12.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\H: | nSBnCTQPhM12.exe
File opened (read-only) | \??\Q: | nSBnCTQPhM12.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\K: | nSBnCTQPhM12.exe
File opened (read-only) | \??\V: | nSBnCTQPhM12.exe
- Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe | UdgXmVwhvaeF.exe
File created | C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe | UdgXmVwhvaeF.exe
File opened for modification | C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.wrapper.log | QCIFTyMgyyFp.exe
File opened for modification | C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.wrapper.log | QCIFTyMgyyFp.exe
File created | C:\Program Files\UpgradeWholesalerAgile\opencv_world452.dll | msiexec.exe
File opened for modification | C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.xml | UdgXmVwhvaeF.exe
File created | C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.xml | UdgXmVwhvaeF.exe
File created | C:\Program Files\UpgradeWholesalerAgile\zJVekxzWHGhLKpsaTVoA | msiexec.exe
File opened for modification | C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe | UdgXmVwhvaeF.exe
File opened for modification | C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe | UdgXmVwhvaeF.exe
File opened for modification | C:\Program Files\UpgradeWholesalerAgile | nSBnCTQPhM12.exe
File created | C:\Program Files\UpgradeWholesalerAgile\UdgXmVwhvaeF.exe | msiexec.exe
File opened for modification | C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.wrapper.log | QCIFTyMgyyFp.exe
File created | C:\Program Files\UpgradeWholesalerAgile\svml_dispmd2.dll | msiexec.exe
- Drops file in Windows directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSIEE57.tmp | msiexec.exe
File created | C:\Windows\Installer\e57ed9e.msi | msiexec.exe
File created | C:\Windows\Installer\e57ed9c.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57ed9c.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{8D81BE40-3702-4FBA-8224-CC5AE6DC9090} | msiexec.exe
- Executes dropped EXE 7 IoCs
pid | Process
3632 | UdgXmVwhvaeF.exe
3020 | nSBnCTQPhM12.exe
3724 | QCIFTyMgyyFp.exe
532 | QCIFTyMgyyFp.exe
3112 | QCIFTyMgyyFp.exe
4708 | nSBnCTQPhM12.exe
4560 | nSBnCTQPhM12.exe
- Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
3764 | msiexec.exe
- System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nSBnCTQPhM12.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nSBnCTQPhM12.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nSBnCTQPhM12.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | UdgXmVwhvaeF.exe
- Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
- Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | nSBnCTQPhM12.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nSBnCTQPhM12.exe
- Modifies data under HKEY_USERS 10 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | MsiExec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | MsiExec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | MsiExec.exe
- Modifies registry class 22 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\Version = "118030336" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\SourceList\Media\1 = ";" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1F1EA91E6509F3D4CB169EA220D06350 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\04EB18D82073ABF42842CCA56ECD0909 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\ProductName = "UpgradeWholesalerAgile" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\PackageCode = "D2FD7181211B77A4B97E1C454892B469" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\SourceList\PackageName = "VLC\uefb2\uefa5\uefb7\uefc5\uefc6\ueff72.7.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\SourceList\Media | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\04EB18D82073ABF42842CCA56ECD0909\ProductFeature | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1F1EA91E6509F3D4CB169EA220D06350\04EB18D82073ABF42842CCA56ECD0909 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2508 | msiexec.exe
2508 | msiexec.exe
3020 | nSBnCTQPhM12.exe
3020 | nSBnCTQPhM12.exe
3112 | QCIFTyMgyyFp.exe
4708 | nSBnCTQPhM12.exe
4708 | nSBnCTQPhM12.exe
4708 | nSBnCTQPhM12.exe
4708 | nSBnCTQPhM12.exe
4560 | nSBnCTQPhM12.exe (the remaining 55 entries of the 64 are all this pid/process)
- Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 3764 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3764 | msiexec.exe
Token: SeSecurityPrivilege | 2508 | msiexec.exe
Token: SeCreateTokenPrivilege | 3764 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 3764 | msiexec.exe
Token: SeLockMemoryPrivilege | 3764 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3764 | msiexec.exe
Token: SeMachineAccountPrivilege | 3764 | msiexec.exe
Token: SeTcbPrivilege | 3764 | msiexec.exe
Token: SeSecurityPrivilege | 3764 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3764 | msiexec.exe
Token: SeLoadDriverPrivilege | 3764 | msiexec.exe
Token: SeSystemProfilePrivilege | 3764 | msiexec.exe
Token: SeSystemtimePrivilege | 3764 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 3764 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 3764 | msiexec.exe
Token: SeCreatePagefilePrivilege | 3764 | msiexec.exe
Token: SeCreatePermanentPrivilege | 3764 | msiexec.exe
Token: SeBackupPrivilege | 3764 | msiexec.exe
Token: SeRestorePrivilege | 3764 | msiexec.exe
Token: SeShutdownPrivilege | 3764 | msiexec.exe
Token: SeDebugPrivilege | 3764 | msiexec.exe
Token: SeAuditPrivilege | 3764 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 3764 | msiexec.exe
Token: SeChangeNotifyPrivilege | 3764 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 3764 | msiexec.exe
Token: SeUndockPrivilege | 3764 | msiexec.exe
Token: SeSyncAgentPrivilege | 3764 | msiexec.exe
Token: SeEnableDelegationPrivilege | 3764 | msiexec.exe
Token: SeManageVolumePrivilege | 3764 | msiexec.exe
Token: SeImpersonatePrivilege | 3764 | msiexec.exe
Token: SeCreateGlobalPrivilege | 3764 | msiexec.exe
Token: SeBackupPrivilege | 2608 | vssvc.exe
Token: SeRestorePrivilege | 2608 | vssvc.exe
Token: SeAuditPrivilege | 2608 | vssvc.exe
Token: SeBackupPrivilege | 2508 | msiexec.exe
Token: SeRestorePrivilege | 2508 | msiexec.exe
Token: SeRestorePrivilege | 2508 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2508 | msiexec.exe
Token: SeRestorePrivilege | 2508 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2508 | msiexec.exe
Token: SeBackupPrivilege | 3388 | srtasks.exe
Token: SeRestorePrivilege | 3388 | srtasks.exe
Token: SeSecurityPrivilege | 3388 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 3388 | srtasks.exe
Token: SeBackupPrivilege | 3388 | srtasks.exe
Token: SeRestorePrivilege | 3388 | srtasks.exe
Token: SeSecurityPrivilege | 3388 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 3388 | srtasks.exe
Token: SeRestorePrivilege | 2508 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2508 | msiexec.exe
Token: SeRestorePrivilege | 2508 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2508 | msiexec.exe
Token: SeRestorePrivilege | 2508 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2508 | msiexec.exe
Token: SeRestorePrivilege | 2508 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2508 | msiexec.exe
Token: SeRestorePrivilege | 2508 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2508 | msiexec.exe
Token: SeRestorePrivilege | 2508 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2508 | msiexec.exe
Token: SeRestorePrivilege | 2508 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2508 | msiexec.exe
Token: SeRestorePrivilege | 2508 | msiexec.exe
- Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
3764 | msiexec.exe
3764 | msiexec.exe
- Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 2508 wrote to memory of 3388 | 2508 | msiexec.exe | 94
PID 2508 wrote to memory of 3388 | 2508 | msiexec.exe | 94
PID 2508 wrote to memory of 4244 | 2508 | msiexec.exe | 96
PID 2508 wrote to memory of 4244 | 2508 | msiexec.exe | 96
PID 2508 wrote to memory of 4244 | 2508 | msiexec.exe | 96
PID 4244 wrote to memory of 3632 | 4244 | MsiExec.exe | 97
PID 4244 wrote to memory of 3632 | 4244 | MsiExec.exe | 97
PID 4244 wrote to memory of 3632 | 4244 | MsiExec.exe | 97
PID 4244 wrote to memory of 3020 | 4244 | MsiExec.exe | 99
PID 4244 wrote to memory of 3020 | 4244 | MsiExec.exe | 99
PID 4244 wrote to memory of 3020 | 4244 | MsiExec.exe | 99
PID 3112 wrote to memory of 4708 | 3112 | QCIFTyMgyyFp.exe | 105
PID 3112 wrote to memory of 4708 | 3112 | QCIFTyMgyyFp.exe | 105
PID 3112 wrote to memory of 4708 | 3112 | QCIFTyMgyyFp.exe | 105
PID 4708 wrote to memory of 4560 | 4708 | nSBnCTQPhM12.exe | 106
PID 4708 wrote to memory of 4560 | 4708 | nSBnCTQPhM12.exe | 106
PID 4708 wrote to memory of 4560 | 4708 | nSBnCTQPhM12.exe | 106
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows parent/child depth)
C:\Windows\system32\msiexec.exe
    Command: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\VLC2.7.msi
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3764
C:\Windows\system32\msiexec.exe
    Command: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2508
    C:\Windows\system32\srtasks.exe
        Command: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        - Suspicious use of AdjustPrivilegeToken
        PID:3388
    C:\Windows\syswow64\MsiExec.exe
        Command: C:\Windows\syswow64\MsiExec.exe -Embedding 6A8996DC1238417FF778488E53871609 E Global\MSI0000
        - System Location Discovery: System Language Discovery
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory
        PID:4244
        C:\Program Files\UpgradeWholesalerAgile\UdgXmVwhvaeF.exe
            Command: "C:\Program Files\UpgradeWholesalerAgile\UdgXmVwhvaeF.exe" x "C:\Program Files\UpgradeWholesalerAgile\zJVekxzWHGhLKpsaTVoA" -o"C:\Program Files\UpgradeWholesalerAgile\" -pDUaIQBEnpsKpUhGkYwoZ -y
            - Drops file in Program Files directory
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID:3632
        C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe
            Command: "C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe" -number 218 -file file3 -mode mode3 -flag flag3
            - Drops file in Program Files directory
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            PID:3020
C:\Windows\system32\vssvc.exe
    Command: C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe
    Command: "C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe" install
    - Drops file in Program Files directory
    - Executes dropped EXE
    PID:3724
C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe
    Command: "C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe" start
    - Drops file in Program Files directory
    - Executes dropped EXE
    PID:532
C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe
    Command: "C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe"
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3112
    C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe
        Command: "C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe" -number 116 -file file3 -mode mode3 -flag flag3
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID:4708
        C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe
            Command: "C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe" -number 362 -file file3 -mode mode3 -flag flag3
            - Enumerates connected drives
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            PID:4560
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 7KB
  MD5: e3961504893d64db7c0699c4514d4fea
  SHA1: 83855610f01d35fe00f651ae4634eed7389e86f2
  SHA256: f5fbc44b203abd1bdaa0a34337a512c405a96392caf65321793e66ce41e4a617
  SHA512: 7072a519ce53da291a288ba2c9945461af8b48f3ac62b12f8ee510e6e6e494b9e82a05bcf5be484e9420e6481087a6325491c90a87c654750e303471cb490822
- Filesize: 832KB
  MD5: d305d506c0095df8af223ac7d91ca327
  SHA1: 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
  SHA256: 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
  SHA512: 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796
- Filesize: 268B
  MD5: 95da6fe2e4d2d29187afbdffcb5b07de
  SHA1: ba574433c207ad0587349605314c246fd5bf84a3
  SHA256: 8cf8ac72f0fef95529764d6d8d892842cd56f53b8c842066d6989679eec99237
  SHA512: 1f66b3bfdce7b72bbb6e4b0cf831308fe8c9eda8aee4742d6a87c16cc4fdf0bdc4ee962ace8552208279a483bce5f12871b4806c93afe9d8932b0d1a21f4bcff
- Filesize: 489B
  MD5: 0df63241cb6b00cf465c7a99dc6c45cc
  SHA1: bdfda69cf8564f471447ec9d2adeedb0882dc34e
  SHA256: d35c9d605941cacfb76d7f9840bf069de0755f87045b39c3657331a71ba8535b
  SHA512: 668feec5985fe5b268ba32d767b1145e5c43070b78ae1fdf3d4f3199c410afa95bd44ccaf051708a8be900669c75c09be07b305ab58dc69ef508e8985e288e16
- Filesize: 592B
  MD5: 4cfdfa23e02c667871d121cdb68246ed
  SHA1: f7730ef22ba9a854943ca6f9f4f27391246fbdf5
  SHA256: 7c81981dc101ee1e0e7bc5f4969ac3216450a4dedef8ab40e0031c2b7093660b
  SHA512: 69dbb9f5207249e8bd3685e5bd3e6ad4881599ccd81617e243392dccb3154630e56373974ebb9e655982899c96c20baac088d367e19244f9145b9bdd761c0a6b
- Filesize: 442B
  MD5: 1edb29deabaa1f8e1d1ab7d0a0da78df
  SHA1: 12b85e64c54c2085b4f9ef259dce35e770da6b88
  SHA256: 3995b47de316c8a5ac98048470ffef3d97fe7b601dc0f099391cd716642212c7
  SHA512: cc58406cbedef85d35fe7bbb34a4108e3c1bfeb1707302a16dcb76853ee78416abe91edd751a63e096cfcd445d0721e3b76e16316e8dc48d40d60188d63aa0bf
- Filesize: 574KB
  MD5: 42badc1d2f03a8b1e4875740d3d49336
  SHA1: cee178da1fb05f99af7a3547093122893bd1eb46
  SHA256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
  SHA512: 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
- Filesize: 2.9MB
  MD5: a39b845fda1e4459eed816fd8f300935
  SHA1: 6eb0bb58fabdf307f4fda5a2eb408226cdb2ac35
  SHA256: 7beb9eb8189d6f97bc9def1190b4e00d3a8bca6af9378a383683baa002cda3f9
  SHA512: d1f0fdea0738a658c5d7977be76a96ff09d922f0c2ca884ca39e50618de42e9acee0d944e97fcd306fb8d5eda17b05dec286a2c2306f4782541f90c16931ab71
- Filesize: 1.7MB
  MD5: 9c911a773c1629487f12783080c37b0c
  SHA1: d0c3db8b3c354f96bd0cff829dbd561b81676f19
  SHA256: 6a6a941a94077fc7d43076e4d231341b6641a455681f80d65efd480de4733b3c
  SHA512: 51c669086de0492442ae030315fd9adeee1208c79b605b34d46d20758aeeac569f8d5d16b110a7164490ff9a255bb1af207c931ed45be2409aaee6a29e04a421
- Filesize: 1KB
  MD5: 122cf3c4f3452a55a92edee78316e071
  SHA1: f2caa36d483076c92d17224cf92e260516b3cbbf
  SHA256: 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
  SHA512: c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c
- Filesize: 14.0MB
  MD5: a1c5d32005ee62baa30dc993394aa17c
  SHA1: 360dd1889252cc5c06386706f5d9f8f326f218db
  SHA256: 49d8edfd8a93ede3e3087771d69b7e6be33f53dfb92ee1da9d82c09f2e0d3188
  SHA512: 3ae8fcf6120e9c2a518b109c64996cea7d5b8f28df1e00c6e18a74b199d4f80d44e2c647fddb22b6b5ab3e24a495366be21d1a140521c00db35dd9e3480c4124
- Filesize: 23.7MB
  MD5: 91aa3cad537c20f8c01286dec82198de
  SHA1: 81d4f4fa2a325d7b41be7634adb5f1f72e12d152
  SHA256: 2bce9c16d5fb4b23f8db8a87b2e52c384fd61f6cdcf23a161b52af8b3e29a4e1
  SHA512: 62a1ec38684462cb1acc3adcd8a71136979adc26c77a823681b4143f457ab5b152df5cf84a84a3c32312ce00660c8165663a987e8ade9097cf668f9d2107b2c8
- \??\Volume{f1c9ec80-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0db3e223-962f-4f40-a2a7-013299d08498}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 7f332317a74435959554be2adae444a0
  SHA1: c036f32d4393377f8a4ae8900e9e99db3b274b0d
  SHA256: 3fc4d36e936856d8193013b0ad7aba6d691080d07304b7f220317b27aaf4c27c
  SHA512: e460fe56ec40a1135af1bd6d6cc5f054677951c9f7bebbb762541f67eeffdbea9d28dbe0b9be2def5220809c0e3af2cf04d912933b8709eb25866c827c1ee652