Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21/09/2024, 20:08 UTC
Static task
static1
Behavioral task
behavioral1
Sample
TwDush.msi
Resource
win7-20240903-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral2
Sample
TwDush.msi
Resource
win10v2004-20240802-en
windows10-2004-x64
19 signatures
150 seconds
General
-
Target
TwDush.msi
-
Size
66.4MB
-
MD5
9800a890a4819b574c5aa5ca9e063d96
-
SHA1
ede8c738d4e58c770f0ba7792e330756aaf28c7f
-
SHA256
ec40da7be23e50181fb692525cc62f6cd5f5caa74f653fabaf5d57df1201263b
-
SHA512
ae52316d3f17cab0370ce6a772861ae5ca5a556f140955c93edf91852695964b57b108c1b85a342d2c52ae8090a6c3d97e7fe5a1c4bd87435135572ab5ca12cf
-
SSDEEP
1572864:vXU1B6zASrGGq3ymZM4yLpQBoxFlfAwwsUZWOVH:vXU1B6ASrGGqCcM/DxFBDwhZzH
Score
6/10
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe -
Drops file in Program Files directory 11 IoCs
description ioc Process File opened for modification C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe mvlKSjKRHbPQ.exe File opened for modification C:\Program Files\PlanAnalyzerOptimistic PtsxcsyatT16.exe File created C:\Program Files\PlanAnalyzerOptimistic\MOELauncherSetup_V0TKW.exe msiexec.exe File created C:\Program Files\PlanAnalyzerOptimistic\VKWrWBaIcvTlXvwirqQe msiexec.exe File opened for modification C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.xml mvlKSjKRHbPQ.exe File created C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe mvlKSjKRHbPQ.exe File opened for modification C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe mvlKSjKRHbPQ.exe File created C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe msiexec.exe File created C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe msiexec.exe File created C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.xml mvlKSjKRHbPQ.exe File created C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe mvlKSjKRHbPQ.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File created C:\Windows\Installer\f76a6f9.msi msiexec.exe File opened for modification C:\Windows\Installer\f76a6f9.msi msiexec.exe File created C:\Windows\Installer\f76a6fa.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIA850.tmp msiexec.exe File created C:\Windows\Installer\f76a6fc.msi msiexec.exe File opened for modification C:\Windows\Installer\f76a6fa.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe -
Executes dropped EXE 3 IoCs
pid Process 528 mvlKSjKRHbPQ.exe 2028 PtsxcsyatT16.exe 1988 ToDesk.exe -
Loads dropped DLL 9 IoCs
pid Process 1240 MsiExec.exe 1240 MsiExec.exe 1240 MsiExec.exe 1240 MsiExec.exe 1240 MsiExec.exe 2028 PtsxcsyatT16.exe 2028 PtsxcsyatT16.exe 2028 PtsxcsyatT16.exe 2028 PtsxcsyatT16.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2380 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mvlKSjKRHbPQ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PtsxcsyatT16.exe -
Modifies data under HKEY_USERS 50 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E PtsxcsyatT16.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" PtsxcsyatT16.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 PtsxcsyatT16.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust" PtsxcsyatT16.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe -
Modifies registry class 22 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\Clients = 3a0000000000 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\Language = "1033" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\Version = "134807556" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\PackageName = "TwDush.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\Media\1 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E5A40D8B63096B4BAF3DA1D70837CE3 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\PackageCode = "B4C280FC3A938F442BA728B9CF74E9DC" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\AdvertiseFlags = "388" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\Net msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E5A40D8B63096B4BAF3DA1D70837CE3\ProductFeature msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\376C3C4D8C5B1874EB9AE27A958B6EEA msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\376C3C4D8C5B1874EB9AE27A958B6EEA\8E5A40D8B63096B4BAF3DA1D70837CE3 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\ProductName = "PlanAnalyzerOptimistic" msiexec.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2012 msiexec.exe 2012 msiexec.exe 2028 PtsxcsyatT16.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2380 msiexec.exe Token: SeIncreaseQuotaPrivilege 2380 msiexec.exe Token: SeRestorePrivilege 2012 msiexec.exe Token: SeTakeOwnershipPrivilege 2012 msiexec.exe Token: SeSecurityPrivilege 2012 msiexec.exe Token: SeCreateTokenPrivilege 2380 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2380 msiexec.exe Token: SeLockMemoryPrivilege 2380 msiexec.exe Token: SeIncreaseQuotaPrivilege 2380 msiexec.exe Token: SeMachineAccountPrivilege 2380 msiexec.exe Token: SeTcbPrivilege 2380 msiexec.exe Token: SeSecurityPrivilege 2380 msiexec.exe Token: SeTakeOwnershipPrivilege 2380 msiexec.exe Token: SeLoadDriverPrivilege 2380 msiexec.exe Token: SeSystemProfilePrivilege 2380 msiexec.exe Token: SeSystemtimePrivilege 2380 msiexec.exe Token: SeProfSingleProcessPrivilege 2380 msiexec.exe Token: SeIncBasePriorityPrivilege 2380 msiexec.exe Token: SeCreatePagefilePrivilege 2380 msiexec.exe Token: SeCreatePermanentPrivilege 2380 msiexec.exe Token: SeBackupPrivilege 2380 msiexec.exe Token: SeRestorePrivilege 2380 msiexec.exe Token: SeShutdownPrivilege 2380 msiexec.exe Token: SeDebugPrivilege 2380 msiexec.exe Token: SeAuditPrivilege 2380 msiexec.exe Token: SeSystemEnvironmentPrivilege 2380 msiexec.exe Token: SeChangeNotifyPrivilege 2380 msiexec.exe Token: SeRemoteShutdownPrivilege 2380 msiexec.exe Token: SeUndockPrivilege 2380 msiexec.exe Token: SeSyncAgentPrivilege 2380 msiexec.exe Token: SeEnableDelegationPrivilege 2380 msiexec.exe Token: SeManageVolumePrivilege 2380 msiexec.exe Token: SeImpersonatePrivilege 2380 msiexec.exe Token: SeCreateGlobalPrivilege 2380 msiexec.exe Token: SeBackupPrivilege 2860 vssvc.exe Token: SeRestorePrivilege 2860 vssvc.exe Token: SeAuditPrivilege 2860 vssvc.exe Token: SeBackupPrivilege 2012 msiexec.exe Token: SeRestorePrivilege 2012 msiexec.exe Token: SeRestorePrivilege 2720 DrvInst.exe Token: SeRestorePrivilege 2720 DrvInst.exe Token: SeRestorePrivilege 2720 DrvInst.exe Token: SeRestorePrivilege 2720 DrvInst.exe Token: SeRestorePrivilege 2720 DrvInst.exe Token: SeRestorePrivilege 2720 DrvInst.exe Token: SeRestorePrivilege 2720 DrvInst.exe Token: SeLoadDriverPrivilege 2720 DrvInst.exe Token: SeLoadDriverPrivilege 2720 DrvInst.exe Token: SeLoadDriverPrivilege 2720 DrvInst.exe Token: SeRestorePrivilege 2012 msiexec.exe Token: SeTakeOwnershipPrivilege 2012 msiexec.exe Token: SeRestorePrivilege 2012 msiexec.exe Token: SeTakeOwnershipPrivilege 2012 msiexec.exe Token: SeRestorePrivilege 2012 msiexec.exe Token: SeTakeOwnershipPrivilege 2012 msiexec.exe Token: SeRestorePrivilege 2012 msiexec.exe Token: SeTakeOwnershipPrivilege 2012 msiexec.exe Token: SeRestorePrivilege 2012 msiexec.exe Token: SeTakeOwnershipPrivilege 2012 msiexec.exe Token: SeRestorePrivilege 2012 msiexec.exe Token: SeTakeOwnershipPrivilege 2012 msiexec.exe Token: SeRestorePrivilege 2012 msiexec.exe Token: SeTakeOwnershipPrivilege 2012 msiexec.exe Token: SeRestorePrivilege 2012 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2380 msiexec.exe 2380 msiexec.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 2012 wrote to memory of 1240 2012 msiexec.exe 34 PID 2012 wrote to memory of 1240 2012 msiexec.exe 34 PID 2012 wrote to memory of 1240 2012 msiexec.exe 34 PID 2012 wrote to memory of 1240 2012 msiexec.exe 34 PID 2012 wrote to memory of 1240 2012 msiexec.exe 34 PID 2012 wrote to memory of 1240 2012 msiexec.exe 34 PID 2012 wrote to memory of 1240 2012 msiexec.exe 34 PID 1240 wrote to memory of 528 1240 MsiExec.exe 35 PID 1240 wrote to memory of 528 1240 MsiExec.exe 35 PID 1240 wrote to memory of 528 1240 MsiExec.exe 35 PID 1240 wrote to memory of 528 1240 MsiExec.exe 35 PID 1240 wrote to memory of 2028 1240 MsiExec.exe 37 PID 1240 wrote to memory of 2028 1240 MsiExec.exe 37 PID 1240 wrote to memory of 2028 1240 MsiExec.exe 37 PID 1240 wrote to memory of 2028 1240 MsiExec.exe 37 PID 1240 wrote to memory of 1988 1240 MsiExec.exe 38 PID 1240 wrote to memory of 1988 1240 MsiExec.exe 38 PID 1240 wrote to memory of 1988 1240 MsiExec.exe 38 PID 1240 wrote to memory of 1988 1240 MsiExec.exe 38 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TwDush.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2380
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C7C0DC154DC099864EA127D99817B10F M Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe"C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe" x "C:\Program Files\PlanAnalyzerOptimistic\VKWrWBaIcvTlXvwirqQe" -o"C:\Program Files\PlanAnalyzerOptimistic\" -pyjlAFQsGZRtyUdVIXREr -y3⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:528
-
-
C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe"C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe" -number 132 -file file3 -mode mode3 -flag flag33⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2028
-
-
C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe"C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe"3⤵
- Executes dropped EXE
PID:1988
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2860
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "0000000000000070"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2720
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD564165913ce08744a488915251f506571
SHA1a2a7c628ef6d6569cbcb6f3f413aff0b0dd8d93b
SHA256ddf864c614e18ec2b2567163e31955eccbbdba8ccdf845ed68791705cd5fe7ce
SHA5124b9e6caa68598e19f57ceb1a4cf184ece5eb1a333aa55c33b95895c44b6b3429a5e6cb7620a2f3a37c3793699703a8d5b3ceea98198a7fb8c1c8a6f4e7755e01
-
Filesize
35.6MB
MD5f0b4afeb9a9582a84c04d33b4f9c93e5
SHA10b9229e8e3879fc4d1310ba493280894cac1f259
SHA256d71c5c27f6e68be09e40921321a2c6d3b95f65787c33dcc2d66e6939a798a3c9
SHA512d4c3593590a5574bbfc1270d3aca3b419ea5126735206b5e2104e42fda961844ba90073ebacd917b9b0152c103670d1a64b88c76b03b358feae73794418abe51
-
Filesize
2.9MB
MD5772375794abfe39763f2057e845ff14b
SHA108ada20435475025e8b22d4a7460725fdcb0c3d5
SHA256c31afb76379f0adaaa98d52f7a6dca18cd9f374672e1e85c6c4f7214080e2248
SHA512ab67f8af704b0bf8902120b23fd2d31a1b12f05dc64f17b0f5fafb1c96bbf93481d4e147967a891028c2f4f0c5dc0b1eb135c003a2bc33ca4e118c60b70a2ad2
-
Filesize
48.3MB
MD51193d280fe00a77b753b8c196969fddf
SHA12ba757374129b149823d67a99e907989732c31dc
SHA25656e4cbc58c71fbab44bef5bb191659e92fa6713b6e1834465464f4dea44498ad
SHA512dd62534de37eae14cce7e83ccdf2e9f1fd6d87ea104c25bb107af4826a128ee40507958ce37c3df937ea238f1370a5e3f3cdcf701d015f6e2d31e45d4c0d1327
-
Filesize
1.7MB
MD52b86a11112da3cafddcd7ee308cea7c9
SHA1994cce38475425226d857550c86f1651fcfdc2dc
SHA2565f80ac378a228c920d0dd85c05c986c06ef3bc05b0b98a85df03428a00c6f9e3
SHA512da141c69561b862dec313b23a636a34ce831c18973c71c1450372350b1aba9be8291b3ecaa909166bb25f4bfbbd0477c6ff2711bb7475ca8c333a9c677ad56a2
-
Filesize
574KB
MD542badc1d2f03a8b1e4875740d3d49336
SHA1cee178da1fb05f99af7a3547093122893bd1eb46
SHA256c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA5126bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
Filesize
832KB
MD5d305d506c0095df8af223ac7d91ca327
SHA1679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA51294d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796